Cannot issue certificate: CAA lookups SRVFAIL

Domain in question:

At the moment it is impossible to issue any more certificates for my domain because CAA lookups SRVFAIL:
[Mon Oct 9 00:05:45 CEST 2017] error:DNS problem: SERVFAIL looking up CAA for

The domain's primary NS is, which answers correctly:

$ dig +dnssec CAA
                3600    IN      CAA     0 issue ""
                3600    IN      CAA     0 iodef ""

The lookups fail on LetsEncrypt and, but work on
This aspect seems very strange, since +dnssec lookups for e.g. A or MX succeed.

DNSSEC on looks fine:
CAATest thinks it’s fine, too:

I ran this unboundtest, but cannot make sense of the output:

I already contacted my domain registrar, who also runs the nameservers; they don’t have a clue.

It would be greatly appreciated if somebody here could shed light on this issue.
(My certificates will start expiring soon, I’m on yellow alert :wink:)

Hi @fireglow

I believe it could be something to do with IPv6.

Does your server listen on IPv6 addresses?


This seems to be a DNSSEC issue. While DNSSEC seems to be configured correctly and a valid signature is provided for things like the A record, there seems to be an issue for the CAA record.

You can use DNSViz to check for CAA specifically; the results can be found here. It’s reporting the following error: No RRSIG covering the RRset was returned in the response. (,,,,, 2001:67c:1bc::104, 2001:67c:10b8::104, 2001:1af8:4400:a048:1::1, 2604:9a00:2010:a013:1::1, 2a00:c98:2100:a006:3::1, UDP_0_EDNS0_32768_4096)


Hi @fireglow,

You have not set RRSIG records covering CAA records:

$ dig +dnssec caa +short
0 iodef ""
0 issue ""

But you have RRSIG records for A, AAAA, TXT, NS, SOA,… records:

$ dig +dnssec a +short
A 8 2 3600 20171021193325 20171007193325 26320 UhbqFg7apJ4afTPqpuulrWrANZ4vlvz9fW84+OClxwtK93zmeGbCQ8JC Zk3aWUaO0yiHwgAO1l0n7SZL+HXIKva8Em7sxnNpyGPizRRfA0kLILKu XRkEWcXLrziQhoL1z8JfRXkXBv3zuYnxu28J282+OSlt8CmpRBtCgXsD 3Co=

$ dig +dnssec aaaa +short
AAAA 8 2 3600 20171021193325 20171007193325 26320 J1CQf5mp6gUWqTSZ8GgtCisOcSmzONRxMZGoPhHmlFSPfkM9ugLuhMPx Q0P84u8BevHIQ+0RxktWxkkmaNn1eZaXIp5Z0vQe8HXBJYfjDet04dGs t73VcBE65rjSRBua2gHJMR0Hj4Faj4SPst74SgYp7R9oqbOsNpB2WTAg +XQ=

$ dig +dnssec txt +short
TXT 8 2 3600 20171021193325 20171007193325 26320 RcaW6WKi7K3RY8FNndJTQnecnvUAc5j6+tl8WhwAEgQlGLrm3Q1fQ8O9 hv78B/rphMjVIIche5JIfrQW/hJPLJ3LpF6i081pDoHyF2vy863Vdr4F /YHDpJlDqkr5KWkOLG/nmI/S4yRnnOqCVynsu1QhOsdqacFRN2p6nUkU c0w=
"v=spf1 +mx +ip4: +ip6:2001:bc8:3353:100::10/64 -all"

$ dig +dnssec ns +short
NS 8 2 3600 20171021193325 20171007193325 26320 gnMylL1Tn4NqGBmpWixu4E2HzVysv6Jz7Qf/OjwRqy4eo1KH6z1y0pFx 3lPy8YAvwYzo+ywh+djW69fFbMZBFlkZ6LIIlpLMTiQZKOAKFk8p1u3H 8pIw5ke9E6DQPXEPyjbtS9z8tYSa4ikBIKiTb4ru5kjnzM2OAXiQuAvl nK8=

$ dig +dnssec soa +short
SOA 8 2 3600 20171022221904 20171008221904 26320 BuLRD8D/sTUQU5P2PiiGPvzGTd+wij3X++dh/7g4JKV2DW674k3Ebruy 86NzBNOg40+8ipk7ABiyFsT17O6GIMD2K1zBgnzYeVQ8rYYJl9P/nGqq 2RAvS9ZFzB9YP3C/StNDHH/o6DLhWBD6k24E4hwgphEYHIPX3HRnuBeJ uYc= 2017011271 10800 300 604800 3600

So yes, you should talk to the company who is managing your name servers.

Edit: Sorry, I didn’t see @pfg already posted the same conclusion.
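
As an added example (not part of this thread, and not code from any of the posters), here is a small Python script that does the check @pfg and @sahsanu did by hand: it parses dig-style answer lines and reports every RRset that has no covering RRSIG, which is exactly the condition that makes a validating resolver return SERVFAIL for the CAA lookup. The owner names and record values in the sample are constructed placeholders.

```python
from typing import Iterator, List, Tuple

# Constructed sample modelled on the thread: the A RRset carries an RRSIG,
# the CAA RRset does not. Owner names and rdata are placeholders.
SAMPLE_ANSWER = """
; ANSWER SECTION (constructed)
example.invalid.  3600 IN A     192.0.2.10
example.invalid.  3600 IN RRSIG A 8 2 3600 20171021193325 20171007193325 26320 example.invalid. UhbqFg==
example.invalid.  3600 IN CAA   0 issue "letsencrypt.org"
example.invalid.  3600 IN CAA   0 iodef "mailto:hostmaster@example.invalid"
"""


def parse_rrs(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (owner, type, rdata) from dig presentation-format lines.

    Comment lines (starting with ';') and blank lines are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 4:
            continue
        owner, _ttl, _cls, rtype = parts[:4]
        rdata = parts[4] if len(parts) > 4 else ""
        yield owner.lower(), rtype.upper(), rdata


def uncovered_rrsets(text: str) -> List[Tuple[str, str]]:
    """Return (owner, type) pairs present in the answer without a covering RRSIG."""
    present = set()
    covered = set()
    for owner, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            # The first rdata field of an RRSIG is the "type covered".
            covered.add((owner, rdata.split()[0].upper()))
        else:
            present.add((owner, rtype))
    return sorted(present - covered)


if __name__ == "__main__":
    for owner, rtype in uncovered_rrsets(SAMPLE_ANSWER):
        print(f"{owner} {rtype}: RRset returned without covering RRSIG")
```

Feed it the answer section of `dig +dnssec <type> <name>` from each authoritative server to see which one drops the signature, as happened with the secondary servers in this thread.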



@pfg and @sahsanu: Thank you both so much!
I’m letting Knot handle DNSSEC automatically.
Will have to investigate why RRSIG records are not created for CAA.
Very many thanks to you again, I wouldn’t have found this in 1000 years.

Just a quick edit to vindicate Knot:
Knot creates RRSIGs correctly, it’s the upstream nameservers that do not seem to propagate it.


Same here: my BIND manages DNSSEC, and I use inwx servers as slaves. If I compare my zone with the zone data visible in the inwx web interface, the RRSIG for CAA is lost. I was in contact with inwx, but the problem is still not resolved.

They do support CAA and DNSSEC, but not both at the same time.


They just told me the same thing.
What are alternatives? I’d like to keep my master-slave setup.
ClouDNS for 2 USD/month seems reasonable, but maybe there’s something better?

I decided to go without CAA records until inwx resolves this problem.

