Redirect to domain for website hosted on S3 Bucket returns "DNSSEC validation failure"

0

Introduction

Hi, I bought a domain on Epik a while ago in preparation for a small personal website I am hosting. However, when I learned of AWS and the ability to host static websites on an S3 Bucket, I immediately transferred my domain to Route53. Unfortunately, the transition has not been very smooth, and in this tutorial, I am stuck at the last step (Step 12: Test the website). I have tested my domain endpoint (http://lucasdavey.xyz.s3-website-eu-west-1.amazonaws.com), and it correctly shows the example indexz.html file I uploaded, however, when I go to my domain (http://lucasdavey.xyz) which should be routed to the endpoint, I get "This site can’t be reached" and "DNS_PROBE_FINISHED_NXDOMAIN".

Aim

Redirect domain (lucasdavey.xyz) to website hosted on S3 endpoint (http://lucasdavey.xyz.s3-website-eu-west-1.amazonaws.com).

What I have tried

  • Cleared cache of my browser (google chrome)
  • Verified that I have correctly added an alias record to hosted zone
  • https://dns.google/ shows DNSSEC validation failure
  • Verified that name servers of domain correspond to name servers of hosted zone

All help is appreciated!

5 Answers
0
Accepted Answer

The problem was solved after deleting the DNSSEC Key and waiting for a couple of hours. Thanks all!

ldaveyl
answered 9 months ago
0

Hi Steve,

I have 2 A records, and 4 records in total (see below). The A records point to s3-website-eu-west-1.amazonaws.com, and I think it was done correctly because it showed up in the "Choose S3 bucket" dropdown with the name of the domain in parentheses (lucasdavey.xyz)

Enter image description here

I believe DNSSEC signing is disabled in the hosted zone

Enter image description here

However, when I go to the domain I do see a DNSSEC Key

Enter image description here

Could this be the problem? Do I need to enable DNSSEC?

Lucas

ldaveyl
answered 9 months ago
  • I don't have DNSSEC enabled on mine and it works fine, I was just wondering if it might be a point of difference.

    I would definitely be raising a Route 53 support call about this, as the records in your zone are being propagated to some but but not others. And it would be interesting and illuminating to know their response.

0

Hello.

I ran the following command to check the domain's NS records, but I was unable to query them successfully.
This suggests that the DNS settings may not be configured properly.
You mention that you transferred from Epik to Route53, but what steps did you follow to transfer?

dig lucasdavey.xyz ns

; <<>> DiG 9.16.1-Ubuntu <<>> lucasdavey.xyz ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41249
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;lucasdavey.xyz.                        IN      NS

;; Query time: 635 msec
;; SERVER: 2405:6581:bd60:600:9a2d:baff:fe51:9c0#53(2405:6581:bd60:600:9a2d:baff:fe51:9c0)
;; WHEN: Tue Sep 26 08:58:10 JST 2023
;; MSG SIZE  rcvd: 43
profile picture
EXPERT
answered 9 months ago
0

Some DNS servers are resolving your domain, and some are not. e.g. my ISP (don't know who they use on the back end) gives 8 IP addresses, reverse-looking-up these shows they are all (correctly) s3-website-eu-west-1.amazonaws.com

$ nslookup lucasdavey.xyz
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   lucasdavey.xyz
Address: 52.218.117.36
.
.
.

Google and Cloudflare don't resolve it though:

$ nslookup lucasdavey.xyz 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find lucasdavey.xyz: SERVFAIL

$ nslookup lucasdavey.xyz 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

** server can't find lucasdavey.xyz: SERVFAIL

And go through a bunch of public DNS servers, some do and some don't, e.g. AlternateDNS is good too:

$ nslookup lucasdavey.xyz 76.76.19.19
Server:         76.76.19.19
Address:        76.76.19.19#53

Non-authoritative answer:
Name:   lucasdavey.xyz
Address: 52.218.88.76
.
.
.

Doing a whois and a dig of your nameserver records come back okay, so I assume the domain and records are setup okay. But something in DNS isn't right if your records are propagating to some DNS servers and not others.

Raise a Route 53 support call with AWS to progress this. Even if you're on a Basic Support plan (which would preclude you from raising a support call most of the time) you can still do so under Account and Billing -> Service: Billing -> Category: Domain Registration Issue

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-contact-support.html

Lastly, what does the A-record look like in Route 53? I have a similar setup in one of my domains (A-record points to S3) does yours look the same? (this is fine with Google and Cloudflare BTW)

Also, are you using DNSSEC signing?

Enter image description here

profile picture
EXPERT
Steve_M
answered 9 months ago
0

Hi Riku,

I followed this tutorial for the transfer. When I tried transferring, I first created a bunch of authorization codes by accident, so the first transfer failed: I put in an older authorization code. After that I put in the correct one and the transfer was successful. I then also updated the name servers of the domain to match my hosted zone following this tutorial because they still showed name servers with "epik" in them, and the domain (lucasdavey.xyz) was displaying an advertisement for epik.

Enter image description here

ldaveyl
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions