SERVFAIL looking up CAA Warning

We have a 3rd party vendor that runs one of our public websites. This vendor uses cPanel and issues SSL certs through that. We manage our DNS ourselves, so they are coming back to us with this error.

It's a warning but they are insisting it must be fixed.

The warning is:

WARN “Let’s Encrypt™” HTTP DCV error ( 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for the domain's nameservers may be malfunctioning)

They are saying "you must create a CAA record for the domain" WWW is an A record, not a DNS zone, so there is no way to make a CAA record for it.

When we validate our CAA record for our domain it comes back as valid and includes letsencrypt	3600	IN	CAA	0 iodef ""	3600	IN	CAA	0 issue ""	3600	IN	CAA	0 issue ""

why are we getting this warning when a SSL cert for lets encrypt is renewed? What causes it? what do you do about it? our CAA appears to be correct for the domain.

You can have a CAA record and A record coexist for the www subdomain. Multiple records on a single label is a common thing in DNS.

I am not convinced that creating the record would solve your problem, but you could certainly give it a go.

Try throw your www domain into,, to see if it comes up with any issues as well.


I dont understand what you mean by " You can have a CAA record and A record coexist for the www subdomain."

We have an A record for WWW, and we have CAA records for our domain. Network solutions doesn't let you make a CAA for anything but the domain name

That's ... dumb.

Would you be able to take a screenshot of the user interface where they allow you to create CAA records?


I can't get into it right now from where I am right now, but when you go into manage DNS for your domain > add a record > change type of record to CAA you only get the following fields for the domain.

Record type (CAA)
Flag (integer)
tag (issue, wildissue, iodef)
Value (what string you want associated with the tag)

and that is it

You don't need to have a CAA record for your domain, but your DNS host needs to respond properly when asked for one. "There's no CAA record here" is a proper response. "What's a CAA record?" isn't. If your DNS host is giving SERVFAIL (i.e., "What's a CAA record?") when queried for the CAA record, it's very badly broken. Creating that record might solve the immediate problem, but the real solution is to use a less-broken DNS host.


Please ensure you are only using nameservers from this one DSP.
[mixing nameservers can be difficult to properly manage (for the inexperienced)]

1 Like

It's only giving SERVFAIL for the, it works fine for with no host name specified.

Please show all the entries for "www".

1 Like

The only www entries are 3600 IN	A

Network solutions only lets you add CAA as an @ root record

Please show that there are no other nameservers involved:

Use this format:
nslookup -q=ns

and show the output on the right side:

1 Like

Non-authoritative answer: nameserver = nameserver =


Then, as that all shows, Network Solutions must be to blame for "SERVFAIL" response on CAA requests to "www".


Since (I suspect) your DNS zone is very simple, you could quickly/easily switch your DNS Service Provider (DSP) and see if the problem goes away.

[note: you don't have to switch the domain registrar]


They are notorious for messing this CAA thing up. Please host your DNS elsewhere.

Also: this is why you don't redact you domain name, if you hadn't, we could've seen that the nameservers didn't behave.


I have to follow our companies security policy unfortunately.

1 Like

That was a use case for paid consultants, I think.

Without the domain we can't query its DNS servers, we can't see how/what/where it responds, and a lot more things that are useful to help users.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.