Help diagnosing CAA failures `ns1.cyso.nl`

Looks like it might have been premature to split this off from the parent (PowerDNS) topic:

```
$ dig @ns1.cyso.nl version.bind txt chaos +short
"Served by PowerDNS - http://www.powerdns.com"
$ dig @ns2.cyso.eu version.bind txt chaos +short
"Served by PowerDNS - http://www.powerdns.com"
```

Might be the same root cause after all.

Addendum: if I do mixed-case requests manually through my local unbound (DNSSEC-validating) resolver, I get a SERVFAIL, too (with `use-caps-for-ids: no`), so while it’s still unbound in the mix, the problem isn’t specific to that option. Annoyingly, all the online DNSSEC checking tools I can find normalise the request to lowercase before sending it, so I can’t get a complete log of the misbehaviour. However, sending a mixed-case query to Google’s open DNS (which does DNSSEC validation) returns SERVFAIL, but its cache does case-normalisation, so if you send an all-lowercase request first, it works for the mixed-case version later – and, conversely, if you send the mixed-case version first, you will then get a SERVFAIL on the all-lowercase version! (At least until the cache expires, or you end up hitting a different machine in the load balancer group.)

DNS is weird. And everyone seems to be in agreement that PowerDNS is broken.

@jsha, what’s the process for getting a domain onto the “CAA SERVFAIL” exceptions list hinted at in the API announcements topic? I doubt we’re going to be able to fix the world’s PowerDNS servers in the next few weeks.
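
The lowercase versus mixed-case comparison described in the post above can be scripted; this is an added example, not part of the original post. It assumes `dig` is installed and that the resolver you pass does DNSSEC validation; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Compares the CAA answer for an all-lowercase name with a mixed-case spelling.

# mixcase NAME: uppercase every second letter, e.g. example.com -> ExAmPlE.cOm
mixcase() {
  printf '%s' "$1" | awk '{
    out = ""; n = 0
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (c ~ /[A-Za-z]/) { n++; c = (n % 2) ? toupper(c) : tolower(c) }
      out = out c
    }
    printf "%s", out
  }'
}

# rcode_of: read dig output on stdin, print the status from the header line.
rcode_of() {
  sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# verdict LOWER_RCODE MIXED_RCODE: classify the pair of results.
verdict() {
  if [ "$1" = "$2" ]; then
    case "$1" in
      NOERROR|NXDOMAIN) echo "consistent" ;;
      *) echo "both-failing" ;;
    esac
  elif [ "$2" = "SERVFAIL" ]; then
    echo "mixed-case-servfail"
  else
    echo "inconsistent"
  fi
}

# check_caa RESOLVER NAME: run both queries against a validating resolver.
# On a shared caching resolver the second result can depend on the first.
check_caa() {
  cc_lower=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  cc_mixed=$(mixcase "$cc_lower")
  cc_r1=$(dig "@$1" "$cc_lower" CAA +dnssec +tries=1 +time=5 | rcode_of)
  cc_r2=$(dig "@$1" "$cc_mixed" CAA +dnssec +tries=1 +time=5 | rcode_of)
  echo "$cc_lower -> ${cc_r1:-NORESPONSE}"
  echo "$cc_mixed -> ${cc_r2:-NORESPONSE}"
  verdict "${cc_r1:-NORESPONSE}" "${cc_r2:-NORESPONSE}"
}

if [ "$#" -eq 2 ]; then check_caa "$1" "$2"; fi
```

Invoke it with a resolver address and a domain name as the two arguments; with no arguments it only defines the functions.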