Maintained by: NLnet Labs

Distinguishing types of SERVFAIL

Jacob Hoffman-Andrews
Fri Jul 21 17:39:10 CEST 2017


Thanks to W.C.A. Wijngaards for the very helpful reply on my last
question, about DNSSEC, empty responses, and use-caps-for-id. We
discovered a bug in PowerDNS
(https://community.letsencrypt.org/t/caa-servfail-changes/38298/2),
which happily was fixed in the 4.0.4 release in June.

I have another question related to SERVFAIL. Let's Encrypt tries to
provide the most useful error messages possible to its users. My
understanding is that a SERVFAIL response could indicate a variety of
problems, including "DNSSEC validation failed," "a remote resolver
failed," and "Unbound failed." Is there any way for us to distinguish
the DNSSEC validation failure from the other cases, so we can provide
that in a detailed error message to our users?

Thanks,
Jacob