Getting a SERVFAIL looking up A for domains

My domain is:,, and and subdomains

I ran this command: certbot renew

It produced this output: … SERVFAIL looking up A for

My web server is (include version): Apache httpd 2.4.41-1

The operating system my web server runs on is (include version): Arch, kept up to date.

My hosting provider, if applicable, is: ARP Networks

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, properly through sudo and su.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

Everywhere I’ve looked online has been able to look up my domains with no issue, so I think it’s on Let’s Encrypt’s side.


Your domain isn’t resolvable publicly. Here’s a snippet (the last part) of dig +trace:

		86400	IN	NS	
		86400	IN	NS	
		86400	IN	DS	58278 10 1 CE69C813B8F96E8D08346E09249F5A926EE0CAD0
		86400	IN	DS	58278 10 2 ED95F1C4C9FA10CC0B03E76336EB8136C25FCA176267ED6B0E47665A B3A0F7AB
		86400	IN	DS	20589 10 1 44265D6EBEEE618FB9E17E9042A60B414A8F2297
		86400	IN	DS	20589 10 2 3FEE7966E35A8AFA49F89C7B5D9EAD5DED31972990ECDC8041014709 8F395739
		86400	IN	RRSIG	DS 7 2 86400 20200122152138 20200101142138 59927 info. aSgUE297olnes0fOXzlkdFmZFBJGnXiR75yVYmCpm8rfvGYLFMiZJ9k0 LLG57uIpP6leg8q36BLlhSVT6Rj5yU5/o+QyrUEudPRwTpp/FCIUW7fJ bZ96ltAuUy0kcIbJ3CIahoLTUSEB4V+3tq59ziDFbOzEhNMeWnE/qBZS pjU=
couldn't get address for '': failure
couldn't get address for '': failure
dig: couldn't get address for '': no more

Looks like your DNS servers aren’t resolvable and thus not reachable.

If we try the first DNS hostname, we get the same error:

		172800	IN	NS	
		172800	IN	NS	
		86400	IN	DS	30252 10 2 0FAD7B800CFCBF949689D7631BCF9E9A6EDEC868FE58C0DFB538EEFE 4A06F1F5
		86400	IN	DS	30252 10 1 F27B7CA2F5AB0588C0BEB9C54356F4B03EE157F6
		86400	IN	DS	31356 10 2 04AE639D0D71172D34F0973B7BCE5C75612D6375AF7A65A7974465B1 57BCE536
		86400	IN	DS	31356 10 1 463C3087DAD8A8F287325C85A13B822DEC7747C3
		86400	IN	RRSIG	DS 8 2 86400 20200117054601 20200110043601 12163 com. HFHKwvxeDNS6NZB+RYCY3ZX+WSHATs7n3i/hWEYjHsV+1d9quInEX3Y5 8aS0mm/5NX+nxssTzkm8K5PH8IHl21qucGLyKGH3CvyrSkxeIcxUSAcM DcOaeo/JcDcWraXym4zgJrPEAbwwK5h+cHlg4JnJCmiiGalUQmLCzCgL hskG7DEjOMpZc+0/63N4Wwq7b19YmGItbMIabsvYoAGSlA==
couldn't get address for '': failure
couldn't get address for '': failure
dig: couldn't get address for '': no more

The same for

You should add glue records to your zone.


It looks like your domains have/had bogus DNSSEC.

DNSViz reports errors like, “No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.”

You’ve added and removed DS records while I was writing this, but that’s what I get when DNSSEC is on, at least.

Additionally, your DNSKEY responses are over 8 KB. That is really big. It won’t cause things to fail – at least when clients and the network are working correctly, which they aren’t always – but it will cause things to be unnecessarily slow. Can you delete most of your keys and/or use smaller keys? If you want higher security than small RSA keys, consider using ECDSA.

(Though the TLDs you’re using have 1024- and 1280-bit ZSKs anyway.)

Edit: Okay, now your domains are all valid and most of the keys are gone.

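The DNSViz error quoted in the reply above is the DS-to-DNSKEY link breaking: a DS record in the parent (the digest type 1 and 2 records visible in the dig +trace output are SHA-1 and SHA-256 DS digests) must match a key in the child's DNSKEY RRset, or validating resolvers treat the zone as bogus and return SERVFAIL. The following is an added example, not code from the thread or from DNSViz, that implements the DS digest (RFC 4034 section 5.1.4) and key-tag (RFC 4034 Appendix B) computations so the mismatch can be reproduced offline. The zone name "example.test." and the key bytes are constructed stand-ins, not real keys, and the example checks only DS-to-DNSKEY correspondence; it does not verify RRSIG signatures. The last part of the example also computes DNSKEY RRset wire sizes, to illustrate the reply's point that many large RSA keys bloat the response while ECDSA P-256 keys keep it small.

```python
"""Check whether a zone's published DS records match a key in its DNSKEY RRset.

Added example (not from the forum thread). DS digest per RFC 4034 5.1.4,
key tag per RFC 4034 Appendix B. Keys are constructed byte strings for a
hypothetical zone; no real cryptographic material is involved.
"""
import hashlib
import struct

ZONE = "example.test."  # hypothetical zone name (assumption)

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DIGEST[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """The DS tuple (key tag, algorithm, digest type, digest hex) the parent zone publishes."""
    return (key_tag(rdata), rdata[3], digest_type,
            ds_digest(owner, rdata, digest_type).hex().upper())


def secure_entry_points(owner: str, dnskeys: list, ds_records: list) -> list:
    """Key tags of DNSKEYs that some DS record actually matches.

    An empty list is the condition DNSViz reports as "no secure entry point":
    validators mark the zone bogus and resolvers answer SERVFAIL.
    """
    matched = []
    for rdata in dnskeys:
        tag, alg = key_tag(rdata), rdata[3]
        for ds_tag, ds_alg, dtype, digest_hex in ds_records:
            if (ds_tag, ds_alg) != (tag, alg) or dtype not in DIGEST:
                continue  # tag/algorithm must agree before the digest is even compared
            if ds_digest(owner, rdata, dtype).hex().upper() == digest_hex:
                matched.append(tag)
                break
    return matched


def rrset_wire_size(owner: str, dnskeys: list) -> int:
    """Bytes the DNSKEY RRset occupies in a response (owner name written uncompressed)."""
    per_rr_overhead = len(name_to_wire(owner)) + 10  # TYPE, CLASS, TTL, RDLENGTH
    return sum(per_rr_overhead + len(r) for r in dnskeys)


def fake_key(label: bytes, size: int) -> bytes:
    """Deterministic filler standing in for public-key bytes (constructed, not a real key)."""
    return (hashlib.sha512(label).digest() * (size // 64 + 1))[:size]


# Constructed sample keys. An RSA-2048 DNSKEY carries a 1-byte exponent length,
# 3-byte exponent and 256-byte modulus (260 bytes); ECDSA P-256 carries 64 bytes.
KSK_OLD = dnskey_rdata(257, 8, fake_key(b"ksk-old", 260))   # RSASHA256 KSK that was rolled away
KSK_NEW = dnskey_rdata(257, 13, fake_key(b"ksk-new", 64))   # ECDSAP256SHA256 KSK now in the zone
ZSK = dnskey_rdata(256, 8, fake_key(b"zsk", 260))


def demo() -> dict:
    """Stale DS (still pointing at KSK_OLD) versus a DS published for KSK_NEW."""
    live_keys = [KSK_NEW, ZSK]
    return {
        "bogus": secure_entry_points(ZONE, live_keys, [make_ds(ZONE, KSK_OLD, 2)]),
        "fixed": secure_entry_points(ZONE, live_keys, [make_ds(ZONE, KSK_NEW, 2)]),
        "rsa_rrset_bytes": rrset_wire_size(ZONE, [KSK_OLD] * 4 + [ZSK] * 4),
        "ecdsa_rrset_bytes": rrset_wire_size(ZONE, [KSK_NEW, dnskey_rdata(256, 13, fake_key(b"zsk2", 64))]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "bogus" case is exactly what a zone looks like after its KSK has been replaced without updating the DS at the registrar, or after publishing a DS typed from the wrong key: every field of the DS is syntactically fine, but nothing in the live DNSKEY RRset hashes to it. The size figures are for the RRset alone; a real response also carries the RRSIGs, which is why a zone with many RSA keys ends up with a multi-kilobyte DNSKEY answer.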

Finally found a tool that suggested it was the DNSSEC record and fixed that up.

