Error message after renewing an existing SSL certificate



We got the error message below after running the renew procedure (we replaced the real domain name with

Type: connection
Detail: DNS problem: query timed out looking up CAA for

So, we ran the command manually:
dig -t type257

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512

;; Query time: 2041 msec
;; WHEN: Wed Jan 11 11:22:33 CST 2017
;; MSG SIZE rcvd: 48

We see the message “status: SERVFAIL” after running the dig command. Is that the reason why the DNS problem occurs?

Or is there any way to work around this?

Thanks in advance.


Both SERVFAIL and a timeout during the CAA query would cause an error.

There’s not really a workaround, other than making sure your authoritative name servers give a valid response. You don’t need a CAA record, or even a DNS server with real CAA support; an empty response is just fine. It can’t be something like SERVFAIL (or just a timeout). If Let’s Encrypt were to accept CAA timeouts as a valid response, there would not be much point in enforcing CAA at all (that would open up a way to bypass it via DoS attacks).

If you’re running your own DNS servers, an updated version of your DNS server software that doesn’t misbehave when faced with a CAA query might be available. If you’re using a third-party DNS provider, you’d have to ask them whether that’s something they can fix, or potentially switch to a different one.
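As an added example (not part of the original thread, and not Let’s Encrypt’s own code), the script below performs the same kind of check a CA does: it sends a raw CAA (type 257) query for the requested name and each parent name, then classifies each answer the way the reply above describes, where NOERROR with an empty answer section is acceptable and SERVFAIL, REFUSED or a timeout is not. The default resolver address 8.8.8.8, the `make_response` helper that fabricates constructed sample responses for offline use, and the choice to treat NXDOMAIN as “no CAA records” are assumptions of this example.

```python
"""Check that every name in a CAA lookup chain answers cleanly.

A CA checks CAA at the requested name and at each parent label. NOERROR with
an empty answer section means "no CAA restriction"; SERVFAIL, REFUSED or a
timeout at any level is treated as a failure and blocks issuance.
"""
import socket
import struct

CAA_TYPE = 257          # "dig -t type257" sends exactly this query type
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_caa_query(name, txid=0x1234):
    """Build a minimal wire-format DNS query for CAA, class IN, with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", CAA_TYPE, 1)


def classify_response(wire):
    """Reduce a raw DNS response (or None for a timeout) to rcode name + answer count."""
    if wire is None:
        return {"rcode": "TIMEOUT", "answers": 0}
    if len(wire) < 12:
        return {"rcode": "MALFORMED", "answers": 0}
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x000F
    return {"rcode": RCODE_NAMES.get(rcode, "RCODE%d" % rcode), "answers": ancount}


def is_acceptable(result):
    """NOERROR (with or without CAA records) is a valid answer; treating NXDOMAIN
    as "no records" is an assumption of this example. Anything else, including
    SERVFAIL, REFUSED and a timeout, is a lookup failure."""
    return result["rcode"] in ("NOERROR", "NXDOMAIN")


def parent_chain(name):
    """'www.example.com' -> ['www.example.com', 'example.com', 'com']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def udp_query(name, server="8.8.8.8", timeout=5.0):
    """Send one CAA query over UDP; return raw response bytes, or None on timeout.
    The resolver address is an assumption; point it at the authoritative server
    to test what the CA's resolver would see from it."""
    query = build_caa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


def check_caa_chain(name, resolver=udp_query):
    """Query CAA for name and every parent; return (all_ok, per-name results)."""
    results = {n: classify_response(resolver(n)) for n in parent_chain(name)}
    return all(is_acceptable(r) for r in results.values()), results


def make_response(rcode, ancount, txid=0x1234):
    """Constructed sample response (header only, flags QR|RD|RA) for offline use;
    classify_response only reads the header, so this is enough to exercise it."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 0, ancount, 0, 0)


if __name__ == "__main__":
    # Offline reproduction of the situation in the thread: the leaf name answers
    # SERVFAIL to CAA while its parents return NOERROR with no records.
    fake = {"www.example.com": make_response(2, 0),
            "example.com": make_response(0, 0),
            "com": make_response(0, 0)}
    ok, per_name = check_caa_chain("www.example.com", resolver=fake.get)
    for n, r in per_name.items():
        print("%-20s %-9s answers=%d %s" % (n, r["rcode"], r["answers"],
                                            "ok" if is_acceptable(r) else "FAIL"))
    print("issuance would", "succeed" if ok else "fail on CAA lookup")
```

Run it against a real name with `check_caa_chain("www.example.com")` (the default resolver is used) and compare with `dig -t type257`; a provider whose servers return SERVFAIL for the leaf but NOERROR for the parents shows up as a single failing row.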



OK. We understand and will check what you mentioned.
Thanks for your help.


Always use a DNS propagation checker to make sure your DNS is correct and has also propagated.

Also use this tool to thoroughly analyze your DNS.


Thanks for your suggestion.

We used the dig command to check that with different record types:
dig -> status: NOERROR
dig -t soa -> status: NOERROR
dig -t type257 -> status: SERVFAIL

So we guess this may be caused by the SERVFAIL, but we are not very sure. We may check that with the website you mentioned.


A dig right now from South Africa gave:

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

; IN A


;; Query time: 307 msec
;; WHEN: Thu Jan 12 12:16:37 2017
;; MSG SIZE rcvd: 44

and the DNS propagation checker looks all good now.



It’s OK when looking up the A record, but it always returns “status: SERVFAIL” when looking up CAA.
Our customer will ask their DNS provider to check that.

