SERVFAIL for CAA Lookup on all Domains except the root domain


#1

Hello everyone,

we are unable to get new certificates for all subdomains of flangaapis.com, except for flangaapis.com - we have set appropriate CAA records for letsencrypt.org, however all validations fail:

Domain: nsweb1.flangaapis.com
Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for
nsweb1.flangaapis.com

We use PowerDNS 4.1.0 - the validation works for other domains hosted on the same nameserver with the same records - DNSSEC is green and the validation works for flangaapis.com

A hint would be great :slight_smile:


#2
unbound: debug: NODATA response failed to prove NODATA status with NSEC/NSEC3

Something’s wrong with negative responses.

Try “pdnsutil rectify-zone flangaapis.com”.


#3

Hmm that worked - I ran these commands when I created the zone, looks like this one gone wrong :smiley:

Thank you very much!


#4

Great! :smile:

Depending on how changes to the zone are made, it’s also necessary to rectify whenever adding or removing records.


#5

Changes are made via API - however, the zones were secured with pdnsutil secure-zone and pdnsutil rectify-zone


#6

In 4.1 the API should rectify automatically. I think.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.