I’m unable to request an SSL cert for go.airliquide.com due to the following reported error: “DNS problem: SERVFAIL looking up A for go.airliquide.com - the domain’s nameservers may be malfunctioning”
Taking that domain for a spin on unboundtest.com shows that DNS resolution indeed fails due to a “Missing DNSKEY RRset in response to DNSKEY query”, thus we “[c]ould not establish a chain of trust to keys for airliquide.com.”
It’s probably worth mentioning that airliquide.com’s nameservers are configured for DNSSEC.
Out of curiosity, I ran a local instance of the Unbound DNS resolver configured with an edns-buffer-size of 512 bytes, which I understand is similar to the configuration that Let’s Encrypt uses. I was able to reproduce the same failure as reported by unboundtest.com.
However, increasing the edns-buffer-size to 1024 bytes allowed the DNS resolution for go.airliquide.com to complete successfully.
This brings me to my questions for the experts here…
- Can anyone confirm if the eDNS buffer size is indeed the root cause of the certificate provisioning failure in this case?
- Can anyone recommend any obvious DNS configuration changes to make for the airliquide.com domain that would circumvent DNS resolution failure in this case?
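
The buffer-size comparison described in the post can also be checked against an authoritative server directly, without a resolver in between. The following is an added example, not part of the original post: it builds a DNSKEY query that advertises a chosen EDNS UDP size with the DO bit set and classifies the reply from its header. The function names and the sample reply headers are constructed for illustration.

```python
import socket
import struct

DNSKEY, OPT = 48, 41  # RR type codes

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, udp_size, qid=0x1234):
    """Query with an EDNS0 OPT record: advertised UDP size, DO bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root owner, TYPE=41, CLASS carries the UDP size, TTL carries flags (DO=0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x00008000, 0)
    return header + question + opt

def classify(reply):
    """Classify a reply by its 12-byte header only."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    if flags & 0x0200:  # TC: answer did not fit the advertised size
        return "truncated: resolver must retry over TCP"
    if rcode != 0:
        return "error rcode %d" % rcode
    if ancount == 0:
        return "empty answer without TC: RRset missing"
    return "ok: %d answer records" % ancount

def ask_udp(server, query, timeout=3.0):
    """Send one query over UDP to an authoritative server (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def sample_reply(flags, ancount):
    """Constructed reply header for offline demonstration."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)

if __name__ == "__main__":
    for size in (512, 1024):
        print(size, build_query("airliquide.com", DNSKEY, size).hex())
    print(classify(sample_reply(0x8600, 0)))  # QR|AA|TC
    print(classify(sample_reply(0x8400, 0)))  # QR|AA, no answers
    print(classify(sample_reply(0x8400, 4)))  # QR|AA, four records
```

For a live check, pass `ask_udp(server, build_query("airliquide.com", DNSKEY, size))` to `classify` for each buffer size, where `server` is the address of one of the zone's authoritative nameservers.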