DNS problem: SERVFAIL looking up A for mysite - the domain's nameservers may be malfunctioning (renew cert)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
certbot renew

It produced this output:
DNS problem: SERVFAIL looking up A for 4no1.net - the
domain’s nameservers may be malfunctioning
My web server is (include version):
Server version: Apache/2.4.25 (Raspbian)
Server built: 2019-10-13T15:43:54

The operating system my web server runs on is (include version):
NAME=“Raspbian GNU/Linux”
VERSION=“9 (stretch)”

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO control panel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

Your domain name has DNSSEC issues. See for more info: https://dnsviz.net/d/4no1.net/dnssec/

Sorry i don’t understand, I was used the certificate in the past two years and I never had a trouble until today.

Could you explain me a little more detail?

There’s not really much more to explain which isn’t already covered on the DNSViz URI I pasted above. If you hoover over the triangular icons with the exclamation mark, you’ll see the actual error messages.

The main error (in the graph pointed out by the big red error from the “net” zone to your domain) is:

No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.

1 Like

Hi @gerflores

checking your domain you see ( https://check-your-website.server-daten.de/?q=4no1.net ):


That’s the same DNSSEC problem DNSViz reports.

And your SOA has different Serial numbers.

  • Did you change your DNS provider?
  • Looks like your old DNS provider had DNSSEC support, your new not. Then the result is expected.

Check, if you can recalculate your DNSSEC. If that isn’t possible, check, if you can remove DNSSEC.

PS: The parent zone says, you have a working DNSSEC. But your zone doesn’t send the correct DNSKEY RR. So your DNSSEC is broken. Or there is a man in the middle. But in most cases, it’s a buggy configuration.


Thanks for your reply. Me vendor says is obligatory de DNSSEC in .net. However I thinls this is new because in the las 2 years I can use my domain whithout problem until I need renew in this thre mounts. I don’t know how can i fix it

Who is your vendor?

DNSSEC is excellent. But it’s the job of the DNS provider to create a working solution.

Normally, it’s only a “one click thing” - the client (you) can it activate or deactivate. The DNS provider creates the correct DS and DNSKEY or removes the DS in the parent zone.

–>> Ask your DNS provider why your DNSSEC is broken. They have to fix ist.


Unless the user has deleted the DS RR manually :grin:

In the parent zone? A normal user / customer can’t do such things.


No, the parent zone does have a RRSIG… But the zone for 4no1.net is missing the corresponding DS RR. And users could delete that DS RR, or change it.

IMO, users shouldn’t be able to do that, however… But maybe there are DNS providers out there where the user might do that.

My vendor for 4no1.net is akky.mx
My DNS provider is CDMON, do you know other DNS provider? because I have a dinamic IP and CDMON is so easy configuration. but I only can create a A name forma my domain and sub domain. and MX But I can’t create another kind enter in the DNS.

Or I have other 3 points with Debian servers I would create my own DNS. But I can’t remember the name for this kind the DNS to replicate in the world.

Do you know the name for this dns and search information to create my own dns.

Or what dou you think is my best choise?

If you can’t modify anything about the DNSSEC settings, such as the DS record, it’s CDMON’s job to correct any DNSSEC issue.

That’s wrong, see your DNSVIZ result, see the result of “check-your-website”.

The DS exists always in the parent zone. But there is no DNSKEY in the current zone with these two values:

DS with Algorithm 7, KeyTag 30894, DigestType 2 and Digest CqxjdlTZCfDWuAsIo83yTNwRln3QROkUCnJwJVp254U=

There must be a DNSKEY with the values the DS has.

That’s how DNSSEC works.

1 Like

I will try to contact CDMON to ask aboiut this. In other hand I can see my akkyv vendor I can delete the DS register and I can see this information.

Dear JurgenAuer. Thanks a lot for graet light to show me today. In this moment I can resolve my issue. But I will read more about DNSSEC. To try use this new one for me. But in this moment I can renew my certificates.
Again Thanks a lot.
P.S. In this moment I need erease DS records. But I will be try DNSSECC when understand the whole process. I need read more about DNSSEC


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.