Why are many DNS servers not returning the namservers for my domain correctly?

I had a quick look and the main problem with your zone seems to be that the delegation from the parent zone (photo) indicates that markfisher.photo is supposed to be signed (DS record present).

markfisher.photo however is not signed at all. The result of this is that any validating resolver will consider all answers bogus and discard them.

To my knowledge Route53 still does not support DNSSEC, which means that if you want to use that DNS service you need to remove any DS records from the delegation (done through your registrar).

Demonstration of the problem in two steps:

$ dig @ns1.uniregistry.net markfisher.photo +norec +dnssec

; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns1.uniregistry.net markfisher.photo +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55361
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 60e53f6e7a4d79f37a0879a75e14e274510b02d97b10da1c (good)
;; QUESTION SECTION:
;markfisher.photo.              IN      A

;; AUTHORITY SECTION:
markfisher.photo.       900     IN      NS      ns-1478.awsdns-56.org.
markfisher.photo.       900     IN      NS      ns-1953.awsdns-52.co.uk.
markfisher.photo.       900     IN      DS      2371 13 2 B1FB8D1E60D7B54027829321A64B612251F95A41C0F10C912FA9FC6A 9EECEEA5
markfisher.photo.       900     IN      RRSIG   DS 5 2 900 20200206185213 20200107185213 21795 photo. AN2TWw41LL15uX55vfNaQlHvidlpngYb629gSlEyP+A3JiS77NHO5TvJ gI5QF4si5/haBEoABpuVU8opxxC0Jmv3aD09NkwjZXoqikxDqwjzO/PD wNlvHKOb25fgb1+gKj3JaGvqtAD8m+m2xotmxRo74xPmb2XOvEsGUS25 Cxc=

;; Query time: 94 msec
;; SERVER: 2620:57:4000:1::1#53(2620:57:4000:1::1)
;; WHEN: Tue Jan 07 19:56:36 UTC 2020
;; MSG SIZE  rcvd: 358

$

(referral with DS record, indicating that the markfisher.photo zone is signed with the matching key)

$ dig @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec

; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54714
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;markfisher.photo.              IN      DNSKEY

;; AUTHORITY SECTION:
markfisher.photo.       900     IN      SOA     ns-893.awsdns-47.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 79 msec
;; SERVER: 2600:9000:5305:c600::1#53(2600:9000:5305:c600::1)
;; WHEN: Tue Jan 07 19:58:44 UTC 2020
;; MSG SIZE  rcvd: 129

$

(response from the authoritative server, showing that there are no DNSKEY records, nor are there any signatures)


For a quick overview of DNS delegation as well as DNSSEC health, I can recommend Dnsviz.


the answer is quite easy... DNSSEC ;-)

I have checked it and there is available public keys for DNSSEC signing on upper level (photo.) for your domain. It mean there is enable DNSSEC for it but after your change the servers there is no (or if you want - not valid) DNSSEC signature...

The records is technically correct but it is not passing DNSSEC check for "validity". The result is that it is ignored.

You have to (one of):

  • start signing the zone and update the public keys on photo. domain level
  • remove the public keys => disable DNSSEC for the zone

Both is related to your domain registrar interface as this information is not located in markfisher.photo. zone but photo. zone (delegated up in principle) like NS records containing which servers would be used.

$ dig www.markfisher.photo @9.9.9.9

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.markfisher.photo @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38974
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.markfisher.photo.      IN  A

;; Query time: 305 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Út led 07 21:15:44 CET 2020
;; MSG SIZE  rcvd: 49

... and with disabled DNSSEC check :

$ dig +cdflag www.markfisher.photo @9.9.9.9

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> +cdflag www.markfisher.photo @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26962
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.markfisher.photo.      IN  A

;; ANSWER SECTION:
www.markfisher.photo.   298 IN  CNAME   markfisher.photo.
markfisher.photo.   60  IN  A   54.240.168.66
markfisher.photo.   60  IN  A   54.240.168.56
markfisher.photo.   60  IN  A   54.240.168.98
markfisher.photo.   60  IN  A   54.240.168.51

;; Query time: 1770 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Út led 07 21:14:43 CET 2020
;; MSG SIZE  rcvd: 127