I have searched for, and read most of the related threads from back in 2017 about verification failures due to “DNS problem: SERVFAIL looking up CAA for XXX - the domain’s nameservers may be malfunctioning”, resulted by the server answering NOTIMP (Not Imlemented, aka. RCODE=4) to CAA query.
The reason was told to be Unbound converting NOTIMP into SERVFAIL and LE fails on SERVFAIL. This was hinted “to be known”.
Some people even went to the extent to call it invalid:
Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.
Unfortunately this statement were missing specific reference. I have tried to find this in RFC1034 and RFC1035, as well as in their updates, but found nothing to say it’d be illegal to reply NOTIMP for a function not actually implemented.
Some other people have made snarky remarks about outdated DNS servers and “you had X years to update”.
However the server in my case isn’t particularly outdated: it is rbldnsd, which is a very compact, special purpose server, specifically implementing minimal amount of RRs, since it’s main purpose to reply massive amounts of RBL requests. And does that pretty well. The minimal MUST RRs are implemented, and others are not. On purpose. According to RFCs.
So, here I am, with a server with valid replies, not implementing a function which is not compulsory for either DNS or LetsEncrypt, yet it’s impossible to have the domain verified since NOTIMP isn’t accepted.
I am still open for well referenced advices on why it would be invalid, and if justified, I’ll go out and have the server code patched; if there is no such reference, I would really appreciate if LE would follow up on a valid reply and would handle it as such: same as NXDOMAIN I suppose.
(All alternatives, like
- do not run webservers on the domain
- replace your server
- hack your dns [like dnsdist]
- you are < NAMECALLING > go away
are not really helping, since if I wanted to do that I wouldn’t have written this entry.)