SERVFAIL when trying to get a certificate


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot --manual certonly

It produced this output: Failed authorization procedure. (http-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up A for

The operating system my web server runs on is (include version): Ubuntu 16

I can login to a root shell on my machine (yes or no, or I don’t know): yes


Hi @itolymp

you have buggy nameservers ( ):


|X|Fatal error: Nameserver doesn't support TCP connection: /|
|X|Fatal error: Nameserver doesn't support TCP connection: /|
|X|Fatal error: Nameserver doesn't support TCP connection: / 2604:a880:400:d0::1699:d001|
|X|Fatal error: Nameserver doesn't support TCP connection: /|
|X|Fatal error: Nameserver doesn't support TCP connection: / 2a01:4f9:c010:2624::1|

Authoritative name servers must support TCP connections:

Name server reachability

The name servers must answer DNS queries over both the UDP and TCP protocols on port 53. Tests will be conducted from multiple network locations to verify the name server is responding.

This tool sees an IP address.

Unboundtest (Letsencrypt uses the same config)

has the same SERVFAIL.


For me, TCP does respond.

It looks like the nameservers incorrectly respond to capitalized queries with a referral to the root:

$ dig +norecurse @2604:a880:400:d0::1699:d001 Itolymp.Com

; <<>> DiG <<>> +norecurse @2604:a880:400:d0::1699:d001 Itolymp.Com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63279
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;Itolymp.Com.                   IN      A

.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.

;; Query time: 44 msec
;; SERVER: 2604:a880:400:d0::1699:d001#53(2604:a880:400:d0::1699:d001)
;; WHEN: Sun Feb 10 12:45:01 UTC 2019
;; MSG SIZE  rcvd: 251

Responses to lowercase queries are apparently correct.


That’s interesting.

I’ve checked my code manual. The result:

The nameserver sends one byte back (0x0). If I read again, I get the rest.

There are other nameservers who send two bytes (this is the size of the following UDP-response), then reading again, then follows the rest.

So now the tool sees TCP-support.

Perhaps unboundtest (and Letsencrypt with the same settings)

gets the same: One byte -> SERVFAIL.

Query results for A

;; opcode: QUERY, status: SERVFAIL, id: 1739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

But I don’t see a single SERVFAIL in the answer.