I'm having problems with getting an SSL certificate for nunomira.pt.
I get the error:
DNS problem: SERVFAIL looking up A for the domain's nameservers may be malfunctioning
I have other domains, such as ourico.pt which are supposedly configured exactly in the same way as nunomira.pt, and these are working fine.
Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 37072, DigestType 1, Digest hANUjoI0c6QAfei0VtjjWNQ3JM0=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 37072, DigestType 2, Digest 4ZiRarRhxVlyCrQ632+2JDauS8F183H5+acVILVmW0Y=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
I have no idea of what this means...
Both domains have the same registrar and nameservers, and same host.
RRSIG=30640 and DNSKEY=30640 verifies the DS RRset
No DNSKEY records found
nunomira.pt A RR has value 192.241.158.94
No RRSIGs found
A DS in the parent zone and no (or not matching) DNSKEY / RRSIG in the local zone -> DNSSEC is broken or there is a man in the middle, so DNSSEC works.
But mostly, it's not a man in the middle, it's a buggy / not updated configuration.