For the last week, we’ve been getting SERVFAIL looking up CAA in LE staging. I’ve read a half dozen other threads on this and have learned:
- LE has always inspected the DNS of domains during the issuance process, but only recently started treating SERVFAIL as a failure in staging.
- The problem is almost always with the DNS operator and requires some DNS upgrade by the operator.
We have literally dozens of thousands of domains, from thousands of customers, and cannot reach out to DNS operators to request upgrades. I need to find a way around this.
So my first goal, and question of this thread, is: how can I reliably test domains programmatically BEFORE sending them to LE, to avoid this happening in the first place? The reason this is crucial is that every attempt is a SAN containing 100 domains, so if one fails, they all fail.
From reading other threads, there doesn’t appear to be a single command that will always expose the issue. I’m hoping there is one command, or one series of dig commands or something, that someone could share with me. My networking knowledge isn’t exactly expert level.
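One way to run the pre-flight the post asks for, as an added example (not the poster's code and not anything Let's Encrypt publishes): wrap `dig` and walk the CAA tree the way RFC 8659 describes it, querying the domain itself and then each parent up to the TLD, and hold back any domain whose climb returns an RCODE other than NOERROR or NXDOMAIN. Assumptions: `dig` from the BIND utilities is on PATH, the resolver consulted is the host's default (or the one passed as `resolver`), and the climb order is the RFC's; whether a CA's own validating resolvers see exactly the same RCODEs is not something this script can promise, so treat a clean run as a strong filter, not a guarantee.

```python
"""Pre-flight CAA check for a batch of domains (added example, not Let's Encrypt's checker).

Walks the CAA tree per RFC 8659 (the name, then each parent up to the TLD) and
records the first name whose lookup returns an RCODE other than NOERROR or
NXDOMAIN, so a SERVFAIL is caught before the domain is put into a 100-name SAN order.
Assumes `dig` is on PATH.
"""
import re
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# dig prints ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234" on any answer it gets.
STATUS_RE = re.compile(r"status: ([A-Z]+)")

# RCODEs a CAA climb treats as "no record at this name, keep climbing".
HARMLESS = {"NOERROR", "NXDOMAIN"}


def dig_caa_status(name: str, resolver: Optional[str] = None, timeout: int = 5) -> str:
    """Return the RCODE text of a CAA query for `name`, or TIMEOUT if no server answered."""
    cmd = ["dig", f"+time={timeout}", "+tries=2", "CAA", name]
    if resolver:
        cmd.append(f"@{resolver}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    match = STATUS_RE.search(out)
    return match.group(1) if match else "TIMEOUT"


def caa_chain(domain: str) -> List[str]:
    """Names a CA consults for CAA: the domain itself, then each parent down to the TLD."""
    labels = [label for label in domain.lower().rstrip(".").split(".") if label]
    return [".".join(labels[i:]) for i in range(len(labels))]


def caa_preflight(domains: Iterable[str],
                  query: Callable[[str], str] = dig_caa_status) -> Dict[str, str]:
    """Map each problematic domain to 'offending-name: RCODE'; clean domains are absent."""
    problems: Dict[str, str] = {}
    cache: Dict[str, str] = {}  # parents such as the TLD are shared by thousands of names
    for domain in domains:
        for name in caa_chain(domain):
            if name not in cache:
                cache[name] = query(name)
            rcode = cache[name]
            if rcode not in HARMLESS:
                problems[domain] = f"{name}: {rcode}"
                break
    return problems


def partition(domains: List[str],
              query: Callable[[str], str] = dig_caa_status) -> Tuple[List[str], Dict[str, str]]:
    """Split a batch into domains safe to submit and those to hold back, with the reason."""
    problems = caa_preflight(domains, query)
    safe = [d for d in domains if d not in problems]
    return safe, problems


if __name__ == "__main__":
    # Usage: python caa_preflight.py domain1 domain2 ...   (or one domain per line on stdin)
    names = sys.argv[1:] or [line.strip() for line in sys.stdin if line.strip()]
    safe_names, held = partition(names)
    for held_domain, reason in held.items():
        print(f"HOLD  {held_domain}  ({reason})")
    for ok_domain in safe_names:
        print(f"OK    {ok_domain}")
```

Feed it the candidate list for a SAN order and submit only the `OK` names; the `HOLD` lines name the exact label in the tree that answered SERVFAIL (or timed out), which is the information the DNS operator would need. Point `resolver` at a DNSSEC-validating resolver if the default one on the host is not, since a validation failure is a common way a zone ends up answering SERVFAIL from one vantage point and NOERROR from another.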