bind - Cannot resolve domain or ns after changing ns records

I know similar question have been asked, but none of them actually provide any relevant information to my situation

I have two servers with codenames DF and WP, each hosting a number of websites. DF is configured with a cluster ns1 - ns4.dekyfinweb.com while WP is configured with alpha,gamma and delta.dekyfinweb.com. The websites on each server uses the nameservers configured on that server.

Everything was working well till we began to migrate the main website for dekyfinweb.com from DF to WP. We changed the nameservers of the domain from (ns1-ns4) to (alpha, gamma and delta); and the domain with its nameservers stopped resolving after a few hours.

I've used various online dns testing tools, but i can't seem to get any relevant info on the cause of the problem

Below are the results of a few test i run using dig

$ dig dekyfinweb.com


; <<>> DiG 9.11.0-P1 <<>> dekyfinweb.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21431
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dekyfinweb.com.                        IN      A


;; Query time: 423 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Thu Jun 15 14:39:56 GMT 2017
;; MSG SIZE  rcvd: 43

Result of lookup against parent nameserver for .com

$ dig @g.gtld-servers.net dekyfinweb.com


; <<>> DiG 9.10.3-P4-Ubuntu <<>> @g.gtld-servers.net dekyfinweb.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6425
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dekyfinweb.com.            IN  A

;; AUTHORITY SECTION:
dekyfinweb.com.     172800  IN  NS  alpha.dekyfinweb.com.
dekyfinweb.com.     172800  IN  NS  gamma.dekyfinweb.com.
dekyfinweb.com.     172800  IN  NS  delta.dekyfinweb.com.

;; ADDITIONAL SECTION:

alpha.dekyfinweb.com.   172800  IN  A   137.74.192.129
gamma.dekyfinweb.com.   172800  IN  A   137.74.192.129
delta.dekyfinweb.com.   172800  IN  A   137.74.192.129

;; Query time: 226 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Thu Jun 15 16:43:47 GMT 2017
;; MSG SIZE  rcvd: 151

gamma and delta actually point to different servers, but I changed the glue records to 137.74.192.129 because they can't sync with alpha

below is a lookup of the nameserver against the IP supplied in the previeous query

$ dig @137.74.192.129 alpha.dekyfinweb.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @137.74.192.129 alpha.dekyfinweb.com
; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8980
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;alpha.dekyfinweb.com.      IN  A

;; ANSWER SECTION:

alpha.dekyfinweb.com.   14400   IN  A   137.74.192.129

;; AUTHORITY SECTION:
dekyfinweb.com.     14400   IN  NS  delta.dekyfinweb.com.
dekyfinweb.com.     14400   IN  NS  gamma.dekyfinweb.com.
dekyfinweb.com.     14400   IN  NS  alpha.dekyfinweb.com.

;; ADDITIONAL SECTION:
delta.dekyfinweb.com.   14400   IN  A   149.56.14.198
gamma.dekyfinweb.com.   14400   IN  A   149.56.46.18


;; Query time: 129 msec
;; SERVER: 137.74.192.129#53(137.74.192.129)
;; WHEN: Thu Jun 15 16:48:15 GMT 2017
;; MSG SIZE  rcvd: 151

And finally a lookup of the domain against the IP seems to be working just fine

$ dig @137.74.192.129 dekyfinweb.com


; <<>> DiG 9.11.0-P1 <<>> @137.74.192.129 dekyfinweb.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9918
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dekyfinweb.com.                        IN      A

;; ANSWER SECTION:
dekyfinweb.com.         14400   IN      A       137.74.192.129

;; AUTHORITY SECTION:
dekyfinweb.com.         14400   IN      NS      delta.dekyfinweb.com.
dekyfinweb.com.         14400   IN      NS      gamma.dekyfinweb.com.

dekyfinweb.com.         14400   IN      NS      alpha.dekyfinweb.com.

;; ADDITIONAL SECTION:
alpha.dekyfinweb.com.   14400   IN      A       137.74.192.129
delta.dekyfinweb.com.   14400   IN      A       149.56.14.198
gamma.dekyfinweb.com.   14400   IN      A       149.56.46.18

;; Query time: 793 msec
;; SERVER: 137.74.192.129#53(137.74.192.129)
;; WHEN: Thu Jun 15 14:53:58 GMT 2017

;; MSG SIZE  rcvd: 167

Answer

Your problem has nothing to do with TTLs.

You have DNSSEC problems, see http://dnsviz.net/d/dekyfinweb.com/WUhiXg/dnssec/

In short, the com zone has a DS record for your domain but you do not publish any DNSKEY record. Hence any validating recursive nameserver (such as Google ones) will detect this case as a terminal error hence the SERVFAIL because it may be either a misconfiguration or an active attack, and both case are not discernable externally. You need to quickly arrange this situation: if you do not understand anything regarding DNSSEC, stop trying to use it, go to your registrar and ask them to remove the DS record from the .COM zone ; if you do really wish to enable DNSSEC on your domain (a worthwhile and noble goal, but not without pitfalls), you need to fix your current configuration.

As long as you stay in the current configuration, your domain name will be broken for any kind of validating recursive nameserver, the situation will never fix itself.

Compare
dig @8.8.8.8 dekyfinweb.com SOA
with
dig @8.8.8.8 dekyfinweb.com SOA +cd
(the lastest case specifically requests not to do DNSSEC validation, and hence things will work, comparison between these 2 cases show that the problem is related to DNSSEC, as well as the dnsviz output above)