Getting SERVFAIL on request, OK everywhere else

rickjanssen · May 5, 2017, 9:54am

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: Request from DirectAdmin

It produced this output: Challenge is invalid. Details: DNS problem: SERVFAIL looking up A for test.forcedesign.nl. Exiting…

My operating system is (include version): CentOS 6

My web server is (include version): Apache 2.4

My hosting provider, if applicable, is: Own

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin

mnordhoff · May 5, 2017, 10:36am

There appears to be a DNSSEC configuration issue with the name:

http://dnsviz.net/d/test.forcedesign.nl/dnssec/

For what it’s worth, i have a resolver using the same software Let’s Encrypt uses (Unbound), though it’s configured totally differently. Mine also returns SERVFAIL.

I would guess that Unbound considers the above DNSSEC problem a fatal error, but i can’t say for certain.

ahaw021 · May 7, 2017, 5:50am

Seems to be working now

TCM · May 7, 2017, 10:57am

Broken again. The zone forcedesign.nl. doesn’t have a DNSKEY but the parent zone nl. still has a DS record, indicating that the zone must be signed.

mnordhoff · May 7, 2017, 11:03am

That’s actually different than the issue i originally saw:

http://dnsviz.net/d/test.forcedesign.nl/WQxUUA/dnssec/

TCM · May 7, 2017, 12:02pm

It looks like someone tried to disable DNSSEC but forgot to remove the anchor at his registrar.

rickjanssen · May 8, 2017, 9:35am

The problem was with DirectAdmin adding a subdomain as new zone confusing DNSSEC in different key records since the zone test.forcedesign.nl did not have any but forcedesign.nl did

system · June 7, 2017, 9:41am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.