Failed authorization procedure. cega-official.at (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for cega-official.at - the domain's nameservers may be malfunctioning, www.cega-official.at (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for www.cega-official.at - the domain's nameservers may be malfunctioning
Strange.
My authoritative nameservers seem to answer correctly to CAA requests.
But when I try it through google or other non-authoritative nameservers, they return ServerFailure.
It has always done so, at least the last few years.
Anyway, you should enable DNS using TCP too, as sometimes the UDP packages are just too large or something similar, requiring TCP. Not just for zone transfers.
No, it does not. Your nameservers [ns1.zunter.com, ns3.zunter.com, ns2.zunter.com] do not answer authoritatively (flag not set) when asked for a record (apparently) not present in the zone.
When asked for an existing record:

```
dig A cega-official.at @ns1.zunter.com
; <<>> DiG 9.16.22-Debian <<>> A cega-official.at @ns1.zunter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2885
;; flags: qr **aa** rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;cega-official.at. IN A
;; ANSWER SECTION:
cega-official.at. 3600 IN A 91.250.98.52
```
And when asked for any non-existing record (such as AAAA, or CAA):

```
dig AAAA cega-official.at @ns1.zunter.com
; <<>> DiG 9.16.22-Debian <<>> AAAA cega-official.at @ns1.zunter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17710
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;cega-official.at. IN AAAA
;; AUTHORITY SECTION:
cega-official.at. 3600 IN NS ns1.zunter.com.
cega-official.at. 3600 IN NS ns3.zunter.com.
cega-official.at. 3600 IN NS ns2.zunter.com.
```
Notice the missing AA (Authoritative Answer) flag. Resolvers treat this as if you weren't hosting the zone* (dig seems to report this as BAD (HORIZONTAL) REFERRAL when using +trace) and therefore won't use your answer.
There are additional weirdnesses/bad configurations going on (such as the nameservers not supporting EDNS), but the above is probably the major issue right now.
*The non-existent response matches what you would expect if you wanted to refer to another nameserver (authority section mentioning who's authoritative, but we're already talking to the nameservers we're getting referred to...)
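To make the AA-flag point checkable offline, here is an added example (not from the post above, and not dig's code) that parses a raw DNS reply and classifies it the way a resolver would. The two messages are constructed to mirror the dig outputs quoted above, and the classification labels ("authoritative", "horizontal-referral", "non-authoritative") are my own naming, not resolver terminology.

```python
import struct
QR, AA, RD = 0x8000, 0x0400, 0x0100  # DNS header flag bits (RFC 1035)

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def decode_name(msg, off):
    # Returns (name, offset after the name); follows compression pointers as real replies use them
    labels = []
    while msg[off] and not msg[off] & 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    if msg[off] & 0xC0:
        tail, _ = decode_name(msg, struct.unpack_from("!H", msg, off)[0] & 0x3FFF)
        return ".".join(labels + [tail]), off + 2
    return ".".join(labels), off + 1

def build_response(msg_id, aa, qname, qtype, answers, authority):
    # Constructed reply: one question plus (rtype, rdata) records for the ANSWER and AUTHORITY sections
    msg = struct.pack("!6H", msg_id, QR | RD | (AA if aa else 0), 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for section in (answers, authority):
        for rtype, rdata in section:
            msg += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

def classify(msg, queried_server):
    # Judge a reply the way a resolver does: "authoritative", "horizontal-referral" or "non-authoritative"
    _, flags, _, ancount, nscount, _ = struct.unpack("!6H", msg[:12])
    if flags & AA:
        return "authoritative"
    off = decode_name(msg, 12)[1] + 4  # skip QNAME, QTYPE, QCLASS
    authority_ns = []
    for i in range(ancount + nscount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        if i >= ancount and rtype == 2:  # NS record in the AUTHORITY section
            authority_ns.append(decode_name(msg, off + 10)[0])
        off += 10 + rdlen
    # No AA, no answers, and the AUTHORITY NS set names the server we asked: dig's BAD (HORIZONTAL) REFERRAL
    if ancount == 0 and queried_server in authority_ns:
        return "horizontal-referral"
    return "non-authoritative"

# Constructed messages mirroring the two dig outputs quoted above
GOOD = build_response(2885, True, "cega-official.at", 1, [(1, bytes([91, 250, 98, 52]))], [])
NS_SET = [(2, encode_name(n)) for n in ("ns1.zunter.com", "ns3.zunter.com", "ns2.zunter.com")]
BAD = build_response(17710, False, "cega-official.at", 28, [], NS_SET)
```

A correct NODATA answer from an authoritative server carries the AA flag (and typically an SOA, not NS, in the authority section); the same `classify` check can be pointed at bytes captured from a real query to confirm which case a server produces.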
But for some other domains it works correctly. Only for this domain and one more do I not get authoritative answers.
Do you think it is because Google still delivers cached information?
Otherwise my nameserver is buggy (but I do not understand why it works for other domains).
In the meantime I tried to enable TCP, but this does not solve the issue.