Reason for Error "DNS problem: SERVFAIL looking up A for ir.vasco.com"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ir.vasco.com

I ran this command:

dig -q CAA vasco.com

It produced this output:

Query results for CAA vasco.com

Response:
;; opcode: QUERY, status: NOERROR, id: 13029
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;vasco.com. IN CAA

;; AUTHORITY SECTION:
vasco.com. 0 IN SOA ns1.p28.dynect.net. hostmaster.vasco.com. 2011116209 3600 600 604800 1800

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

According to dnsviz, it looks like you have some DNSSEC errors: http://dnsviz.net/d/ir.vasco.com/dnssec/

Thank you for your response. Is there a way to fix it without removing DNSSEC for the domain?

Most likely there is, but I’m afraid I don’t know what steps you would need to take. Removing DNSSEC would be the simplest option.

If we create a new zone for ir.vasco.com and disable DNSSEC on it, does the validation still check for DNSSEC records going from .com to vasco.com? I believe if that is the case, the validation would still fail?

Yes, that is correct.

Your DS record is incorrect. You need to obtain the correct one from the Dyn control panel and correct it in the domain registration control panel.
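
As an added example (not part of the original thread), this sketch shows how a DS record is derived from a DNSKEY under RFC 4034 and how a DS at the parent that matches no key in the child zone can be told apart from the correct one. The zone name, both keys and the "stale DS from a retired key" scenario are constructed assumptions, not data from vasco.com.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def check_ds(owner, ds, dnskeys):
    """Compare the parent's DS with the DNSKEYs the child zone serves."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return "unsupported digest type"
    same_tag = [k for k in dnskeys if key_tag(k) == tag and k[3] == alg]
    if not same_tag:
        return "no DNSKEY with this key tag and algorithm"
    if any(make_ds(owner, k, dtype)[3] == digest.upper() for k in same_tag):
        return "match"
    return "digest mismatch"

# Constructed sample data: neither key is a real key for any zone.
ZONE = "example.com."
CURRENT_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
RETIRED_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
STALE_DS = make_ds(ZONE, RETIRED_KSK)  # assumed leftover at the registrar

if __name__ == "__main__":
    print("stale DS  :", check_ds(ZONE, STALE_DS, [CURRENT_KSK]))
    print("correct DS:", check_ds(ZONE, make_ds(ZONE, CURRENT_KSK), [CURRENT_KSK]))
    print("DS to publish:", *make_ds(ZONE, CURRENT_KSK))
```

A validating resolver that finds no DNSKEY matching the parent's DS treats the zone as bogus and answers SERVFAIL, which is why the fix is made at the registrar rather than in the zone itself.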
