Distinguishing types of SERVFAIL
Jacob Hoffman-Andrews
jsha at eff.org
Fri Jul 21 15:39:10 UTC 2017
Thanks to W.C.A Wijngaards for the very helpful reply on my last
question, about DNSSEC, empty responses, and use-caps-for-id. We
discovered a bug in PowerDNS
(https://community.letsencrypt.org/t/caa-servfail-changes/38298/2),
which happily was fixed in the 4.0.4 release in June.
I have another question related to SERVFAIL. Let's Encrypt tries to
provide the most useful error messages possible to its users. My
understanding is that a SERVFAIL response could indicate a variety of
problems, including "DNSSEC validation failed," "a remote resolver
failed," and "Unbound failed." Is there any way for us to distinguish
the DNSSEC validation failure from the other cases, so we can provide
that in a detailed error message to our users?
Thanks,
Jacob
More information about the Unbound-users
mailing list