DNS problem: SERVFAIL looking up CAA


#1

My domain is:
agent.hy1.com

It produced this output:
DNS problem: SERVFAIL looking up CAA for agent.hy1.com

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
centos6.0

I can login to a root shell on my machine (yes or no, or I don’t know):
no


#2

Hi @patricelee

that looks bad ( https://sslmate.com/caa/ ):

agent.hy1.com has broken DNS servers that do not handle CAA properly: Could not contact DNS servers

Same with letsdebug:

https://letsdebug.net/agent.hy1.com/7646

DNS response for agent.hy1.com/CAA did not have an acceptable response code: SERVFAIL

Looks terrible. Are you able to create a new CAA setting for agent.hy1.com?

Use sslmate to see the format.
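The tools linked above are doing the same tree-climbing CAA lookup a CA does before issuing (RFC 8659: query CAA at the name, then each parent, until a non-empty record set is found; any lookup that fails with SERVFAIL blocks issuance). The following is an added example, not code from this thread or from Let's Encrypt; it encodes and parses CAA RDATA and runs the check against two constructed resolvers, one mimicking the SERVFAIL seen for agent.hy1.com and one healthy zone (example.org) for comparison. The zone contents, resolver functions and `check` helper are all assumptions made for the illustration.

```python
"""CAA tree-climbing check in the style of RFC 8659, with simulated resolvers.

Added example, not code from the thread or from Let's Encrypt/Boulder. The
zone contents and resolver behaviour below are constructed to mirror the
thread: SERVFAIL at agent.hy1.com, and a healthy zone for comparison.
"""
import struct

SERVFAIL, NXDOMAIN, NOERROR = "SERVFAIL", "NXDOMAIN", "NOERROR"
ISSUER_CRITICAL = 0x80  # flags bit 0 (RFC 8659 section 4.1)


class CAALookupError(Exception):
    """Raised when a CAA lookup fails; a CA must not issue in that case."""


def encode_caa(flags, tag, value):
    """Wire-format CAA RDATA: flags(1) | tag length(1) | tag | value."""
    tag_b = tag.encode("ascii")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")


def decode_caa(rdata):
    """Parse CAA RDATA back into (flags, tag, value); tags are case-insensitive."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length inconsistent with RDATA length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def climb(name):
    """Yield name, then each parent, up to and including the TLD."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_caa(name, lookup):
    """Return (owner, records) of the first non-empty CAA RRset found climbing
    from name toward the root. lookup(name) -> (rcode, [rdata, ...])."""
    for owner in climb(name):
        rcode, rrset = lookup(owner)
        if rcode == SERVFAIL:
            # Any failed lookup on the path blocks issuance: this is the
            # error message the thread shows.
            raise CAALookupError(f"DNS problem: SERVFAIL looking up CAA for {owner}")
        if rcode == NOERROR and rrset:
            return owner, [decode_caa(r) for r in rrset]
        # NXDOMAIN, or NOERROR with no CAA records: keep climbing.
    return None, []


def may_issue(name, ca_domain, lookup):
    """Non-wildcard issuance decision for ca_domain (e.g. 'letsencrypt.org')."""
    _, records = relevant_caa(name, lookup)
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _value in records:
        if flags & ISSUER_CRITICAL and tag not in known:
            return False  # unknown critical property: must not issue
    issue = [value for _flags, tag, value in records if tag == "issue"]
    if not issue:
        return True  # no CAA at all, or no issue property: not restricted
    for value in issue:
        domain = value.split(";", 1)[0].strip().lower()  # drop parameters
        if domain == ca_domain.lower():
            return True
    return False  # 'issue ";"' or only other CAs listed


def check(name, ca_domain, lookup):
    """Return 'allowed', 'refused', or the DNS error text, like a CA's log line."""
    try:
        return "allowed" if may_issue(name, ca_domain, lookup) else "refused"
    except CAALookupError as e:
        return str(e)


# --- constructed resolver behaviour (assumption, not real DNS data) ---

def broken_lookup(owner):
    """Mimics the thread: the servers for hy1.com answer CAA queries with SERVFAIL."""
    if owner.endswith("hy1.com"):
        return SERVFAIL, []
    return NOERROR, []


HEALTHY_ZONE = {
    "example.org": [encode_caa(0, "issue", "letsencrypt.org"),
                    encode_caa(0, "iodef", "mailto:security@example.org")],
}


def healthy_lookup(owner):
    """www.example.org has no CAA (NOERROR, empty); example.org restricts
    issuance to letsencrypt.org; the TLD has none."""
    return NOERROR, HEALTHY_ZONE.get(owner, [])


if __name__ == "__main__":
    print(check("www.example.org", "letsencrypt.org", healthy_lookup))   # allowed
    print(check("www.example.org", "other-ca.example", healthy_lookup))  # refused
    print(check("agent.hy1.com", "letsencrypt.org", broken_lookup))      # the SERVFAIL error
```

Note the difference between the two empty answers: NOERROR with no CAA records and NXDOMAIN both mean "keep climbing", while SERVFAIL is a hard failure at that label. That is why a name with no CAA records at all still cannot get a certificate when its nameservers mishandle the query type.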


#3

DNS.COM has issues.

  • Some of the DNS servers don’t respond.

  • They all have bugs; some servers have more and worse bugs than others.

  • Some of them have different versions of the zone.

  • They don’t support case randomization. That is totally valid, but Let’s Encrypt’s resolver either requires that it is supported or enters a fallback mode, which almost always works, but sometimes doesn’t.

The other issues – plus having a lot of servers, far away – make the fallback mode less reliable.
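The case randomization mentioned in the last bullet is DNS 0x20: the resolver flips the case of letters in the query name and only accepts a reply that echoes the same pattern, which gives an off-path spoofer extra bits to guess. A server that rewrites the question name to lower case is still standards-conformant, but the resolver can no longer match its pattern and must either reject the reply or retry without randomization. This added example (not code from the thread or from Let's Encrypt's resolver) models both server behaviours and the strict-versus-fallback decision; the two server functions and the `coin` parameter are constructed stand-ins, not real DNS traffic.

```python
"""DNS 0x20 (query-name case randomization) with strict and fallback handling.

Added example, not code from the thread or from Let's Encrypt's resolver. The
'servers' are constructed stand-ins: one echoes the question name
byte-for-byte, one rewrites it to lower case, which is what breaks 0x20.
"""
import random


def randomize_case(qname, coin):
    """Flip each letter of qname to upper or lower case according to coin().
    DNS names compare case-insensitively, so a correct server answers the same
    question either way; the case pattern is extra entropy a spoofer must guess."""
    return "".join(
        (ch.upper() if coin() else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def entropy_bits(qname):
    """Extra guessing work 0x20 adds: one bit per letter in the name."""
    return sum(1 for ch in qname if ch.isalpha())


def preserving_server(qname):
    """A correct authoritative server copies the question name unchanged."""
    return qname


def lowercasing_server(qname):
    """A server that normalises the question name: valid per RFC 1035, but it
    defeats 0x20 because the resolver can no longer match its own pattern."""
    return qname.lower()


def query_with_0x20(server, qname, coin=lambda: random.getrandbits(1), allow_fallback=True):
    """Send a case-randomised query and accept only a reply echoing the exact
    pattern. If the reply differs only in case, either reject it (strict) or
    retry once without randomisation (fallback), giving up the extra bits.
    Returns (status, sent_qname, echoed_qname)."""
    sent = randomize_case(qname, coin)
    echoed = server(sent)
    if echoed == sent:
        return "ok", sent, echoed
    if echoed.lower() != sent.lower():
        return "reject", sent, echoed  # reply is for a different name entirely
    if not allow_fallback:
        return "reject", sent, echoed  # strict mode treats a case mismatch as spoofed
    plain = qname.lower()
    echoed = server(plain)
    return ("ok-fallback" if echoed == plain else "reject"), plain, echoed


if __name__ == "__main__":
    all_upper = lambda: 1  # deterministic pattern for the demo
    print(query_with_0x20(preserving_server, "agent.hy1.com", coin=all_upper))
    print(query_with_0x20(lowercasing_server, "agent.hy1.com", coin=all_upper))
    print(query_with_0x20(lowercasing_server, "agent.hy1.com", coin=all_upper, allow_fallback=False))
    print(entropy_bits("agent.hy1.com"))  # 10
```

The fallback path is the "almost always works" mode from the post: the query still gets answered, but only after a second round trip and without the case entropy, so every other weakness of the nameservers (timeouts, inconsistent zone copies) has more chances to turn the retry into a failure.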


#4

Thank you for your reply.
We have changed the DNS provider to NS1 and it works for us.