Getting SERVFAIL on request, OK everywhere else

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: Request from DirectAdmin

It produced this output: Challenge is invalid. Details: DNS problem: SERVFAIL looking up A for test.forcedesign.nl. Exiting…

My operating system is (include version): CentOS 6

My web server is (include version): Apache 2.4

My hosting provider, if applicable, is: Own

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin

There appears to be a DNSSEC configuration issue with the name:

http://dnsviz.net/d/test.forcedesign.nl/dnssec/

For what it’s worth, i have a resolver using the same software Let’s Encrypt uses (Unbound), though it’s configured totally differently. Mine also returns SERVFAIL.

I would guess that Unbound considers the above DNSSEC problem a fatal error, but i can’t say for certain.

Seems to be working now

Broken again. The zone forcedesign.nl. doesn’t have a DNSKEY but the parent zone nl. still has a DS record, indicating that the zone must be signed.

That’s actually different than the issue i originally saw:

http://dnsviz.net/d/test.forcedesign.nl/WQxUUA/dnssec/

It looks like someone tried to disable DNSSEC but forgot to remove the anchor at his registrar.

The problem was with DirectAdmin adding a subdomain as new zone confusing DNSSEC in different key records since the zone test.forcedesign.nl did not have any but forcedesign.nl did