Redirect to domain for website hosted on S3 Bucket returns "DNSSEC validation failure"

0

Introduction

Hi, I bought a domain on Epik a while ago in preparation for a small personal website I am hosting. However, when I learned of AWS and the ability to host static websites on an S3 Bucket, I immediately transferred my domain to Route53. Unfortunately, the transition has not been very smooth, and in this tutorial, I am stuck at the last step (Step 12: Test the website). I have tested my domain endpoint (http://lucasdavey.xyz.s3-website-eu-west-1.amazonaws.com), and it correctly shows the example indexz.html file I uploaded; however, when I go to my domain (http://lucasdavey.xyz), which should be routed to the endpoint, I get "This site can’t be reached" and "DNS_PROBE_FINISHED_NXDOMAIN".

Aim

Redirect domain (lucasdavey.xyz) to website hosted on S3 endpoint (http://lucasdavey.xyz.s3-website-eu-west-1.amazonaws.com).

What I have tried

  • Cleared cache of my browser (Google Chrome)
  • Verified that I have correctly added an alias record to hosted zone
  • https://dns.google/ shows DNSSEC validation failure
  • Verified that name servers of domain correspond to name servers of hosted zone

All help is appreciated!

5 Answers
0
Accepted Answer

The problem was solved after deleting the DNSSEC Key and waiting for a couple of hours. Thanks all!

ldaveyl
answered 7 months ago
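The symptom pattern in this thread (SERVFAIL from validating resolvers such as 8.8.8.8 and 1.1.1.1, normal answers elsewhere, a DNSSEC key on the registered domain while signing is disabled in the hosted zone) can be checked mechanically from four `dig` responses. This is an added example, not part of the original thread; `parse_dig`, `diagnose` and `sample` are hypothetical names, and the inputs are constructed headers rather than captured output.

```python
import re

def parse_dig(text):
    """Return (status, answer_count) from the header of one dig response."""
    status = re.search(r"status:\s*(\w+)", text)
    count = re.search(r"ANSWER:\s*(\d+)", text)
    if not status or not count:
        raise ValueError("no dig header found")
    return status.group(1), int(count.group(1))

def diagnose(validating, cd, ds, dnskey):
    """Classify a resolution failure from four dig outputs.

    validating: dig NAME A @validating-resolver
    cd:         dig +cd NAME A @same-resolver   (DNSSEC checking disabled)
    ds:         dig NAME DS                     (answered by the parent zone)
    dnskey:     dig +cd NAME DNSKEY             (answered by the zone itself)
    """
    v_status, v_n = parse_dig(validating)
    cd_status, cd_n = parse_dig(cd)
    ds_n = parse_dig(ds)[1]
    key_n = parse_dig(dnskey)[1]
    if v_status == "NOERROR" and v_n > 0:
        return "resolves"
    if v_status == "SERVFAIL" and cd_status == "NOERROR" and cd_n > 0:
        # Data exists but validation rejects it: look at the chain of trust.
        if ds_n > 0 and key_n == 0:
            return "stale DS: parent publishes DS but the zone is unsigned"
        if ds_n > 0:
            return "DNSSEC mismatch: DS and DNSKEY exist but do not validate"
        return "validation failure elsewhere in the chain"
    return "not explained by DNSSEC validation"

def sample(status, answers):
    """Build a constructed dig header (not captured output)."""
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1\n"
            f";; flags: qr rd ra; QUERY: 1, ANSWER: {answers}, AUTHORITY: 0, ADDITIONAL: 1\n")

if __name__ == "__main__":
    # Constructed case: signing off in the zone, key still set at the registrar.
    print(diagnose(sample("SERVFAIL", 0), sample("NOERROR", 8),
                   sample("NOERROR", 1), sample("NOERROR", 0)))
```

A "stale DS" result matches the fix in the accepted answer: removing the key from the registered domain withdraws the DS record, and validating resolvers recover once the cached DS expires.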
0

Hi Steve,

I have 2 A records, and 4 records in total (see below). The A records point to s3-website-eu-west-1.amazonaws.com, and I think it was done correctly because it showed up in the "Choose S3 bucket" dropdown with the name of the domain in parentheses (lucasdavey.xyz)

I believe DNSSEC signing is disabled in the hosted zone

However, when I go to the domain I do see a DNSSEC Key

Could this be the problem? Do I need to enable DNSSEC?

Lucas

ldaveyl
answered 7 months ago
  • I don't have DNSSEC enabled on mine and it works fine, I was just wondering if it might be a point of difference.

    I would definitely be raising a Route 53 support call about this, as the records in your zone are being propagated to some but not others. And it would be interesting and illuminating to know their response.

0

Hello.

I ran the following command to check the domain's NS records, but I was unable to query them successfully.
This suggests that the DNS settings may not be configured properly.
You mention that you transferred from Epik to Route53, but what steps did you follow to transfer?

dig lucasdavey.xyz ns

; <<>> DiG 9.16.1-Ubuntu <<>> lucasdavey.xyz ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;lucasdavey.xyz.                        IN      NS

;; Query time: 635 msec
;; SERVER: 2405:6581:bd60:600:9a2d:baff:fe51:9c0#53(2405:6581:bd60:600:9a2d:baff:fe51:9c0)
;; WHEN: Tue Sep 26 08:58:10 JST 2023
;; MSG SIZE  rcvd: 43
EXPERT
answered 7 months ago
0

Some DNS servers are resolving your domain, and some are not. e.g. my ISP (don't know who they use on the back end) gives 8 IP addresses, reverse-looking-up these shows they are all (correctly) s3-website-eu-west-1.amazonaws.com

$ nslookup lucasdavey.xyz
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   lucasdavey.xyz
Address: 52.218.117.36
.
.
.

Google and Cloudflare don't resolve it though:

$ nslookup lucasdavey.xyz 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find lucasdavey.xyz: SERVFAIL

$ nslookup lucasdavey.xyz 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

** server can't find lucasdavey.xyz: SERVFAIL

And go through a bunch of public DNS servers, some do and some don't, e.g. AlternateDNS is good too:

$ nslookup lucasdavey.xyz 76.76.19.19
Server:         76.76.19.19
Address:        76.76.19.19#53

Non-authoritative answer:
Name:   lucasdavey.xyz
Address: 52.218.88.76
.
.
.

Doing a whois and a dig of your nameserver records comes back okay, so I assume the domain and records are set up okay. But something in DNS isn't right if your records are propagating to some DNS servers and not others.

Raise a Route 53 support call with AWS to progress this. Even if you're on a Basic Support plan (which would preclude you from raising a support call most of the time) you can still do so under Account and Billing -> Service: Billing -> Category: Domain Registration Issue

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-contact-support.html

Lastly, what does the A-record look like in Route 53? I have a similar setup in one of my domains (A-record points to S3); does yours look the same? (This is fine with Google and Cloudflare, BTW.)

Also, are you using DNSSEC signing?

EXPERT
Steve_M
answered 7 months ago
0

Hi Riku,

I followed this tutorial for the transfer. When I tried transferring, I first created a bunch of authorization codes by accident, so the first transfer failed: I put in an older authorization code. After that I put in the correct one and the transfer was successful. I then also updated the name servers of the domain to match my hosted zone following this tutorial because they still showed name servers with "epik" in them, and the domain (lucasdavey.xyz) was displaying an advertisement for epik.

ldaveyl
answered 7 months ago