DNS problem: SERVFAIL looking up CAA


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
smoki.fish

I ran this command:
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html --no-bootstrap --no-self-upgrade --agree-tos --non-interactive --renew-by-default -d smoki.fish -d www.smoki.fish

It produced this output:
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
utils.DeprecatedIn23,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for smoki.fish
http-01 challenge for www.smoki.fish
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain smoki.fish
Challenge failed for domain www.smoki.fish
http-01 challenge for smoki.fish
http-01 challenge for www.smoki.fish
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: smoki.fish
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for smoki.fish

    Domain: www.smoki.fish
    Type: None
    Detail: DNS problem: SERVFAIL looking up CAA for smoki.fish

My web server is (include version):
nginx 1.12.2

The operating system my web server runs on is (include version):
Ubuntu 14.04

My hosting provider, if applicable, is:
no

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
$ ./certbot-auto --version
certbot 0.32.0


#2

It seems like the domain has some kind of DNSSEC or EDNS issues, but I don’t understand what’s happening really.

https://letsdebug.net/smoki.fish/29565
http://dnsviz.net/d/smoki.fish/dnssec/
https://ednscomp.isc.org/ednscomp/592057cda1
https://unboundtest.com/m/CAA/smoki.fish/MBFV5NJZ

After turning up debug logging, it seems that the problem is with the signature of your nameservers’ NSEC responses … one workaround could be to add CAA records for smoki.fish and www.smoki.fish to avoid any NSEC …


#3

Unrelated but worth mentioning:


#4

Following this trick from @mnordhoff to identify that these nameservers are running PowerDNS, if you run the nameservers, you could also try to rehash the zone:

sudo pdnsutil rectify-zone smoki.fish

or if you don’t run the nameservers, you can ask the operator to do the same.


#5

Thank you very much for the answer! We’ll first try to remove all DNSSEC records except the one with key id = 6935, which is pointed to by the DS record as I see here https://mxtoolbox.com/SuperTool.aspx?action=ds%3asmoki.fish&run=toolpage. If it doesn’t solve the problem, we’ll ask the operator to rehash the zone. Thanks a lot! I’ll come back soon.


#6

How should the CAA record we need to create look?


#7

Hi @Ecwid

I don’t know if DNSSEC is directly the problem.

The first nameserver of the fish-zone is buggy ( https://check-your-website.server-daten.de/?q=smoki.fish ).

Fatal error: Nameserver doesn’t support TCP connection: demand.alpha.aridns.net.au: Fatal error (-14). Details: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. - An existing connection was forcibly closed by the remote host

Checking a CAA record: first smoki.fish is checked; if there is no CAA entry, fish is checked. So if you have a smoki.fish CAA, the buggy nameserver is ignored.

But DNSSEC without TCP-support is critical.

So create a CAA entry to stop the check of .fish.

There is a second thing: your IP addresses:

Host             T     IP-Address      is auth.   ∑ Queries   ∑ Timeout
smoki.fish       A     34.193.83.23    yes        1           0
                 AAAA                  yes
www.smoki.fish   C     smoki.co        yes        1           0
                 A     34.193.83.23    yes

Your www version has a CNAME to smoki.co - but that zone has no parent DS, but a local DNSKEY:

Fatal error: DNSKEY 55399 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

But the IP address is the same, so perhaps it’s possible to change

www.smoki.fish -> CNAME -> smoki.fish

so the smoki.co domain isn’t touched / checked.


#8

You would need to create two CAA records to avoid this issue, otherwise the NSEC problem will stop you.

smoki.fish.              300     IN      CAA     0 issue "letsencrypt.org"
www.smoki.fish.          300     IN      CAA     0 issue "letsencrypt.org"
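To make the search order described in #7 (exact name first, then the parent) and the "two records, not one" advice in #8 concrete, here is a small simulation of the CAA lookup as a CA performs it. This is an added example, not code from this thread, from Certbot or from Let's Encrypt: it parses CAA records in the presentation format shown above and walks from the requested name towards the root, treating a SERVFAIL on any step as a failed check. The answer tables (`BROKEN`, `FIXED_APEX_ONLY`, `FIXED_BOTH`) are constructed stand-ins for the states discussed in the thread; no real DNS query is made.

```python
"""Simulated CAA lookup, following the RFC 8659 search order.

Added example, not code from this thread or from Certbot/Let's Encrypt. It
models what posts #7 and #8 describe: the CA asks for CAA at the exact name
first and only climbs to the parent (www.smoki.fish -> smoki.fish -> fish) when
a name has no CAA RRset; a SERVFAIL on any step fails the whole check. The
answer tables below are constructed stand-ins; no real DNS query is made.
"""
import re
from typing import Dict, List, Tuple, Union

CAARecord = Tuple[int, str, str]          # (flags, tag, value)
SERVFAIL = "SERVFAIL"
Answer = Union[str, List[CAARecord]]      # SERVFAIL, or the CAA RRset ([] = no data)

# Matches zone-file lines such as:  smoki.fish.  300  IN  CAA  0 issue "letsencrypt.org"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"$')


def parse_caa_zone(text: str) -> Dict[str, List[CAARecord]]:
    """Parse CAA records in presentation format into {owner name: [records]}."""
    zone: Dict[str, List[CAARecord]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner = m["name"].rstrip(".").lower()
        zone.setdefault(owner, []).append((int(m["flags"]), m["tag"].lower(), m["value"]))
    return zone


def lookup_caa(name: str, answers: Dict[str, Answer]) -> Tuple[str, List[CAARecord], str]:
    """Return (status, records, name_that_answered).

    Walks from `name` towards the root. The first name with a CAA RRset ends the
    search; a SERVFAIL anywhere on the way fails it. A name missing from
    `answers` is treated as NOERROR/NODATA (no CAA, keep climbing).
    """
    labels = name.rstrip(".").lower().split(".")
    while labels:
        qname = ".".join(labels)
        result = answers.get(qname, [])
        if result == SERVFAIL:
            return SERVFAIL, [], qname
        if result:
            return "NOERROR", list(result), qname
        labels.pop(0)                      # no CAA here: try the parent
    return "NOERROR", [], ""               # reached the root: unrestricted


def issuance_permitted(name: str, answers: Dict[str, Answer], ca_domain: str) -> Tuple[bool, str]:
    """Decide whether `ca_domain` may issue for `name` (non-wildcard, 'issue' tag only)."""
    status, records, where = lookup_caa(name, answers)
    if status == SERVFAIL:
        return False, f"DNS problem: SERVFAIL looking up CAA for {where}"
    if not records:
        return True, "no CAA records found on the path to the root; any CA may issue"
    # Critical flag (bit 0x80) on a tag we do not understand: must refuse.
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in {"issue", "issuewild", "iodef"}:
            return False, f"critical unknown CAA tag {tag!r} at {where}"
    issuers = [value.split(";")[0].strip().lower() for _, tag, value in records if tag == "issue"]
    if not issuers:
        return True, f"CAA at {where} has no 'issue' tag; issuance not restricted"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is authorised by CAA at {where}"
    return False, f"{ca_domain} not among CAA issuers {issuers} at {where}"


# The two records suggested in post #8, in the same presentation format.
CAA_ZONE_TEXT = """
smoki.fish.              300     IN      CAA     0 issue "letsencrypt.org"
www.smoki.fish.          300     IN      CAA     0 issue "letsencrypt.org"
"""
FIXED_BOTH: Dict[str, Answer] = dict(parse_caa_zone(CAA_ZONE_TEXT))

# Constructed stand-in for the failing state: the name answers SERVFAIL (as the
# unvalidatable NSEC denial in post #2 does), so the CA never gets a usable RRset.
BROKEN: Dict[str, Answer] = {"smoki.fish": SERVFAIL, "www.smoki.fish": SERVFAIL}

# Only the apex record added: the www name still returns its broken negative answer.
FIXED_APEX_ONLY: Dict[str, Answer] = {"www.smoki.fish": SERVFAIL,
                                      "smoki.fish": FIXED_BOTH["smoki.fish"]}

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("apex only", FIXED_APEX_ONLY), ("both", FIXED_BOTH)):
        for host in ("smoki.fish", "www.smoki.fish"):
            ok, why = issuance_permitted(host, table, "letsencrypt.org")
            print(f"{label:10} {host:16} {'OK ' if ok else 'FAIL'} {why}")
```

Running it shows why one record at the apex is not enough: with `FIXED_APEX_ONLY` the apex passes but `www.smoki.fish` still fails on its own broken negative answer, and only `FIXED_BOTH` lets both names through. The `lookup_caa` walk also shows the other half of #7: a name with a positive CAA RRset ends the search, so the parent zone (`fish`) is never consulted.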

#9

Thank you guys!!! You’re amazingly helpful. I’ll come back again as soon as we have managed all of those recommendations. Thanks!


#10

FWIW…

version.bind.           5       CH      TXT     "Served by POWERDNS 3.2 $Id: packethandler.cc 3022 2013-01-05 13:00:10Z peter $"

Whatever the issue here is, it needs to be upgraded anyway.


closed #11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.