we are unable to get new certificates for all subdomains of flangaapis.com, except for flangaapis.com - we have set appropriate CAA records for letsencrypt.org, however all validations fail:
Detail: DNS problem: SERVFAIL looking up CAA for
We use PowerDNS 4.1.0 - the validation works for other domains hosted on the same nameserver with the same records - DNSSEC is green and the validation works for flangaapis.com
A hint would be great
unbound: debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
Something’s wrong with negative responses.
Try “pdnsutil rectify-zone flangaapis.com”.
pdnsutil rectify-zone flangaapis.com
Hmm that worked - I ran these commands when I created the zone, looks like this one gone wrong
Thank you very much!
Depending on how changes to the zone are made, it’s also necessary to rectify whenever adding or removing records.
Changes are made via API - however, the zones were secured with pdnsutil secure-zone and pdnsutil rectify-zone
In 4.1 the API should rectify automatically. I think.