We have a domain muzzard.com that is DNS hosted with AWS Route 53

AWS has given us the following nameservers:

ns-1996.awsdns-57.co.uk,ns-1368.awsdns-43.org,ns-777.awsdns-33.net,ns-436.awsdns-54.com

These have been added to muzzard.com as its nameservers at MyDomain.com, which is the ultimate registrar for muzzard.com.

I can see them in the DNS:

```
> set querytype=all
> muzzard.com
Server:  ns-1996.awsdns-57.co.uk
Address:  205.251.199.204

muzzard.com     internet address = 54.194.110.136
muzzard.com     nameserver = ns-1368.awsdns-43.org
muzzard.com     nameserver = ns-1996.awsdns-57.co.uk
muzzard.com     nameserver = ns-436.awsdns-54.com
muzzard.com     nameserver = ns-777.awsdns-33.net
muzzard.com
        primary name server = ns-1996.awsdns-57.co.uk
        responsible mail addr = awsdns-hostmaster.amazon.com
        serial  = 1
        refresh = 7200 (2 hours)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 86400 (1 day)
muzzard.com     MX preference = 10, mail exchanger = mail.muzzard.com
mail.muzzard.com        internet address = 159.8.131.164
```

In there I have added 2 A records in the Route 53 control panel:

ns-primary.muzzard.com & ns-secondary.muzzard.com

These have Windows2012 DNS software loaded and will respond to requests.

We want to use muzzard.com as the DNS nameserver for another domain, teachers-direct.co.uk, which is hosted at GoDaddy.

I am trying to add ns-primary.muzzard.com & ns-secondary.muzzard.com in the GoDaddy control panel, but it is rejecting them, saying "You must enter a registered nameserver."

There are existing records for ns-americas, ns-emea and ns-apac.muzzard.com (that no longer exist).

When I add the new nameserver it fails with this error message:

And yet the nameservers are in the DNS if I ping them.

```
C:\Users\Karl>ping ns-primary.muzzard.com

Pinging ns-primary.muzzard.com [159.8.131.164] with 32 bytes of data:
Reply from 159.8.131.164: bytes=32 time=56ms TTL=115
```

Here is a screen capture of the DNS setting on ns-primary.muzzard.com

And ns-primary responds correctly using nslookup with the correct IP for the given hostname.

```
C:\Users\Karl>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> lserver ns-primary.muzzard.com
Default Server:  ns-primary.muzzard.com
Address:  159.8.131.164

> www.teachers-direct.co.uk
Server:  ns-primary.muzzard.com
Address:  159.8.131.164

Name:    www.teachers-direct.co.uk
Address:  176.34.226.81
```

I believe this is due to missing "glue" records at muzzard.com.

Where would I add these ns records?

Update 5 October 2016

I had to change the nameservers for this domain 'teachers-direct' to a set that worked as it is a live site with a lot of traffic.

Currently, as mentioned in the comments, I have another domain in the same situation that I have not moved to working DNS servers.

This was the response from the tech team for that domain, 'carib.com':

"Our upper level domains team has further investigated and they have found out that the name servers ns-primary.muzzard.com and ns-secondary.muzzard.com do not exist at the registry. They have told me that the owner of the domain muzzard.com will need to add host entries for these. I think that you can pass this information to the support of muzzard.com registrar. Please let me know if more details are required and I will try to obtain more technical details. If there’s anything else at all I can do for you, please let me know and I’ll be very happy to help. Best wishes"

bendecko
  • On a somewhat unrelated note, your authoritative DNS servers are [open resolvers](http://openresolver.com/?ip=ns-primary.muzzard.com), and [you should probably not be trying to host your own authoritative DNS](http://serverfault.com/questions/23744/should-we-host-our-own-nameservers). – Andrew B Sep 12 '16 at 19:59
  • @HåkanLindqvist Can you run with this one? I suspect I have a knowledge gap when it comes to operation of registrars and registries. While no glue record should strictly be required for `co.uk` to delegate to nameservers inside of `com.`, the web interface isn't allowing this person's custom nameservers to be set here. – Andrew B Sep 14 '16 at 20:48
  • Good tip. I've shut them off being recursive. Your other point about whether we should be bothering with this at all or not - lol - well we have more than 2 geographic locations, and also need redundant mx servers - so it works out pretty economic to do the lot (lots of domains), and we have more control. I have tried outsourcing DNS, but then they, for example, change their server IPs - making more work for me. This way we are in control of our own destiny. – bendecko Sep 15 '16 at 13:27

1 Answer

I disagree with Florin. Glue is only needed to address chicken and egg scenarios in the DNS. In this case, no glue is required at all because you are attempting to use nameservers ending in com. for a co.uk. domain.

I've taken a look at ns-primary.muzzard.com and ns-secondary.muzzard.com. I can find nothing wrong with these A records, or the referrals leading up to them. Both of those nameservers are properly returning authoritative responses for teachers-direct.co.uk, and the NS records are set up properly (pointing at the nameservers you are attempting to define in the control panel).

```
$ dig +noall +comments +norecurse @ns-primary.muzzard.com teachers-direct.co.uk SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59089
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

$ dig +noall +comments +norecurse @ns-secondary.muzzard.com teachers-direct.co.uk SOA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

$ dig +short +norecurse @ns-primary.muzzard.com teachers-direct.co.uk NS
ns-primary.muzzard.com.
ns-secondary.muzzard.com.

$ dig +short +norecurse @ns-secondary.muzzard.com teachers-direct.co.uk NS
ns-secondary.muzzard.com.
ns-primary.muzzard.com.
```

At this point, I'd encourage you to attempt applying these nameservers again. It's possible that you did not have everything properly configured during your initial attempt, which caused the recursive DNS servers used by GoDaddy's validation check to cache (or negative cache) responses that would cause this check to continue failing. If it still isn't working, the ever-reliable Håkan Lindqvist will probably find this question at some point and set matters right.

Andrew B
  • Thanks for the Answer. It seems there is something else amiss. I just tried to change the Nameservers - the cache must be empty now - but it still errors. – bendecko Sep 14 '16 at 19:21
  • I have another domain in limbo too. "carib.com" - That is with a different set of registrars. I raised a ticket with their support and was told "The nameservers will need to be verified at the registry. Can you please confirm the IP addresses for them so I can forward the request on your behalf?" I've asked them what registry they are referring to; hopefully they will respond so I can re-post here. – bendecko Sep 14 '16 at 19:23
  • Teachers direct is already registered somewhere as ```teachers-direct.co.uk. 3599 IN NS ns-emea.kbytes.net.``` and ```teachers-direct.co.uk. 3599 IN NS ns-americas.kbytes.net.``` – Tricky Sep 22 '16 at 17:00
  • @Tricky yeah I had to change the nameservers to ones that worked - the site was down! – bendecko Oct 05 '16 at 18:31
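
The rule stated in the answer (glue is only needed when a nameserver's name lies inside the zone being delegated) and the header flags in its dig output can be checked together before changing nameservers at a registrar. The following is an added example, not code from the question or the answer; the function names are hypothetical, and the sample headers are the two shown in the answer. The `ra` flag means the server advertises recursion, which is what the open-resolver comment refers to.

```python
import re

def labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing root dot."""
    return name.lower().rstrip(".").split(".")

def needs_glue(zone, nameserver):
    """True when the nameserver name is at or below the delegated zone,
    the chicken-and-egg case where the parent must publish its address."""
    z, n = labels(zone), labels(nameserver)
    # Compare whole labels so ns.notmuzzard.com is not treated as
    # being inside muzzard.com.
    return len(n) >= len(z) and n[-len(z):] == z

def header_flags(dig_comments):
    """Flag set from the ';; flags:' line of dig +comments output."""
    m = re.search(r"^;; flags:([a-z ]*);", dig_comments, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def preflight(zone, responses):
    """responses maps nameserver name -> dig header text for '<zone> SOA'."""
    report = {}
    for ns, text in responses.items():
        flags = header_flags(text)
        report[ns] = {
            "glue_required": needs_glue(zone, ns),
            "authoritative": "aa" in flags and "status: NOERROR" in text,
            "offers_recursion": "ra" in flags,  # should be off on an authoritative-only server
        }
    return report

# Header lines as they appear in the answer's dig output.
SAMPLE = {
    "ns-primary.muzzard.com":
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59089\n"
        ";; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n",
    "ns-secondary.muzzard.com":
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61146\n"
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n",
}

if __name__ == "__main__":
    for ns, result in preflight("teachers-direct.co.uk", SAMPLE).items():
        print(ns, result)
    # The same names used for muzzard.com itself would be in-zone.
    print(needs_glue("muzzard.com", "ns-primary.muzzard.com"))
```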