PowerDNS: Can't find why CAA servfails

@ahaw021, I think that’s not the problem in this case because I looked at the site in both IPv4 and IPv6 and it seems to have the same content!

@jsha, I did some very preliminary tests here and seemed not to get the SERVFAIL myself (either via IPv4 or IPv6 DNS queries!)—can you get any more information from the logs about whether the CAA record lookup sometimes succeeds and sometimes fails from Let’s Encrypt’s point of view?

That’s interesting. From my home connection, I reproduced the SERVFAIL result right away.

@rickjanssen, are you able to file a ticket with your DNS provider?

@jsha What call did you make exactly? I’m not able to produce a SERVFAIL in any way. I am one of the administrators of the DNS servers.

I ran:

dig -t type257 vrouwejitske.nl @ns1.alt255.nl
dig -t type257 vrouwejitske.nl
dig ns vrouwejitske.nl
dig -t type257 vrouwejitske.nl @ns2.alt255.nl
dig +short -t type257 vrouwejitske.nl @ns2.alt255.nl
dig -t type257 vrouwejitske.nl @ns2.alt255.nl | grep status:
dig -t type257 vrouwejitske.nl @ns3.alt255.nl | grep status:
dig -t type257 vrouwejitske.nl @213.154.246.11 | grep status:
dig -t type257 vrouwejitske.nl @2001:7b8:e10::12 | grep status:

These queries are still returning SERVFAIL for me this morning. Note: just now I ran your for loop:

for num in {1..3}; do for flag in "" "+noadflag" ; do for type in A AAAA TYPE257 TXT ; do echo -n $flag $type ; dig $flag -t $type pop.gwvanpelt.nl @ns$num.zxcs.nl | grep status: ; done ; done ; done

And currently all results are NOERROR for me. It’s possible there’s a time-based component or an issue with some subset of your servers. Do you use anycast for your nameservers? Do you have an Intrusion Prevention System or firewall in place, especially one from Arbor Networks? We’ve gotten some reports that such systems can sometimes misidentify CAA queries and cause problems.

I’ve been poking this the last day or two. Had problems once. Resolver had to retry a few times for about 1.6 seconds before one of the servers responded. So it still worked, but it took about 1.7 seconds total.

2017-07-18 09:10:53.131754 IP6 ::1.50879 > ::1.53: 2388+ [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:53.210235 IP 45.33.103.94.64895 > 178.62.208.8.53: 28418% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:53.587653 IP 45.33.103.94.32114 > 178.62.208.8.53: 24575% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:53.964316 IP6 2600:3c02::13:5202.12161 > 2a03:b0c0:2:d0::57:1001.53: 25084% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:54.340899 IP6 2600:3c02::13:5202.4171 > 2a03:b0c0:2:d0::57:1001.53: 48752% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:54.717773 IP6 2600:3c02::13:5202.48881 > 2a06:2ec0:1::10.53: 5547% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:54.823751 IP6 2a06:2ec0:1::10.53 > 2600:3c02::13:5202.48881: 5547*- 0/4/1 (356)
2017-07-18 09:10:54.824715 IP6 ::1.53 > ::1.50879: 2388$ 0/4/1 (356)

Every other thing I tried seemed fine.

Edit: But it could have been random Internet congestion on my end, of course.

A post was split to a new topic: Help diagnosing CAA failures ns1.cyso.nl

@jsha that domain “vrouwejitske.nl” is not on our DNS server, you are confusing me with jror :slight_smile: . The domain in the loop you ran is our domain. So until now, only letsencrypt returns SERVFAILS randomly and no one else can reproduce. This is starting to get a bigger issue day by day… Some renewals are having these issues too. Can you please check why the letsencrypt server sees SERVFAILS?

Hi @rickjanssen,

One interesting result: Trying the dig queries you suggested directly against the alt255.nl nameservers seemed to work, but when I query for CAA against an Unbound test instance that I have configured similarly to production, I do seem to get repeatable SERVFAILs. Here’s an example query, and the verbose level Unbound logs. There are a bunch of ‘THROWAWAY’ responses, which from a quick Google looks like an Unbound internal error code used on receiving SERVFAIL.

$ dig caa  vrouwejitske.nl  @127.0.0.1 -p 1053
; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa vrouwejitske.nl @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38954
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vrouwejitske.nl.               IN      CAA

;; Query time: 3804 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Wed Jul 19 08:45:11 EDT 2017
;; MSG SIZE  rcvd: 44

Jul 19 08:45:07 unbound[25771:1] info: 127.0.0.1 vrouwejitske.nl. CAA IN
Jul 19 08:45:07 unbound[25771:1] info: resolving vrouwejitske.nl. CAA IN
Jul 19 08:45:07 unbound[25771:1] info: priming . IN NS
Jul 19 08:45:08 unbound[25771:1] info: response for . NS IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <.> 198.97.190.53#53
Jul 19 08:45:08 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:08 unbound[25771:1] info: priming successful for . NS IN
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <.> 202.12.27.33#53
Jul 19 08:45:08 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <nl.> 193.176.144.5#53
Jul 19 08:45:08 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: resolving ns1.alt255.nl. A IN
Jul 19 08:45:10 unbound[25771:1] info: response for ns1.alt255.nl. A IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <.> 192.203.230.10#53
Jul 19 08:45:10 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:10 unbound[25771:1] info: response for ns1.alt255.nl. A IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:45:10 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:11 unbound[25771:1] info: response for ns1.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <alt255.nl.> 109.106.160.213#53
Jul 19 08:45:11 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:11 unbound[25771:1] info: resolving ns2.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: response for ns2.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:45:11 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:11 unbound[25771:1] info: response for ns2.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <alt255.nl.> 109.106.175.205#53
Jul 19 08:45:11 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:11 unbound[25771:1] info: resolving ns3.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: response for ns3.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:45:11 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:11 unbound[25771:1] info: response for ns3.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <alt255.nl.> 109.106.175.205#53
Jul 19 08:45:11 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:11 unbound[25771:1] info: 127.0.0.1 vrouwejitske.nl. CAA IN SERVFAIL 3.802822 0 44

Hi @jsha

Please note that this whole thread is not about vrouwejitske.nl; please forget that domain, I’ve never said anything about that domain…

Use pop.gwvanpelt.nl please.

Kind regards,
Rick

Whoops, sorry for the confusion. Often members here will chime in with example queries trying to help the original posters, and I got confused. Here is verbose Unbound output for your domain:

Jul 19 08:55:12 unbound[24997:0] info: 127.0.0.1 pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: priming . IN NS
Jul 19 08:55:12 unbound[24997:0] info: response for . NS IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 192.33.4.12#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: priming successful for . NS IN
Jul 19 08:55:12 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 198.97.190.53#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 213.154.241.85#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: resolving ns2.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: resolving ns3.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: resolving ns1.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: response for ns1.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 192.5.4.1#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: resolving donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: resolving lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: response for donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 192.203.230.10#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <com.> 192.33.14.30#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <cloudflare.com.> 162.159.7.226#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 192.33.4.12#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for ns1.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <zxcs.nl.> 173.245.58.151#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <com.> 192.12.94.30#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <cloudflare.com.> 162.159.5.6#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for ns3.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for ns2.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for ns3.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <zxcs.nl.> 173.245.59.197#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for ns2.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <zxcs.nl.> 173.245.58.151#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <gwvanpelt.nl.> 185.104.28.19#53
Jul 19 08:55:12 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:12 unbound[24997:0] info: prime trust anchor
Jul 19 08:55:12 unbound[24997:0] info: resolving . DNSKEY IN
Jul 19 08:55:12 unbound[24997:0] info: response for . DNSKEY IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 202.12.27.33#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: validate keys with anchor(DS): sec_status_secure
Jul 19 08:55:12 unbound[24997:0] info: Successfully primed trust anchor . DNSKEY IN
Jul 19 08:55:12 unbound[24997:0] info: validated DS nl. DS IN
Jul 19 08:55:12 unbound[24997:0] info: resolving nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: response for nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:55:13 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validated DNSKEY nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: validated DS gwvanpelt.nl. DS IN
Jul 19 08:55:13 unbound[24997:0] info: resolving gwvanpelt.nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: response for gwvanpelt.nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validated DNSKEY gwvanpelt.nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 178.62.208.8#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:14 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:14 unbound[24997:0] info: reply from <gwvanpelt.nl.> 185.104.28.19#53
Jul 19 08:55:14 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:14 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:14 unbound[24997:0] info: 127.0.0.1 pop.gwvanpelt.nl. CAA IN SERVFAIL 1.833978 0 45

And here is a tcpdump of the queries and responses, encoded as base64 because Discourse won't allow upload of unrecognized files:

query.log.base64.txt (19.5 KB)

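The two Unbound logs above show two different failure classes for the same SERVFAIL: in the vrouwejitske.nl log every reply from the authoritative servers is classified THROWAWAY before anything is validated, while in the pop.gwvanpelt.nl log the servers answer NODATA and it is the validator that rejects the proof with sec_status_bogus. The script below is an added example, not code from the thread or from Unbound: it groups a verbosity-2 log by Unbound worker thread and reports, per upstream server, how its replies were classified and which of the two classes the lookup falls into. The embedded sample lines are copied from the two logs posted above, shortened; the script assumes one query per worker thread in the captured window, which holds for these logs.

```python
"""Triage an Unbound verbosity-2 log for one or more lookups.

Added example, not code from the thread or from Unbound. It groups the
'reply from', 'query response was', 'validate(...)' and final-rcode lines
by Unbound worker thread and reports, per upstream server, how its replies
were classified. Assumption: one query per worker thread in the captured
window, which holds for the two logs posted above.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a few lines copied from each of the two logs in the thread.
SAMPLE_LOG = """\
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:11 unbound[25771:1] info: 127.0.0.1 vrouwejitske.nl. CAA IN SERVFAIL 3.802822 0 44
Jul 19 08:55:12 unbound[24997:0] info: reply from <gwvanpelt.nl.> 185.104.28.19#53
Jul 19 08:55:12 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:14 unbound[24997:0] info: 127.0.0.1 pop.gwvanpelt.nl. CAA IN SERVFAIL 1.833978 0 45
"""

REPLY_RE = re.compile(r"unbound\[(\d+:\d+)\] info: reply from <(\S+)> (\S+)#\d+")
RESP_RE = re.compile(r"unbound\[(\d+:\d+)\] info: query response was (.+)$")
VAL_RE = re.compile(r"unbound\[(\d+:\d+)\] info: validate\((\w+)\): (sec_status_\w+)")
# Final per-query line: "<client> <qname> <qtype> IN <rcode> <seconds> <fromcache> <bytes>"
FINAL_RE = re.compile(
    r"unbound\[(\d+:\d+)\] info: \S+ (\S+) (\S+) IN (\w+) ([\d.]+) \d+ \d+$")


def _new_session():
    return {"qname": None, "qtype": None, "rcode": None, "seconds": None,
            "responses": defaultdict(Counter),  # upstream IP -> {classification: n}
            "validation": Counter()}            # sec_status_* -> n


def triage(log_text):
    """Return {worker_thread: session} built from the log lines."""
    sessions = {}
    last_server = {}  # worker thread -> IP of the most recent 'reply from' line
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            tid, _zone, ip = m.groups()
            sessions.setdefault(tid, _new_session())
            last_server[tid] = ip
            continue
        m = RESP_RE.search(line)
        if m:
            tid, kind = m.groups()
            s = sessions.setdefault(tid, _new_session())
            s["responses"][last_server.get(tid, "?")][kind] += 1
            continue
        m = VAL_RE.search(line)
        if m:
            tid, _what, status = m.groups()
            sessions.setdefault(tid, _new_session())["validation"][status] += 1
            continue
        m = FINAL_RE.search(line)
        if m:
            tid, qname, qtype, rcode, secs = m.groups()
            s = sessions.setdefault(tid, _new_session())
            s.update(qname=qname, qtype=qtype, rcode=rcode, seconds=float(secs))
    return sessions


def diagnose(session):
    """Classify a session: validator rejection, discarded upstream replies, or fine."""
    if session["validation"]["sec_status_bogus"]:
        return "dnssec-bogus"
    thrown = sum(c["THROWAWAY"] for c in session["responses"].values())
    if thrown and session["rcode"] == "SERVFAIL":
        return "upstream-failure"
    if session["rcode"] == "NOERROR":
        return "noerror"
    return "unknown"


def report(sessions):
    """One line per session plus one per upstream server, as a list of strings."""
    lines = []
    for tid, s in sessions.items():
        lines.append(f"[{tid}] {s['qname']} {s['qtype']} -> {s['rcode']} "
                     f"in {s['seconds']}s: {diagnose(s)}")
        for ip, counts in sorted(s["responses"].items()):
            summary = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
            lines.append(f"    {ip}: {summary}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it over a full log captured with `verbosity: 2` and the per-server lines tell you at a glance whether one nameserver address is the odd one out (a single anycast node or a filtered path) or whether every server answers the same way and the problem is in validation.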

As a quick note: In the future it would be easier to keep this sort of detail straight if you created a separate thread. CAA servfails are a DNS-provider-specific problem; if you don't have the same DNS provider as the original poster, then I think it would be best to use a separate thread.

My mistake, you are the original poster as you point out. Apologies. This advice should be for @tgx.

@cpu I am the original poster…

I apologize. You’re correct. Now there’s two confused staff in here :blush:. I’ve updated my comment above for @tgx.

Thank you @jsha, but all responses say “0000” (NOERROR). Do you have any idea?

Edit: Can you send over a resolve of a DNSSEC-enabled NL domain, like overheid.nl? And is this pcap the same as the log you gave? Was the pcap made when you got the SERVFAIL, or was it made after?

Edit2: Can you send over a debug-level log? Or your configuration, so I don’t have to bother you with this. :slight_smile:

4 posts were split to a new topic: DNSimple CAA SERVFAIL

Here's a log with Unbound verbosity=3. The previous log was at 2.

I suspect so, but just in case here is another base64 encoded pcap file taken at the exact same time as the verbosity 3 log above.

Hi @cpu

So it seems to me like a DNSSEC validation error, but why would it fail? According to every DNSSEC test tool I try, DNSSEC is correct. I’ve set up a default-config Unbound recursor, but it gives NOERROR…

Agreed. It does seem to boil down to an NSEC failure on the NODATA response. I'm also personally unsure why that's happening in this case. I think we need to do some more digging.

@cpu, is there anything I can do? With my Unbound setup the requests do not fail; they give NOERROR.

I can't offer any advice at present. I can share a sanitized copy of the config from the server I'm testing against if you want to try and see if you can get your Unbound to match.

EDIT: here it is - note that I removed some access-control lines and I wouldn't recommend running this as-is since I suspect it will be an open resolver.

I'm going to try increasing the verbosity level from 3 to 4 to get algorithm data. Looking at validator/val_nsec3.c's nsec3_prove_nodata function I believe this will give us more information.
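What nsec3_prove_nodata has to establish for a NODATA answer is laid out in RFC 5155 section 8.5: hash the query name with the zone's NSEC3 parameters, find the NSEC3 record whose owner is that hash, and check that its type bitmap contains neither the queried type nor CNAME. The code below is an added example, not code from the thread or from Unbound: it implements the NSEC3 hash of RFC 5155 section 5 and that direct-match check in pure Python, so the hash a validator expects can be compared against the NSEC3 owner names the authoritative servers actually return in the authority section. The NSEC3 record it checks is constructed here; its type set and parameters (empty salt, zero iterations) are assumptions for the demo, not gwvanpelt.nl's real records, and the wildcard, opt-out and DS-at-delegation branches of section 8.5 are deliberately left out.

```python
"""NSEC3 hashing (RFC 5155 section 5) and the direct-match NODATA proof
check of RFC 5155 section 8.5, in pure Python.

Added example, not code from the thread or from Unbound; it shows what a
validator must establish before it accepts a NODATA answer for, say, CAA,
not Unbound's implementation.  Wildcard, opt-out and DS-at-delegation
cases are deliberately not covered.
"""
import base64
import hashlib

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # RFC 4648 base32 alphabet
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 base32hex alphabet
_TO_HEX32 = str.maketrans(_B32_STD, _B32_HEX)


def _wire_name(name):
    """Canonical wire form: lowercase labels, length-prefixed, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt); H=SHA-1.
    Returned as lowercase base32hex without padding (32 chars for SHA-1)."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(_TO_HEX32).lower()


def proves_nodata(qname, qtype, nsec3_rrs, salt=b"", iterations=0):
    """Direct-match NODATA proof (RFC 5155 section 8.5).

    nsec3_rrs: iterable of dicts {"owner_hash": str, "next_hash": str,
    "types": set of type mnemonics}.  Returns (ok, reason)."""
    h = nsec3_hash(qname, salt, iterations)
    for rr in nsec3_rrs:
        if rr["owner_hash"].lower() != h:
            continue
        if qtype in rr["types"]:
            return False, f"matching NSEC3 asserts {qtype} exists at {qname}"
        if "CNAME" in rr["types"]:
            return False, f"matching NSEC3 asserts CNAME exists at {qname}"
        return True, f"matching NSEC3 {h} lacks {qtype} and CNAME"
    return False, f"no NSEC3 with owner hash {h} (closest encloser/opt-out not handled)"


if __name__ == "__main__":
    # Constructed demo: this NSEC3 is made up for pop.gwvanpelt.nl with assumed
    # parameters (empty salt, 0 iterations); it is not the real zone's record.
    name, salt, iters = "pop.gwvanpelt.nl", b"", 0
    rr = {"owner_hash": nsec3_hash(name, salt, iters),
          "next_hash": "0" * 32,
          "types": {"A", "AAAA", "RRSIG"}}
    print(name, "->", rr["owner_hash"])
    print("CAA nodata proven:", proves_nodata(name, "CAA", [rr], salt, iters))
    print("A   nodata proven:", proves_nodata(name, "A", [rr], salt, iters))
```

To use it against a live case, take the salt and iteration count from the zone's NSEC3PARAM record, hash the query name, and compare the result with the first label of each NSEC3 owner in the authority section of the NODATA reply; a mismatch there, or a type bitmap that still lists the queried type, is exactly the situation in which a validator has no choice but to return bogus. The vectors in RFC 5155 Appendix A are a good sanity check for the hash function itself.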