Intermittent SERVFAIL looking up CAA

OK, I did find in there a "Use custom nameservers" option that allowed me to input those Cloudflare nameservers. After putting the provided names there, I seem to be getting the expected results from dig and have been able to run multiple repeated certificate renewal dry runs without error.

3 Likes

OK, tell Njalla support this. They should check their nameservers.

2 Likes

An update from Njalla support:

Hi,
we also failed to get further insight into why Let's Encrypt certbot failed for your domain; it is used by many of the domains registered with Njalla and we also use it for njal.la.
None of the other users reported any errors like yours.

My best guess is that this must have been some caching issues on the servers of Let's Encrypt. If Cloudflare works for now, it's great that you found a workaround.

kind regards, Njalla team

So, any way to verify if that was a caching issue on Let's Encrypt's servers?

1 Like

The caching servers are operated by Cloudflare (and they do it globally).
So, I'm not sure how much LE can dig into that (or if they even have the time for that).

2 Likes

I am talking about the initial issues I was having before using CloudFlare as a workaround.

OK, my confusion.
I was talking about how LE works.
[they also use Cloudflare]

1 Like

Hm, so you're saying that, unless there is some peculiarity in how LE configured their CF stuff, it can't be a caching issue?

No, it can't be a caching issue. Let's Encrypt doesn't cache DNS responses more than a couple seconds at most.

3 Likes

So, what could it be then?

I don't think anyone here would be able to give you much better advice than you've already received. If your DNS service is sometimes returning SERVFAIL, then you need to fix your DNS service. If your current DNS service provider isn't handling or understanding the issue, perhaps switch to a different provider. (Your DNS provider doesn't need to be the same as your registrar or hosting provider.)

4 Likes
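
An added example, not part of any post in this thread: one way to check whether a given authoritative nameserver intermittently answers CAA queries with SERVFAIL is to ask it directly, many times, and tally the response codes. The script name and the nameserver addresses in the usage comment are placeholders, and the sketch assumes IPv4 and plain UDP.

```python
import socket, struct, sys
from collections import Counter

CAA = 257  # RR type number for CAA
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=CAA, qid=0x1234):
    """Encode a single-question DNS query with recursion disabled (RD=0)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(packet, qid=0x1234):
    """Return the response code name, or MALFORMED for a bad or mismatched reply."""
    if len(packet) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != qid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "MALFORMED"
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def probe(server_ip, name, attempts=20, timeout=2.0):
    """Ask one nameserver for CAA `attempts` times and tally the outcomes."""
    tally = Counter()
    for i in range(attempts):
        qid = 0x1000 + i
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, qid=qid), (server_ip, 53))
                tally[parse_rcode(s.recv(4096), qid)] += 1
            except OSError:  # timeout or network error
                tally["NO_REPLY"] += 1
    return tally

if __name__ == "__main__":
    # usage (placeholder addresses):
    #   python caa_probe.py example.com 192.0.2.53 198.51.100.53
    name, servers = sys.argv[1], sys.argv[2:]
    for ip in servers:
        print(ip, dict(probe(ip, name)))
```

A nameserver that shows any SERVFAIL or NO_REPLY counts across repeated runs is the one to report to the DNS provider.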

Nameservers look good now (all on Cloudflare).

2 Likes
