How to Fix DNS SERVFAIL Errors
SERVFAIL means a recursive resolver could not produce a trustworthy answer. Unlike NXDOMAIN, it does not mean the hostname is missing. The fastest fix comes from identifying which stage of resolution failed.
Reproduce the failure with several resolvers
dig @1.1.1.1 example.com A
dig @8.8.8.8 example.com A
dig @9.9.9.9 example.com A
Trace the delegation
A trace follows the path from the root to the authoritative zone. Look for missing glue, unreachable nameservers, timeouts or a delegation that points to the wrong provider.
dig +trace example.com A
dig example.com NS +trace
Test authoritative servers directly
dig @ns1.example.net example.com A +norecurse
dig @ns2.example.net example.com A +norecurse
dig @ns1.example.net example.com SOA +short
dig @ns2.example.net example.com SOA +short
Validate DNSSEC
If the failure affects validating resolvers, inspect the DS record at the parent and DNSKEY/RRSIG records in the child zone. A stale DS after changing DNS providers is a frequent cause.
dig example.com DS +dnssec
dig example.com DNSKEY +dnssec
dig example.com A +dnssec +cdflag
Frequent root causes
Nameserver unreachable over UDP or TCP 53
Check firewall rules, routing and both DNS transports.
Lame delegation
Every delegated server must answer authoritatively for the zone.
Stale DS record
Update or remove the DS at the registrar to match the active DNSKEY.
Expired DNSSEC signatures
Restore signing and publish valid RRSIG records.
Different zone versions
Synchronise authoritative servers and compare SOA serials.
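To confirm the stale DS case described above, the following added example (not part of the original page) recomputes the DS digest from each DNSKEY in the child zone and compares it with what the parent publishes. It assumes the records are pasted in the text form that dig +short prints; the function names are hypothetical and the keys are constructed placeholders.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Owner name in canonical (lowercase) wire form, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(dnskey):
    """'257 3 13 <base64...>' as printed by dig +short -> RDATA bytes."""
    flags, proto, alg, *b64 = dnskey.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """DS RDATA text that the parent should publish for this DNSKEY."""
    rdata = dnskey_rdata(dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def check_ds(owner, ds_records, dnskeys):
    """Label each parent DS 'match' if some child DNSKEY hashes to it, else 'stale'."""
    results = []
    for ds in ds_records:
        tag, alg, dtype, *hexparts = ds.split()  # dig may split the digest with spaces
        if int(dtype) not in DIGESTS:
            results.append((ds, "unknown-digest-type"))
            continue
        want = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(hexparts).upper()}"
        ok = any(make_ds(owner, k, int(dtype)) == want for k in dnskeys)
        results.append((ds, "match" if ok else "stale"))
    return results

# Constructed sample data: placeholder 64-byte values, not real ECDSA keys.
OLD_KEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
NEW_KEY = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()
PARENT_DS = make_ds("example.com", OLD_KEY)  # parent still points at the old provider's key

if __name__ == "__main__":
    for ds, status in check_ds("example.com", [PARENT_DS], [NEW_KEY]):
        print(status, ds)
```

A DS reported as stale while the zone serves only the new provider's DNSKEY is the condition that makes validating resolvers return SERVFAIL; the output of make_ds for the active key is the value to submit at the registrar.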