My website is ecoguardfilters.com
.
I bought a domain from GoDaddy and hosting is with Hostinger.
I changed the nameserver to Hostinger, but it is still not fully propagated, after two weeks.
What could be the problem?
My website is ecoguardfilters.com
.
I bought a domain from GoDaddy and hosting is with Hostinger.
I changed the nameserver to Hostinger, but it is still not fully propagated, after two weeks.
What could be the problem?
DNS doesn't propagate, but is cached. Every recursive name server first looks from it's own cache if it has already resolved the record within its TTL and then asks for the authoritative servers. That's why you should always start debugging by querying the authoritative servers, and then the parents.
In this case, whois ecoguardfilters.com
shows:
Name Server: NS1.DNS-PARKING.COM
Name Server: NS2.DNS-PARKING.COM
DNSSEC: signedDelegation
The parent zone has DNSSEC DS
records:
;; ANSWER SECTION:
ecoguardfilters.com. 86400 IN DS 54169 8 2 BA98A4F1210C30B65DA7C01E6B4A3385DBF1345E84FC7B635D3EB29D 8E187E4C
ecoguardfilters.com. 86400 IN DS 54169 8 1 8F44699EA5A178F74071A349FAF0069527F9E9BC
ecoguardfilters.com. 86400 IN DS 28279 8 1 0DB878191AAF675C098C0A71660EE20D09C7204E
But the Hostinger nameservers hasn't signed the zone with corresponding keys:
; <<>> DiG <<>> ecoguardfilters.com RRSIG @ns1.dns-parking.com
;; ANSWER SECTION:
ecoguardfilters.com. 3789 IN HINFO "RFC8482" ""
From that answer it seems their nameservers don't even support DNSSEC. Their supports tells:
If your domain is registered on Hostinger and hosted elsewhere, DNSSEC can be enabled on some domains. Not all domains support DNSSEC, thus for further information please contact our customer support via Live Chat.
DNSSEC cannot be enabled on domains hosted at Hostinger.
For testing and visualizing DNSSEC there's two awesome tools:
ecoguardfilters.com
ecoguardfilters.com
Normally you could just have configured DNSSEC on the new name servers and updated the DS
records. With DNSSEC, the correct order is significant! Shortened and modified a bit from Junior Payne's DNSSEC & DNS MIGRATION: How to migrate your DNS without disrupting DNSSEC:
Prepare the DNSSEC on the new provider: configure the zone and sign it.
Add DS record(s) of gaining DNS service provider and wait for TTL.
This current state will validate both the losing and gaining DNS service providers’ ZSKs. At this point the delegation to the new name server(s) has not yet changed. In this configuration, it’s necessary to re-sign the zone with the gaining DNS service provider and wait for the caches to expire (TTL of the DS records).Change delegation of the zone to the gaining DNS service provider.
Remove DS record(s) of the losing DNS service provider
Once you are sure there are no longer any cached DS record(s) referring to the losing DNS service provider, the losing DNS service provider’s DS record(s) can be removed from the registry.
Erlend Eide, not recognizing this possibility, gives another path on How to Migrate Name Servers for DNS Zones with DNSSEC active. Although Junior Payne is more correct, this alternative may be the only possibility, if the new provider doesn't support configuring DNSSEC prior delegation:
- Disable DNSSEC at Registrar
- Wait 24 hours
- Disable DNSSEC at Name Server (remove DS-records)
- Switch name servers
- Wait 24 hours
- Re-enable DNSSEC