Can't resolve website using Google's public DNS


Your domain has a DS record (at its parent zone):

dig yippie.nl DS
;; ANSWER SECTION:
yippie.nl.      7181    IN  DS  47534 8 2 07DF0CFD5F01119819B8319F7FEE01F7B8121EA11AB5BDEA765F5396 BB5B9CD1

and has no DNSKEY record:

dig yippie.nl DNSKEY
(no answer section)

And, it is not signed with DNSSEC (no RRSIG records).

Google Public DNS checks DNSSEC, and since your domain claims to have DNSSEC (DS record) but is not actually signed, any DNSSEC-aware resolver considers it bogus. Most DNS resolvers today still ignore DNSSEC, but Google is one of those who have already started to check DNSSEC.

Verisign provides a very handy DNSSEC-checking tool.

To fix the situation, either

  1. Remove the DS record for your domain from the parent zone.

  2. Make the zone properly signed with a DNSKEY that corresponds to the DS record you already have. (Amazon Route 53 does not support DNSSEC, thus you will have to either host the zone on your own or use another provider.) In any case, you can do it only if you possess a key that corresponds to the existing DS.

  3. Sign the zone with a new DNSKEY, and replace the current DS record with the one which corresponds to the DNSKEY you use. See my video guide here (refers to a proprietary service I'm affiliated with).
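An added example (not part of the original answer) of what "a DNSKEY that corresponds to the DS record" means in options 2 and 3: the DS digest is SHA-256 over the owner name plus the DNSKEY RDATA, and the key tag is a checksum of that RDATA. The function names and the stand-in key bytes are assumptions made for illustration, and only digest type 2 (the type of the DS above) is handled.

```python
import hashlib
import struct

# DS record quoted on the page: key tag, algorithm, digest type, digest.
PAGE_DS = (47534, 8, 2,
           "07DF0CFD5F01119819B8319F7FEE01F7B8121EA11AB5BDEA765F5396BB5B9CD1")

def owner_wire(name):
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple with digest type 2: SHA-256(owner wire form + DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def classify(owner, ds_set, dnskeys):
    """State of the parent/child link as a validating resolver sees it."""
    if not ds_set:
        return "insecure"            # option 1: no DS, zone treated as unsigned
    for ds in ds_set:
        if ds[2] != 2:
            raise ValueError("this example only handles digest type 2 (SHA-256)")
        if any(make_ds(owner, rd) == ds for rd in dnskeys):
            return "ds-matches-dnskey"   # options 2/3; RRSIGs must still validate
    return "bogus"                   # DS at parent, no matching DNSKEY at child

if __name__ == "__main__":
    # Constructed stand-in for a public key; not a real RSA key.
    new_key = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
    print(classify("yippie.nl.", [PAGE_DS], []))         # the situation on the page
    print(classify("yippie.nl.", [], []))                # after removing the DS
    new_ds = make_ds("yippie.nl.", new_key)
    print(classify("yippie.nl.", [new_ds], [new_key]))   # after publishing a new DS
```

With the DS from the page and an empty DNSKEY set the result is "bogus", which is why a validating resolver such as 8.8.8.8 refuses to answer while non-validating resolvers still do.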


Author: Maurice Kroon

Updated on September 18, 2022

Comments

  • Maurice Kroon almost 2 years

    I can't seem to be able to access my site: yippie.nl, using Google's public DNS 8.8.8.8. Other DNS's work fine.

    Could this be due to DNSKEY? Cause Route53 doesn't provide it.

    http://dnscheck.pingdom.com/?domain=yippie.nl shows:

    Inconsistent security for yippie.nl - DS found at parent, but no DNSKEY found at child.

    The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation.

    That's the only thing I could find.

    When I do dig +trace +add yippie.nl I do get the full thing: Ends:

    yippie.nl.      300 IN  A   94.75.224.2
    

    Any idea what could be the problem?

    Many thanks!

    • Maurice Kroon over 10 years
      @AlešKrajník, unsure how to do that on Route 53. Everything seems fine on that end, it really seems like a DNSSEC issue.
  • Sandman4 over 10 years
    @MauriceKroon probably what you do with your new provider is "option 3" in my list. (...you can do it (option 2) only if you possess a key that corresponds to the existing DS. And I guess you don't.)