For what it’s worth, I’m getting the same error described here.

The error seems to be quite random. In the screenshot you can see that pretty much all the lookups are failing consistently right now even for different records. However, I’m unable to reproduce it as querying the same records/zones via dig (using Google Public DNS) works like a charm.

Let me know if you need more debug info privately. I’ve removed the zone names for privacy.

@cpu I can confirm the domains that are failing on my side also have DNSSEC. However, the queries are returning status: NOERROR and no NXDOMAIN.

Let me know if I can help in some way.

Sorry to use this thread (@cpu let me know if I should open a new one for my case), but it’s not clear to me if the issue seems to be on LE’s side, or on @rickjanssen’s side.

I am experiencing the same issue, and I can’t really reproduce it right now. Running a dig against a name that is reported to fail from LE is succeeding for me. We don’t use PowerDNS, we wrote our NS in house.

Is there any way I can get some more details on how the query is performed on your side @cpu? Or should I send you the hostnames so that you can help me to trace them down?

I wonder if something has changed recently at LE resolver. This is the very first time I see this issue happening.

I don’t think it’s clear yet whether this is a problem with our Unbound configuration or the remote server.
EDIT: In this case I’m fairly confident it is not our Unbound configuration/server.

I shared an Unbound configuration in the original thread this was split from that can be used to try and replicate locally. The OP in that thread seems to have success with that. It’s not the exact configuration we run in production but seems sufficient for replicating the issue in so much as I understand it presently. Can you give that a shot? I can also provide some logs & pcaps if you share an affected domain name.

I think this was likely always a problem but was masked until our CAA SERVFAIL change.

So far investigation hints at this being caused by a broken RRSET signature - waiting on confirmation that we understand the root cause before claiming this case closed :slight_smile:
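An added diagnostic script (not from this thread, Let’s Encrypt or DNSimple) for the symptom described above: a CAA lookup that SERVFAILs only when the resolver validates DNSSEC, which is what a broken RRSIG produces. It assumes `dig` from the BIND utilities and a validating recursive resolver at `RESOLVER` (defaulting to a local Unbound on 127.0.0.1, an assumption); it compares a normal query with one sent with the CD (checking disabled) bit.

```shell
#!/bin/sh
# Assumption: a validating resolver (e.g. a local Unbound) listens at $RESOLVER.
RESOLVER="${RESOLVER:-127.0.0.1}"

# Extract the "status:" field from dig's header, read from stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify the pair (status with validation, status with CD bit set).
# Prints one of: DNSSEC_BOGUS, RESOLVER_OR_AUTH_FAILURE, OK, OTHER
classify_dnssec() {
  validating="$1"
  checking_disabled="$2"
  if [ "$validating" = "SERVFAIL" ] && [ "$checking_disabled" = "NOERROR" ]; then
    # Data exists but the validating resolver rejects it: bad/expired RRSIG, chain break
    echo "DNSSEC_BOGUS"
  elif [ "$validating" = "SERVFAIL" ] && [ "$checking_disabled" = "SERVFAIL" ]; then
    # Fails even with validation off: authoritative server or resolver problem
    echo "RESOLVER_OR_AUTH_FAILURE"
  elif [ "$validating" = "NOERROR" ] || [ "$validating" = "NXDOMAIN" ]; then
    echo "OK"
  else
    echo "OTHER"
  fi
}

# Query CAA for a name twice (validating, then with +cd) and print the verdict.
check_caa() {
  name="$1"
  v=$(dig @"$RESOLVER" +dnssec +time=3 +tries=1 "$name" CAA | dig_status)
  c=$(dig @"$RESOLVER" +dnssec +cd +time=3 +tries=1 "$name" CAA | dig_status)
  printf '%s validating=%s cd=%s -> %s\n' "$name" "$v" "$c" "$(classify_dnssec "$v" "$c")"
}

# Usage: RESOLVER=127.0.0.1 sh caa-dnssec-check.sh example.com example.net
if [ "$#" -gt 0 ]; then
  for n in "$@"; do check_caa "$n"; done
fi
```

A DNSSEC_BOGUS verdict on the validating resolver while public resolvers answer NOERROR points at the zone’s signatures, not at the CAA record itself.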

For folks that might stumble upon this issue and wonder what the resolution was: There was a DNSimple bug and it has since been fixed. If you experience a CAA error and are a DNSimple customer it is not caused by this bug. Please open a new forum thread / bug report and we would be happy to help you diagnose the problem :slight_smile: