DNS-01 challenge problem with Azure DNS Zone

My domain is auditblackbox.com and I have set the _acme-challenge.auditblackbox.com TXT record. In Digwebinterface several DNS servers kan find the key:https://www.digwebinterface.com/?hostnames=_acme-challenge.auditblackbox.com&type=TXT&showcommand=on&useresolver=

However, not all of them find the key.

Also Let’s Encrypt (I use Certes in my C# code), cannot find the key and gives the following error:

“type”: “dns-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:dns”,
“detail”: “DNS problem: SERVFAIL looking up TXT for _acme-challenge.auditblackbox.com”,
“status”: 400
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/0EAbqefpSdzkHbLXqwfBF--9em-yNg4OXxvjNKXhNtg/5125506101”,
“token”: “EhP_7qkniCYT0QqL5JB4QRpog5DK6AKJYq0yIdNf9fQ”

I searched for all kinds of solutions, like adding a CAA and A record for _acme-challenge.auditblackbox.com. But none work… I have the feeling that I’m missing a record or something.

Does anyone have an idea?

This is usually a surefire sign of DNSSEC problems.

Disable DNSSEC at your registrar or setup your nameservers to sign your zone!

Edit: Azure DNS hosting doesn't support DNSSEC at the current time, so you'll need to just disable it at your registrar.

1 Like

The first one will be easier than the second one. :grimacing:


Edit: D'oh.



His site has a dnssec issue.

Which I can’t even open the site… (due to dnssec error), claiming “not resolved”

I just did an audit from http://dnsviz.net/d/auditblackbox.com/dnssec/, which showed that you have registered the dnskey on your domain provider, however your azure DNS doesn’t recognize this.

I did move my domain from a small webhosting company to Azure on wednesday. Can that also be of influence?

Furthermore, I have no idea how to fix this. How do I disable DNSSEC if Azure does not support it?


You would need to go to wildwestdomains.com (your domain registrar) and remove dnssec settings from there.

Thank you

1 Like


Your old host probably had DNSSEC keys setup on their nameservers for your domain. When you moved to Azure, these settings were lost and the domain became "bogus".

Steven is on the money with what to do.

Oh, maybe I did not tell, but I also moved the domain to Azure as registrar. I think they use a secondary company to for this… I will see if I can find how to contact them.

I guess you want to say "change in DNS server?"

Since transfer domain & billing (renew) is not publicly possible from azure. Also, azure domain is reselled through GoDaddy.

P.S. your domain status looked wierd, you might want to take a look.

I just found a advanced panel in Azure, redirecting to an additional management site. Here I found the DNSSEC option site and removed the key that I found there. This did not solve it :frowning:

Btw, transfering is possible. I used this script: http://www.lieben.nu/liebensraum/2017/07/transferring-a-domain-to-azure-dns-and-billing/

What status do you mean?

It definitely solved it.

If you're getting new issues, post the new error message. You won't get that SERVFAIL one again.

This is a snippet from your whois:

Registrar Abuse Contact Phone: +1.4806242505
Reseller: Azure
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited EPP Status Codes | What Do They Mean, and Why Should I Know? - ICANN
Domain Status: clientRenewProhibited EPP Status Codes | What Do They Mean, and Why Should I Know? - ICANN
Domain Status: clientDeleteProhibited EPP Status Codes | What Do They Mean, and Why Should I Know? - ICANN
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private

You have renew / transfer / delete / update prohibited from azure... (Which looks really wierd)

Extend on @_az's response, if you still experiencing "not resolved" on your local machine, refresh your DNS cache.(or wait for it to refresh)

I was still looking at the old letsdebug session :slight_smile:

It's all green now: Let's Debug

1 Like

Thanks Guys! What a powerful community!

“type”: “dns-01”,
“status”: “valid”,


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.