Maintained by: NLnet Labs

Distinguishing types of SERVFAIL

Anand Buddhdev
Fri Jul 21 17:52:45 CEST 2017

On 21/07/2017 17:39, Jacob Hoffman-Andrews via Unbound-users wrote:

Hi Jacob,

> I have another question related to SERVFAIL. Let's Encrypt tries to
> provide the most useful error messages possible to its users. My
> understanding is that a SERVFAIL response could indicate a variety of
> problems, including "DNSSEC validation failed," "a remote resolver
> failed," and "Unbound failed." Is there any way for us to distinguish
> the DNSSEC validation failure from the other cases, so we can provide
> that in a detailed error message to our users?

If you get a SERVFAIL response, you can repeat the query with the CD
(checking disabled) flag set. If you then get a NOERROR response, then
it's reasonable to conclude that DNSSEC validation was the problem.

Anand Buddhdev