The domain's name servers may be malfuntioning

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Hi I am running an AWS EC2 instance with Ubuntu and attempting to setup https for my domain. The site is in early development and is accessible via the elastic ip setup: It I try to ping the domain or curl the domain name I get information back so I fairly certain DNS is working properly, but I am still gettting the below error. Any help is greatly appreciated!!

My domain is:

I ran this command:
sudo certbot --nginx -d -d

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for - the domain’s nameservers may be malfunctioning, (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for -the domain’s nameservers may be malfunctioning


  • The following errors were reported by the server:

    Type: None
    Detail: DNS problem: SERVFAIL looking up A for - the
    domain’s nameservers may be malfunctioning

    Type: None
    Detail: DNS problem: SERVFAIL looking up A for -
    the domain’s nameservers may be malfunctioning

My web server is (include version):
Not sure is this separate from the operating system the web server runs on? I am using the current version of nginx if that helps

The operating system my web server runs on is (include version):
Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:
GoDaddy hosts the domain and Amazon hosts the dns

I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Other Info
I saw this in on a different post and ran it, not really sure what to do with the information though.

It looks like your DNSSEC is misconfigured:

If you use a DNSSEC-validating resolver (like or they both report SERVFAIL too.

Either disable DNSSEC at your domain registrar, or go through the setup process again to make sure all the signing keys are configured properly.

Hi @stickly082

there - - you see the problem:

Your DNSSEC is broken.

Your parent zone says: You use DNSSEC. Your current zone doesn’t use DNSSEC, that’s fatal.

Looks like you have changed your dns provider, so your new configuration doesn’t use / support DNSSEC.

Check your name server to

  • update, so you use DNSSEC (or)
  • to refresh, so the DS record in the parent zone is removed.
1 Like

@JuergenAuer @_az
Hey sorry for the late response I work a separate day job, turning off DNSSEC worked thank you guys! Spent some time digging through AWS Route 53 trying to see if I could turn it on or reset it, before realizing that it was a setting at the “registrar” ie. GoDaddy rather than Route53 the DNS provider. Https now works and the site is visible, super excited to have this finally working have been working on this for several days.

  • The only other question I have is whether or not its okay to have turned off DNSSEC? I did some research about what it is and the background behind it and it seems like its best to leave it turned on? How imperative is it and will it be a big issue if I leave it turned off?

Once again thank you so much!

DNSSEC is a great security feature, I use it. But your configuration was inconsistent.

You may

  • activate DNSSEC again,
  • then recheck your domain

to see, if it works.

DNS answers can be spoofed. With DNSSEC, that’s not longer possible.

1 Like

Route 53’s DNS service does not support DNSSEC; you would have to switch DNS services if you want to use it.

(Route 53’s registrar features do support managing DS records, at least on some TLDs.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.