Hi team, we’re seeing issues and we’re not sure if it’s related to the incident or not. The status page says “monitoring” and that the root cause has been fixed.
LE is giving us:
403 urn:acme:error:caa: Error creating new cert :: Rechecking CAA: While processing CAA for brightgen.com: DNS problem: SERVFAIL looking up CAA for brightgen.com
We see NOERROR locally:
$ dig CAA brightgen.com @184.108.40.206
; <<>> DiG 9.12.1-P2 <<>> CAA brightgen.com @220.127.116.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7437
And we get NOERROR from unboundtest: https://unboundtest.com/m/CAA/brightgen.com/MZZR5RHO
This is not an isolated case; other domains with the same or a similar problem (sometimes it fails to look up A records) are:
DNS problem: SERVFAIL looking up CAA for brightgen.com
SERVFAIL looking up CAA for brightgen.co.uk
DNS problem: query timed out looking up A for www.faerykisses.co.uk
SERVFAIL looking up A for www.aclu-nca.org
We’re seeing a very high error rate trying to issue certs and wonder if there is still perhaps some fallout from the DNS issue? Could unbound require a restart or something like that?