unresolvable over DoH


For whatever reasons when using Cloudflare DNS over HTTPS I’m unable to resolve the domain, using seems to work just fine… When attempting to resolve using the DoH protocol I’m getting a SERVFAIL:

$ dig A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30631
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

$ dig @ A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31595
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

Would have pasted the entire output but unable to because of too many links…

Any idea what may be causing this? If it makes any difference my primary local DNS server on my network is named which is forwarding requests to dnscrypt-proxy. The setup works fine but it’s just this domain experiencing the problem.



I have a named instance forwarding to resolvers that aren’t Cloudflare, and aren’t using DoH or DoT, and it also returns SERVFAIL for this name.

I have a guess as to why it fails for me – the CNAME has an RRSIG, the zone has no DNSKEY, and the zone has no DS, which named doesn’t like – but I’m not sure why it fails for you, since Knot Resolver removes the RRSIG.

In any case, the domain’s nameservers are pretty shonky and it’s kind of surprising anything works.


I’m using dnssec validation in named… perhaps that’s why it’s happening for me since it appears the DNSKEY is jacked up… thanks for the help.



If named is forwarding to Cloudflare, Cloudflare doesn’t return the RRSIG, so named shouldn’t query for DNSKEY and realize that it’s broken.

(The domain doesn’t have a DS, so it doesn’t have to validate.)


I’m not sure what “knot resolver” is nor am I using it, unless you’re saying that it’s embedded in dnscrypt-proxy or something. Otherwise, I’m not sure why either assuming we’re under the impression that the RRSIG is being omitted with using the setup I have…(nor would I really know how to test that…)


Knot Resolver is the recursive DNS server implementation that uses.

dig +dnssec @” returns an RRSIG record along with the others, while “dig +dnssec @” or “dig +dnssec @” does not.

(, and all use different implementations.)


Hm, so why would something like “dig @ +dnssec” return a RRSIG (just trying to find another example…)


Because has a DS record and isn’t totally buggy.


Figured you may have been suggesting that Cloudflare doesn’t return RRSIG regardless… I’m not really too sure, one thing I found was weird is that dnscrypt-proxy doesn’t appear to be getting a SERVFAIL in it’s query log for that domain, wondering if it’s named that is the one that’s ultimately complaining about things… I have dnssec validation on for both named and dnscrypt-proxy. I could turn up my log on named to see if that’s where it’s ultimately failing but it seems like the DNS server for that domain is really what needs to be fixed…


So, I figured this out in case you were wondering… Turns out that was added to a blacklist of mine… not really surprising, I don’t like AWS either (should have checked this from get-go, apologies for the false alarm). Thanks again for the help.

1 Like