I know similar questions have been asked, but none of them actually provides any relevant information for my situation.
I have two servers with codenames DF and WP, each hosting a number of websites. DF is configured with a cluster ns1 - ns4.dekyfinweb.com, while WP is configured with alpha, gamma and delta.dekyfinweb.com. The websites on each server use the nameservers configured on that server.
Everything was working well till we began to migrate the main website for dekyfinweb.com from DF to WP. We changed the nameservers of the domain from (ns1-ns4) to (alpha, gamma and delta), and the domain with its nameservers stopped resolving after a few hours.
I've used various online DNS testing tools, but I can't seem to get any relevant info on the cause of the problem.
Below are the results of a few tests I ran using dig:
$ dig dekyfinweb.com
; <<>> DiG 9.11.0-P1 <<>> dekyfinweb.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21431
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dekyfinweb.com. IN A
;; Query time: 423 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Thu Jun 15 14:39:56 GMT 2017
;; MSG SIZE rcvd: 43
Result of a lookup against the parent nameserver for .com:
$ dig @g.gtld-servers.net dekyfinweb.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @g.gtld-servers.net dekyfinweb.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6425
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dekyfinweb.com. IN A
;; AUTHORITY SECTION:
dekyfinweb.com. 172800 IN NS alpha.dekyfinweb.com.
dekyfinweb.com. 172800 IN NS gamma.dekyfinweb.com.
dekyfinweb.com. 172800 IN NS delta.dekyfinweb.com.
;; ADDITIONAL SECTION:
alpha.dekyfinweb.com. 172800 IN A 137.74.192.129
gamma.dekyfinweb.com. 172800 IN A 137.74.192.129
delta.dekyfinweb.com. 172800 IN A 137.74.192.129
;; Query time: 226 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Thu Jun 15 16:43:47 GMT 2017
;; MSG SIZE rcvd: 151
gamma and delta actually point to different servers, but I changed the glue records to 137.74.192.129 because they can't sync with alpha.
Below is a lookup of the nameserver against the IP supplied in the previous query:
$ dig @137.74.192.129 alpha.dekyfinweb.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @137.74.192.129 alpha.dekyfinweb.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8980
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;alpha.dekyfinweb.com. IN A
;; ANSWER SECTION:
alpha.dekyfinweb.com. 14400 IN A 137.74.192.129
;; AUTHORITY SECTION:
dekyfinweb.com. 14400 IN NS delta.dekyfinweb.com.
dekyfinweb.com. 14400 IN NS gamma.dekyfinweb.com.
dekyfinweb.com. 14400 IN NS alpha.dekyfinweb.com.
;; ADDITIONAL SECTION:
delta.dekyfinweb.com. 14400 IN A 149.56.14.198
gamma.dekyfinweb.com. 14400 IN A 149.56.46.18
;; Query time: 129 msec
;; SERVER: 137.74.192.129#53(137.74.192.129)
;; WHEN: Thu Jun 15 16:48:15 GMT 2017
;; MSG SIZE rcvd: 151
And finally, a lookup of the domain against the IP seems to be working just fine:
$ dig @137.74.192.129 dekyfinweb.com
; <<>> DiG 9.11.0-P1 <<>> @137.74.192.129 dekyfinweb.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9918
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dekyfinweb.com. IN A
;; ANSWER SECTION:
dekyfinweb.com. 14400 IN A 137.74.192.129
;; AUTHORITY SECTION:
dekyfinweb.com. 14400 IN NS delta.dekyfinweb.com.
dekyfinweb.com. 14400 IN NS gamma.dekyfinweb.com.
dekyfinweb.com. 14400 IN NS alpha.dekyfinweb.com.
;; ADDITIONAL SECTION:
alpha.dekyfinweb.com. 14400 IN A 137.74.192.129
delta.dekyfinweb.com. 14400 IN A 149.56.14.198
gamma.dekyfinweb.com. 14400 IN A 149.56.46.18
;; Query time: 793 msec
;; SERVER: 137.74.192.129#53(137.74.192.129)
;; WHEN: Thu Jun 15 14:53:58 GMT 2017
;; MSG SIZE rcvd: 167
Answer
Your problem has nothing to do with TTLs.
You have DNSSEC problems, see http://dnsviz.net/d/dekyfinweb.com/WUhiXg/dnssec/
In short, the com zone has a DS record for your domain but you do not publish any DNSKEY record. Hence any validating recursive nameserver (such as Google's) will treat this as a terminal error, hence the SERVFAIL, because it may be either a misconfiguration or an active attack, and the two cases are not discernible externally. You need to quickly sort out this situation: if you do not understand anything regarding DNSSEC, stop trying to use it, go to your registrar and ask them to remove the DS record from the .COM zone; if you really do wish to enable DNSSEC on your domain (a worthwhile and noble goal, but not without pitfalls), you need to fix your current configuration.
As long as you stay in the current configuration, your domain name will be broken for any kind of validating recursive nameserver; the situation will never fix itself.
Compare
dig @8.8.8.8 dekyfinweb.com SOA
with
dig @8.8.8.8 dekyfinweb.com SOA +cd
(the latter specifically requests that no DNSSEC validation be done, and hence things will work; the comparison between these two cases shows that the problem is related to DNSSEC, as does the dnsviz output above.)
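The check the answer describes (a validating resolver says SERVFAIL, the same query with +cd succeeds, the parent publishes a DS and the child serves no DNSKEY) can be automated by parsing dig output. The script below is an added example, not code from the question or the answer: it parses the header, flags and record sections of dig output and classifies the failure. The SERVFAIL output is the one shown in the question; the +cd, DS and DNSKEY outputs are constructed samples (the DS digest is a placeholder, not the real record), so the script runs offline. To use it live, replace the constants with the output of `dig @8.8.8.8 dekyfinweb.com A`, the same with `+cd`, `dig @8.8.8.8 dekyfinweb.com DS +cd`, and `dig @137.74.192.129 dekyfinweb.com DNSKEY`.

```python
import re
from dataclasses import dataclass, field

@dataclass
class DigResult:
    status: str                    # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: set                     # qr, aa, rd, ra, ad, cd
    sections: dict = field(default_factory=dict)  # section -> [(name, ttl, class, type, rdata)]

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
SECTION_RE = re.compile(r";; (\w+) SECTION:")

def parse_dig(text):
    """Parse the text dig prints into status, flags and resource records per section."""
    status, flags, sections, current = "UNKNOWN", set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.startswith(";") or current is None:   # comments, OPT pseudosection, question line
            continue
        parts = line.split(None, 4)                    # rdata may itself contain spaces (SOA, DS, DNSKEY)
        if len(parts) == 5:
            sections[current].append(tuple(parts))
    return DigResult(status, flags, sections)

def records(result, section, rtype):
    return [r for r in result.sections.get(section, []) if r[3] == rtype]

def diagnose(validating, checking_disabled, parent_ds, child_dnskey):
    """Classify a resolution failure using the validating/+cd comparison from the answer."""
    if validating.status == "SERVFAIL" and checking_disabled.status == "NOERROR":
        if parent_ds and not child_dnskey:
            return "DNSSEC: DS published at parent but zone serves no DNSKEY (bogus); remove the DS at the registrar or publish keys"
        if parent_ds and child_dnskey:
            return "DNSSEC: DS and DNSKEY both present but chain does not validate (key mismatch, expired RRSIGs or missing signatures)"
        return "Fails only with validation on, yet no DS seen: re-check the DS query itself"
    if validating.status == "SERVFAIL":
        return "Not a DNSSEC problem: the zone fails even with checking disabled (reachability, lame delegation)"
    if validating.status == "NOERROR":
        return "Resolves: " + ("validated (AD set)" if "ad" in validating.flags else "unsigned or resolver not validating")
    return "Unclassified: %s / %s" % (validating.status, checking_disabled.status)

# From the question: dig dekyfinweb.com against 8.8.4.4 (header and flags only).
SERVFAIL_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21431
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dekyfinweb.com. IN A
"""
# Constructed: the same query with +cd, as the answer suggests.
CD_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;dekyfinweb.com. IN A
;; ANSWER SECTION:
dekyfinweb.com. 14400 IN A 137.74.192.129
"""
# Constructed: DS as seen through the resolver with +cd (digest is a placeholder, not the real DS).
DS_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
dekyfinweb.com. 86400 IN DS 12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""
# Constructed: DNSKEY query at the authoritative server, answered with no keys.
DNSKEY_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
dekyfinweb.com. 14400 IN SOA alpha.dekyfinweb.com. hostmaster.dekyfinweb.com. 2017061501 3600 1800 604800 14400
"""

def page_case():
    ds = records(parse_dig(DS_OUT), "ANSWER", "DS")
    keys = records(parse_dig(DNSKEY_OUT), "ANSWER", "DNSKEY")
    return diagnose(parse_dig(SERVFAIL_OUT), parse_dig(CD_OUT), ds, keys)

if __name__ == "__main__":
    print(page_case())
```

The order of the checks matters: a SERVFAIL that persists with +cd is a plain availability or delegation problem and no amount of DNSSEC work will fix it, so that case is ruled out before the DS/DNSKEY comparison is consulted.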