
I can't seem to be able to access my site, yippie.nl, using Google's public DNS 8.8.8.8. Other DNS servers work fine.

Could this be due to DNSKEY? Because Route53 doesn't provide it.

http://dnscheck.pingdom.com/?domain=yippie.nl shows:

Inconsistent security for yippie.nl - DS found at parent, but no DNSKEY found at child.

The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation.

That's the only thing I could find.

When I do dig +trace +add yippie.nl I do get the full thing. It ends with:

yippie.nl.      300 IN  A   94.75.224.2

Any idea what could be the problem?

Many thanks!

Maurice Kroon
  • I once had a similar problem - it was because the nameservers for the given domain were not properly synchronized. I would suggest checking the DNS records for the given domain on ALL of the domain's nameservers. – Aleš Krajník Jan 07 '14 at 13:49
  • @AlešKrajník, unsure how to do that on Route 53. Everything seems fine on that end; it really seems like a DNSSEC issue. – Maurice Kroon Jan 08 '14 at 20:09

1 Answer

Your domain has a DS record (at its parent zone):

dig yippie.nl DS
;; ANSWER SECTION:
yippie.nl.      7181    IN  DS  47534 8 2 07DF0CFD5F01119819B8319F7FEE01F7B8121EA11AB5BDEA765F5396 BB5B9CD1

and has no DNSKEY record:

dig yippie.nl DNSKEY
(no answer section)

And, it is not signed with DNSSEC (no RRSIG records).

Google Public DNS validates DNSSEC, and since your domain claims to have DNSSEC (the DS record) but really is not signed, any DNSSEC-validating resolver considers it bogus. Most DNS resolvers today still ignore DNSSEC, but Google is one of those that has already started to check DNSSEC.

Verisign provides a very handy DNSSEC-checking tool.

To fix the situation, either

  1. Remove the DS record for your domain from the parent zone.

  2. Make the zone properly signed with a DNSKEY that corresponds to the DS record you already have. (Amazon Route 53 does not support DNSSEC, so you will have to either host the zone on your own or use another provider.) In any case, you can do this only if you possess the key that corresponds to the existing DS.

  3. Sign the zone with a new DNSKEY, and replace the current DS record with the one that corresponds to the DNSKEY you use. See my video guide here (refers to a proprietary service I'm affiliated with).

Sandman4
  • Thanks! I've decided to go for option 2: switching provider. Dynect offered to help me out with it. Thanks! – Maurice Kroon Jan 08 '14 at 20:08
  • @MauriceKroon probably what you do with your new provider is "option 3" in my list. (_...you can do it (option 2) only if you possess a key that corresponds to the existing DS._ And I guess you don't.) – Sandman4 Jan 08 '14 at 23:16
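The answer's point is that a validating resolver does not just look for "some" DNSKEY at the child: it recomputes the DS digest from each candidate DNSKEY and compares it with the DS published at the parent, so only a key the zone owner actually holds can satisfy an existing DS (which is why option 2 needs the matching private key and option 3 replaces the DS). The following is an added example, written for this page and not code from the question, the answer, Route 53 or any DNS software. It implements that DS/DNSKEY linkage offline: the DS digest construction of RFC 4034 section 5.1.4 (SHA-256 digest type 2 per RFC 4509), the key tag algorithm of RFC 4034 Appendix B, and a small classifier that reproduces the "DS at parent, no matching DNSKEY at child" verdict. The only data taken from the page is the DS line quoted in the answer; every DNSKEY below is a constructed stand-in with dummy key bytes, not a real key, and the function and class names are this example's own.

```python
"""Offline check of the DS <-> DNSKEY linkage a validating resolver performs.

Added example, not code from the original question or answer. It implements
the DS digest construction of RFC 4034 section 5.1.4 (SHA-256 per RFC 4509)
and the key tag algorithm of RFC 4034 Appendix B. The DNSKEYs used below are
constructed stand-ins, not real keys; only the DS line quoted in the answer
above is taken from the page.
"""
import hashlib
import struct
from dataclasses import dataclass

# Digest types a validator can compute (RFC 4509 / RFC 6605). A DS whose digest
# type is unknown is skipped rather than treated as bogus (RFC 6840 s5.2).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # 8 = RSASHA256, the algorithm in the DS on the page
    public_key: bytes  # raw public key field; constructed dummy bytes here

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum over the RDATA. It only selects
        candidate keys quickly; it is not a security check by itself."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase labels, each prefixed
    with its length, terminated by the root label (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(owner name in wire form || DNSKEY RDATA). This is what the
    zone owner hands to the registrar and what a validator recomputes."""
    digest = DIGEST_TYPES[digest_type](owner_name_wire(name) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def parse_ds_presentation(line: str) -> DS:
    """Parse a dig-style DS line such as the one quoted in the answer. dig may
    split the hex digest across whitespace, so the hex fields are re-joined."""
    fields = line.split()
    i = fields.index("DS")
    key_tag, algorithm, digest_type = (int(f) for f in fields[i + 1:i + 4])
    return DS(key_tag, algorithm, digest_type, bytes.fromhex("".join(fields[i + 4:])))


def classify_delegation(name: str, ds_set: list, dnskey_set: list) -> str:
    """Model the DS/DNSKEY step of validation (RFC 4035 s5.2).

    "insecure": the parent publishes no usable DS, so the child is unsigned.
    "bogus": a DS exists but no child DNSKEY matches it (the yippie.nl case).
    "secure-entry-point": some DS matches a DNSKEY. A real validator then goes
    on to verify the RRSIG over the DNSKEY RRset and over the answer; that
    signature step is out of scope for this example.
    """
    usable = [ds for ds in ds_set if ds.digest_type in DIGEST_TYPES]
    if not usable:
        return "insecure"
    for ds in usable:
        for key in dnskey_set:
            # Cheap pre-filter on key tag and algorithm, then the real digest check.
            if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
                continue
            if ds_from_dnskey(name, key, ds.digest_type).digest == ds.digest:
                return "secure-entry-point"
    return "bogus"


if __name__ == "__main__":
    page_ds = parse_ds_presentation(
        "yippie.nl. 7181 IN DS 47534 8 2 "
        "07DF0CFD5F01119819B8319F7FEE01F7B8121EA11AB5BDEA765F5396 BB5B9CD1")
    # The child answers DNSKEY with an empty answer section, as in the question.
    print(classify_delegation("yippie.nl", [page_ds], []))  # bogus
```

Two things worth noting when applying this against a live zone. First, the key tag is only a pre-filter: two different DNSKEYs can share a tag, so the digest comparison is the check that matters, and the classifier above deliberately keeps looking past a tag match whose digest fails. Second, the name is lowercased before hashing, so a DS generated from `YIPPIE.NL.` and one generated from `yippie.nl` are identical; a mismatch between parent and child is therefore never a case-sensitivity problem but a genuinely different key. The online equivalent of the offline verdict is that a validating resolver such as 8.8.8.8 answers SERVFAIL for the bogus name while a non-validating resolver still returns the A record, which is exactly the symptom in the question.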