Route53: domains found from AWS name servers, but not "public" name servers


EDIT: I think I figured it out. For some reason DNSSEC was configured by default under "Registered Domains", but not configured under "Hosted Zone". I removed the DNSSEC configuration from "Registered Domains" and it looks like things are starting to work.

A little over 48 hours ago I transferred two domains from Google Domains to Route53. The domains in question were using a redirect feature of Google Domains to redirect to another website. I created a similar setup on AWS using a combination of CloudFront, S3 buckets configured to redirect and Route53 records. The CloudFront distributions work fine if I go to the distribution URLs, however, if I try to access the domains I get messages about "server not found" (nslookup and dig report SERVFAIL).

I double checked my Route53 configurations and the NS name servers in the hosted zones match those found under "Registered Domains". I also used the "Test Record" feature of hosted zones and both domains report "No Error" for the A records.

If I use dig MYDOMAIN @AWS-NS, where MYDOMAIN is each of the domains and AWS-NS is each of the name servers listed in Route53, then I get good "No error" responses and everything looks correct. However, if I do dig MYDOMAIN @ I get "SERVFAIL".

At this point it has been over 48 hours and it doesn't appear that either domain is online yet.

Is there anything I'm missing? Why do the AWS name servers know about my domains but the "public" name servers do not?

Thanks in advance for any advice!

asked 10 months ago, 283 views
1 Answer
Accepted Answer

Hello there,

It seems like you've done a thorough investigation into the issue you're experiencing with your transferred domains in Amazon Route 53. Based on the information you've provided, it appears that the issue might be related to DNSSEC configuration discrepancies between "Registered Domains" and "Hosted Zone."

DNSSEC (Domain Name System Security Extensions) is used to add an extra layer of security to DNS records by digitally signing them. If there is a mismatch or inconsistency in the DNSSEC configuration between the "Registered Domains" settings and the "Hosted Zone" settings in Route 53, it could cause DNS queries to fail or return "SERVFAIL" responses.

Here are a few steps you can take to further diagnose and potentially resolve the issue:

  1. Confirm DNSSEC Configuration: Double-check the DNSSEC configuration for both the "Registered Domains" and the corresponding "Hosted Zone" in Route 53. Ensure that they match and are correctly set up.

  2. Check DNSSEC Keys: Verify that the DNSSEC keys are correctly generated and configured in both the domain registrar settings and Route 53's hosted zone settings.

  3. Propagation Delays: While DNS updates typically propagate within a few hours, it's possible that some ISPs or DNS resolvers have cached the old DNSSEC information, causing delays in the propagation of updates. However, after 48 hours, most caches should have cleared.

  4. Retry DNSSEC Configuration: If you've made changes to DNSSEC settings, give it some time for the changes to propagate, and then retest using external DNS tools like dig or online DNS checking tools to ensure that the DNSSEC configuration is consistent and correct.

  5. Contact AWS Support: If the issue persists, consider reaching out to AWS Support for assistance. They can investigate the issue further and help you identify any specific configuration problems.

  6. Domain Registrar Support: If you continue to experience issues, you might also consider reaching out to the domain registrar's support team for guidance. They can provide insights into the domain transfer process and ensure that the DNSSEC settings are aligned.

Remember that DNSSEC can be a complex area, and small configuration discrepancies can lead to unexpected issues. It's also worth noting that DNS propagation can vary, and even though most DNS updates occur quickly, it's possible to experience intermittent issues during the transition period.

As a final note, if you made recent changes to DNSSEC settings, I recommend waiting a bit longer to allow for the changes to propagate fully. If the problem persists beyond that, consider reaching out to AWS Support or the domain registrar's support team for further assistance.

I hope this helps.

answered 10 months ago
reviewed 3 months ago
  • Thanks Gabriel, this was exactly the problem. For some reason DNSSEC was enabled by default in the "Registered Domains" section but not in the "Hosted Zone" section. Once we removed the DNSSEC from the "Registered Domains" section we started seeing other name servers picking up the changes almost immediately.
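The failure mode in this thread (a DS record published at the registrar side while the hosted zone serves no matching DNSKEY, so validating resolvers return SERVFAIL) can be checked offline once you have the two record sets: the DS set from the parent (what a public resolver returns for `dig DS yourdomain`) and the DNSKEY set from the authoritative servers (`dig DNSKEY yourdomain @ns-xxx.awsdns-xx.com`). The script below is an added example, not code from the original post or from AWS; it implements the RFC 4034 key tag and the SHA-256 DS digest (digest type 2), then classifies the parent/child relationship. All record values in it are constructed for illustration and are not real keys; algorithm 1 (RSA/MD5) uses a different key-tag rule and is not handled.

```python
"""Offline DS (parent) vs DNSKEY (child) consistency check, stdlib only.

Mirrors what a validating resolver decides before answering or SERVFAILing:
  - no DS at the parent            -> zone is "insecure", answers normally
  - DS present, no DNSKEY in child -> "bogus", SERVFAIL (the thread's case)
  - DS present, matching DNSKEY    -> "secure", answers normally
  - DS present, no matching key    -> "bogus", SERVFAIL
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int     # must be 3 per RFC 4034
    algorithm: int    # e.g. 13 = ECDSAP256SHA256 (what Route 53 uses)
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical (lower-cased, length-prefixed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Build the DS a parent should publish for this DNSKEY (RFC 4034 5.1.4)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(owner_wire(name) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def classify(name: str, parent_ds: list, child_dnskey: list):
    """Return (status, servfail_expected) for the parent/child record sets."""
    if not parent_ds:
        return ("insecure", False)           # registrar says: not signed
    if not child_dnskey:
        return ("bogus-unsigned", True)      # DS published, zone unsigned
    for ds in parent_ds:
        for key in child_dnskey:
            if key.protocol != 3 or not key.flags & 0x0001:
                continue                     # not a usable zone key
            if key.algorithm != ds.algorithm or key_tag(key) != ds.key_tag:
                continue
            if ds_from_dnskey(name, key, ds.digest_type).digest == ds.digest:
                return ("secure", False)
    return ("bogus-mismatch", True)          # DS points at a key not served


# Constructed sample data (NOT a real key): a KSK with a 4-byte stand-in key.
CONSTRUCTED_KSK = DNSKEY(flags=257, protocol=3, algorithm=13,
                         public_key=bytes([1, 2, 3, 4]))
# The DS the registrar side would hold for that key.
PARENT_DS = ds_from_dnskey("example.com.", CONSTRUCTED_KSK)


if __name__ == "__main__":
    zone = "example.com."
    print("key tag:", key_tag(CONSTRUCTED_KSK))
    # The situation from the thread: DS kept at the registrar, hosted zone unsigned.
    print("DS at parent, no DNSKEY  :", classify(zone, [PARENT_DS], []))
    print("DS at parent, key served :", classify(zone, [PARENT_DS], [CONSTRUCTED_KSK]))
    print("no DS, no DNSKEY         :", classify(zone, [], []))
```

To apply it to a live domain, paste the DS fields from the parent and the DNSKEY fields from the Route 53 name servers into the dataclasses (the base64 key material decoded to bytes); a `bogus-*` result is exactly the state in which AWS's own servers answer but public validating resolvers return SERVFAIL, and the fix is either to remove the DS at the registrar (as the asker did) or to enable signing on the hosted zone and publish its DS.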
