SERVFAIL for A record, can't reproduce outside of Let's Encrypt


We are experiencing an odd issue with a client with the following error for the FQDN

'urn:acme:error:connection': DNS problem: SERVFAIL looking up A for

Only thing is though, we can’t reproduce this DNS response outside of the http-01 validation process.

I have tried from multiple locations to run dig +trace a and the resolution is occuring correctly with status NOERROR. Same with querying direct to its NS or to caching nameservers.

Would somebody with an internal view of Boulder be able to see what is happening?

Thank you kindly!

Your domain has some issues with DNSSEC ( mimics configuration of DNS resolvers used by Let’s Encrypt):

info: NSEC RRset for the referral proved not a delegation point

If you try checking your domain with DNSViz, which is pretty good DNSSEC diagnostic tool, you’ll also get errors:

It seems there are some problems with the way the domain is delegated.


Perfect! Thanks for, that will be a great help in future cases.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.