SERVFAIL looking up TXT (IDNA or DNSSEC issues?)

Well, you have the DNS protocol to thank for that. The DNS message format does not provide a field to include detailed information about what errors were encountered. The only information that is available is at the granularity of the RCode field (which carries half a byte of data, e.g. SERVFAIL).

So if you imagine:

[CA/Validation Authority] <------ DNS protocol ------> [Resolver]

there’s no way for the Resolver to tell the VA that the failure reason was DNSSEC.

To generalize this beyond Let’s Encrypt - if you try to query your domain from a properly configured resolver (like 1.1.1.1 - which runs Knot, like you - or 8.8.8.8) right now, it will result in SERVFAIL without any further detail.

For that reason we have community tooling like unboundtest.com or letsdebug.net. It’d be “nice to have” detailed DNS root cause analysis right in Let’s Encrypt, but it’s kinda hard to do, and at the same time it’s kinda surprising that you didn’t notice that your domain stopped resolving much earlier.

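As an added example (not code from the post or from Let’s Encrypt), the following shows the 4-bit RCODE being all the error detail a DNS header carries, and goes one step beyond the post with the usual workaround: re-issue the same query with the CD (checking disabled) bit set; if CD=0 yields SERVFAIL but CD=1 yields an answer, the failure was DNSSEC validation. The responses below are constructed header-only messages, not real resolver output.

```python
import struct

NOERROR, SERVFAIL = 0, 2
QTYPE_TXT = 16

def build_query(qname, qtype=QTYPE_TXT, checking_disabled=False, txid=0x1234):
    """Minimal DNS query. With checking_disabled the CD bit (RFC 4035) tells a
    validating resolver to return the answer even when DNSSEC validation fails."""
    flags = 0x0100                      # RD (recursion desired)
    if checking_disabled:
        flags |= 0x0010                 # CD (checking disabled)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)  # QCLASS IN

def rcode(message):
    """The RCODE is the low nibble of the flags word: half a byte, no further detail."""
    return struct.unpack("!H", message[2:4])[0] & 0x0F

def diagnose_servfail(response_cd0, response_cd1):
    """Compare responses to the same query sent with CD=0 and CD=1.
    SERVFAIL only when validation is enabled points at DNSSEC; SERVFAIL in
    both cases points at the zone or transport, not at validation."""
    r0, r1 = rcode(response_cd0), rcode(response_cd1)
    if r0 == SERVFAIL and r1 == NOERROR:
        return "dnssec-validation-failure"
    if r0 == SERVFAIL:
        return "servfail-unrelated-to-validation"
    return "no-servfail"

# Constructed resolver responses (header only; QR=1, RD=1, RA=1, no records):
RESP_CD0 = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # RCODE 2 = SERVFAIL
RESP_CD1 = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 0, 0, 0)  # CD echoed, RCODE 0

if __name__ == "__main__":
    print(diagnose_servfail(RESP_CD0, RESP_CD1))   # dnssec-validation-failure
```

Tools such as `dig +cd` send exactly this CD=1 query, which is why the community tooling mentioned above can name DNSSEC as the cause when the CA’s validation path cannot.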