FYI, me too on this issue.
I’m on networksolutions and worldnic nameservers, noticed errors starting Feb 26, 2020 on renewal attempts, and still today on renewals for systems that are published correctly for over a year.
All remote IPs I have access to test with I can query my A records and reach the site and acme client just fine. Only the renewal itself is failing to get DNS from worldnic.
It appears Networksolutions / worldnic are blocking LetsEncrypt datacenters entirely at this point.
Some of the various errors I’m seeing right now on renewal attempts; the “SERVFAIL looking up A” is the most prevalent in today’s attempts to renew.
- DNS problem: SERVFAIL looking up A for
- DNS problem: SERVFAIL looking up CAA
- DNS problem: query timed out looking up CAA
We don’t have DNSSEC deployed, nor CAA records, so those errors really don’t make sense except that LetsEncrypt isn’t getting valid responses for CAA nor A record attempts, where it should be getting an NXDOMAIN for the CAA lookups so it knows to bypass the CAA check. But since all DNS queries are being blocked, a “SERVFAIL” causes the CAA check to fail.
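To make the distinction in the last paragraph concrete, here is an added example (not from this post and not Let's Encrypt's own code) that models how a CA's CAA check climbs from the requested name to its parents, per RFC 8659: a SERVFAIL or timeout aborts the check, while NXDOMAIN or an empty NOERROR answer is read as "no CAA at this label, look at the parent". The zone data, names and the `timeout` pseudo-rcode are constructed for the example.

```python
"""Model of a CA's CAA check: why SERVFAIL is fatal while NXDOMAIN or an
empty answer only means "no CAA here, climb to the parent" (RFC 8659)."""

# Constructed resolver answers: name -> (rcode, list of CAA records).
# "timeout" models an unanswered query; it is not a real DNS rcode.
ZONE_OK = {
    "www.example.com": ("NOERROR", []),  # name exists, only A records
    "example.com": ("NOERROR", []),
}
ZONE_BLOCKED = {  # authoritative server drops or refuses the CA's queries
    "www.example.com": ("SERVFAIL", []),
    "example.com": ("timeout", []),
}
ZONE_RESTRICTED = {
    "www.example.com": ("NXDOMAIN", []),
    "example.com": ("NOERROR", ['0 issue "otherca.example"']),
}


def lookup_caa(name, zone):
    """Simulated resolver: names absent from the zone answer NOERROR, no data."""
    return zone.get(name, ("NOERROR", []))


def climb(name):
    """Yield name, then each parent up to (but not including) the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def caa_decision(name, zone, ca="letsencrypt.org"):
    """Return (verdict, reason) with verdict 'issue', 'refuse' or 'error'.
    Only the 'issue' tag is evaluated; issuewild handling is omitted."""
    for n in climb(name):
        rcode, records = lookup_caa(n, zone)
        if rcode in ("SERVFAIL", "timeout"):
            # A lookup failure can never be read as "no CAA": the check fails.
            return "error", f"{rcode} looking up CAA for {n}"
        if rcode == "NXDOMAIN" or not records:
            continue  # no relevant RRset at this label; climb to the parent
        issuers = [r.split()[2].strip('"') for r in records
                   if r.split()[1] == "issue"]
        if not issuers or ca in issuers:
            return "issue", f"CAA at {n} permits {ca}"
        return "refuse", f"CAA at {n} lists {issuers}, not {ca}"
    return "issue", "no CAA records found up to the TLD"


if __name__ == "__main__":
    for label, zone in [("ok", ZONE_OK), ("blocked", ZONE_BLOCKED),
                        ("restricted", ZONE_RESTRICTED)]:
        print(label, *caa_decision("www.example.com", zone))
```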