DNS problem: SERVFAIL looking up CAA


My domain is:

It produced this output:
DNS problem: SERVFAIL looking up CAA for agent.hy1.com

My web server is (include version):

The operating system my web server runs on is (include version):

I can login to a root shell on my machine (yes or no, or I don’t know):


Hi @patricelee

that looks bad ( https://sslmate.com/caa/ ):

agent.hy1.com has broken DNS servers that do not handle CAA properly: Could not contact DNS servers

Same with letsdebug:


DNS response for agent.hy1.com/CAA did not have an acceptable response code: SERVFAIL

Looks terrible. Are you able to create a new CAA setting for agent.hy1.com?

Use sslmate to see the format.


DNS.COM has issues.

  • Some of the DNS servers don’t respond.

  • They all have bugs; some servers have more and worse bugs than others.

  • Some of them have different versions of the zone.

  • They don’t support case randomization. That is totally valid, but Let’s Encrypt’s resolver either requires that it is supported or enters a fallback mode, which almost always works, but sometimes doesn’t.

The other issues – plus having a lot of servers, far away – make the fallback mode less reliable.
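What the case-randomization check mentioned above involves, as an added example that is not part of the original thread and is not Let's Encrypt's resolver code: the query name goes out in mixed case and the response has to echo it byte for byte. The function names and the sample server responses are constructed for illustration.

```python
import random
import struct

CAA = 257  # CAA RR type code (RFC 8659)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def randomize_case(name, rng):
    """Flip each letter of the query name to a random case (0x20 encoding)."""
    return "".join(rng.choice((c.lower(), c.upper())) for c in name)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def read_question(msg):
    """Return (qname, qtype) of the first question, keeping the name's case."""
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype

def constructed_response(query, rcode, fold_case=False):
    """Constructed sample server: echoes the question, optionally lowercased."""
    name, qtype = read_question(query)
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(name.lower() if fold_case else name) + struct.pack("!HH", qtype, 1)

def check_response(query, response):
    """Return the rcode name if the echo matches, else the reason it is rejected."""
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, flags = struct.unpack("!HH", response[:4])
    if r_id != q_id:
        return "id-mismatch"
    sent, got = read_question(query), read_question(response)
    if got[1] != sent[1] or got[0].lower() != sent[0].lower():
        return "question-mismatch"
    if got[0] != sent[0]:  # same name, different case: server folded the 0x20 bits
        return "case-not-preserved"
    return RCODES.get(flags & 0xF, str(flags & 0xF))

if __name__ == "__main__":
    q = build_query(randomize_case("agent.hy1.com", random.Random()), CAA, 0x1234)
    print(check_response(q, constructed_response(q, 2)), check_response(q, constructed_response(q, 0, fold_case=True)))
```

A server that answers correctly but lowercases the name is reported as `case-not-preserved`, which is the situation where a resolver has to either reject the answer or fall back to another strategy.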


Thank you for your reply
We have changed the DNS provider to NS1 and it works for us.

