Issuing fails when using Microsoft DNS Servers


Hi @ryankekos,

Please see

We’re happy to work with people on this, but Microsoft may have to make a change in its software behavior.


This makes it sound like MS is "just" not supporting something and LE is failing to do the right thing when the exact opposite is the case.

MS has broken software that violates standards and fails to respond in a correct manner. There's nothing LE can do here and MS must fix their broken software.

Let's not twist the language to shift the blame.

This isn't true. The vast majority of certificates issued from Let's Encrypt are issued to domains with no CAA records in their DNS. However, the DNS server must respond appropriately with a NOERROR response, not a timeout or SERVFAIL. The responses from Windows Server 2012 in this case are a violation of IETF standards.

Are you positive that all Windows DNS Servers return SERVFAIL, or yours in particular? As several folks have said, the server needs only return NOERROR, and so most servers work by default. One common issue is a misconfigured firewall or DDoS appliance. Would you mind setting up a clean install (e.g. on a temporary AWS instance) so we can confirm whether it’s a bug in Windows DNS Server vs your particular setup?

Also, I’d strongly encourage you to share your domains publicly. They will be listed in Certificate Transparency once you issue a certificate, so there is no secrecy value. And letting a wide audience help will get you better results.
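The two posts above come down to one check: does the authoritative server answer a CAA query with NOERROR (with or without records), or with SERVFAIL or silence? The following script is an added example for reproducing that check yourself before blaming the server, the firewall, or the CA; it is not code from this thread or from Let's Encrypt. It uses only the Python standard library, builds a raw CAA query, and classifies the RCODE of whatever comes back. The `probe_server` function, the `fake_reply` helper and the sample replies are constructed for illustration; `fake_reply` exists only so the classifier can be exercised offline.

```python
"""Classify how a DNS server answers a CAA query: NOERROR vs SERVFAIL/timeout.

Added example (not from the thread or from Let's Encrypt). Standard library only.
"""
import socket
import struct

TYPE_CAA = 257  # CAA RR type code (RFC 8659)
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_caa_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal wire-format DNS query for the CAA RRset of `name`."""
    # Header: id, flags (RD only), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", TYPE_CAA, CLASS_IN)


def classify_response(query: bytes, response: bytes) -> str:
    """Return the RCODE name of a raw reply, or a label describing why it is unusable."""
    if len(response) < 12:
        return "TRUNCATED"
    txn_id, flags = struct.unpack("!HH", response[:4])
    if txn_id != struct.unpack("!H", query[:2])[0]:
        return "MISMATCH"          # reply does not belong to our query
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"    # QR bit clear: this is a query, not an answer
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def acceptable_for_issuance(verdict: str) -> bool:
    """NOERROR (even with an empty answer) is what the CA needs; NXDOMAIN is likewise a
    well-formed 'no records here' answer under RFC 8659. SERVFAIL, REFUSED and
    timeouts are lookup failures, and a CA must not issue on a failed CAA lookup."""
    return verdict in ("NOERROR", "NXDOMAIN")


def probe_server(server_ip: str, name: str, timeout: float = 3.0) -> str:
    """Send one UDP CAA query to `server_ip` and classify the reply (network access)."""
    query = build_caa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT"       # the other failure mode the thread describes
    return classify_response(query, reply)


def fake_reply(query: bytes, rcode: int) -> bytes:
    """Constructed reply for offline testing: echoes the question, sets QR/RD/RA and `rcode`."""
    flags = 0x8180 | (rcode & 0x000F)
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_caa_query("example.com")
    for code in (0, 2):
        verdict = classify_response(q, fake_reply(q, code))
        print(f"rcode {code}: {verdict}, acceptable={acceptable_for_issuance(verdict)}")
```

To test a real server, call `probe_server("<your authoritative IP>", "yourdomain.example")` from a host that can reach it directly; a verdict of SERVFAIL, REFUSED or TIMEOUT from the authoritative server itself points at the server or an appliance in front of it, while NOERROR means the CA-side lookup should succeed.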
