SERVFAIL for CAA Lookup on all Domains except the root domain

flanga · December 27, 2017, 9:56pm

Hello everyone,

we are unable to get new certificates for all subdomains of flangaapis.com, except for flangaapis.com - we have set appropriate CAA records for letsencrypt.org, however all validations fail:

Domain: nsweb1.flangaapis.com
Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for
nsweb1.flangaapis.com

We use PowerDNS 4.1.0 - the validation works for other domains hosted on the same nameserver with the same records - DNSSEC is green and the validation works for flangaapis.com

A hint would be great

mnordhoff · December 27, 2017, 10:16pm

unbound: debug: NODATA response failed to prove NODATA status with NSEC/NSEC3

Something’s wrong with negative responses.

Try “pdnsutil rectify-zone flangaapis.com”.

flanga · December 27, 2017, 10:32pm

Hmm that worked - I ran these commands when I created the zone, looks like this one gone wrong

Thank you very much!

mnordhoff · December 27, 2017, 10:43pm

Great!

Depending on how changes to the zone are made, it’s also necessary to rectify whenever adding or removing records.

flanga · December 27, 2017, 11:31pm

Changes are made via API - however, the zones were secured with pdnsutil secure-zone and pdnsutil rectify-zone

mnordhoff · December 28, 2017, 12:10am

In 4.1 the API should rectify automatically. I think.

system · January 27, 2018, 12:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SERVFAIL looking up CAA - prevent the case Help	3	633	March 5, 2021
SERVFAIL looking up CAA on subdomain Help	7	1814	June 1, 2018
DNS problem: SERVFAIL looking up CAA Help	9	2085	October 14, 2020
PowerDNS: Can't find why CAA servfails Help	54	10963	August 20, 2017
SERVFAIL looking up CAA Warning Help	17	1538	April 5, 2022

SERVFAIL for CAA Lookup on all Domains except the root domain

Related topics