DNS Resolver Upgraded to Unbound 1.18, Empty Responses require SOA sections

On November 28th, Let’s Encrypt updated our Production environment to Unbound 1.18, which enforces stricter compliance with RFC 2308, section 3:

Name servers authoritative for a zone MUST include the SOA record of the zone in the authority section of the response when reporting an NXDOMAIN or indicating that no data of the requested type exists. This is required so that the response may be cached.

This most commonly surfaces during the CAA check specified by RFC 8659, section 3. When Let’s Encrypt queries for a CAA record that does not exist, Unbound 1.18 expects the negative response, whether NXDOMAIN or NODATA (NOERROR with an empty answer section), to carry the zone’s SOA record in the authority section. If it is missing, Unbound returns SERVFAIL, and a SERVFAIL during the CAA check causes issuance to fail with an error like the following:

DNS problem: SERVFAIL looking up CAA for www.example.com - the domain's nameservers may be malfunctioning

It’s possible to isolate this problem using DNSViz, which shows this condition as an Error on the lookup. One can also test it using UnboundTest, which has options to test against both Unbound 1.16 and Unbound 1.18. Check every authoritative nameserver for the zone: if only some of them omit the SOA, failures will be intermittent.
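To make the RFC 2308 requirement concrete, here is an added example (not Let’s Encrypt code, and not taken from Unbound or DNSViz) that parses a DNS response in wire format and reports whether an NXDOMAIN or NODATA answer carries an SOA record in its authority section, which is the condition Unbound 1.18 now enforces. The function names `check_negative_response` and `build_negative_response` are assumptions of this example, and the responses it inspects are constructed inline rather than captured from a real nameserver.

```python
"""Check whether a DNS negative response satisfies RFC 2308 section 3.

Added example, not Let's Encrypt or Unbound code. A negative response
(NXDOMAIN, or NOERROR with an empty answer section, i.e. NODATA) must
carry the zone's SOA in the authority section; otherwise a resolver
cannot cache it, and Unbound 1.18 answers SERVFAIL instead.
"""
import struct

TYPE_SOA = 6
TYPE_CAA = 257
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def _read_name(msg: bytes, offset: int):
    """Decode a domain name (with RFC 1035 compression); return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def _read_rr(msg: bytes, offset: int):
    """Read one resource record header; RDATA is skipped, not decoded."""
    name, offset = _read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
    return (name, rtype, rclass, ttl), offset + 10 + rdlen


def check_negative_response(msg: bytes) -> dict:
    """Classify a response and say whether it is cacheable under RFC 2308."""
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, offset = flags & 0x0F, 12
    for _ in range(qdcount):  # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers, authority = [], []
    for _ in range(ancount):
        rr, offset = _read_rr(msg, offset)
        answers.append(rr)
    for _ in range(nscount):
        rr, offset = _read_rr(msg, offset)
        authority.append(rr)
    has_soa = any(rr[1] == TYPE_SOA for rr in authority)
    if rcode == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif rcode == RCODE_NOERROR:
        kind = "NODATA" if not answers else "POSITIVE"
    else:
        kind = f"RCODE{rcode}"
    negative = kind in ("NXDOMAIN", "NODATA")
    return {"kind": kind, "soa_in_authority": has_soa, "compliant": (not negative) or has_soa}


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_negative_response(qname: str, qtype: int, rcode: int, include_soa: bool,
                            zone: str = "example.com.") -> bytes:
    """Construct a sample authoritative negative response (test data, not captured traffic)."""
    flags = 0x8400 | rcode  # QR=1, AA=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 1 if include_soa else 0, 0)
    qname_wire = _encode_name(qname)
    msg = header + qname_wire + struct.pack("!HH", qtype, 1)
    if include_soa:
        # Owner name is a compression pointer into the question name (zone is a suffix of qname).
        owner = struct.pack("!H", 0xC000 | (12 + len(qname_wire) - len(_encode_name(zone))))
        rdata = (_encode_name("ns1." + zone) + _encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2023112801, 7200, 900, 1209600, 3600))
        msg += owner + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    for rcode, soa in ((RCODE_NOERROR, True), (RCODE_NOERROR, False), (RCODE_NXDOMAIN, False)):
        print(check_negative_response(build_negative_response("www.example.com.", TYPE_CAA, rcode, soa)))
```

Against a live zone the equivalent check is to query each authoritative server directly, for example `dig @ns1.example.com www.example.com CAA +norecurse`, and confirm that the AUTHORITY SECTION of the `NOERROR` or `NXDOMAIN` reply contains the zone’s SOA; a reply that passes through a recursive resolver can hide the defect.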

Generally, updates to Unbound have not caused subscriber-visible behavior changes. Given the unexpected impact of this one, we’ll announce the next Unbound update as an API Announcement beforehand.