Why are many DNS servers not returning the nameservers for my domain correctly?
I had a quick look and the main problem with your zone seems to be that the delegation from the parent zone (photo) indicates that markfisher.photo is supposed to be signed (DS record present). markfisher.photo however is not signed at all. The result of this is that any validating resolver will consider all answers bogus and discard them.
To my knowledge Route53 still does not support DNSSEC, which means that if you want to use that DNS service you need to remove any DS records from the delegation (done through your registrar).
Demonstration of the problem in two steps:
$ dig @ns1.uniregistry.net markfisher.photo +norec +dnssec
; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns1.uniregistry.net markfisher.photo +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55361
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 60e53f6e7a4d79f37a0879a75e14e274510b02d97b10da1c (good)
;; QUESTION SECTION:
;markfisher.photo. IN A
;; AUTHORITY SECTION:
markfisher.photo. 900 IN NS ns-1478.awsdns-56.org.
markfisher.photo. 900 IN NS ns-1953.awsdns-52.co.uk.
markfisher.photo. 900 IN DS 2371 13 2 B1FB8D1E60D7B54027829321A64B612251F95A41C0F10C912FA9FC6A 9EECEEA5
markfisher.photo. 900 IN RRSIG DS 5 2 900 20200206185213 20200107185213 21795 photo. AN2TWw41LL15uX55vfNaQlHvidlpngYb629gSlEyP+A3JiS77NHO5TvJ gI5QF4si5/haBEoABpuVU8opxxC0Jmv3aD09NkwjZXoqikxDqwjzO/PD wNlvHKOb25fgb1+gKj3JaGvqtAD8m+m2xotmxRo74xPmb2XOvEsGUS25 Cxc=
;; Query time: 94 msec
;; SERVER: 2620:57:4000:1::1#53(2620:57:4000:1::1)
;; WHEN: Tue Jan 07 19:56:36 UTC 2020
;; MSG SIZE rcvd: 358
$
(referral with DS record, indicating that the markfisher.photo zone is signed with the matching key)
$ dig @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec
; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54714
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;markfisher.photo. IN DNSKEY
;; AUTHORITY SECTION:
markfisher.photo. 900 IN SOA ns-893.awsdns-47.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 79 msec
;; SERVER: 2600:9000:5305:c600::1#53(2600:9000:5305:c600::1)
;; WHEN: Tue Jan 07 19:58:44 UTC 2020
;; MSG SIZE rcvd: 129
$
(response from the authoritative server, showing that there are no DNSKEY records, nor are there any signatures)
For a quick overview of DNS delegation as well as DNSSEC health, I can recommend DNSViz.
The answer is quite easy... DNSSEC ;-)
I have checked it and there are public keys for DNSSEC signing available on the upper level (photo.) for your domain. It means DNSSEC is enabled for it, but after your change of the servers there is no (or, if you want, not valid) DNSSEC signature...
The records are technically correct but they are not passing the DNSSEC check for "validity". The result is that they are ignored.
You have to (one of):
- start signing the zone and update the public keys on photo. domain level
- remove the public keys => disable DNSSEC for the zone
Both are related to your domain registrar interface, as this information is not located in the markfisher.photo. zone but in the photo. zone (delegated up, in principle), like the NS records stating which servers are to be used.
$ dig www.markfisher.photo @9.9.9.9
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.markfisher.photo @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38974
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.markfisher.photo. IN A
;; Query time: 305 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Út led 07 21:15:44 CET 2020
;; MSG SIZE rcvd: 49
... and with the DNSSEC check disabled:
$ dig +cdflag www.markfisher.photo @9.9.9.9
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +cdflag www.markfisher.photo @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26962
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.markfisher.photo. IN A
;; ANSWER SECTION:
www.markfisher.photo. 298 IN CNAME markfisher.photo.
markfisher.photo. 60 IN A 54.240.168.66
markfisher.photo. 60 IN A 54.240.168.56
markfisher.photo. 60 IN A 54.240.168.98
markfisher.photo. 60 IN A 54.240.168.51
;; Query time: 1770 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Út led 07 21:14:43 CET 2020
;; MSG SIZE rcvd: 127
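Both answers come down to the same consistency check: a DS record in the parent (photo.) must match, by key tag, algorithm and digest, a DNSKEY that the child (markfisher.photo) actually serves. As an added example, not code from either answer, the following Python script implements that check from RFC 4034 (key tag from Appendix B, DS digest from section 5.1.4) and classifies a delegation as insecure, secure or bogus; the DNSKEY bytes it uses are constructed, not the real key of any zone.

```python
import hashlib

# Digest types accepted in DS records (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Build DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as uppercase hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def delegation_status(owner: str, ds_records, dnskey_rdatas) -> str:
    """Classify a delegation the way a validating resolver would.

    ds_records:    (key_tag, algorithm, digest_type, digest_hex) tuples from the parent.
    dnskey_rdatas: DNSKEY RDATA byte strings served by the child (empty if unsigned).
    Returns 'insecure' (no DS, unsigned delegation is fine), 'secure' (some DS
    matches a child DNSKEY) or 'bogus' (DS present but nothing in the child matches,
    the markfisher.photo situation).
    """
    if not ds_records:
        return "insecure"
    for tag, alg, dtype, digest in ds_records:
        # dig prints long digests with spaces; normalise before comparing.
        want = digest.replace(" ", "").upper()
        for rdata in dnskey_rdatas:
            if rdata[3] != alg or key_tag(rdata) != tag or dtype not in DIGEST_ALGS:
                continue
            if ds_digest(owner, rdata, dtype) == want:
                return "secure"
    return "bogus"
```

Feeding it the parent's DS set and an empty DNSKEY set, as in the dig outputs above, yields "bogus", which is why validating resolvers such as 9.9.9.9 answer SERVFAIL.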