Getting SERVFAIL error for one domain

Operating System & Version
Centos 7.7
cPanel & WHM Version
86.0.18

veronicabend

Well-Known Member
Feb 25, 2005
76
2
158
I am facing a very weird issue.

Everything works well for all the domains on server but one.

I added this domain some days ago and this is the situation:

1) If I run intodns.com/domain.com I get the correct domain NS records. And also correct NS records from your nameservers. All looks fine.

2) If I ping from my computer, it also works ok.

3) The AutoSSL certificates for this domain never leave the queue. They stay there indefinitely as Pending. I added another domain by the time I added this one, and that one worked ok. So AutoSSL is failing only for this one domain.

4) If I enter WHM > Terminal and run dig domain.com , I get SERVFAIL:

[root@server ~]# dig domain.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;domain.com. IN A

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 24 14:51:40 GMT 2020
;; MSG SIZE rcvd: 50
But if I run dig domain.com +trace, it works ok.

5) If I enter WHM > Terminal and run host domain.com, I get a SERVFAIL error too:

Host domain.com not found: 2(SERVFAIL)
I've waited but nothing changed. I added this domain two days ago.

I've tried removing the domain from the server, terminating the account, and adding it back. No change. When I terminated the account, the AutoSSL queue got cleared, then when I added it back, the entries were added again and they're still there.

I have the Google resolvers on this server, tried changing to OpenSSL, no difference.

I need to run a script on server which is failing because it cannot resolve the domain, so I cannot use the domain at all besides the fact that it doesn't get the SSL certificates.

It is odd that from my computer I can ping it ok, though.

What can be happening here?
Thanks for any help to get this fixed!
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
It sounds like the domain is pointed to the server correctly but the DNS Zone file on the server is either not present or not being recognized. Are you using a DNS Cluster? What is the output of the following?

Code:
dig @yourserverIP domain.tld
Then the same but with the nameservers:

Code:
dig @ns1.yourhost.tld domain.tld

dig @ns2.yourhost.tld domain.tld
 

veronicabend

It sounds like the domain is pointed to the server correctly but the DNS Zone file on the server is either not present or not being recognized. Are you using a DNS Cluster? What is the output of the following?

Code:
dig @yourserverIP domain.tld
This is the output:
Code:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @x.x.x.x domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22376
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.tld.                    IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020042401 1800 900 604800 86400

;; Query time: 50 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Fri Apr 24 18:06:41 GMT 2020
;; MSG SIZE  rcvd: 114
Then the same but with the nameservers:

Code:
dig @ns1.yourhost.tld domain.tld

dig @ns2.yourhost.tld domain.tld
Code:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @ns1.xxx.xx domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16454
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.tld.                    IN      A

;; AUTHORITY SECTION:
.                       10455   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020042401 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Fri Apr 24 18:12:26 GMT 2020
;; MSG SIZE  rcvd: 114
Code:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @ns2.xxx.xxx domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37069
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.tld.                    IN      A

;; AUTHORITY SECTION:
.                       10373   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020042401 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Fri Apr 24 18:13:48 GMT 2020
;; MSG SIZE  rcvd: 114
It is very odd that all other domains on this server use the same nameservers and all work ok, and this one has this issue.
Thanks.
 

cPanelLauren

This kind of confirms what I was thinking. Is the DNS Zone file for this domain present in /var/named/ and if so does it carry the same permissions as the rest of the domains? Are you running PowerDNS or named?
 

veronicabend

This kind of confirms what I was thinking. Is the DNS Zone file for this domain present in /var/named/ and if so does it carry the same permissions as the rest of the domains? Are you running PowerDNS or named?
Thanks.

I'm running named. I've already restarted it a few times in case it would help.

The zone file is there at /var/named. I just checked.
It is also listed inside named.conf, same as all the others. It is the last one.

I just tried ping domain.com from my home computer. And it resolves the domain to the right IP and pings ok.
Then I tried ping domain.com from WHM > Terminal, both on the server where this domain is, and on another server.
When pinging from terminal on the same server, I get:

ping: xxxxx.com: Name or service not known

When pinging from terminal on another server, I get:

ping: unknown host xxxxx.com

In both cases, pinging to other domains on this server pings correctly.

I also put a coming soon page on the domain, and I can see it in the browser in my home computer.
 

veronicabend

This kind of confirms what I was thinking. Is the DNS Zone file for this domain present in /var/named/ and if so does it carry the same permissions as the rest of the domains? Are you running PowerDNS or named?
I found a way to test the domain name resolution at the Google Public nameservers, since the server uses 8.8.8.8 and 8.8.4.4 as resolvers.

And the result I get is a DNSSEC error.

Is it possible that whoever owned this domain before had DNSSEC enabled for it? How could I clear that?

Thanks.
 

cPanelLauren

What's more likely is that the registrar automatically configured it when the domain was purchased. If you purchased the domain through NameCheap when you log in go to Domain list -> Domain -> Manage -> Advanced DNS and I believe that's where the DNSSEC settings for the domain live.
 

veronicabend

What's more likely is that the registrar automatically configured it when the domain was purchased. If you purchased the domain through NameCheap when you log in go to Domain list -> Domain -> Manage -> Advanced DNS and I believe that's where the DNSSEC settings for the domain live.
Thanks. The registrar in this case is GoDaddy.
And it is very odd because it is the only domain for which this has happened, ever.
I've been researching and, apparently, we need to ask them to remove the DS records from the parent (TLD) zone.
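The failure pattern in this thread (validating resolver answers SERVFAIL, the authoritative servers and dig +trace answer fine) is what a DS record left at the registrar produces once the zone it pointed to is gone: the parent says "this child is signed with key X", the child serves no matching DNSKEY, so a validating resolver marks the zone bogus. The check below is an added example, not from the thread or from cPanel: it recomputes the DS a parent must publish for a given DNSKEY (RFC 4034, SHA-256 digest type) and flags DS records at the parent that no current DNSKEY satisfies. The owner name, key material and DS values are constructed toy data, not real records.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Encode an owner name in DNS wire format (lowercase, length-prefixed labels)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of 16-bit big-endian words, carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64):
    """DS the parent zone must publish for this DNSKEY (digest type 2 = SHA-256 only).
    Digest input is owner name in wire format followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def stale_ds_records(parent_ds, child_dnskeys, owner):
    """DS records at the parent that no DNSKEY in the child zone can satisfy.
    When every DS is stale, a validating resolver (e.g. 8.8.8.8) treats the zone as
    bogus and returns SERVFAIL; a non-validating path such as dig +trace still answers."""
    published = {make_ds(owner, *key) for key in child_dnskeys}
    return [ds for ds in parent_ds if ds not in published]

# Constructed sample records (toy key, not a real DNSKEY).
OWNER = "domain.tld."
CURRENT_KSK = (257, 3, 13, "AQIDBA==")   # flags, protocol, algorithm, base64 key
STALE_DS = (12345, 13, 2, "AB" * 32)     # DS left at the registrar by a former key

if __name__ == "__main__":
    for ds in stale_ds_records([STALE_DS], [CURRENT_KSK], OWNER):
        print("DS at parent has no matching DNSKEY in zone -> validation fails:", ds)
```

In practice the inputs come from `dig DS domain.tld` against a parent nameserver and `dig DNSKEY domain.tld` against the authoritative server; any DS listed by the check has to be removed at the registrar (or re-published for the current key) before validating resolvers will answer again.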
 

cPanelLauren

I'm sorry, for some reason I thought you mentioned NameCheap. I don't have DNSSEC set up for my domain registered with them, but as far as I am aware you should be able to go to manage your domain -> DNS -> Advanced Features -> DNSSEC. It's explained here: Delete a DS record | Domains - GoDaddy Help US
 