SERVFAIL for Unbound v1.18

Since the upgrade to unbound v1.18, we have encountered numerous SERVFAIL errors when attempting to issue a new certificate without a CAA entry. I tested the process with unbound v1.19, and it functions flawlessly there.

There is also a bug related to this issue on GitHub for v1.18:

Although adding a CAA entry resolved the problem, it requires informing all our clients to add a CAA entry to ensure the certificate can be renewed.

It might be advisable to revert to v1.16 or upgrade to v1.19.

1 Like

Do you mean you're running Unbound as a DNS server for your domain(s) or do you mean the upgrade on Let's Encrypts side with the Unbound resolver library?

Because if I look at the linked error above, I think it's not applicable to the Unbound resolver upgrade used by Let's Encrypt.

However, in Unbound 1.18.0 there has been a fix with regard to some non-conforming DNS servers. See the following thread for more information:


No, I don't use unbound. I conducted some tests to determine whether our DNS Provider has an issue or if the problem is related to Let's Encrypt unbound. As mentioned earlier, the issue only arises with v1.18. The same tests work correctly on v1.16.0, v1.17.1, and v1.19.0. Only v1.18.0 presents problems.

The test can be reproduced using the following commands:

docker run --rm --name unbound klutchell/unbound:1.18.0
docker exec unbound dig @ <domain> CAA

Replace <domain> with a domain experiencing the issue.

1 Like

Well, I'm no C expert and also not a DNS RFC expert, but it seems the fix in 1.18.0 mentioned in the earlier thread I linked was altered in 1.19.0:

Fix in 1.18.0:

Another fix (?) within the same code in 1.19.0:

Not sure what's going on there though. Something has changed and I assume for the better? Perhaps sounds like the second change has reverted the Unbound stricter compatibility with the DNS specs with regard to the SOA RR that has to come with the NOERROR reply.

@jcjones Do you perhaps have an opinion with regard to this issue? (As you seem to be involved in the upgrade to 1.18.0 earlier.)


I'm planning an upgrade to Unbound 1.19 as soon as we come back in the new year; I've got the changeset already worked up. Hopefully 1.18 -> 1.19 will be smoother than 1.16.x -> 1.18.


@alex_capturemedia just so the support community can correlate likely affected providers, who is your DNS provider? There is a known issue with, which may be using servers based on a version of PowerDNS.


@webprofusion Our infrastructure uses DNSimple.

1 Like

did new LE side update fixed the problem?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.