On 21/07/2017 17:39, Jacob Hoffman-Andrews via Unbound-users wrote:

Hi Jacob,

> I have another question related to SERVFAIL. Let's Encrypt tries to
> provide the most useful error messages possible to its users. My
> understanding is that a SERVFAIL response could indicate a variety of
> problems, including "DNSSEC validation failed," "a remote resolver
> failed," and "Unbound failed." Is there any way for us to distinguish
> the DNSSEC validation failure from the other cases, so we can provide
> that in a detailed error message to our users?

If you get a SERVFAIL response, you can repeat the query with the CD (checking disabled) flag set. If you then get a NOERROR response, then it's reasonable to conclude that DNSSEC validation was the problem.

Regards,
Anand Buddhdev
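The retry described in the reply above, as an added example that is not part of the original message or of Unbound or Let's Encrypt code: it builds the two queries by hand so the CD bit is visible, and classifies the result. The function names, the result labels and the `fake_resolver` stand-in are assumptions made for this sketch.

```python
import socket
import struct

RD, CD = 0x0100, 0x0010      # header flag bits: recursion desired, checking disabled
NOERROR, SERVFAIL = 0, 2     # RCODE values

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Build a minimal DNS query (class IN); cd=True sets the CD flag.
    The fixed query ID is for the demo only; randomize it in real use."""
    header = struct.pack("!HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def rcode(response):
    """RCODE is the low 4 bits of the 16-bit flags word in the header."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def udp_exchange(server, port=53, timeout=3.0):
    """Return a callable that sends one packet to a resolver over UDP."""
    def exchange(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (server, port))
            return s.recvfrom(4096)[0]
    return exchange

def classify(name, exchange, qtype=1):
    """Query normally; on SERVFAIL, repeat with CD set and compare."""
    if rcode(exchange(build_query(name, qtype))) != SERVFAIL:
        return "no-servfail"
    if rcode(exchange(build_query(name, qtype, cd=True))) == NOERROR:
        return "dnssec-validation-failure"
    return "other-failure"

def fake_resolver(bogus):
    """Constructed stand-in resolver: bogus=True fails only when validating,
    bogus=False fails regardless of the CD flag."""
    def exchange(packet):
        qid, flags = struct.unpack("!HH", packet[:4])
        rc = NOERROR if (bogus and flags & CD) else SERVFAIL
        return struct.pack("!HH", qid, 0x8000 | (flags & (RD | CD)) | rc) + packet[4:]
    return exchange

if __name__ == "__main__":
    print(classify("example.com", fake_resolver(bogus=True)))
    print(classify("example.com", fake_resolver(bogus=False)))
```

Against a real validating resolver, pass `udp_exchange("127.0.0.1")` (or the resolver's address) as the `exchange` argument instead of the stand-in.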
