Cant renew cert: DNS problem: SERVFAIL looking up CAA

Can anyone tell me if a CAA record is now mandatory to renew a cert?

one of my hosting providers doesnt have an option to create a AAC record from the dns admin panel so does that mean i’m out of luck?

when i try to renew i get the dreaded “SERVFAIL looking up CAA”

Not having CAA records is fine. But when Let’s Encrypt asks your DNS servers instead of saying “no, I don’t have any records like that” they report an error. In this circumstance there’s no way for Let’s Encrypt to be sure if you have any CAA records they need to examine so they can’t proceed.

Reporting SERVFAIL instead of 0 records found is a common bug in DNS software, your supplier can and should rectify this bug even if they’ve no interest in some feature like CAA. This has happened before and I must say it’s very disappointing that people charge actual money for DNS services that can’t get such a basic thing right.

Doing a manual dig to the authoritative DNS server with type 247 gives a noerror so now I’m really confused.

Is there a known problem with / DNS servers? (

The tech guys at didn’t even know what a CAA record is although they are supposedly a fairly large hosting provider in Holland.

There could be several possible issues that wouldn’t be obvious in dig, like DNSSEC bugs, or a regional DDoS filtering appliance.

What’s your domain?

DNS issues are a lot easier to track down if you post your domain name. :grinning:

@jared.m you are right :wink:
the TXT record I added is doesnt show any errors as far as i can see but far from an expert.

Definitely something wrong with that zone’s DNSSEC. More specifically negative responses. It smells like the PowerDNS bug mentioned at the link above – or possibly something different but similar – but i don’t know enough to be sure.

Google Public DNS agrees.

$ dig aaaa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23385
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;       IN      AAAA

;; Query time: 202 msec
;; SERVER: 2001:4860:4860::8844#53(2001:4860:4860::8844)
;; WHEN: Fri Aug 18 07:50:08 UTC 2017
;; MSG SIZE  rcvd: 52

$ dig caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31759
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;       IN      CAA

;; Query time: 199 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Fri Aug 18 07:50:11 UTC 2017
;; MSG SIZE  rcvd: 52

version.bind queries return SERVFAIL, which again suggests but doesn’t confirm PowerDNS.

1 Like

which link?
what does this mean and what can i do?

You can ask the Your tech guys to please upgrade their DNS servers to a version with this bug fixed. It is not vital that they know anything about CAA. If you aren’t sure how to explain to them you could direct them to this discussion thread, assuming they are happy reading English (I am not sure if we have contributors watching the thread who are confident in Dutch).

just wondering, whats the use of querying instead of the authoritative nameserver itself?

i dont get that servfail if i query the firstfind nameserver itself

$ dig aaaa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32210
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1680

;; AUTHORITY SECTION: 3600 IN SOA 2017081700 16384 2048 1048576 14400

;; Query time: 14 msec
;; WHEN: Fri Aug 18 14:09:25 CEST 2017
;; MSG SIZE rcvd: 113

can anyone explain why querying the authoritative nameservers themselves give a NOERROR but querying through other nameservers gives a SERVFAIL?

If i tell those guys there is something wrong with their dnssec setup they might will say it isn’t and show me a dig to their own nameservers to substantiate it… (it would return NOERROR.) correct?

dig isn't a DNS resolver. It... doesn't work like that. There are any number of issues that it wouldn't be aware of (e.g. incorrect DS record) or that it will display (e.g. AA bit not set). dig does a DNS query and shows the response if there is one and it's reasonably close to valid. A recursive DNS server iteratively resolves a name and sends a valid response, containing either correct data or a SERVFAIL error. They're not comparable.

1 Like

so in that case, what would give me the result that i can show to the guys at yourhosting to demonstrate the problem at hand?

i mean, if they are not aware of the problem and i can not show them evidence of the problem then i would look a bit stupid and probably say the problem is with the letsencrypt verification process.

iow, how can i get a decent problem report of what seems to be going wrong.

i already showed them the error report from certbot but that actually only says:
Failed authorization procedure. (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for

and their response was like we have no idea what you are talking about.

1 Like

How about the Google Public DNS dig results i pasted earlier?

ok ill try that first then.

to me it seems strange to show the output of of another nameserver to demonstrate the problem that is caused by their own nameserver set up but i guess my knowledge falls short here to see the relevance.

anyway, ill give it a try.
don’t get me wrong, really appreciate you trying to help out here.
its just that i’m also trying my to wrap my head around what is actually happening on the technical level of things.

@geegee Hi, we’re having the same issue with yourhosting. Before I reach out to them myself I was wondering if you ever heard back from them?

I sent them an email explaining exactly what was the problem two days ago and they dont even bother to respond.

The problem with yourhosting is that they are a provider for just home and small business and have a business model just milking out domain registrations and cheap websites.

Therefor we have decided we will make a plan to move our business to a professional party.
problem solved.

Sounds like a good plan. We’ll be doing the same.

In the mean time got a cert from somewhere else but i noticed something funny,
if i do a dig to the subdomain i get SERVFAIL but i i query the main domain itself i get NOERROR

dig aaaa
status: SERVFAIL

dig aaaa
status: NOERROR

could the problem be with subdomains?

I have the same problem with Yourhosting but only for new records.
All my old records give a NOERROR, but when I create a new record I get a SERVFAIL,.
I worked around it by reusing a old testing record and changed the ip.