DNS problem: SERVFAIL looking up CAA


My domain is:

It produced this output:
DNS problem: SERVFAIL looking up CAA for agent.hy1.com

My web server is (include version):

The operating system my web server runs on is (include version):

I can login to a root shell on my machine (yes or no, or I don’t know):


Hi @patricelee

that looks bad ( https://sslmate.com/caa/ ):

agent.hy1.com has broken DNS servers that do not handle CAA properly: Could not contact DNS servers

Same with letsdebug:


DNS response for agent.hy1.com/CAA did not have an acceptable response code: SERVFAIL

Looks terrible. Are you able to create a new CAA setting for agent.hy1.com?

Use sslmate to see the format.


DNS.COM has issues.

  • Some of the DNS servers don’t respond.

  • They all have bugs; some servers have more and worse bugs than others.

  • Some of them have different versions of the zone.

  • They don’t support case randomization. That is totally valid, but Let’s Encrypt’s resolver either requires that it is supported or enters a fallback mode, which almost always works, but sometimes doesn’t.

The other issues – plus having a lot of servers, far away – make the fallback mode less reliable.
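The case-randomization behaviour mentioned in the post above, as an added example that is not part of the original thread and is not Let's Encrypt's resolver code: it builds a CAA query with mixed-case letters and classifies each server's reply as ok, case not preserved, an error rcode such as SERVFAIL, or no response. The name `agent.example.com`, the server labels and the replies are constructed so that it runs offline.

```python
import random
import struct

CAA = 257  # CAA RR type number (RFC 8659)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def randomize_case(name, rng):
    """0x20 mixing: pick upper or lower case at random for every letter."""
    return "".join(rng.choice((c.lower(), c.upper())) for c in name)

def build_query(name, txid, qtype=CAA):
    """Wire-format query with RD=0, as sent straight to an authoritative server."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def read_qname(msg):
    """Question name from a DNS message, case preserved."""
    pos, labels = 12, []
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels)

def check_reply(query, reply):
    """Classify one server's reply to a case-randomized query."""
    if reply is None:
        return "no response"
    txid, flags = struct.unpack("!2H", reply[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "not a reply to this query"
    if flags & 0xF:
        return "rcode " + RCODES.get(flags & 0xF, str(flags & 0xF))
    sent, echoed = read_qname(query), read_qname(reply)
    if echoed == sent:
        return "ok"
    return "case not preserved" if echoed.lower() == sent.lower() else "question mismatch"

def fake_reply(query, rcode=0, lowercase=False):
    """Constructed reply for offline use: echoes the question, sets QR+AA and rcode."""
    # bytes.lower() only touches A-Z; label lengths (<64) and type/class bytes are unaffected
    question = query[12:].lower() if lowercase else query[12:]
    return query[:2] + struct.pack("!5H", 0x8400 | rcode, 1, 0, 0, 0) + question

if __name__ == "__main__":
    # Fixed seed so the run is repeatable; name and server labels are constructed
    q = build_query(randomize_case("agent.example.com", random.Random(7)), txid=0x1a2b)
    servers = {"ns-a": fake_reply(q), "ns-b": fake_reply(q, lowercase=True),
               "ns-c": fake_reply(q, rcode=2), "ns-d": None}
    for ns, reply in servers.items():
        print(ns, read_qname(q), "->", check_reply(q, reply))
```

To test live servers, send the bytes from `build_query` over UDP port 53 to each authoritative server in turn and pass what comes back, or `None` on timeout, to `check_reply`.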


Thank you for your reply.
We have changed the DNS provider to NS1 and it works for us.