Distinguishing types of SERVFAIL
Anand Buddhdev
anandb at ripe.net
Fri Jul 21 15:52:45 UTC 2017
On 21/07/2017 17:39, Jacob Hoffman-Andrews via Unbound-users wrote:
Hi Jacob,
> I have another question related to SERVFAIL. Let's Encrypt tries to
> provide the most useful error messages possible to its users. My
> understanding is that a SERVFAIL response could indicate a variety of
> problems, including "DNSSEC validation failed," "a remote resolver
> failed," and "Unbound failed." Is there any way for us to distinguish
> the DNSSEC validation failure from the other cases, so we can provide
> that in a detailed error message to our users?
If you get a SERVFAIL response, you can repeat the query with the CD
(checking disabled) flag set. If you then get a NOERROR response, then
it's reasonable to conclude that DNSSEC validation was the problem.
Regards,
Anand Buddhdev
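
The check described in the reply above, as an added example that is not part of the original email: it builds a query with the CD bit set, reads the RCODE from each response, and classifies the pair. The function names, the result labels, the resolver address passed to `ask` and the `fake_response` helper are assumptions made for illustration.

```python
import secrets
import socket
import struct

RD, CD = 0x0100, 0x0010            # header flag bits: Recursion Desired, Checking Disabled
NOERROR, SERVFAIL = 0, 2           # RCODE values

def build_query(name, qtype=1, cd=False, qid=None):
    """Encode a minimal DNS query; cd=True sets the Checking Disabled bit."""
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def rcode(message):
    """Return the RCODE (low 4 bits of the flags word) of a DNS message."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", message[2:4])[0] & 0x000F

def classify(normal_resp, cd_resp):
    """SERVFAIL without CD, then NOERROR with CD, points at DNSSEC validation."""
    if rcode(normal_resp) != SERVFAIL:
        return "not-servfail"
    if rcode(cd_resp) == NOERROR:
        return "dnssec-validation-failure"
    return "other-failure"

def ask(resolver, name, cd=False, timeout=3.0):
    """Send one UDP query to the validating resolver and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (resolver, 53))
        return s.recv(4096)

def fake_response(rc, cd=False):
    """Constructed sample: a bare 12-byte response header with the given RCODE."""
    flags = 0x8000 | RD | 0x0080 | (CD if cd else 0) | rc   # QR, RD, RA
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
```

Against a live resolver, call `classify(ask(addr, name), ask(addr, name, cd=True))`, where `addr` is the address of your Unbound instance.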