Distinguishing types of SERVFAIL

Jacob Hoffman-Andrews jsha at eff.org
Fri Jul 21 17:39:10 CEST 2017

Thanks to W.C.A Wijngaards for the very helpful reply on my last
question, about DNSSEC, empty responses, and use-caps-for-id. We
discovered a bug in PowerDNS
which happily was fixed in the 4.0.4 release in June.

I have another question related to SERVFAIL. Let's Encrypt tries to
provide the most useful error messages possible to its users. My
understanding is that a SERVFAIL response could indicate a variety of
problems, including "DNSSEC validation failed," "a remote resolver
failed," and "Unbound failed." Is there any way for us to distinguish
the DNSSEC validation failure from the other cases, so we can provide
that in a detailed error message to our users?


More information about the Unbound-users mailing list