S53 Domain Name Service Does Not Propagate The DNS Records


I have transferred a Domain Name from Google Cloud to AWS. Following the AWS S53 document, I have created hosted zone and related records. And I have updated the Domain Name Service "Name servers" to ns-365.awsdns-45.com ns-1620.awsdns-10.co.uk ns-1514.awsdns-61.org ns-804.awsdns-36.net

After days waiting, If I use command dig @ "my domain" The command "dig" returns empty A record

If I use command dig @ns-365.awsdns-45.com "my domain" The command "dig" returns ;; ANSWER SECTION: mydomain.com. 60 IN A mydomain.com. 60 IN A mydomain.com. 60 IN A mydomain.com, 60 IN A

;; AUTHORITY SECTION: mydomain.com. 172800 IN NS ns-1514.awsdns-61.org. mydomain.com. 172800 IN NS ns-1620.awsdns-10.co.uk. mydomain.com. 172800 IN NS ns-365.awsdns-45.com. mydomain.com. 172800 IN NS ns-804.awsdns-36.net.

I check the "mydomain.com" from https://lookup.icann.org/en/lookup The web site check returns

Name: mydomain.com Registry Domain ID: 2791464376_DOMAIN_COM-VRSN Domain Status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited Nameservers: NS-1514.AWSDNS-61.ORG NS-1620.AWSDNS-10.CO.UK NS-365.AWSDNS-45.COM NS-804.AWSDNS-36.NET Dates Registry Expiration: 2025-06-19 00:46:50 UTC Updated: 2023-11-03 05:14:39 UTC Created: 2023-06-19 00:46:50 UTC

Registrar Information Name: Amazon Registrar, Inc. IANA ID: 468 Abuse contact phone: tel:+1.2067406200

DNSSEC Information Delegation Signed: Signed Delegation Signer Data: Key Tag:
13519 Algorithm:
8 Digest Type:
2 Digest:

Thank you for your comment/help in advance.


2 réponses

I find my error on AWS S53 "Domains" "Registered domains" DNSSEC.

To address my error, I update the DNSSEC and insert the hosted zone DNSSEC Key-signing keys (KSKs) public key into the "Domains" "Registered domains" DNSSEC.

répondu il y a 5 mois

I see that you have DNSSEC enabled on your domain. If you use DNSSEC with a domain and you transfer the domain registration to Route 53, you must disable DNSSEC at the former registrar first. Then, after you transfer the domain registration, take steps to set up DNSSEC for the domain in Route 53.

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-to-route-53.html

If you transfer a domain registration to Route 53 while DNSSEC is configured, the DNSSEC public keys are transferred, too and as a result the chain of trust is broken. You can confirm the DNSSEC issue on these platforms: [+] https://dnsviz.net/ [+] https://dnssec-analyzer.verisignlabs.com/

To resolve this issue, disable DNSSEC on the domain registrar level (which will remove the DS record from the parent) and then enable it again along with the Route 53 hosted zone.

To disable DNSSEC on the domain, you need to delete the DNSSEC keys from the domain. For instructions on how to delete public keys for a Route 53 domain please go through this document -

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html#domain-configure-dnssec-deleting-keys

Once you disable the DNSSEC, you can unable it again following this article (Make sure DNSSEC signing is enabled on the hosted zone as well) -

[+] https://aws.amazon.com/blogs/networking-and-content-delivery/configuring-dnssec-signing-and-validation-with-amazon-route-53/

profile pictureAWS
répondu il y a un mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions