S53 Domain Name Service Does Not Propagate The DNS Records

Question

I have transferred a Domain Name from Google Cloud to AWS. Following the AWS S53 document, I have created hosted zone and related records. And I have updated the Domain Name Service "Name servers" to
ns-365.awsdns-45.com
ns-1620.awsdns-10.co.uk
ns-1514.awsdns-61.org
ns-804.awsdns-36.net

After days waiting, If I use command
dig @8.8.8.8 "my domain" 
The command "dig" returns empty A record

If I use command 
dig @ns-365.awsdns-45.com "my domain" 
The command "dig"  returns 
;; ANSWER SECTION:
mydomain.com.	60	IN	A	13.35.77.101
mydomain.com.	60	IN	A	13.35.77.40
mydomain.com.	60	IN	A	13.35.77.100
mydomain.com,	60	IN	A	13.35.77.45

;; AUTHORITY SECTION:
mydomain.com.	172800	IN	NS	ns-1514.awsdns-61.org.
mydomain.com.	172800	IN	NS	ns-1620.awsdns-10.co.uk.
mydomain.com.	172800	IN	NS	ns-365.awsdns-45.com.
mydomain.com.	172800	IN	NS	ns-804.awsdns-36.net.

I check the "mydomain.com" from https://lookup.icann.org/en/lookup  The web site check returns

Name: mydomain.com
Registry Domain ID: 2791464376_DOMAIN_COM-VRSN
Domain Status:
clientDeleteProhibited
clientTransferProhibited
clientUpdateProhibited
Nameservers:
NS-1514.AWSDNS-61.ORG
NS-1620.AWSDNS-10.CO.UK
NS-365.AWSDNS-45.COM
NS-804.AWSDNS-36.NET
Dates
Registry Expiration: 2025-06-19 00:46:50 UTC
Updated: 2023-11-03 05:14:39 UTC
Created: 2023-06-19 00:46:50 UTC

Registrar Information
Name: Amazon Registrar, Inc.
IANA ID: 468
Abuse contact phone: tel:+1.2067406200

DNSSEC Information
Delegation Signed: Signed
Delegation Signer Data:
Key Tag:  
13519
Algorithm:  
8
Digest Type:  
2
Digest:  
00C45F13609CBA517FA8854DE8CA5FEC5DD5E9DEF8C693856B61595BA1EB01DD

Thank you for your comment/help in advance.

Best

Answer

I see that you have DNSSEC enabled on your domain. If you use DNSSEC with a domain and you transfer the domain registration to Route 53, you must disable DNSSEC at the former registrar first. Then, after you transfer the domain registration, take steps to set up DNSSEC for the domain in Route 53.

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-to-route-53.html

If you transfer a domain registration to Route 53 while DNSSEC is configured, the DNSSEC public keys are transferred, too and as a result the chain of trust is broken. You can confirm the DNSSEC issue on these platforms:
[+] https://dnsviz.net/
[+] https://dnssec-analyzer.verisignlabs.com/

To resolve this issue, disable DNSSEC on the domain registrar level (which will remove the DS record from the parent) and then enable it again along with the Route 53 hosted zone.

To disable DNSSEC on the domain, you need to delete the DNSSEC keys from the domain. For instructions on how to delete public keys for a Route 53 domain please go through this document -
 
[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html#domain-configure-dnssec-deleting-keys

Once you disable the DNSSEC, you can unable it again following this article (Make sure DNSSEC signing is enabled on the hosted zone as well) -
 
[+] https://aws.amazon.com/blogs/networking-and-content-delivery/configuring-dnssec-signing-and-validation-with-amazon-route-53/

Answer

I find my error on AWS S53 "Domains" "Registered domains"  DNSSEC.

To address my error, I update the DNSSEC and insert the hosted zone DNSSEC Key-signing keys (KSKs) public key into the  "Domains" "Registered domains"  DNSSEC.

S53 Domain Name Service Does Not Propagate The DNS Records

相關內容