
I am facing a very weird issue.

Everything works well for all the domains on server but one.

I added this domain some days ago and this is the situation:

1) If I run intodns.com/domain.com I get the correct domain NS records. And also correct NS records from your nameservers. All looks fine.

2) If I ping from my computer, it also works ok.

3) The AutoSSL certificates for this domain never leave the queue. They stay there indefinitely as Pending. I added another domain by the time I added this one, and that one worked ok. So AutoSSL is failing only for this one domain.

4) If I enter WHM > Terminal and run dig domain.com, I get SERVFAIL:

```
[root@server ~]# dig domain.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;domain.com.                    IN      A

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 24 14:51:40 GMT 2020
;; MSG SIZE  rcvd: 50
```

But if I run dig domain.com +trace, it works ok.

5) If I enter WHM > Terminal and run host domain.com, I get a SERVFAIL error too:

```
Host domain.com not found: 2(SERVFAIL)
```

I've waited but nothing changed. I added this domain two days ago.

I've tried removing the domain from the server, terminating the account, and adding it back. No change. When I terminated the account, the AutoSSL queue got cleared; then, when I added it back, the entries were added again and they're still there.

I have the Google resolvers on this server, tried changing to OpenSSL, no difference.

I need to run a script on server which is failing because it cannot resolve the domain, so I cannot use the domain at all besides the fact that it doesn't get the SSL certificates.

It is odd that from my computer I can ping it ok, though.

What can be happening here? Thanks for any help to get this fixed!

EDIT: By using Google Public DNS test I found out that the domain throws a DNSSEC error.

https://dns.google.com/

We're contacting registrar now asking them to remove DS records from parent zone. I will write once we've resolved this in case it helps someone in the future.

Vero

1 Answer


This is how we resolved it in case it helps anyone in the future:

The domain had DNSSEC enabled by the previous owner. We removed the DNSSEC records at the registrar, and then had to wait for propagation to the parent nameservers.

Vero

FWIW `SERVFAIL` can indeed be related to DNSSEC problems (and with newer nameservers using the new "extended codes" DNS extension they could tell you that in detail), or not. One way to discriminate is to use the `+cdflag` to `dig`. If there, it means to not do DNSSEC validation. So if a query without it gets SERVFAIL but the same query right at the same time with the flag succeeds, it is 99.99% related to DNSSEC. Otherwise do rely on good troubleshooting tools such as DNSViz online. It will pinpoint DNSSEC (and others!) errors immediately with a nice diagram of the zone and its parents. – Patrick Mevzek Jul 29 '22 at 22:05
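The discrimination technique from the comment above (compare a normal query with a `+cdflag` query) applied to the symptom in the question (SERVFAIL from a validating resolver, `+trace` fine) is written out below as an added example script; it is not code from the question, the answer, or any cPanel tool. It assumes `dig` is installed, uses 8.8.8.8 as the default validating resolver, treats `domain.com` as the question's placeholder name, and includes two constructed dig header lines (not captured from a real server) so the parsing and classification can be exercised without network access.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from other SERVFAILs.
# A validating resolver returns SERVFAIL when the chain of trust is broken
# (for example a stale DS record at the parent, as in the question). The same
# query sent with +cdflag (Checking Disabled) skips validation; if that one
# succeeds while the plain query fails, DNSSEC is the cause.

# Extract the "status:" field from the ->>HEADER<<- line of dig output.
# $1 = full text of a dig run.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Classify a pair of statuses: $1 = without CD, $2 = with +cdflag.
classify() {
    plain=$1
    cd=$2
    if [ "$plain" = "SERVFAIL" ] && [ "$cd" = "NOERROR" ]; then
        echo "DNSSEC_VALIDATION_FAILURE"
    elif [ "$plain" = "SERVFAIL" ] && [ "$cd" = "SERVFAIL" ]; then
        echo "SERVFAIL_NOT_DNSSEC"
    elif [ "$plain" = "NOERROR" ]; then
        echo "RESOLVES"
    else
        echo "OTHER:$plain/$cd"
    fi
}

# Live check (needs dig and network): $1 = domain, $2 = resolver (assumed default 8.8.8.8).
check_domain() {
    domain=$1
    resolver=${2:-8.8.8.8}
    plain=$(dig_status "$(dig @"$resolver" "$domain" A)")
    cd=$(dig_status "$(dig @"$resolver" "$domain" A +cdflag)")
    verdict=$(classify "$plain" "$cd")
    echo "$domain: without CD=$plain, with CD=$cd -> $verdict"
    if [ "$verdict" = "DNSSEC_VALIDATION_FAILURE" ]; then
        # Show what the parent publishes: a DS that no longer matches any
        # DNSKEY in the zone is the situation the answer describes.
        echo "DS records published by the parent zone:"
        dig @"$resolver" "$domain" DS +short
        echo "DNSKEY records served by the zone itself:"
        dig @"$resolver" "$domain" DNSKEY +short +cdflag
    fi
}

# Constructed sample header lines (not real captures) for offline use.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54617'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54618'

# Usage: sh dnssec_check.sh domain.com [resolver]
if [ -n "${1:-}" ]; then
    check_domain "$1" "${2:-}"
fi
```

A `DNSSEC_VALIDATION_FAILURE` verdict together with a non-empty DS answer and an empty DNSKEY answer is exactly the stale-DS case: the parent still vouches for keys the zone no longer serves, so every validating resolver (Google's included) fails the lookup while `+trace`, which does not validate, and non-validating clients still see the records. The fix is the one in the answer, removing (or correcting) the DS records at the registrar, after which the verdict should move to `RESOLVES` once the parent zone has propagated.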