Hi,
I'm having problems with getting an SSL certificate for nunomira.pt.
I get the error:
DNS problem: SERVFAIL looking up A for the domain's nameservers may be malfunctioning
I have other domains, such as ourico.pt which are supposedly configured exactly in the same way as nunomira.pt, and these are working fine.
I followed the link
https://check-your-website.server-daten.de/?q=nunomira.pt
and I get an error
I also followed the link
https://check-your-website.server-daten.de/?q=ourico.pt
and I don't have any errors.
Here's the error:
Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 37072, DigestType 1, Digest hANUjoI0c6QAfei0VtjjWNQ3JM0=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 13, KeyTag 37072, DigestType 2, Digest 4ZiRarRhxVlyCrQ632+2JDauS8F183H5+acVILVmW0Y=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
I have no idea of what this means...
Both domains have the same registrar and nameservers, and same host.
Thanks!
Hi @nunomira
checking https://check-your-website.server-daten.de/?q=nunomira.pt :
The parent zone pt says you use DNSSEC, because the parent zone sends a signed DS RR.
But your zone doesn't send the required DNSKEY with the matching values of the parent zone.
So your DNSSEC is broken, so Let's Encrypt can't find a signed IP address.
Update your zone information, remove DNSSEC (not so good) or ask your DNS provider why the DNSSEC configuration is broken.
Rechecked via DNSSEC Analyzer - nunomira.pt - same problem:
nunomira.pt
Found 2 DS records for nunomira.pt in the pt zone
DS=37072/SHA-256 has algorithm ECDSAP256SHA256
DS=37072/SHA-1 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=30640 and DNSKEY=30640 verifies the DS RRset
No DNSKEY records found
nunomira.pt A RR has value 192.241.158.94
No RRSIGs found
A DS in the parent zone and no (or not matching) DNSKEY / RRSIG in the local zone -> DNSSEC is broken or there is a man in the middle, so DNSSEC works.
But mostly, it's not a man in the middle, it's a buggy / not updated configuration.
Thank you very much for your help!
I understood your explanation.
Going to contact the registrar.