SERVFAIL for CAA Lookup on all Domains except the root domain

Hello everyone,

We are unable to get new certificates for all subdomains of, except for - we have set appropriate CAA records for, however all validations fail:

Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for

We use PowerDNS 4.1.0 - the validation works for other domains hosted on the same nameserver with the same records - DNSSEC is green and the validation works for

A hint would be great :slight_smile:

unbound: debug: NODATA response failed to prove NODATA status with NSEC/NSEC3

Something’s wrong with negative responses.

Try “pdnsutil rectify-zone”.

Hmm, that worked - I ran these commands when I created the zone, looks like this one has gone wrong :smiley:

Thank you very much!

Great! :smile:

Depending on how changes to the zone are made, it’s also necessary to rectify whenever adding or removing records.

Changes are made via API - however, the zones were secured with pdnsutil secure-zone and pdnsutil rectify-zone

In 4.1 the API should rectify automatically. I think.
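
One way to confirm the diagnosis reached in this thread from the client side, as an added example that is not part of the original posts: ask a validating resolver for the CAA record with and without dig's `+cdflag` (checking disabled) option and compare the results. The function names and the two dig transcripts below are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a CAA lookup from two dig transcripts.
#   $1 = output of: dig CAA <name> @<validating-resolver>
#   $2 = output of: dig +cdflag CAA <name> @<validating-resolver>
# <name> and <validating-resolver> are placeholders.

# Extract the RCODE (NOERROR, SERVFAIL, ...) from dig's HEADER line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the ANSWER count from dig's flags line.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

classify_caa() {
    validated=$(dig_status "$1")
    unchecked=$(dig_status "$2")
    if [ "$validated" = "SERVFAIL" ] && [ "$unchecked" = "NOERROR" ]; then
        # The data resolves, but DNSSEC validation rejects it.
        if [ "$(dig_answers "$2")" = "0" ]; then
            echo "dnssec-denial-broken"   # NODATA whose NSEC/NSEC3 proof fails
        else
            echo "dnssec-answer-broken"   # records exist but do not validate
        fi
    elif [ "$validated" = "SERVFAIL" ]; then
        echo "resolution-failure"         # fails even with validation off
    else
        echo "ok"
    fi
}

# Constructed transcripts (headers only) matching the case in this thread.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4211
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNCHECKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4212
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1'

classify_caa "$SAMPLE_VALIDATED" "$SAMPLE_UNCHECKED"
```

A result of `dnssec-denial-broken` for a name that has no CAA record of its own points at the zone's negative responses, which is the case where rectifying the zone was suggested above.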

