0

My website is ecoguardfilters.com.
I bought a domain from GoDaddy and hosting is with Hostinger.
I changed the nameserver to Hostinger, but it is still not fully propagated, after two weeks.

What could be the problem?

kenlukas
Shahid

1 Answer

2

DNS doesn't propagate, but is cached. Every recursive name server first looks from its own cache if it has already resolved the record within its TTL and then asks the authoritative servers. That's why you should always start debugging by querying the authoritative servers, and then the parents.

DNSSEC enabled, but Hostinger DNS doesn't support it

In this case, whois ecoguardfilters.com shows:

Name Server: NS1.DNS-PARKING.COM
Name Server: NS2.DNS-PARKING.COM
DNSSEC: signedDelegation

The parent zone has DNSSEC DS records:

;; ANSWER SECTION:
ecoguardfilters.com.  86400  IN  DS  54169 8 2 BA98A4F1210C30B65DA7C01E6B4A3385DBF1345E84FC7B635D3EB29D 8E187E4C
ecoguardfilters.com.  86400  IN  DS  54169 8 1 8F44699EA5A178F74071A349FAF0069527F9E9BC
ecoguardfilters.com.  86400  IN  DS  28279 8 1 0DB878191AAF675C098C0A71660EE20D09C7204E

But the Hostinger nameservers haven't signed the zone with corresponding keys:

; <<>> DiG <<>> ecoguardfilters.com RRSIG @ns1.dns-parking.com

;; ANSWER SECTION:
ecoguardfilters.com.    3789    IN      HINFO   "RFC8482" ""

From that answer it seems their nameservers don't even support DNSSEC. Their support says:

Do you provide DNSSEC?

If your domain is registered on Hostinger and hosted elsewhere, DNSSEC can be enabled on some domains. Not all domains support DNSSEC, thus for further information please contact our customer support via Live Chat.

DNSSEC cannot be enabled on domains hosted at Hostinger.

For testing and visualizing DNSSEC there are two awesome tools:


DNSSEC migration

Normally you could just have configured DNSSEC on the new name servers and updated the DS records. With DNSSEC, the correct order is significant! Shortened and modified a bit from Junior Payne's DNSSEC & DNS MIGRATION: How to migrate your DNS without disrupting DNSSEC:

  1. Prepare the DNSSEC on the new provider: configure the zone and sign it.

  2. Add DS record(s) of gaining DNS service provider and wait for TTL.
    This current state will validate both the losing and gaining DNS service providers’ ZSKs. At this point the delegation to the new name server(s) has not yet changed. In this configuration, it’s necessary to re-sign the zone with the gaining DNS service provider and wait for the caches to expire (TTL of the DS records).

  3. Change delegation of the zone to the gaining DNS service provider.

  4. Remove DS record(s) of the losing DNS service provider
    Once you are sure there are no longer any cached DS record(s) referring to the losing DNS service provider, the losing DNS service provider’s DS record(s) can be removed from the registry.

Erlend Eide, not recognizing this possibility, gives another path on How to Migrate Name Servers for DNS Zones with DNSSEC active. Although Junior Payne is more correct, this alternative may be the only possibility, if the new provider doesn't support configuring DNSSEC prior to delegation:

  1. Disable DNSSEC at Registrar
  2. Wait 24 hours
  3. Disable DNSSEC at Name Server (remove DS-records)
  4. Switch name servers
  5. Wait 24 hours
  6. Re-enable DNSSEC

Solutions for you

  • As Hostinger doesn't support DNSSEC, using their DNS you should disable DNSSEC at the registrar.
  • If you wish to continue using DNSSEC, don't move your DNS to Hostinger (i.e. move it back or find another DNS provider), but only point your web site to their servers.
Esa Jokinen
  • Sir, I chose the second option. Now I switch back to GoDaddy DNS provider and only pointing website to Hostinger servers. I will wait for 24 hours to see what happens. – Shahid Jul 27 '20 at 12:06
  • Can you please tell me how to disable DNSSEC in GoDaddy... – Shahid Jul 27 '20 at 12:07
  • If I am going with first option as I cannot see any option of disabling it. – Shahid Jul 27 '20 at 12:07
  • With GoDaddy you can refer to https://fi.godaddy.com/help/dnssec-faq-6135 – Esa Jokinen Jul 27 '20 at 12:18
  • The DNSSEC migration outlined won't work. Right now, unfortunately only 2 things can work: disabling it prior change of nameservers (please do not say reinforce the wrong idea "wait 24 hours" nothing like that is written out it depends on TTLs, etc.) OR cooperation between the two operators (highly unlikely). The proposed migration won't work because some resolvers may have cached the old DS (hence not query new ones) and then won't see the old DNSKEY on new provider or even if they are copied the new provider won't have matching RRSIG records. This doesn't work in practice. – Patrick Mevzek Aug 03 '20 at 05:15
  • It works, but naturally you have to wait for the TTL before you can change delegation. That's in the document linked, but I shortened it a bit too much. It's now updated to include this crucial detail. It's important that both DS records exist simultaneously between the migration. I've done similar migrations when changing the keys within the same name servers, without interrupting DNSSEC. The same applies here. – Esa Jokinen Aug 03 '20 at 13:40
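
Added example, not part of the answer or the comments above: the DS-to-DNSKEY link that the answer inspects with whois and dig, computed in Python for the DS set quoted in the answer and for each stage of the DS-first migration order. OLD_KEY and NEW_KEY are constructed stand-in keys and the function names are this example's own; it checks only whether a parent DS matches a served DNSKEY, not RRSIG validity or what resolvers have cached.

```python
import hashlib, struct
HASHES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):  # wire-format DNSKEY RDATA
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):  # RFC 4034 Appendix B
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = HASHES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def delegation_state(owner, ds_set, dnskeys):
    """Return 'insecure' (no DS), 'linked' (a DS matches a served key) or 'bogus'."""
    if not ds_set:
        return "insecure"
    for tag, alg, dtype, digest in ds_set:
        want = (tag, alg, dtype, digest.replace(" ", "").upper())
        if dtype in HASHES and any(make_ds(owner, k, dtype) == want for k in dnskeys):
            return "linked"
    return "bogus"  # validating resolvers fail the lookup in this state

ZONE = "ecoguardfilters.com."
PAGE_DS = [  # DS records quoted in the answer above
    (54169, 8, 2, "BA98A4F1210C30B65DA7C01E6B4A3385DBF1345E84FC7B635D3EB29D 8E187E4C"),
    (54169, 8, 1, "8F44699EA5A178F74071A349FAF0069527F9E9BC"),
    (28279, 8, 1, "0DB878191AAF675C098C0A71660EE20D09C7204E")]
# Constructed stand-in keys for illustration; not any provider's real keys.
OLD_KEY = dnskey_rdata(257, 3, 8, b"old-provider-key" * 8)
NEW_KEY = dnskey_rdata(257, 3, 8, b"new-provider-key" * 8)

def migration_states(owner=ZONE, old_key=OLD_KEY, new_key=NEW_KEY):
    """Link state at each stage of the DS-first order, plus the failing shortcut."""
    old_ds, new_ds = make_ds(owner, old_key, 2), make_ds(owner, new_key, 2)
    stages = [("new DS added", [old_ds, new_ds], [old_key]),
              ("delegation switched", [old_ds, new_ds], [new_key]),
              ("old DS removed", [new_ds], [new_key]),
              ("switched, DS not updated", [old_ds], [new_key])]
    return {label: delegation_state(owner, ds, keys) for label, ds, keys in stages}

if __name__ == "__main__":
    print(delegation_state(ZONE, PAGE_DS, []), migration_states())
```

Passing an empty key list with PAGE_DS models the situation in the question: DS records at the parent while the new name servers serve no DNSKEY at all.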