We can get SERVFAIL responses from our DNS server for a number of reasons, one of which is DNSSEC failure. It would be useful to show a helpful message for the latter, which is a fairly common failure. This would also allow us to use the specific DNSSEC error type that's provided in ACME.
We can do this by adding a helper method that will re-query SERVFAIL responses with the CD (Checking Disabled) bit, and if the re-query succeeds, we can consider the original error a DNSSEC error.
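A sketch of the re-query helper described above, as an added example that is not the project's own code. The transport function `ex`, the names `Lookup`, `bogusZone` and `sampleQuery`, and the reading of "succeeds" as a NOERROR response code are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

const cdBit, rcodeMask, rcodeNoError, rcodeServFail = 0x10, 0x0F, 0, 2 // header byte 3: RA Z AD CD RCODE
var ErrDNSSEC, ErrServFail = errors.New("DNSSEC validation failure"), errors.New("SERVFAIL, cause unknown")

var sampleQuery = []byte("\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01") // constructed: example.com. A IN, RD set

// rcodeOf returns the response code, or -1 if the header is truncated.
func rcodeOf(msg []byte) int {
	if len(msg) < 12 {
		return -1
	}
	return int(msg[3] & rcodeMask)
}

// Lookup re-sends a SERVFAILed query with CD set. NOERROR on the retry means only
// validation failed; that answer is unvalidated, so it is never returned as data.
// ex is a hypothetical transport; query must hold a full 12-byte DNS header.
func Lookup(ex func(query []byte) ([]byte, error), query []byte) ([]byte, error) {
	resp, err := ex(query)
	if err != nil || rcodeOf(resp) != rcodeServFail {
		return resp, err
	}
	cd := append([]byte(nil), query...) // copy so the caller's query is not modified
	cd[3] |= cdBit
	if retry, rerr := ex(cd); rerr == nil && rcodeOf(retry) == rcodeNoError {
		return nil, ErrDNSSEC
	}
	return nil, ErrServFail
}

// bogusZone is a constructed resolver: SERVFAIL unless the query has CD set.
func bogusZone(q []byte) ([]byte, error) {
	resp := append([]byte(nil), q...)
	resp[2] |= 0x80 // QR: mark as response
	if q[3]&cdBit == 0 {
		resp[3] |= rcodeServFail
	}
	return resp, nil
}

func main() {
	_, err := Lookup(bogusZone, sampleQuery)
	fmt.Println(err)
}
```

The CD retry doubles query volume only on the SERVFAIL path, and its answer section is used for classification alone.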