SERVFAIL looking up CAA for {domain}

Im trying to add a certificate to a website:

My domain is:

I ran this command:

n -> 1 -> 9 -> 4
Create new certificate -> Single binding of an IIS site -> -> Create temporary application in IIS

It produced this output:

Authorization result: invalid
ACME server reported type urn:acme:error:connection
ACME server reported type detail DNS problem: SERVFAIL looking up CAA for
ACME server reported status 400

My web server is (include version):

IIS version 10.0.17393.0

The operating system my web server runs on is (include version):

Windows server 2016 standard

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


It works for other domains on the same server.

This site has multiple bindings from different domains


Hi @marcel,

Seems you are suffering this PowerDNS bug but it is strange because it only affects to PowerDNS versions 4.0.3 and below and seems the DNS servers you are using for your domain are version 4.0.4.

$ dig ns +short

$ dig version.bind ch txt +short
"PowerDNS Authoritative Server 4.0.4 (built Jun 22 2017 20:08:49 by root@6454203fd461)"

$ dig version.bind ch txt +short
"PowerDNS Authoritative Server 4.0.4 (built Jun 22 2017 20:08:49 by root@6454203fd461)"

But the error seems exactly the same as for versions 4.0.3 and below. If you check it on page you will see this error…

debug: NODATA response failed to prove NODATA status with NSEC/NSEC3

So seems PowerDNS is not signing the answer when there is no record defined (in this case CAA record for domain).

I don’t use PowerDNS with DNSSEC so I can’t help here but maybe you need to use pdnsutil rectify-zone command to solve this issue or maybe the fastest way to solve the issue is adding a CAA record to your domain, if the base problem is the PowerDNS bug, then your server won’t send an empty not signed response but will send a signed response.

Just in case, this site helps to know what is the data you need to add to a CAA record for your domain… that is basically this: CAA 0 issue ""

Good luck,



Thats not one of my domains…

Sorry but I don't know what you mean.

@marcel and @marcel24 are not the same person!

Thanks, i will try adding the CAA record!


@marcel, sorry, I didn’t see that I wrote marcel instead of marcel24.

@marcel24, thanks, your nick names are too close :wink:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.