S53 Domain Name Service Does Not Propagate The DNS Records

0

I have transferred a domain name from Google Cloud to AWS. Following the AWS S53 document, I have created a hosted zone and related records, and I have updated the Domain Name Service "Name servers" to:

ns-365.awsdns-45.com
ns-1620.awsdns-10.co.uk
ns-1514.awsdns-61.org
ns-804.awsdns-36.net

After days of waiting, if I use the command

dig @8.8.8.8 "my domain"

the command "dig" returns an empty A record.

If I use the command

dig @ns-365.awsdns-45.com "my domain"

the command "dig" returns:

;; ANSWER SECTION:
mydomain.com. 60 IN A 13.35.77.101
mydomain.com. 60 IN A 13.35.77.40
mydomain.com. 60 IN A 13.35.77.100
mydomain.com. 60 IN A 13.35.77.45

;; AUTHORITY SECTION:
mydomain.com. 172800 IN NS ns-1514.awsdns-61.org.
mydomain.com. 172800 IN NS ns-1620.awsdns-10.co.uk.
mydomain.com. 172800 IN NS ns-365.awsdns-45.com.
mydomain.com. 172800 IN NS ns-804.awsdns-36.net.

I check "mydomain.com" at https://lookup.icann.org/en/lookup. The website check returns:

Name: mydomain.com
Registry Domain ID: 2791464376_DOMAIN_COM-VRSN
Domain Status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
Nameservers: NS-1514.AWSDNS-61.ORG NS-1620.AWSDNS-10.CO.UK NS-365.AWSDNS-45.COM NS-804.AWSDNS-36.NET

Dates
Registry Expiration: 2025-06-19 00:46:50 UTC
Updated: 2023-11-03 05:14:39 UTC
Created: 2023-06-19 00:46:50 UTC

Registrar Information
Name: Amazon Registrar, Inc.
IANA ID: 468
Abuse contact phone: tel:+1.2067406200

DNSSEC Information
Delegation Signed: Signed
Delegation Signer Data:
Key Tag: 13519
Algorithm: 8
Digest Type: 2
Digest: 00C45F13609CBA517FA8854DE8CA5FEC5DD5E9DEF8C693856B61595BA1EB01DD

Thank you for your comment/help in advance.

Best

2 Answers
0

I found my error in AWS S53 "Domains" "Registered domains" DNSSEC.

To address my error, I updated the DNSSEC and inserted the hosted zone DNSSEC key-signing keys (KSKs) public key into the "Domains" "Registered domains" DNSSEC.

mw888
answered 6 months ago
0

I see that you have DNSSEC enabled on your domain. If you use DNSSEC with a domain and you transfer the domain registration to Route 53, you must disable DNSSEC at the former registrar first. Then, after you transfer the domain registration, take steps to set up DNSSEC for the domain in Route 53.

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-to-route-53.html

If you transfer a domain registration to Route 53 while DNSSEC is configured, the DNSSEC public keys are transferred too, and as a result the chain of trust is broken. You can confirm the DNSSEC issue on these platforms:

[+] https://dnsviz.net/
[+] https://dnssec-analyzer.verisignlabs.com/

To resolve this issue, disable DNSSEC on the domain registrar level (which will remove the DS record from the parent) and then enable it again along with the Route 53 hosted zone.

To disable DNSSEC on the domain, you need to delete the DNSSEC keys from the domain. For instructions on how to delete public keys for a Route 53 domain please go through this document -

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html#domain-configure-dnssec-deleting-keys

Once you disable the DNSSEC, you can enable it again following this article (make sure DNSSEC signing is enabled on the hosted zone as well) -

[+] https://aws.amazon.com/blogs/networking-and-content-delivery/configuring-dnssec-signing-and-validation-with-amazon-route-53/

AWS
SUPPORT ENGINEER
Rutba_Z
answered a month ago
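
The chain of trust discussed in both answers holds only when the DS record at the registrar is derived from the hosted zone's current KSK. The following is an added example, not part of the original answers or any AWS code: it derives the expected DS fields (key tag per RFC 4034 Appendix B, SHA-256 digest) from a DNSKEY and reports which fields of a registrar-side DS disagree. The sample KSK bytes and its algorithm number are constructed placeholders; the DS values are the ones quoted in the question.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case, length-prefixed) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(name, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 digest) expected for this DNSKEY."""
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def ds_mismatches(name, ds, rdata):
    """Names of the DS fields that disagree with the DNSKEY; empty list means a match."""
    expected = ds_from_dnskey(name, rdata)
    fields = ("key tag", "algorithm", "digest type", "digest")
    return [f for f, got, want in zip(fields, ds, expected) if got != want]

# Constructed sample: 64 placeholder bytes, NOT a real zone's KSK (flags 257 = KSK).
SAMPLE_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
# DS fields as quoted in the question's ICANN lookup output.
PARENT_DS = (13519, 8, 2,
             "00C45F13609CBA517FA8854DE8CA5FEC5DD5E9DEF8C693856B61595BA1EB01DD")

if __name__ == "__main__":
    print("Expected DS for sample KSK:", ds_from_dnskey("mydomain.com", SAMPLE_KSK))
    print("Registrar DS mismatches:  ", ds_mismatches("mydomain.com", PARENT_DS, SAMPLE_KSK))
```

To run the same comparison against a real zone, replace the sample key with the flags, protocol, algorithm and base64 key from the zone's own DNSKEY record with flags 257.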
