We are trying to generate a certificate for bewoners.wooncollege.nl System: Centos 6.9 with Directadmin 1.52.1 The domain owner has added a A and a AAAA record, pointing to our server. When trying to generate a Let’s Encrypt certificate with the Directadmin GUI we run into a ‘DNS problem: SERVFAIL…

Please verify the FQDN you are trying to obtain a cert for. And also the public IP addresses of your server. DNSSEC seems to be setup correctly: http://dnsviz.net/d/bewoners.wooncollege.nl/dnssec/ https://dnssec-debugger.verisignlabs.com/bewoners.wooncollege.nl

The FQDN and the public IP-addresses are correct. Over http there is no problem: http://bewoners.wooncollege.nl Do you have any idea why the Unbounds DNS Checker returns a SERVFAIL? https://unboundtest.com/m/CAA/bewoners.wooncollege.nl/D46R62GP That is exactly the error we are getting when we ar…

No I do not know why. But I see at least 3 tickets regarding CAA so they all might be related.

I also saw those tickets. Maybe @cpu can take a look at the Unbounds Debug log (when he wakes up).

LOL. I would dare to do that as newbie in this community.

Thanks for the @ tag. Looking into this.

debug: NODATA response failed to prove NODATA status with NSEC/NSEC3 info: validate(nodata): sec_status_bogus I’m not sure what exactly the issue is, but as a general rule, an issue like this is usually either that you need to upgrade PowerDNS to 4.0.4 or newer, or that you need to run “pdnsutil re…

I was guessing yourhosting.nl is using PowerDNS, allthough a query did not show that: monitor@xs9:~$ dig +short ns wooncollege.nl ns4.firstfind.nl. ns5.firstfind.net. ns3.firstfind.nl. monitor@xs9:~$ dig +short version.bind chaos txt @ns4.firstfind.nl monitor@xs9:~$ And pdnsutil rectify-zone does …

[image] Jan-E: I was guessing yourhosting.nl is using PowerDNS, allthough a query did not show that: Yeah. The RRSIGs are valid for 3 weeks, midnight Thursday to Thursday, which is PowerDNS's default signing configuration. It was almost definitely used to sign the zone, though other software …

CAA SERVFAIL on subdomain

Help

Jan-E November 3, 2017, 1:43pm 12

Any idea which version of PowerDNS they are using? If it is > 4.0.0 We could ask the domain owner if he is able to add a CAA record. Like it is suggested here:

Topic		Replies	Views
Help diagnosing CAA SERVFAIL Help	9	4519	August 19, 2017
PowerDNS: Can't find why CAA servfails Help	54	11290	August 20, 2017
DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu Help	15	7373	June 1, 2017
Cant renew cert: DNS problem: SERVFAIL looking up CAA Help	20	6370	October 6, 2017
SERVFAIL looking up CAA - prevent the case Help	3	667	March 5, 2021

CAA SERVFAIL on subdomain

Related topics