0

My site www.acurent.com is not resolving to its IP address 23.20.46.124 uniformly

Check on: https://www.whatsmydns.net/#A/acurent.com, it shows that it's resolving for certain networks only. If you refresh the page after 5-10 mins, it will show you a different set of servers which resolve the domain and the previous ones don't.

Background: I got this domain from a reseller on Sedo and this problem is persisting from the time the domain was transferred to my account. It has been 3 weeks now.

I have tried using 4 different internet connections at home and it is opening only via one. I also tried using VPNs the world over, and the behavior is inconsistent.

Upon further investigation, it looks like the nameservers aren't being propagated effectively.

See here: https://www.whatsmydns.net/#NS/acurent.com

Following is the result from the OpenDNS cache check tool. If this does not resolve on OpenDNS, then there is definitely a problem somewhere:

https://snipboard.io/HJehKj.jpg

Also, Google's DNS tool gives me this error:

https://snipboard.io/znPbLX.jpg

I have set up servers and DNS for more than 10 years, but I'm at my wits' end on this. I would really appreciate it if someone could help me get to the bottom of this problem.

Neil S

2 Answers

2

It looks like this domain is in a broken state in terms of DNSSEC validation where ideally it should not resolve at all. (SERVFAIL status is the expected outcome for any validating resolver.)

If you look at, for instance, DNSViz output, you can see that the delegation has a DS record (which specifies a DNSSEC key that is used for signing the zone) that refers to a key with tag 20198, but there do not appear to be any keys at all in the zone (so no key 20198 to be found), and there seems to be no signing going on.

You probably want to update (potentially remove?) the DS record for the zone to match your actual expectations for DNSSEC signing. This would be done through the registrar.

Håkan Lindqvist
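Added example, not part of the original answer: a Python sketch of the consistency check that the answer describes, comparing the DS set at the parent with the DNSKEY set served by the zone. It computes the key tag as in RFC 4034 Appendix B and the SHA-256 DS digest (digest type 2). The owner name `example.test.`, algorithm 13 and the two-byte "public key" are constructed sample values, with the key bytes chosen only so that the tag comes out as 20198; a real check would take both record sets from `dig` or a DNS library.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    labels = owner.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()

def classify_delegation(owner, ds_set, dnskeys):
    """ds_set: [(key_tag, algorithm, digest_hex)]; dnskeys: [DNSKEY RDATA bytes]."""
    if not ds_set:
        return "insecure"  # no DS at the parent: zone is treated as unsigned
    for tag, alg, digest in ds_set:
        for rdata in dnskeys:
            if (key_tag(rdata) == tag and rdata[3] == alg
                    and ds_digest_sha256(owner, rdata) == digest.lower()):
                return "chain-candidate"  # RRSIGs must still verify
    return "bogus"  # DS present, no matching DNSKEY: validators answer SERVFAIL

def demo():
    owner = "example.test."                          # constructed zone name
    key = dnskey_rdata(257, 3, 13, b"\x4a\xd8")      # constructed key, tag 20198
    ds = (key_tag(key), 13, ds_digest_sha256(owner, key))
    return {
        "ds_but_no_dnskey": classify_delegation(owner, [ds], []),  # state in the answer
        "ds_removed": classify_delegation(owner, [], []),
        "ds_matches_key": classify_delegation(owner, [ds], [key]),
    }

if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: {state}")
```

The `ds_but_no_dnskey` case is the state the answer describes; `ds_removed` is the outcome of deleting the DS record at the registrar.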
0

You have an issue with your DNSSEC config. Looks like you have DNSSEC enabled for your domain but your nameservers are missing their side of the config.

https://dns.google/query?name=www.acurent.com&rr_type=A&ecs=&show_dnssec=true

https://dnssec-analyzer.verisignlabs.com/acurent.com

Derek Held
  • Thanks a lot! I will get back to my registrar with this and see if they can resolve it. – Neil S Oct 18 '20 at 15:22
  • It looks like I have an option to add DNSSEC values. https://snipboard.io/QmuRjO.jpg What should I set this to? – Neil S Oct 18 '20 at 15:23
  • I'm not entirely sure how to direct you as your domain and DNS are both hosted by Bigrock and I can't find any documentation from them on enabling DNSSEC within their platform. – Derek Held Oct 18 '20 at 15:38
  • @NeilS What options do they give you? We have no means of seeing their UI. – Håkan Lindqvist Oct 18 '20 at 17:24
  • @NeilS In terms of the DS side of things, it was easy enough to find https://manage.bigrock.in/kb/node/1909 but for the signing I don't know. – Håkan Lindqvist Oct 18 '20 at 17:42
  • If you are not understanding what is happening, it is better for you to remove DNSSEC altogether (which means removing the DS records through your registrar) because otherwise you will only have other problems down the road. Of course having DNSSEC is better on paper, but you have to fully grasp how the DNS and then DNSSEC work otherwise you will create more problems for yourself than solutions. – Patrick Mevzek Oct 18 '20 at 19:02
  • Thanks @PatrickMevzek I removed it and everything is working perfectly now! – Neil S Oct 20 '20 at 03:53