
Hope someone can help. I know the basics of DNS setup, and am having an issue with my hosting company. I have several domains hosted; the DNS settings are basically set up by the hosting company using their nameservers.

There is this one domain that was set up recently in a new environment (other nameservers), and my client has problems reaching certain e-mail addresses from this domain; they bounce (Sender address rejected: Domain not found). I tried many DNS lookup tools to find out what could be happening, and ended up using https://toolbox.googleapps.com/apps/checkmx, which returns 'no nameservers found'.

The dig option from the same online tool returns a SERVFAIL when using Google's DNS, when I use the hoster's nameserver these resolve correctly...

Dig from the command prompt gives the same result:

```
dig mydomain.com @8.8.8.8

; <<>> DiG 9.10.3 <<>> mydomain.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30575
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
```

I reported this to the hoster and eventually they responded that they could not find any issue that would explain this behavior. They provided a link to www.intodns.com showing that everything was set up correctly and resolves fine...

I feel like I am left hanging a bit. I don't know why Google does not resolve it, but it seems an obvious problem that could cause lots of issues. Could someone explain to me what this probably means and how it could be rectified?

Edit, as per request: the domain name is dwc-amsterdam.com

paul
    We are unlikely to be able to help much without the domain name. – MadHatter Nov 03 '15 at 10:22
  • 1
    This looks like a syntax error in the zone file or non-existing name servers. But without the domain name we cannot inspect it in more detail. – Ondra Sniper Flidr Nov 03 '15 at 10:25
  • Sorry about that just added the domain name below, thanks. – paul Nov 03 '15 at 10:41
  • The problem [is DNSSEC](http://dnssec-debugger.verisignlabs.com/dwc-amsterdam.com). Your hosting company is lying to you. – womble Nov 04 '15 at 05:00
  • Thank you guys, the issue is still not resolved though. The current hosting tells me they do not support DNSSEC and they have no reference to the DS record in their settings. I was told they cannot even query the DS record, even when using a public DNS; it just does not show up? So now I am communicating with the former hoster, which does support DNSSEC, but they tell me it was already removed months ago and I should talk to the current hosting, sigh... – paul Nov 04 '15 at 12:32
  • Wondering: is it possible to query where the DS record propagates from? – paul Nov 04 '15 at 12:33

1 Answer


The delegation for dwc-amsterdam.com. indicates that this is a signed zone.

```
dwc-amsterdam.com.      172800  IN      NS      ns01.webstekker.nl.
dwc-amsterdam.com.      172800  IN      NS      ns02.webstekker.nl.
dwc-amsterdam.com.      86400   IN      DS      17739 7 1 05D720F7D200908C61631CD257A60F16ACE9D13D
```

However, the zone does not appear to be signed or have any keys for that matter.

```
$ dig @ns01.webstekker.nl. dwc-amsterdam.com. DNSKEY +norec

; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> @ns01.webstekker.nl. dwc-amsterdam.com. DNSKEY +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51308
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dwc-amsterdam.com.             IN      DNSKEY

;; AUTHORITY SECTION:
dwc-amsterdam.com.      14400   IN      SOA     ns01.webstekker.nl. nic.virtualregistrar.nl. 2015103001 28800 7200 604800 14400

;; Query time: 9 msec
;; SERVER: 85.158.251.251#53(85.158.251.251)
;; WHEN: Tue Nov 03 10:43:54 UTC 2015
;; MSG SIZE  rcvd: 121

$
```
Håkan Lindqvist
  • Thank you Håkan. For my info: does the last of the three lines in the first block tell you that it is signed? And how did you query the first block? The domain was transferred to the hoster a while back; is it possible that they missed this, and is this easily fixed? – paul Nov 03 '15 at 11:00
  • Yes, the `DS` record (part of the delegation data in the parent zone) indicates both that the zone is supposed to be signed and which key is the correct key. If the zone is not supposed to be signed, remove the `DS` record (through your registrar), if it is supposed to be signed, sign the zone and update the `DS` record as necessary to reflect the correct key. – Håkan Lindqvist Nov 03 '15 at 11:54
  • Although not yet resolved, the hosting companies are pointing at each other. I assume this has to be the culprit, so answer accepted, thanks Håkan. Is it possible to replace the domain name with some dummy name? – paul Nov 04 '15 at 15:41
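The mismatch the answer found (a DS in the parent, no DNSKEY in the child) can be checked offline once you have both record sets. The following is an added example, not code from the question, the answer or the hosting provider: it computes the DS that a parent should publish for a given DNSKEY (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4) and reports which DS records have no matching key. The DS record is the real one quoted in the answer; the DNSKEY bytes in `EXAMPLE_KEY_B64` are constructed and not a real key.

```python
import base64
import hashlib
import struct

# DS from the page's delegation (real data quoted in the answer).
PAGE_DS = "17739 7 1 05D720F7D200908C61631CD257A60F16ACE9D13D"
# Constructed public-key bytes for the "zone is really signed" case; not a real key.
EXAMPLE_KEY_B64 = base64.b64encode(b"constructed-example-public-key-bytes").decode()
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (every algorithm except obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_ds(text):
    """Parse presentation-format DS RDATA 'tag alg digest_type hex' into a tuple."""
    tag, alg, dtype, digest = text.split()
    return (int(tag), int(alg), int(dtype), digest.upper())

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=1):
    """The DS a parent should publish for this DNSKEY (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def check_delegation(owner, ds_records, dnskeys):
    """Report, per DS, whether any child DNSKEY (flags, proto, alg, b64) hashes to it.
    A DS with no matching DNSKEY is the page's situation: validators answer SERVFAIL."""
    results = []
    for ds in ds_records:
        matched = any(ds_from_dnskey(owner, *k, digest_type=ds[2]) == ds for k in dnskeys)
        results.append((ds, matched))
    return results

if __name__ == "__main__":
    # The answer's finding: a DS in .com, but no DNSKEY at all in the zone.
    for ds, ok in check_delegation("dwc-amsterdam.com", [parse_ds(PAGE_DS)], []):
        print("DS", ds[0], "matches a DNSKEY" if ok else "has no matching DNSKEY -> SERVFAIL")
```

Feed it the DS set from `dig +norec DS` at the parent and the DNSKEY set from the child's authoritative servers; either every DS must match a key, or the DS must be removed at the registrar, as the answer's comment says.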