DNS SERVFAIL after moving Domain between AWS accounts

Question

I moved a domain (route53) from one AWS account to another. I had trouble making it resolve using configuration in the new account. Eventually I found out that it somehow was in both AWS account's route53 (ie remained registered in the old one after the move) and that seems to have messed it it up. I tried to remedy it:

I removed the entry in the old account.
I recreated the domain and hosted zone in the new account
I also added completely new subdomains to try if they work
No luck

Here is the issue with dig:

❯ dig <REDACTED> NS

; <<>> DiG 9.10.6 <<>> <REDACTED> NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58108
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; OPT=15: 00 17 5b 32 30 35 2e 32 35 31 2e 31 39 36 2e 34 32 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[205.251.196.42] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 17 5b 32 36 30 30 3a 39 30 30 30 3a 35 33 30 34 3a 32 61 30 30 3a 3a 31 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[2600:9000:5304:2a00::1] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 17 5b 32 36 30 30 3a 39 30 30 30 3a 35 33 30 36 3a 36 34 30 30 3a 3a 31 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[2600:9000:5306:6400::1] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 17 5b 32 30 35 2e 32 35 31 2e 31 39 38 2e 31 30 30 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[205.251.198.100] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 17 5b 32 36 30 30 3a 39 30 30 30 3a 35 33 30 33 3a 32 65 30 30 3a 3a 31 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[2600:9000:5303:2e00::1] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 17 5b 32 30 35 2e 32 35 31 2e 31 39 33 2e 35 35 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[205.251.193.55] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 17 5b 32 30 35 2e 32 35 31 2e 31 39 35 2e 34 36 5d 20 72 63 6f 64 65 3d 52 45 46 55 53 45 44 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..[205.251.195.46] rcode=REFUSED for <REDACTED>/ns")
; OPT=15: 00 16 41 74 20 64 65 6c 65 67 61 74 69 6f 6e 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 20 66 6f 72 20 62 6f 6c 64 64 61 74 61 2e 63 6c 6f 75 64 2f 6e 73 ("..At delegation <REDACTED> for <REDACTED>/ns")
;; QUESTION SECTION:
;<REDACTED>.			IN	NS

;; Query time: 87 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jun 12 15:59:00 BST 2024
;; MSG SIZE  rcvd: 530

Akira · Answer

The NameServer is not automatically changed when the domain is transferred. Therefore, the records set in the old Route53 will be referred to.

And since you have deleted the old Route53 settings, we assume that the records can no longer be referred to.

Please change your domain's name servers to the name servers provided by the new Route53.
Please refer to the following document for information on changing a domain's name server using Route53.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html#domain-name-servers-glue-records- adding-changing

For the Name Server that should be configured, refer to Step 7 of the following document.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html#migrate-dns-change-name-servers-with- Provider

DNS SERVFAIL after moving Domain between AWS accounts

Add your answer

Relevant content