SERVFAIL looking up TXT

I cannot renew my expired SSL certs and I don't see any issues with it: Let's Debug

My domain is: kloon.work.gd

I ran this command: sudo certbot certonly --manual --preferred-challenge dns -d "kloon.work.gd" -d "*.kloon.work.gd"

It produced this output:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: kloon.work.gd
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.kloon.work.gd - the domain's nameservers may be malfunctioning

Domain: kloon.work.gd
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.kloon.work.gd - the domain's nameservers may be malfunctioning

My web server is (include version): nginx version: nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04.2 LTS

My hosting provider, if applicable, is: dnsexit.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.0.0

The Let's Debug test for a DNS Challenge has only very limited tests. It is much more useful for testing HTTP Challenges (which you are not using).

Your DNS configuration is badly broken and causing the SERVFAIL result. Please see the DNSViz report here: kloon.work.gd | DNSViz

I would start by fixing all the delegation issues in the Error and Warning section. That should eliminate many of the problems. If you still get SERVFAIL after that re-run the DNSViz report and review remaining problems.

The https://unboundtest.com site is also very helpful to check DNS queries. It gets a SERVFAIL looking up an A record for your domain. You don't need an A record, but your DNS server must reply with a proper "not found".

4 Likes
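To make the distinction in the answer above concrete (a SERVFAIL is fatal, while NXDOMAIN or an empty NOERROR answer is a proper "not found"), here is an added example script that is not part of the thread or of any of the tools mentioned in it. It parses the header of `dig +noall +comments +answer` output and reproduces the two lookups Let's Encrypt reported: CAA on the domain, then TXT on `_acme-challenge`. The `run_dig` wrapper, the sample dig outputs and the token value are all constructed for illustration; nothing below was captured from the real nameservers. The real CA climbs to parent domains when a CAA lookup returns "not found"; this example only checks the one name.

```python
"""Classify what an ACME DNS-01 validator would conclude from dig output.

Added example, not code from the forum thread. The dig output samples and the
token value are constructed; run_dig is only used when you run this script
yourself against a live name.
"""
import re
import shutil
import subprocess

# dig prints this header line when +comments is on:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41235
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+", re.M)
# Answer-section lines look like: name TTL IN TYPE rdata
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\w+)\s+(.*)$", re.M)


def run_dig(name: str, rtype: str, server: str = "") -> str:
    """Run dig for name/rtype (optionally @server, e.g. an authoritative NS) and return raw output."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    cmd = ["dig", "+noall", "+comments", "+answer", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_dig(output: str) -> dict:
    """Return {'status': RCODE, 'answers': [(name, type, rdata), ...]} for one dig run."""
    m = HEADER_RE.search(output)
    if not m:
        raise ValueError("no dig header found (was +comments used?)")
    return {"status": m.group(1), "answers": ANSWER_RE.findall(output)}


def classify(resp: dict, rtype: str) -> str:
    """Map a parsed response to the outcome a validating resolver sees."""
    status = resp["status"]
    if status == "SERVFAIL":
        return "SERVFAIL"   # no authoritative answer could be obtained: validation fails
    if status == "NXDOMAIN":
        return "NXDOMAIN"   # name does not exist: fine for CAA, fatal for the challenge TXT
    if status == "NOERROR":
        if any(t == rtype for _, t, _ in resp["answers"]):
            return "ANSWER"
        return "NODATA"     # name exists but has no record of this type: a proper "not found"
    return status


def dns01_verdict(caa_output: str, txt_output: str, expected_token: str) -> str:
    """CAA lookup first, then the _acme-challenge TXT lookup, as in the CA's error messages."""
    caa = classify(parse_dig(caa_output), "CAA")
    if caa == "SERVFAIL":
        return "fail: SERVFAIL looking up CAA"
    txt_resp = parse_dig(txt_output)
    txt = classify(txt_resp, "TXT")
    if txt == "SERVFAIL":
        return "fail: SERVFAIL looking up TXT"
    if txt in ("NXDOMAIN", "NODATA"):
        return "fail: no TXT record at _acme-challenge"
    values = [r.strip().strip('"') for _, t, r in txt_resp["answers"] if t == "TXT"]
    if expected_token in values:
        return "ok"
    return "fail: TXT present but token mismatch"


# Constructed sample outputs (not captured from kloon.work.gd's nameservers).
SERVFAIL_TXT = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NODATA_CAA = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9110
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
GOOD_TXT = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_acme-challenge.kloon.work.gd. 300 IN TXT "constructed-token-value"
"""

if __name__ == "__main__":
    print("broken NS  :", dns01_verdict(NODATA_CAA, SERVFAIL_TXT, "constructed-token-value"))
    print("healthy NS :", dns01_verdict(NODATA_CAA, GOOD_TXT, "constructed-token-value"))
    # Live check (needs dig and network), e.g. against one authoritative server:
    # print(dns01_verdict(run_dig("kloon.work.gd", "CAA"),
    #                     run_dig("_acme-challenge.kloon.work.gd", "TXT"), "<token>"))
```

When running this against a live name, query each authoritative nameserver directly with `@server` as well as through a public recursive resolver: if the authoritative servers answer NOERROR/NXDOMAIN but the recursive lookup still returns SERVFAIL, the problem is in the delegation chain (which is what DNSViz reports), not in the zone contents.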

I don't think any of those errors can be fixed on my end; I do not own work.gd. Looking at the unboundtest, the SERVFAIL comes from unbound giving up:
May 12 16:08:52 unbound[23397:0] error: SERVFAIL <_acme-challenge.kloon.work.gd. TXT IN>: exceeded the maximum nameserver nxdomains
Is there anything that can be done to circumvent this and get the certs like it worked just fine a few months ago?

And another view of the DNS Errors Hardenize Report: kloon.work.gd

I see the problem now; their nameservers are just hot garbage at the moment. Getting different errors now:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: kloon.work.gd
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking up TXT for _acme-challenge.kloon.work.gd - the domain's nameservers may be malfunctioning

Domain: kloon.work.gd
Type: dns
Detail: While processing CAA for kloon.work.gd: DNS problem: SERVFAIL looking up CAA for kloon.work.gd - the domain's nameservers may be malfunctioning

Guess I'll just wait and try another time. Thank you, guys.