Why do I get different name server records?

I am having trouble generating an HTTPS certificate from the AWS Certificate Manager, which has been stuck in Pending Validation for more than 24 hours. I found this tutorial by AWS that gives some potential clues on how to solve the problem: https://www.youtube.com/watch?v=MBGo8m6UET8

One of the steps suggests running dig on the domain and comparing against the name servers in my hosted zone. When I run dig NS <my_domain> I get:

;; ANSWER SECTION:
<my_domain>.         0       IN      NS      ns-1144.awsdns-15.org.
<my_domain>.         0       IN      NS      ns-68.awsdns-08.com.
<my_domain>.         0       IN      NS      ns-1885.awsdns-43.co.uk.
<my_domain>.         0       IN      NS      ns-718.awsdns-25.net.

In my Route53 I have a hosted zone for <my_domain> with an NS record, which was created automatically, that points to:

ns-1309.awsdns-35.org.
ns-381.awsdns-47.com.
ns-1859.awsdns-40.co.uk.
ns-722.awsdns-26.net.

As far as I understood the name servers should match in both places, so I don't know why they don't. Should I be concerned? How should I fix this?

EDIT: I found the fix to my problem. The name servers that appear on the Hosted Zone:

[screenshot: the NS record shown in the Route53 hosted zone]

need to be set as name servers on the domain here:

[screenshot: the name server settings of the registered domain]


Solution 1:

The values returned by dig are taken directly from DNS. As the NS (name server) records don't match your zone in Route53, that isn't the zone hosting your domain. There is a Route53 zone set up somewhere in AWS that hosts <my_domain>, but that's not it. Do you have multiple zones in Route53, or multiple accounts perhaps - maybe you're using the wrong one? Otherwise look to anyone previously involved with <my_domain>'s hosting - it's probably in their AWS account.

Yes, you should be concerned: you do not have access to your own DNS, and some other account owns that zone in Route53. You need to resolve this issue to use domain validation in ACM or otherwise make changes to <my_domain>.

The NS values seen in dig come from the company you registered the domain name with (the "registrar") - they will have a web portal. Somewhere in there will be an option for "custom name servers" or similar for your domain. They will currently be set to the values seen in dig. You need to set those to your Route53 zone's name servers instead if you want to manage the DNS for the domain with that Route53 zone.

WARNING - changing name servers will effectively remove all DNS records provided by the current Route53 zone that don't already exist in your Route53 zone (once the TTL expires). This could break stuff - websites, email, 3rd party integrations etc. You should ideally get the current owner to export the zone file and then you can import it to avoid losing any records.

If that's not possible and depending on how complicated <my_domain> is you might be able to dig DNS and retrieve enough info to set up your own Route53 zone. You need to ensure all A, CNAME, TXT, MX, etc. records that exist in DNS exist in your zone for the apex (<my_domain>) and any subdomains (e.g. www.<my_domain>). This approach is very risky and probably won't get all the records - this could break anything related to <my_domain> or any of its subdomains. This is a last resort, not a good idea ;-)
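A worked version of the comparison the answer describes, added here as an example and not code from the original question or answer: it parses the ANSWER SECTION of `dig NS` and the apex NS record set of a Route53 hosted zone (in the JSON shape that `aws route53 list-resource-record-sets` returns), normalizes the names (DNS is case-insensitive and the trailing dot is optional) and reports which name servers appear only in public DNS and which only in the hosted zone. The domain `example.com` and both record sets are constructed from the values quoted in the thread; in practice the first input comes from `dig NS <domain>` and the second from the AWS CLI.

```python
"""Compare the NS delegation that public DNS returns with the NS set of a
Route53 hosted zone.  If they differ, the registrar is delegating the domain
to a zone other than the one you are editing.
"""
import json
import re

# Constructed: the ANSWER SECTION of `dig NS example.com`, mirroring the question.
DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.         0       IN      NS      ns-1144.awsdns-15.org.
example.com.         0       IN      NS      ns-68.awsdns-08.com.
example.com.         0       IN      NS      ns-1885.awsdns-43.co.uk.
example.com.         0       IN      NS      ns-718.awsdns-25.net.
"""

# Constructed: JSON in the shape of `aws route53 list-resource-record-sets`,
# holding the hosted zone's automatically created NS and SOA records.
ROUTE53_RECORD_SETS = json.dumps({
    "ResourceRecordSets": [
        {"Name": "example.com.", "Type": "NS", "TTL": 172800,
         "ResourceRecords": [
             {"Value": "ns-1309.awsdns-35.org."},
             {"Value": "ns-381.awsdns-47.com."},
             {"Value": "ns-1859.awsdns-40.co.uk."},
             {"Value": "ns-722.awsdns-26.net."},
         ]},
        {"Name": "example.com.", "Type": "SOA", "TTL": 900,
         "ResourceRecords": [{"Value": "ns-1309.awsdns-35.org. "
                                       "awsdns-hostmaster.amazon.com. "
                                       "1 7200 900 1209600 86400"}]},
    ]
})


def normalize(name):
    """Canonical form of a DNS name: lower case, no trailing dot."""
    return name.strip().lower().rstrip(".")


# One dig answer line: owner, TTL, class IN, record type, rdata.
_DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_dig_ns(text, domain):
    """Return the set of NS targets dig reports for `domain`.

    Comment lines (starting with ';'), blank lines and records of other
    types or other owners are ignored.
    """
    found = set()
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        match = _DIG_LINE.match(line)
        if not match:
            continue
        owner, _ttl, rtype, rdata = match.groups()
        if rtype == "NS" and normalize(owner) == normalize(domain):
            found.add(normalize(rdata))
    return found


def parse_route53_ns(json_text, domain):
    """Return the NS values of the zone apex from list-resource-record-sets output."""
    data = json.loads(json_text)
    found = set()
    for rrset in data.get("ResourceRecordSets", []):
        if rrset["Type"] == "NS" and normalize(rrset["Name"]) == normalize(domain):
            for record in rrset["ResourceRecords"]:
                found.add(normalize(record["Value"]))
    return found


def compare_delegation(dig_text, route53_json, domain):
    """Report whether the public delegation and the hosted zone agree, and how they differ."""
    public = parse_dig_ns(dig_text, domain)
    zone = parse_route53_ns(route53_json, domain)
    return {
        "matches": public == zone,
        "only_in_public_dns": sorted(public - zone),
        "only_in_hosted_zone": sorted(zone - public),
    }


if __name__ == "__main__":
    report = compare_delegation(DIG_OUTPUT, ROUTE53_RECORD_SETS, "example.com")
    if report["matches"]:
        print("Delegation matches: this hosted zone is authoritative for the domain.")
    else:
        print("Delegation does NOT match this hosted zone.")
        print("Name servers the registrar currently points at:", report["only_in_public_dns"])
        print("Name servers of the zone you are editing:      ", report["only_in_hosted_zone"])
```

When the sets differ, the registrar's "custom name servers" need to be changed to the `only_in_hosted_zone` values for ACM's DNS validation record in this zone to become visible; until the old TTL expires, resolvers may still return the previous set, so re-run the check after the change.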