I try to renew my domain datenknoten.me, but it fails strangely with a SERVFAIL by the Let’s Encrypt Resolver, but all the resolvers I try seem to work?!
I'm not sure whether this is the actual reason for the failure, but there are DNSSEC errors (as opposed to warnings) reported by datenknoten.me | DNSViz
datenknoten.me/A: The DS RRset for the zone included algorithm 8 (RSASHA256), but no RRSIG with algorithm 8 covering the RRset was returned in the response. (95.85.45.221, 144.76.154.114, 2a01:4f8:200:2265::2, 2a03:b0c0:0:1010::fb:8001, UDP_0_EDNS0_32768_4096)
Maybe Let's Encrypt's Unbound resolver is set to super strict DNSSEC evaluation.
On Unbound 1.6.7/1.6.8, with "harden-algo-downgrade" off, I can resolve the zone; with it on, it fails.
harden-algo-downgrade: <yes or no>
    Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure.
So in order to fix this I have to actually downgrade the algorithm from RSASHA512 to RSASHA256? I do not understand where the algorithm 8 (RSASHA256) comes from. Is that something my provider should have taken care of?
I'm out of my depth, but I guess you either need to remove the algo 8 DS record, or (bad idea) add an algo 8 DNSKEY and/or RRSIGs. Or switch entirely to algo 8.
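As an added illustration of the check behind the DNSViz error and Unbound's harden-algo-downgrade (not code from this thread): RFC 4035 section 2.2 requires that every algorithm listed in the parent's DS RRset also sign the child's RRsets, and a strict validator fails the zone when one DS algorithm has no matching DNSKEY or RRSIG. The records below are constructed samples in zone presentation format under the placeholder name example.test, not datenknoten.me's real data; the example reproduces the "DS includes algorithm 8 but no RRSIG with algorithm 8" diagnosis and shows that dropping the stray algorithm 8 DS record clears it.

```python
# Added example, not from the thread: offline check of the RFC 4035 §2.2 rule that
# DNSViz reports on and that Unbound enforces with harden-algo-downgrade: yes.
# All records are constructed samples for the placeholder zone example.test.
ALGO_NAMES = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}

BROKEN_ZONE = """
example.test. 3600 IN DS 12345 8 2 ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
example.test. 3600 IN DS 54321 10 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
example.test. 3600 IN DNSKEY 257 3 10 AwEAAcONSTRUCTEDKEYDATA==
example.test. 3600 IN RRSIG DNSKEY 10 2 3600 20300101000000 20290101000000 54321 example.test. c29tZXNpZw==
example.test. 3600 IN RRSIG A 10 2 300 20300101000000 20290101000000 54321 example.test. c29tZXNpZw==
"""
# The "fix" the thread converges on: remove the DS record for the unused algorithm 8.
FIXED_ZONE = "\n".join(l for l in BROKEN_ZONE.splitlines() if " DS 12345 8 " not in l)


def parse_records(text):
    """Return (ds_algos, dnskey_algos, rrsig_algos_by_covered_type) from presentation-format lines."""
    ds, dnskey, rrsig = set(), set(), {}
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        rtype = f[3]
        if rtype == "DS":          # owner ttl class DS keytag alg digesttype digest
            ds.add(int(f[5]))
        elif rtype == "DNSKEY":    # owner ttl class DNSKEY flags proto alg key
            dnskey.add(int(f[6]))
        elif rtype == "RRSIG":     # owner ttl class RRSIG covered alg labels origttl exp inc keytag signer sig
            rrsig.setdefault(f[4], set()).add(int(f[5]))
    return ds, dnskey, rrsig


def algo_downgrade_errors(text):
    """DNSViz-style errors: DS algorithms that no DNSKEY uses or that no RRSIG on some RRset carries."""
    ds, dnskey, rrsig = parse_records(text)
    errors = []
    for alg in sorted(ds):
        name = ALGO_NAMES.get(alg, "unknown")
        if alg not in dnskey:
            errors.append(f"DNSKEY: DS lists algorithm {alg} ({name}) but no DNSKEY uses it")
        for covered, algs in sorted(rrsig.items()):
            if alg not in algs:
                errors.append(f"{covered}: DS includes algorithm {alg} ({name}) but no RRSIG with algorithm {alg} covers it")
    return errors


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, algo_downgrade_errors(zone) or ["no algorithm downgrade errors"])
```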