Why do I get different name server records?
I am having trouble generating a HTTPS certificate from the AWS Certificate Manager, which is stuck in Pending Validation for more than 24 hours. I found this tutorial by AWS that gives some potential clues on how to solve the problem: https://www.youtube.com/watch?v=MBGo8m6UET8
One of the steps suggests running dig
on the domain and comparing against the name servers in my hosted zone. When I run dig NS <my_domain>
I get:
;; ANSWER SECTION:
<my_domain>. 0 IN NS ns-1144.awsdns-15.org.
<my_domain>. 0 IN NS ns-68.awsdns-08.com.
<my_domain>. 0 IN NS ns-1885.awsdns-43.co.uk.
<my_domain>. 0 IN NS ns-718.awsdns-25.net.
In my Route53 I have a hosted zone for <my_domain>
with a NS
record, which was created automatically, that points to:
ns-1309.awsdns-35.org.
ns-381.awsdns-47.com.
ns-1859.awsdns-40.co.uk.
ns-722.awsdns-26.net.
As far as I understood the name servers should match in both places, so I don't know why they don't. Should I be concerned? How should I fix this?
EDIT: I found the fix to my problem. The name servers that appear on the Hosted Zone:
need to be set as name servers on the domain here:
Solution 1:
The values returned by dig are taken direct from DNS. As the NS (name server) records dont match your zone in Route53, that isnt the zone hosting your domain. There is a Route53 zone setup somewhere in AWS that hosts <my_domain> but thats not it. Do you have multiple zones in Route53, or multiple accounts perhaps - maybe your using the wrong one? Otherwise look to anyone previously involved with <my_domain>'s hosting - its probably in their aws account.
Yes you should be concerned, you do not have access to your own DNS, and some other account owns that zone in Route53. You need to resolve this issue to use domain validation in ACM or otherwise make changes to <my_domain>.
The NS values seen in dig come from the company you registered the domain name (the "registrar") - they will have a web portal. Somewhere in there will be an option for "custom name servers" or similar for your domain. They will currently be set to the values seen in dig. You need to set those to your Route53 zones name servers instead if you want to manage the DNS for the domain with that Route53 zone.
WARNING - changing name servers will effectively remove all DNS records provided by the current Route53 zone that dont already exist in your Route53 zone (once the TTL expires). This could break stuff - websites, email, 3rd party integrations etc. You should ideally get the current owner to export the zone file and then you can import it to avoid loosing any records.
If thats not possible and depending on how complicated <my_domain> is you might be able to dig DNS and retrieve enough info to setup your own route53. You need to ensure all A, CNAME, TXT, MX, etc records that exist in dns exist in your zone for the apex (<my_domain>) and any subdomains (eg www.<my_domain>). This approach is very risky and probably wont get all the records - this could break anything related to <my_domain> or any of its subdomains. This is a last resort, not a good idea ;-)