SERVFAIL looking up A for: altodisplay.com

nickmcdonnough · May 6, 2017, 8:11pm

Hi, I work for a web host and we have provided and Let’s Encrypt integration for our customers. We are currently processing a couple thousand orders per day and saw this error for the first time this week. Our system is built in ruby and uses an open source ruby gem to place orders. I’m wonder if someone at LE can clue us into whether or not there is something specifically broken about this one site’s DNS so that I can pass that on to a customer.

I’m no expert on DNS but this looks bad: http://dnsviz.net/d/altodisplay.com/dnssec/

Could someone give me a little info on how to read that chart and what some possible remedies could be?

Thanks!

Osiris · May 6, 2017, 8:36pm

The .com nameservers have a DS record for your domain present. This tells DNSSEC enabled servers there should be a RRSIG record present for your domain in the corresponding authoritive name servers. But there is no RRSIG record. So the DNSSEC verification fails: it could be a hacker provides a fake answer!

The only way to fix this is either disable DNSSEC altogether by removing the DS record from the .com name servers or, preferably, fix DNSSEC by providing the correct DNSSEC records for your domain.

An insightful article about how DNSSEC works can be found here: How DNSSEC Works

Topic		Replies	Views
DNS problem: SERVFAIL looking up A for www.rnelnet.com DNSSEC issue? Help	4	1503	September 13, 2019
SERVFAIL looking up TXT (IDNA or DNSSEC issues?) Server	10	2712	January 30, 2019
SERVFAIL looking up A for xxxxxx.com domain Help	4	3803	January 17, 2018
400 error DNS problem servfail Help	7	2257	November 25, 2020
DNS problem: SERVFAIL looking up A for the domain's nameservers may be malfunctioning Help	3	3932	February 28, 2021

SERVFAIL looking up A for: altodisplay.com

Related topics