Why Will Custom Nameservers Will Not Delegate?

2

Before I get told to "browse to google.com" I need to make it clear that I have a working setup, that I have resolved all the 'usual' issues, and that I have been researching this for upwards of six months and getting precisely nowhere. I have also spoken to Name.com support and they have told me that private / custom / vanity nameservers are not their problem and, in fairness to them, using their nameservers works but fails to advertise any A or AAAA records that I add through their control panel.

The issue, as outlined in the title, is that my nameservers will not delegate. - I use IPTables on the linux side (mod_sec and mod_evasive) and can confirm that the firewall on the router side is not the problem (IPv6 routing packets allowed, and no difference whether on, off, or on with strict rules).

Access to the webserver is via routed subnet on the IPv4 side, and IPv6 connectivity is established via a PPP connection using an address from my IPv6 subnet, so IPv6 connectivity works (verified) with no additional configuration, whilst my /29 IPv4 uses the first address as the gateway for the routed subnet with the remaining addresses attached to the linux ethernet adapter. This also works and, whilst this is intended to bypass NAT, I am still able to configure ports on the remaining (non-gateway) IPv4 addresses for the DNS addresses and have both ports 53 and 80 open to ensure DNS and HTTPD connectivity in both directions (TCP and UDP).

My named.conf (with rndc key removed), named.run, and named.insurgent.info (clear form, the version on my server DNSSEC formatted) files are as shown below. Please let me know if further details or clarification are required.

named.conf:

options {
    listen-on { any; };
    allow-query { any; };
    listen-on-v6 { any; };

    directory           "/var/named";
    dump-file           "/var/named/data/cache_dump.db";
    statistics-file     "/var/named/data/named_stats.txt";
    memstatistics-file  "/var/named/data/named_mem_stats.txt";

    recursion yes;
    // edns-udp-size 1432;
    // allow-new-zones yes;
    allow-transfer { none; };

    dnssec-enable yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";

    version "Damned If I Know";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "insurgent.info" IN {
    type master;
    file "named.insurgent.info";
    auto-dnssec maintain;
    key-directory "/var/named/dynamic";
    update-policy local;
};

zone "46.102.204.in-addr.arpa" IN {
    type master;
    file "named.PTR4.insurgent";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.a.0.1.0.0.9.b.0.0.a.2.ip6.arpa" IN {
    type master;
    file "named.PTR6.insurgent";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

named.insurgent.info:

$TTL 1D
@                       IN  SOA    ns1.insurgent.info.    hostmaster.insurgent.info. (
                        110     ; serial
                        21600   ; refresh after 6 hours
                        3600    ; retry after 1 hour
                        604800  ; expire after 1 week
                        86400 ) ; minimum TTL of 1 day
;
                        IN  NS  ns1.insurgent.info.
                        IN  NS  ns2.insurgent.info.
;
                        IN  A       46.102.204.226
ns1                     IN  AAAA    2A00:B900:10A4:1::2
                        IN  A       46.102.204.227
ns2                     IN  AAAA    2A00:B900:10A4:1::4
;
insurgent.info.         IN  A       46.102.204.227
insurgent.info.         IN  AAAA    2A00:B900:10A4:1::4
;
insurgent.info.         IN  TXT     protonmail-verification=
;
www                     IN  A       46.102.204.227
www                     IN  AAAA    2A00:B900:10A4:1::4

named.run:

zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 04:09:01.695
reloading configuration succeeded
reloading zones succeeded
all zones loaded
running
managed-keys-zone: Key 19036 for zone . acceptance timer complete: key now trusted
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 05:09:01.695
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 06:09:01.696
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 07:09:01.696
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 08:09:01.696
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 09:09:01.696
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 10:09:01.696
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 11:09:01.697
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 12:09:01.697
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 13:09:01.697
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 14:09:01.697
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 15:09:01.697
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 16:09:01.698
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 17:09:01.698
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 18:09:01.698
FORMERR resolving 'ns-cnc1.qq.com/AAAA/IN': 182.254.49.112#53
FORMERR resolving 'ns-tel1.qq.com/AAAA/IN': 223.167.83.104#53
FORMERR resolving 'ns-cmn1.qq.com/AAAA/IN': 223.167.83.104#53
FORMERR resolving 'ns-os1.qq.com/AAAA/IN': 223.167.83.104#53
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 19:09:01.698
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 20:09:01.699
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 21:09:01.699
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 22:09:01.699
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 19-Aug-2018 23:09:01.699
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 00:09:01.699
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 01:09:01.700
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 02:09:01.700
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 03:09:01.700
_default: sending trust-anchor-telemetry query '_ta-4a5c-4f66/NULL'
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 04:09:01.700
managed-keys-zone: Key 19036 for zone . acceptance timer complete: key now trusted
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 05:09:01.700
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 06:09:01.701
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 07:09:01.701
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 08:09:01.701
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 09:09:01.701
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 10:09:01.701
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 11:09:01.702
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 12:09:01.702
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 13:09:01.702
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 14:09:01.702
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 15:09:01.702
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 16:09:01.703
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 17:09:01.703
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 18:09:01.703
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 19:09:01.703
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 20:09:01.703
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 21:09:01.704
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 22:09:01.704
received control channel command 'reload'
loading configuration from '/etc/named.conf'
unable to open '/etc/bind.keys'; using built-in keys instead
initializing GeoIP Country (IPv4) (type 1) DB
GEO-106FREE 20180327 Build 1 Copyright (c) 2018 MaxMind Inc All Rights Reserved
GeoIP Country (IPv6) (type 12) DB not available
GeoIP City (IPv4) (type 2) DB not available
GeoIP City (IPv4) (type 6) DB not available
GeoIP City (IPv6) (type 30) DB not available
GeoIP City (IPv6) (type 31) DB not available
GeoIP Region (type 3) DB not available
GeoIP Region (type 7) DB not available
GeoIP ISP (type 4) DB not available
GeoIP Org (type 5) DB not available
GeoIP AS (type 9) DB not available
GeoIP Domain (type 11) DB not available
GeoIP NetSpeed (type 10) DB not available
using default UDP/IPv4 port range: [32768, 60999]
using default UDP/IPv6 port range: [32768, 60999]
sizing zone task pool based on 9 zones
none:104: 'max-cache-size 90%' - setting to 6897MB (out of 7663MB)
automatic empty zone: 10.IN-ADDR.ARPA
automatic empty zone: 16.172.IN-ADDR.ARPA
automatic empty zone: 17.172.IN-ADDR.ARPA
automatic empty zone: 18.172.IN-ADDR.ARPA
automatic empty zone: 19.172.IN-ADDR.ARPA
automatic empty zone: 20.172.IN-ADDR.ARPA
automatic empty zone: 21.172.IN-ADDR.ARPA
automatic empty zone: 22.172.IN-ADDR.ARPA
automatic empty zone: 23.172.IN-ADDR.ARPA
automatic empty zone: 24.172.IN-ADDR.ARPA
automatic empty zone: 25.172.IN-ADDR.ARPA
automatic empty zone: 26.172.IN-ADDR.ARPA
automatic empty zone: 27.172.IN-ADDR.ARPA
automatic empty zone: 28.172.IN-ADDR.ARPA
automatic empty zone: 29.172.IN-ADDR.ARPA
automatic empty zone: 30.172.IN-ADDR.ARPA
automatic empty zone: 31.172.IN-ADDR.ARPA
automatic empty zone: 168.192.IN-ADDR.ARPA
automatic empty zone: 64.100.IN-ADDR.ARPA
automatic empty zone: 65.100.IN-ADDR.ARPA
automatic empty zone: 66.100.IN-ADDR.ARPA
automatic empty zone: 67.100.IN-ADDR.ARPA
automatic empty zone: 68.100.IN-ADDR.ARPA
automatic empty zone: 69.100.IN-ADDR.ARPA
automatic empty zone: 70.100.IN-ADDR.ARPA
automatic empty zone: 71.100.IN-ADDR.ARPA
automatic empty zone: 72.100.IN-ADDR.ARPA
automatic empty zone: 73.100.IN-ADDR.ARPA
automatic empty zone: 74.100.IN-ADDR.ARPA
automatic empty zone: 75.100.IN-ADDR.ARPA
automatic empty zone: 76.100.IN-ADDR.ARPA
automatic empty zone: 77.100.IN-ADDR.ARPA
automatic empty zone: 78.100.IN-ADDR.ARPA
automatic empty zone: 79.100.IN-ADDR.ARPA
automatic empty zone: 80.100.IN-ADDR.ARPA
automatic empty zone: 81.100.IN-ADDR.ARPA
automatic empty zone: 82.100.IN-ADDR.ARPA
automatic empty zone: 83.100.IN-ADDR.ARPA
automatic empty zone: 84.100.IN-ADDR.ARPA
automatic empty zone: 85.100.IN-ADDR.ARPA
automatic empty zone: 86.100.IN-ADDR.ARPA
automatic empty zone: 87.100.IN-ADDR.ARPA
automatic empty zone: 88.100.IN-ADDR.ARPA
automatic empty zone: 89.100.IN-ADDR.ARPA
automatic empty zone: 90.100.IN-ADDR.ARPA
automatic empty zone: 91.100.IN-ADDR.ARPA
automatic empty zone: 92.100.IN-ADDR.ARPA
automatic empty zone: 93.100.IN-ADDR.ARPA
automatic empty zone: 94.100.IN-ADDR.ARPA
automatic empty zone: 95.100.IN-ADDR.ARPA
automatic empty zone: 96.100.IN-ADDR.ARPA
automatic empty zone: 97.100.IN-ADDR.ARPA
automatic empty zone: 98.100.IN-ADDR.ARPA
automatic empty zone: 99.100.IN-ADDR.ARPA
automatic empty zone: 100.100.IN-ADDR.ARPA
automatic empty zone: 101.100.IN-ADDR.ARPA
automatic empty zone: 102.100.IN-ADDR.ARPA
automatic empty zone: 103.100.IN-ADDR.ARPA
automatic empty zone: 104.100.IN-ADDR.ARPA
automatic empty zone: 105.100.IN-ADDR.ARPA
automatic empty zone: 106.100.IN-ADDR.ARPA
automatic empty zone: 107.100.IN-ADDR.ARPA
automatic empty zone: 108.100.IN-ADDR.ARPA
automatic empty zone: 109.100.IN-ADDR.ARPA
automatic empty zone: 110.100.IN-ADDR.ARPA
automatic empty zone: 111.100.IN-ADDR.ARPA
automatic empty zone: 112.100.IN-ADDR.ARPA
automatic empty zone: 113.100.IN-ADDR.ARPA
automatic empty zone: 114.100.IN-ADDR.ARPA
automatic empty zone: 115.100.IN-ADDR.ARPA
automatic empty zone: 116.100.IN-ADDR.ARPA
automatic empty zone: 117.100.IN-ADDR.ARPA
automatic empty zone: 118.100.IN-ADDR.ARPA
automatic empty zone: 119.100.IN-ADDR.ARPA
automatic empty zone: 120.100.IN-ADDR.ARPA
automatic empty zone: 121.100.IN-ADDR.ARPA
automatic empty zone: 122.100.IN-ADDR.ARPA
automatic empty zone: 123.100.IN-ADDR.ARPA
automatic empty zone: 124.100.IN-ADDR.ARPA
automatic empty zone: 125.100.IN-ADDR.ARPA
automatic empty zone: 126.100.IN-ADDR.ARPA
automatic empty zone: 127.100.IN-ADDR.ARPA
automatic empty zone: 127.IN-ADDR.ARPA
automatic empty zone: 254.169.IN-ADDR.ARPA
automatic empty zone: 2.0.192.IN-ADDR.ARPA
automatic empty zone: 100.51.198.IN-ADDR.ARPA
automatic empty zone: 113.0.203.IN-ADDR.ARPA
automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
automatic empty zone: D.F.IP6.ARPA
automatic empty zone: 8.E.F.IP6.ARPA
automatic empty zone: 9.E.F.IP6.ARPA
automatic empty zone: A.E.F.IP6.ARPA
automatic empty zone: B.E.F.IP6.ARPA
automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
automatic empty zone: EMPTY.AS112.ARPA
automatic empty zone: HOME.ARPA
none:104: 'max-cache-size 90%' - setting to 6897MB (out of 7663MB)
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 22:11:23.537
reloading configuration succeeded
reloading zones succeeded
all zones loaded
running
managed-keys-zone: Key 19036 for zone . acceptance timer complete: key now trusted
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
no longer listening on ::#53
no longer listening on 127.0.0.1#53
no longer listening on 10.200.0.6#53
no longer listening on 46.102.204.226#53
no longer listening on 46.102.204.227#53
no longer listening on 46.102.204.228#53
no longer listening on 46.102.204.229#53
no longer listening on 46.102.204.230#53
exiting
managed-keys-zone: journal file is out of date: removing journal file
managed-keys-zone: loaded serial 24
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.a.0.1.0.0.9.b.0.0.a.2.ip6.arpa/IN: loaded serial 101
zone 46.102.204.in-addr.arpa/IN: loaded serial 101
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone insurgent.info/IN: loaded serial 113 (DNSSEC signed)
all zones loaded
running
zone 46.102.204.in-addr.arpa/IN: sending notifies (serial 101)
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.a.0.1.0.0.9.b.0.0.a.2.ip6.arpa/IN: sending notifies (serial 101)
zone insurgent.info/IN: sending notifies (serial 113)
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 22:11:53.608
managed-keys-zone: Key 19036 for zone . acceptance timer complete: key now trusted
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
resolver priming query complete
received control channel command 'reload'
loading configuration from '/etc/named.conf'
unable to open '/etc/bind.keys'; using built-in keys instead
initializing GeoIP Country (IPv4) (type 1) DB
GEO-106FREE 20180327 Build 1 Copyright (c) 2018 MaxMind Inc All Rights Reserved
GeoIP Country (IPv6) (type 12) DB not available
GeoIP City (IPv4) (type 2) DB not available
GeoIP City (IPv4) (type 6) DB not available
GeoIP City (IPv6) (type 30) DB not available
GeoIP City (IPv6) (type 31) DB not available
GeoIP Region (type 3) DB not available
GeoIP Region (type 7) DB not available
GeoIP ISP (type 4) DB not available
GeoIP Org (type 5) DB not available
GeoIP AS (type 9) DB not available
GeoIP Domain (type 11) DB not available
GeoIP NetSpeed (type 10) DB not available
using default UDP/IPv4 port range: [32768, 60999]
using default UDP/IPv6 port range: [32768, 60999]
sizing zone task pool based on 9 zones
none:104: 'max-cache-size 90%' - setting to 6897MB (out of 7663MB)
automatic empty zone: 10.IN-ADDR.ARPA
automatic empty zone: 16.172.IN-ADDR.ARPA
automatic empty zone: 17.172.IN-ADDR.ARPA
automatic empty zone: 18.172.IN-ADDR.ARPA
automatic empty zone: 19.172.IN-ADDR.ARPA
automatic empty zone: 20.172.IN-ADDR.ARPA
automatic empty zone: 21.172.IN-ADDR.ARPA
automatic empty zone: 22.172.IN-ADDR.ARPA
automatic empty zone: 23.172.IN-ADDR.ARPA
automatic empty zone: 24.172.IN-ADDR.ARPA
automatic empty zone: 25.172.IN-ADDR.ARPA
automatic empty zone: 26.172.IN-ADDR.ARPA
automatic empty zone: 27.172.IN-ADDR.ARPA
automatic empty zone: 28.172.IN-ADDR.ARPA
automatic empty zone: 29.172.IN-ADDR.ARPA
automatic empty zone: 30.172.IN-ADDR.ARPA
automatic empty zone: 31.172.IN-ADDR.ARPA
automatic empty zone: 168.192.IN-ADDR.ARPA
automatic empty zone: 64.100.IN-ADDR.ARPA
automatic empty zone: 65.100.IN-ADDR.ARPA
automatic empty zone: 66.100.IN-ADDR.ARPA
automatic empty zone: 67.100.IN-ADDR.ARPA
automatic empty zone: 68.100.IN-ADDR.ARPA
automatic empty zone: 69.100.IN-ADDR.ARPA
automatic empty zone: 70.100.IN-ADDR.ARPA
automatic empty zone: 71.100.IN-ADDR.ARPA
automatic empty zone: 72.100.IN-ADDR.ARPA
automatic empty zone: 73.100.IN-ADDR.ARPA
automatic empty zone: 74.100.IN-ADDR.ARPA
automatic empty zone: 75.100.IN-ADDR.ARPA
automatic empty zone: 76.100.IN-ADDR.ARPA
automatic empty zone: 77.100.IN-ADDR.ARPA
automatic empty zone: 78.100.IN-ADDR.ARPA
automatic empty zone: 79.100.IN-ADDR.ARPA
automatic empty zone: 80.100.IN-ADDR.ARPA
automatic empty zone: 81.100.IN-ADDR.ARPA
automatic empty zone: 82.100.IN-ADDR.ARPA
automatic empty zone: 83.100.IN-ADDR.ARPA
automatic empty zone: 84.100.IN-ADDR.ARPA
automatic empty zone: 85.100.IN-ADDR.ARPA
automatic empty zone: 86.100.IN-ADDR.ARPA
automatic empty zone: 87.100.IN-ADDR.ARPA
automatic empty zone: 88.100.IN-ADDR.ARPA
automatic empty zone: 89.100.IN-ADDR.ARPA
automatic empty zone: 90.100.IN-ADDR.ARPA
automatic empty zone: 91.100.IN-ADDR.ARPA
automatic empty zone: 92.100.IN-ADDR.ARPA
automatic empty zone: 93.100.IN-ADDR.ARPA
automatic empty zone: 94.100.IN-ADDR.ARPA
automatic empty zone: 95.100.IN-ADDR.ARPA
automatic empty zone: 96.100.IN-ADDR.ARPA
automatic empty zone: 97.100.IN-ADDR.ARPA
automatic empty zone: 98.100.IN-ADDR.ARPA
automatic empty zone: 99.100.IN-ADDR.ARPA
automatic empty zone: 100.100.IN-ADDR.ARPA
automatic empty zone: 101.100.IN-ADDR.ARPA
automatic empty zone: 102.100.IN-ADDR.ARPA
automatic empty zone: 103.100.IN-ADDR.ARPA
automatic empty zone: 104.100.IN-ADDR.ARPA
automatic empty zone: 105.100.IN-ADDR.ARPA
automatic empty zone: 106.100.IN-ADDR.ARPA
automatic empty zone: 107.100.IN-ADDR.ARPA
automatic empty zone: 108.100.IN-ADDR.ARPA
automatic empty zone: 109.100.IN-ADDR.ARPA
automatic empty zone: 110.100.IN-ADDR.ARPA
automatic empty zone: 111.100.IN-ADDR.ARPA
automatic empty zone: 112.100.IN-ADDR.ARPA
automatic empty zone: 113.100.IN-ADDR.ARPA
automatic empty zone: 114.100.IN-ADDR.ARPA
automatic empty zone: 115.100.IN-ADDR.ARPA
automatic empty zone: 116.100.IN-ADDR.ARPA
automatic empty zone: 117.100.IN-ADDR.ARPA
automatic empty zone: 118.100.IN-ADDR.ARPA
automatic empty zone: 119.100.IN-ADDR.ARPA
automatic empty zone: 120.100.IN-ADDR.ARPA
automatic empty zone: 121.100.IN-ADDR.ARPA
automatic empty zone: 122.100.IN-ADDR.ARPA
automatic empty zone: 123.100.IN-ADDR.ARPA
automatic empty zone: 124.100.IN-ADDR.ARPA
automatic empty zone: 125.100.IN-ADDR.ARPA
automatic empty zone: 126.100.IN-ADDR.ARPA
automatic empty zone: 127.100.IN-ADDR.ARPA
automatic empty zone: 127.IN-ADDR.ARPA
automatic empty zone: 254.169.IN-ADDR.ARPA
automatic empty zone: 2.0.192.IN-ADDR.ARPA
automatic empty zone: 100.51.198.IN-ADDR.ARPA
automatic empty zone: 113.0.203.IN-ADDR.ARPA
automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
automatic empty zone: D.F.IP6.ARPA
automatic empty zone: 8.E.F.IP6.ARPA
automatic empty zone: 9.E.F.IP6.ARPA
automatic empty zone: A.E.F.IP6.ARPA
automatic empty zone: B.E.F.IP6.ARPA
automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
automatic empty zone: EMPTY.AS112.ARPA
automatic empty zone: HOME.ARPA
none:104: 'max-cache-size 90%' - setting to 6897MB (out of 7663MB)
reloading configuration succeeded
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 22:12:07.578
reloading zones succeeded
all zones loaded
running
managed-keys-zone: Key 19036 for zone . acceptance timer complete: key now trusted
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
no longer listening on ::#53
no longer listening on 127.0.0.1#53
no longer listening on 10.200.0.6#53
no longer listening on 46.102.204.226#53
no longer listening on 46.102.204.227#53
no longer listening on 46.102.204.228#53
no longer listening on 46.102.204.229#53
no longer listening on 46.102.204.230#53
exiting
managed-keys-zone: loaded serial 26
zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.a.0.1.0.0.9.b.0.0.a.2.ip6.arpa/IN: loaded serial 101
addnode: NSEC node already exists
zone localhost.localdomain/IN: loaded serial 0
zone insurgent.info/IN: loaded serial 113 (DNSSEC signed)
zone 46.102.204.in-addr.arpa/IN: loaded serial 101
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
all zones loaded
running
zone insurgent.info/IN: sending notifies (serial 113)
zone insurgent.info/IN: reconfiguring zone keys
zone 46.102.204.in-addr.arpa/IN: sending notifies (serial 101)
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.4.a.0.1.0.0.9.b.0.0.a.2.ip6.arpa/IN: sending notifies (serial 101)
zone insurgent.info/IN: next key event: 20-Aug-2018 22:12:09.955
managed-keys-zone: Key 19036 for zone . acceptance timer complete: key now trusted
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
resolver priming query complete
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 20-Aug-2018 23:12:09.955
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 00:12:09.955
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 01:12:09.955
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 02:12:09.955
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 03:12:09.956
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 04:12:09.956
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 05:12:09.956
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 06:12:09.956
connection refused resolving 'researchscan541.eecs.umich.edu/A/IN': 141.213.15.4#53
connection refused resolving 'researchscan541.eecs.umich.edu/A/IN': 141.213.15.4#53
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 07:12:09.956
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 08:12:09.957
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 09:12:09.957
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 10:12:09.957
FORMERR resolving 'ns-os1.qq.com/AAAA/IN': 183.2.186.153#53
FORMERR resolving 'ns-cnc1.qq.com/AAAA/IN': 183.2.186.153#53
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 11:12:09.957
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 12:12:09.958
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 13:12:09.958
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 14:12:09.958
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 15:12:09.958
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 16:12:09.958
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 17:12:09.959
zone insurgent.info/IN: reconfiguring zone keys
zone insurgent.info/IN: next key event: 21-Aug-2018 18:12:09.959

9A4Sc6GW4LkvRD

Posted 2018-08-21T17:18:17.253

Reputation: 136

I'm not sure what you mean by "nameservers will not delegate". They are delegated just fine. Delegation from info to insurgent.info does not depend on your configuration, anyway. It is done solely by the registrar and the .info registry. – user1686 – 2018-08-21T18:22:30.137

Answers

3

The issue, as outlined in the title, is that my nameservers will not delegate.

"Will not delegate" can be interpreted in two ways:

  1. The info nameservers do not delegate insurgent.info to your nameservers.
  2. Your nameservers do not delegate <something>.insurgent.info to someone else's nameservers.

The second interpretation is unlikely, simply because you've shown that your zone doesn't have any 3rd-level delegations (NS records).

The first interpretation is the most likely, but it can be demonstrated to be false by checking the NS records on info nameservers, all of which contain correct information:

$ dnstracer -r1 -t1 -s. insurgent.info
Tracing to insurgent.info[a] via A.ROOT-SERVERS.NET, maximum of 1 retries
A.ROOT-SERVERS.NET [.] (2001:0503:ba3e:0000:0000:0000:0002:0030)
 |\___ a0.info.afilias-nst.info [info] (2001:0500:0019:0000:0000:0000:0000:0001)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) Got authoritative answer
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |      \___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) Got authoritative answer
 |\___ a0.info.afilias-nst.info [info] (199.254.31.1)
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |      \___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |\___ b2.info.afilias-nst.org [info] (2001:0500:0049:0000:0000:0000:0000:0001)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |      \___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |\___ b2.info.afilias-nst.org [info] (199.249.121.1)
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |      \___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |\___ c0.info.afilias-nst.info [info] (2001:0500:001b:0000:0000:0000:0000:0001)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |      \___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |\___ c0.info.afilias-nst.info [info] (199.254.49.1)
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |      \___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |\___ d0.info.afilias-nst.org [info] (2001:0500:001c:0000:0000:0000:0000:0001)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |      \___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |\___ d0.info.afilias-nst.org [info] (199.254.50.1)
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |      \___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |\___ b0.info.afilias-nst.org [info] (2001:0500:001a:0000:0000:0000:0000:0001)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |      \___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |\___ b0.info.afilias-nst.org [info] (199.254.48.1)
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |     |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
 |      \___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |\___ a2.info.afilias-nst.info [info] (2001:0500:0041:0000:0000:0000:0000:0001)
 |     |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
 |     |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
 |     |\___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *
 |      \___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
  \___ a2.info.afilias-nst.info [info] (199.249.113.1)
       |\___ ns2.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0004) (cached)
       |\___ ns2.insurgent.info [insurgent.info] (46.102.204.227) *
       |\___ ns1.insurgent.info [insurgent.info] (2a00:b900:10a4:0001:0000:0000:0000:0002) (cached)
        \___ ns1.insurgent.info [insurgent.info] (46.102.204.226) *

Examining an individual server via dig shows the same:

$ dig +nocmd +nostats insurgent.info. NS @a0.info.afilias-nst.info
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56401
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;insurgent.info.                        IN      NS

;; AUTHORITY SECTION:
insurgent.info.         86400   IN      NS      ns2.insurgent.info.
insurgent.info.         86400   IN      NS      ns1.insurgent.info.

;; ADDITIONAL SECTION:
ns1.insurgent.info.     86400   IN      AAAA    2a00:b900:10a4:1::2
ns2.insurgent.info.     86400   IN      AAAA    2a00:b900:10a4:1::4
ns1.insurgent.info.     86400   IN      A       46.102.204.226
ns2.insurgent.info.     86400   IN      A       46.102.204.227

$ dig +nocmd +nostats insurgent.info. DS @a0.info.afilias-nst.info
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28823
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;insurgent.info.                        IN      DS

;; ANSWER SECTION:
insurgent.info.         86400   IN      DS      29763 5 2 B5A75E0AE77392BB32F92943DCD9E086B8351CD32F30ECED2BCD3692 EA539934

As you can see, the delegation (the NS records, the glue A/AAAA records, and even the DNSSEC DS records) is correct – in that it exactly matches the IP addresses you provided in your own zone.

Querying the individual servers which the domain has been delegated to shows that they all return answers with the 'authoritative' flag, so the delegation is valid:

$ dig +nocmd +nostats insurgent.info. SOA @2a00:b900:10a4:1::2
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50734
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cc7cec751344643dd263565e5b7c5d3f1915af129394589c (good)
;; QUESTION SECTION:
;insurgent.info.                        IN      SOA

;; ANSWER SECTION:
insurgent.info.         86400   IN      SOA     ns1.insurgent.info. hostmaster.insurgent.info. 113 21600 3600 604800 86400

;; AUTHORITY SECTION:
insurgent.info.         86400   IN      NS      ns2.insurgent.info.
insurgent.info.         86400   IN      NS      ns1.insurgent.info.

;; ADDITIONAL SECTION:
ns1.insurgent.info.     86400   IN      AAAA    2a00:b900:10a4:1::2
ns2.insurgent.info.     86400   IN      AAAA    2a00:b900:10a4:1::4
ns1.insurgent.info.     86400   IN      A       46.102.204.227

$ dig +nocmd +nostats insurgent.info. DS @2a00:b900:10a4:1::4
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1061
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ffdb2d48b46554e4a6017bda5b7c5d0e3a07a163aa55d6d5 (good)
;; QUESTION SECTION:
;insurgent.info.                        IN      DS

;; ANSWER SECTION:
insurgent.info.         86255   IN      DS      29763 5 2 B5A75E0AE77392BB32F92943DCD9E086B8351CD32F30ECED2BCD3692 EA539934

However:

$ dig +nocmd +nostats insurgent.info. SOA @46.102.204.227
;; connection timed out; no servers could be reached

In the above logs you can see that your nameserver do not respond to DNS queries over UDP/IPv4, only accepting TCP/IPv4, UDP/IPv6, and TCP/IPv6.

While this has nothing to do with the issue "as outlined in the title", it will indeed cause problems when trying to actually resolve the domain name (because UDP—not TCP—is the default DNS transport and lack of UDP response will not cause TCP fallback).

user1686

Posted 2018-08-21T17:18:17.253

Reputation: 283 655

That is extremely helpful, and extremely informative, - thanks; so it would seem that the difficulties I am experiencing with some sites and services is likely to be as a result of failed UDP response. The open port on the router allows both TCP and UDP, so what might be causing this (bearing in mind that BIND does not need UDP to be explicitly allowed)? – 9A4Sc6GW4LkvRD – 2018-08-21T19:26:56.437

I have just disabled DoS Defence on my router and ran: dig +nocmd +nostats insurgent.info. SOA @46.102.204.227 - was this more the answer you were expecting? ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46343 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 276fbdf198c3d36d46a0f1e05b7c69031fb9c21fe57945c1 (good) – 9A4Sc6GW4LkvRD – 2018-08-21T19:34:25.763

I would guess either your iptables modules, or your ISP's "anti-DDoS measures" of some kind (i.e. preemptive block against open DNS resolvers). – user1686 – 2018-08-21T19:34:26.353

Got there before me and, yes, - it would appear that you were absolutely right again, - thanks. – 9A4Sc6GW4LkvRD – 2018-08-21T19:36:30.097

It was, but for the record, I still cannot get any response from 46.102.204.227 over UDP/IPv4. If disabling your router's "DoS Defence" made things work locally, it still means there is another layer of blocking between you and the internet. (Possibly ISP-level.) – user1686 – 2018-08-21T19:38:07.267

Not good, - I have been in touch with the ISP previously and they remain adamant that they have other customers with no problems and therefore there cannot be a problem with my connection or service (and, yes, I know, - that does not hold up; so I will have to contact them again, and with details of this post, to see if I can push them into making further checks). – 9A4Sc6GW4LkvRD – 2018-08-21T19:42:33.157

Then I'd suggest using tcpdump or something on your server and to check whether it receives any DNS/UDP/IPv4 queries. (Assuming you have an external host to send them from...) It could be your iptables modules (because it works over IPv6), or it could be your ISP lying by omission (they never said they have other customers with no problems hosting a DNS server, did they?) – user1686 – 2018-08-21T19:47:11.723

Good points, but I think that I can rule out the iptables modules because iptables have only just been installed in the past day (to support mod_evasive and mod_sec). I have also, now, sent a message to the ISP, and I will raise the issue of the DNS server if I need to, but I have directed them to this post, too, so I may not need to, as they should then be able to see for themselves that a DNS server is involved. – 9A4Sc6GW4LkvRD – 2018-08-21T19:55:57.207

Our ISP has now enabled inbound DNS, so hopefully the failed test will now work and our webserver will at last be fully visible. – 9A4Sc6GW4LkvRD – 2018-08-28T10:51:12.030

Asked: 2018-08-21T17:18:17.253

Viewed: 104 times

Active: 2018-08-21T19:43:26.177