Internal - SERVFAIL and NXDOMAIN when using dig to search CAA records

July 17, 2018

SERVFAIL indicates that the fully qualified domain name (FQDN) being looked up does exist and that the root name servers have information on the domain, but that the authoritative name servers are not answering queries for it. For example, you have an application server that is trying to call a public API to look up some information. The application queries for the name, SERVFAIL is returned and the call fails. Depending on how the application is written you may or may not see the error or be able to react to it; you may never know that the call is failing, or it may take a long time to work out that DNS is causing the failure. For SERVFAIL errors you need to track down the authoritative name servers and find out why they aren't responding.

Querying CAA for these domains against Google's Public DNS toolbox (which performs DNSSEC validation) yields a return code of SERVFAIL, but using the ANY record type we see NOERROR.

The issue is that the customer's domain is configured incorrectly with regard to DNSSEC. We are required to perform DNSSEC validation as per the CA/Browser Forum (CABForum). We receive a SERVFAIL when querying for CAA records with DNSSEC validation enabled; if we query for the ANY record type, the query succeeds.

The SERVFAIL response code may have come from a recursive resolver. Recursive resolvers return SERVFAIL if an authoritative server is unresponsive, or if an authoritative server itself returns SERVFAIL (or for a few other reasons, DNSSEC validation failure among them). In theory Unbound has a number of retries and

For SERVFAIL errors you need to check your own name servers and make sure they are available, and also track down the authoritative name servers for the domain and find out why they aren't responding.

NXDOMAIN can mean that the root name servers are not providing any authoritative name servers for this domain. This can be because the domain does not exist, or because the domain has expired and been put on hold. These errors are not only fatal for applications and clients trying to connect, they can also be extremely hard to diagnose. Think about it this way: in a web browser, if you try to reach a site that does not exist you get an error such as "DNS_PROBE_FINISHED_NXDOMAIN", you check the spelling of the address and fix the issue. Now think about applications or servers running in your environment: if they are receiving NXDOMAIN because some domain they depend on has expired, you may or may not know about it. For NXDOMAIN you need to track down the registrar with a tool such as "whois" and find out why the domain is no longer available.
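The triage described above (SERVFAIL from a validating resolver, success when validation is not applied, NXDOMAIN pointing at the registrar) can be scripted. The following is an added example, not part of the original article: it parses the header of `dig` output and compares a validating CAA lookup with the same lookup run with `+cd` (checking disabled, which is a more reliable way to bypass validation than switching to the ANY type, since many resolvers now refuse or minimise ANY answers). The dig outputs, the zone names and the resolver address 192.0.2.53 are all constructed samples.

```python
"""Triage SERVFAIL / NXDOMAIN seen while looking up CAA records.

Added example (not from the original article). It parses the header of
`dig` output and compares a validating lookup with a checking-disabled
(+cd) lookup to separate DNSSEC validation failures from unreachable
authoritative servers and from NXDOMAIN. All dig outputs below are
constructed samples; 192.0.2.53 is a placeholder resolver address.
"""
import re

# Header and flags lines as emitted by dig (BIND 9).
STATUS_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)

# Constructed sample outputs.
SERVFAIL_VALIDATING = """; <<>> DiG 9.11.3 <<>> @192.0.2.53 +dnssec CAA example.test
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26538
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
NOERROR_CD = """; <<>> DiG 9.11.3 <<>> @192.0.2.53 +cd CAA example.test
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4401
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.  3600  IN  CAA  0 issue "ca.example"
"""
NXDOMAIN_OUT = """; <<>> DiG 9.11.3 <<>> @192.0.2.53 +dnssec CAA expired.test
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9002
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""


def rcode(dig_output: str) -> str:
    """Return the response code (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output."""
    m = STATUS_RE.search(dig_output)
    if not m:
        # No header at all: dig got no answer from the resolver (timeout).
        return "NORESPONSE"
    return m.group(1)


def flags(dig_output: str) -> set:
    """Return the header flags (qr, rd, ra, ad, cd, ...) as a set."""
    m = FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def dig_commands(name: str) -> list:
    """The two lookups to run; the resolver address is a placeholder."""
    return [
        f"dig @192.0.2.53 +dnssec CAA {name}",  # validating path, as a CA's resolver sees it
        f"dig @192.0.2.53 +cd CAA {name}",      # same query with DNSSEC checking disabled
    ]


def triage(validating_output: str, cd_output: str) -> dict:
    """Classify the failure and name the next diagnostic step."""
    v, c = rcode(validating_output), rcode(cd_output)
    if v == "SERVFAIL" and c in ("NOERROR", "NXDOMAIN"):
        # Only the validating lookup fails: the zone's DNSSEC chain is broken.
        return {"cause": "dnssec_validation_failure",
                "next": "check the DS/DNSKEY chain and RRSIG expiry on the zone"}
    if v == "SERVFAIL":
        # Fails even with checking disabled: authoritative servers down or failing.
        return {"cause": "authoritative_unreachable_or_servfail",
                "next": "query each NS directly (dig @<ns> CAA <name>) and check reachability"}
    if v == "NXDOMAIN":
        return {"cause": "name_does_not_exist",
                "next": "check spelling, then registrar status with whois"}
    if v == "NOERROR":
        return {"cause": "ok", "next": "none; CAA lookup succeeded"}
    return {"cause": f"unexpected_rcode_{v}", "next": "inspect the full dig output"}


if __name__ == "__main__":
    for cmd in dig_commands("example.test"):
        print(cmd)
    print(triage(SERVFAIL_VALIDATING, NOERROR_CD))
    print(triage(NXDOMAIN_OUT, NXDOMAIN_OUT))
```

Run the two `dig` commands against the resolver that actually serves the failing application, paste their output into `triage`, and the result tells you whether to chase the zone's DNSSEC chain, the authoritative servers, or the registrar.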