
I have a SimpleHosting instance at gandi.net, connected with a domain at Gandi, mygandidomain.org, and another domain, myrootdomain.name registered somewhere else.

I successfully added a CNAME entry in my myrootdomain.name's DNS records to let one subdomain, subdomain.myrootdomain.name point to my SimpleHosting instance at Gandi, i.e.:

subdomain 10800 IN CNAME mygandidomain.org.

When I now go to subdomain.myrootdomain.name with Google Chrome I get an error message: "Error 404 Vhost unknown." This error message comes from Gandi, not from my other domain name registrar. So I conclude that the CNAME entry has taken effect.

However, to resolve this error, I only read the instructions afterwards. The instructions given by Gandi tell me I should do the following:

The instructions at Gandi say I should point it to gpaas12.dc2.gandi.net., i.e.

Add a CNAME line

subdomain 10800 IN CNAME gpaas12.dc2.gandi.net.

instead of

subdomain 10800 IN CNAME mygandidomain.org.

... and, to authorize myself as the owner of the domain, I should also add a TXT entry:

@ 10800 IN TXT "test=s0m3r4nD0mG!bB3ri$hStr1nG"

with some gibberish random string provided by Gandi.

So I did that. Since I cannot enter these lines directly but have to use some input web interface, I entered the TXT entry value once with and once without quotation marks, and both for the subdomain (entered subdomain.myrootdomain.name. into the "host" input field) and for the root domain (entered myrootdomain.name. into the "host" input field), just to be sure, because I am not allowed to enter "@" or "*" in that input field.

I changed the TTL for all added and changed DNS entries to 300. So they should have been updated long ago. But here is what still happens when digging:

$ dig txt subdomain.myrootdomain.name

; <<>> DiG 9.10.3-P4-Ubuntu <<>> txt subdomain.myrootdomain.name
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50813
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;subdomain.myrootdomain.name.   IN  TXT

;; ANSWER SECTION:
subdomain.myrootdomain.name. 3599   IN  CNAME   mygandidomain.org
mygandidomain.org.  10799   IN  TXT "v=spf1 include:_mailcust.gandi.net ?all"

;; Query time: 52 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Jul 11 05:42:59 CEST 2018
;; MSG SIZE  rcvd: 85

So the CNAME still points to mygandidomain.org, it seems, as I set it in the very beginning (before changing it to gpaas12.dc2.gandi.net.)

I don't know if that's bad, because mygandidomain.org in turn supposedly points to the hosting instance at gpaas12.dc2.gandi.net, if I understand correctly. (And I can actually access my Gandi-hosted site through mygandidomain.org)

However, I thought I should see any of the TXT entries I added for subdomain.myrootdomain.name by now.

If I understand these lines correctly:

;; QUESTION SECTION:
;subdomain.myrootdomain.name.   IN  TXT

... this means that there is a TXT entry for subdomain.myrootdomain.name which is, however, empty?

It seems there is only a non-empty TXT entry present in the Gandi domain's DNS entries here:

;; ANSWER SECTION:
subdomain.myrootdomain.name. 3599   IN  CNAME   mygandidomain.org
mygandidomain.org.  10799   IN  TXT "v=spf1 include:_mailcust.gandi.net ?all"

..., which has nothing to do with the TXT entry I was supposed to add to myrootdomain.name.

I did add the specified TXT entry with the provided string value, once with and once without quotation marks, both for myrootdomain.name and for subdomain.myrootdomain.name.

Same result regarding TXT entries for digging myrootdomain.name (where I think the TXT entry is supposed to be, as per the instructions by Gandi):

;; QUESTION SECTION:
;myrootdomain.name.     IN  TXT

Just one empty TXT entry? Should the changes not have taken effect by now?

I also flushed CNAME and TXT entries several times in Google's public DNS (8.8.8.8), through the interface at https://developers.google.com/speed/public-dns/cache, for both myrootdomain.name and subdomain.myrootdomain.name. And I am using the Google DNS server as my primary DNS on this machine.

When I go to subdomain.myrootdomain.name with Google Chrome, I still get the Error "Error 404 Vhost unknown." - which is probably to be expected, judging from the DNS digging results. This error message comes from Gandi, so at least the CNAME (either to gpaas12.dc2.gandi.net or still to mygandidomain.org) has taken effect there. Only the TXT entry, which should help to authorize domain ownership, is still not recognized, I guess.

Strangely, though, when I go to subdomain.myrootdomain.name with Firefox, I still get the older error message from my non-Gandi domain provider: "No website is configured under this address."

Is there something wrong with my TXT entry inputs? As I said, I added them with both subdomain.myrootdomain.name (which is probably not in line with Gandi's instructions) as well as to myrootdomain.name (which would probably be in line with Gandi's instructions), simply because I could not enter "@" or "*" instead, and wanted to be sure that I included the entry that is expected. And I also added them both twice, once with quotation marks included and once with quotation marks excluded, assuming that only the correct entry would be picked up by Gandi.

Should I delete any of them? Which one should I keep, to be in line with Gandi's instructions to add:

@ 10800 IN TXT "test=s0m3r4nD0mG!bB3ri$hStr1nG"

I cannot see how my inputs actually translate into these text lines.

But none of them seem to show up when doing $ dig .... until now anyway. Should I not see them appearing when doing $ dig ...? As I said, TTL is 300 (was longer at first), and I did the Google DNS flush thing.

Thanks for any hints and tips about how to interpret what's happening here.

EDIT: It works now. Not quite sure, but my hunch is that the extra TXT entry that I added for subdomain.mydomain.name. was somehow in conflict with the CNAME for subdomain.mydomain.name.. The manual said to add the TXT only for mydomain.name. and not subdomain.mydomain.name., but as I explained, I did both "just to be sure". I'm not quite sure that this was what did the trick, but this was the last thing I changed, and now it works.

anonymous ape
    Yes, hostname will be the subdomain (either plain `foo` or `foo.example.com`, depending on how they've set up their UI), text will be `test=s0mer4nd0mg1bB3r!$h` (or potentially `"test=s0mer4nd0mg1bB3r!$h"`), and TTL is up to you. A lower TTL lets you make changes and have them take effect more rapidly - try 300 until you get it working, then bump it up. Do `dig txt foo.example.com` after you set up the record to see if it worked. – ceejayoz Jul 11 '18 at 01:59
  • Thanks. I did that now for quite a long time, and think I've tried all reasonable possibilities. The TXT entries don't show up when `dig`ging. I changed TTLs for all added or changed entries to 300. But at first, I set TTL to longer times. Could it be that no update I did later on can take effect until the initially set TTL is expired? – anonymous ape Jul 11 '18 at 04:58
  • If you just gave the true names without all this useless and confusing obfuscation, that does not even follow standards (RFC2606)... – Patrick Mevzek Jul 13 '18 at 01:37
  • @Patrick Mevzek: If you just stated what exactly about the confusing obfuscation was making the question apparently illegible, or quoted which part of RFC2606 my entries contradicted, maybe that would have helped... But I can't be sure. Thanks for being so constructive. – anonymous ape Jul 13 '18 at 03:13
  • Do you know the DNS is public? What do you gain exactly by hiding the names? If you had read RFC2606 I think it is quite clear which parts (all of them in fact) you contradicted. With the true names people would have been able to do tests by themselves and provide you better answers. Your question would have been shorter and simpler. Especially since you provide it later in a comment... you should have done so right at the beginning, less hops and speculations. – Patrick Mevzek Jul 13 '18 at 06:52
  • Hoping that it is constructive enough for you: never use `dig` like you did, always specify the nameserver you query with `@`. When troubleshooting DNS problems, first query relevant authoritative nameservers and then recursive ones if needed. – Patrick Mevzek Jul 13 '18 at 06:54
  • Thanks. _"When troubleshooting DNS problems, first query relevant authoritative nameservers and then recursive ones if needed."_ That seems helpful and important to know. Thanks. I don't know anything about DNS. Never heard of an "authoritative nameserver" or a "recursive" one before. This is all new to me. But I'm glad someone actually tried to help me anyway. _"If you had read RFC2606 ..."_ - But I have not read RFC2606 and have no time for that. JFYI: This is a Q&A site. Omnipotent beings will probably not ask questions. See also: https://xkcd.com/1386/ – anonymous ape Jul 13 '18 at 18:21

1 Answer


This quite long question is a collection of common misunderstandings seen on Server Fault many times. Also, questions like this will usually get more detailed answers with actual domains we could test with. I hope you'll have a better understanding on what's going on here after reading these:

  • When I go to subdomain.myrootdomain.name with Google Chrome, I still get the Error "Error 404 Vhost unknown." - which is probably to be expected, judging from the DNS digging results.

    This has nothing to do with DNS: the fact that you can see Gandi's page tells that the DNS has been pointed to their servers, but their web servers aren't configured to recognize it. To link a domain, you first need to Add a virtual host to your instance from the instance control panel.

    The second step for domains not at Gandi is adding the CNAME for the subdomain and the TXT at the domain apex: @ IN TXT is equivalent to myrootdomain.name. IN TXT. As you could see from the manual, the form of this TXT record seems to be subdomain=hash. If your given record literally had test=s0m3r4nD0mG!bB3ri$hStr1nG, it was probably meant for test.myrootdomain.name instead of your subdomain.myrootdomain.name. In that case you need to start from the beginning by adding the exact subdomain you are planning to use.

  • ;; QUESTION SECTION:
    ;subdomain.myrootdomain.name.   IN  TXT
    

    ... this means that there is a TXT entry for subdomain.myrootdomain.name which is, however, empty?

    No, this is question section displaying what you were looking for. It's not empty, it just doesn't have the results. The results are in the answer section. And it's not empty:

    ;; ANSWER SECTION:
    subdomain.myrootdomain.name. 3599   IN  CNAME   mygandidomain.org
    mygandidomain.org.  10799   IN  TXT "v=spf1 include:_mailcust.gandi.net ?all"
    
  • I changed the TTL for all added and changed DNS entries to 300. So they should have been updated long ago.

    The query is cached for the TTL seconds. If you change the TTL time afterwards, it doesn't affect already cached queries. It was originally cached for 10800 seconds i.e. 3 hours, of which this 3599 seconds was left when last editing your question.

    If you need to check whether the record is updated at your authoritative name servers, you must perform the query directly against them (replace with an actual NS of your domain):

    dig subdomain.myrootdomain.name A @authoritative1.example.com
    dig myrootdomain.name TXT @authoritative1.example.com
    
  • If you add a TXT record on a subdomain that already has CNAME record, it's normal that it doesn't work: it'll show the TXT from the canonical name, instead, just like in your results. If a hostname has a CNAME record, it must not have other resource records of other type. Care to know why? I have an answer, and AndrewB even more detailed on a canonical question.

Esa Jokinen
  • Thank you very much for taking the time to give such a detailed reply. So, to be clearer, the subdomain I'd like to point to Gandi hosting is `test.accesstoinsight.eu`. An authoritative name server, if I understand correctly would be ns1.teuto.net. The TXT entry should be added for the root domain (i.e. accesstoinsight.eu), but I have added it for both rootdomain and subdomain (test.accesstoinsight.eu). However, digging for either (`dig txt [[test.]]accesstoinsight.eu @ns1.teuto.net`), I get no info about the added TXT entries back. I guess I should see the TXT entries when doing this? – anonymous ape Jul 11 '18 at 15:08
  • No TXT entry info as in the example you pointed out: ;; ANSWER SECTION: subdomain.myrootdomain.name. 3599 IN CNAME mygandidomain.org mygandidomain.org. 10799 IN TXT "v=spf1 include:_mailcust.gandi.net ?all" I get no such answer section with TXT entries at all when doing `dig txt accesstoinsight.eu @ns1.teuto.net` or `dig txt test.accesstoinsight.eu @ns1.teuto.net` Does this mean for all intents and purposes the TXT entries I added do not exist? In that case this seems to be an error with my domain provider at teuto.net – anonymous ape Jul 11 '18 at 15:13
    Now `dig TXT accesstoinsight.eu @ns1.teuto.net +short` gives `"test=2031964390624855b645ffa6ddea816e"`. Based on the SOA one can speculate that many edits are happening, so depending on how you test you may get stale values from caches. `test.accesstoinsight.eu` is a `CNAME` so you can not have a `TXT` record for the same label. – Patrick Mevzek Jul 13 '18 at 06:57
  • Also, `test.accesstoinsight.eu.` with its `CNAME gpaas12.dc2.gandi.net.` now gives a HTTP basic authentication login. As it doesn't give `Error 404 Vhost unknown.`, I suppose the problem is now solved. The root cause might have simply been impatience. – Esa Jokinen Jul 13 '18 at 08:14
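The two DNS points the answer makes (the TXT belongs at the apex, where `@` expands to the zone origin, and a name that has a CNAME must not carry any other record type, so a TXT added next to the CNAME is masked and a resolver answers with the target's TXT instead, exactly as in the question's dig output) can be checked without a live nameserver. The following is an added example, not code from the question, the answer or Gandi's documentation: a small zone-fragment parser with a CNAME-coexistence check and a resolver-style lookup. The zone contents, the `EXTERNAL` table standing in for Gandi's zone, and the record values are constructed for illustration (the TXT string is the placeholder from the question, not a real Gandi token).

```python
"""Mini zone checker: parse zone-file style records, flag the
CNAME-coexistence error (RFC 1034 s3.6.2, RFC 2181 s10.1), and show why a
TXT query for a CNAME'd name returns the target's TXT, not the one you added."""
import re
from collections import defaultdict

ORIGIN = "myrootdomain.name."

# Constructed zone fragments modelled on the question; not a real zone.
# BROKEN: TXT added both at the apex and next to the subdomain's CNAME.
BROKEN_ZONE = """
@          300 IN TXT   "test=s0m3r4nD0mG!bB3ri$hStr1nG"
subdomain  300 IN CNAME mygandidomain.org.
subdomain  300 IN TXT   "test=s0m3r4nD0mG!bB3ri$hStr1nG"
"""
# FIXED: TXT only at the apex, CNAME alone at the subdomain.
FIXED_ZONE = """
@          300 IN TXT   "test=s0m3r4nD0mG!bB3ri$hStr1nG"
subdomain  300 IN CNAME gpaas12.dc2.gandi.net.
"""
# Stand-in for the foreign zones a resolver would chase into (constructed).
EXTERNAL = {
    "mygandidomain.org.": [(10800, "TXT", '"v=spf1 include:_mailcust.gandi.net ?all"')],
}

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative owner names the way a zone parser does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return a dict: owner FQDN -> list of (ttl, type, rdata)."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records[fqdn(owner, origin)].append((int(ttl), rtype.upper(), rdata.strip()))
    return dict(records)


def cname_conflicts(records):
    """Owners with a CNAME plus any other type: nameservers reject this or
    silently serve only the CNAME, which is why the extra TXT never shows."""
    bad = []
    for name, rrs in records.items():
        types = {t for _, t, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            bad.append((name, sorted(types - {"CNAME"})))
    return sorted(bad)


def lookup(records, name, rtype, external=None, depth=0):
    """Resolver-style answer: if the owner has a CNAME, return the CNAME and
    chase the target (in this zone or in EXTERNAL); other RRs at a CNAME
    owner are ignored, as a conforming resolver would do."""
    external = external or {}
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    rrs = records.get(name, []) + external.get(name, [])
    cnames = [r for r in rrs if r[1] == "CNAME"]
    if cnames and rtype != "CNAME":
        answer = [(name,) + cnames[0]]
        return answer + lookup(records, cnames[0][2], rtype, external, depth + 1)
    return [(name,) + r for r in rrs if r[1] == rtype]


if __name__ == "__main__":
    broken = parse_zone(BROKEN_ZONE)
    print("conflicts in broken zone:", cname_conflicts(broken))
    for rr in lookup(broken, "subdomain.myrootdomain.name.", "TXT", EXTERNAL):
        print("  ", *rr)
    fixed = parse_zone(FIXED_ZONE)
    print("conflicts in fixed zone:", cname_conflicts(fixed))
    print("apex TXT:", lookup(fixed, "myrootdomain.name.", "TXT"))
```

Run against the broken fragment, the TXT query for the subdomain comes back as the CNAME followed by mygandidomain.org's SPF record, the same shape as the answer section in the question; the apex query on the fixed fragment returns the verification TXT. To check the real zone the same way, query an authoritative server directly (`dig TXT myrootdomain.name @ns1.example.net +short`) rather than a recursive resolver whose cache still holds the old TTL.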