S53 Domain Name Service Does Not Propagate The DNS Records


I have transferred a domain name from Google Cloud to AWS. Following the AWS S53 document, I have created a hosted zone and related records, and I have updated the Domain Name Service "Name servers" to:

ns-365.awsdns-45.com
ns-1620.awsdns-10.co.uk
ns-1514.awsdns-61.org
ns-804.awsdns-36.net

After days of waiting, if I use the command

dig @8.8.8.8 "my domain"

the command "dig" returns an empty A record.

If I use the command

dig @ns-365.awsdns-45.com "my domain"

the command "dig" returns:

;; ANSWER SECTION:
mydomain.com. 60 IN A 13.35.77.101
mydomain.com. 60 IN A 13.35.77.40
mydomain.com. 60 IN A 13.35.77.100
mydomain.com. 60 IN A 13.35.77.45

;; AUTHORITY SECTION:
mydomain.com. 172800 IN NS ns-1514.awsdns-61.org.
mydomain.com. 172800 IN NS ns-1620.awsdns-10.co.uk.
mydomain.com. 172800 IN NS ns-365.awsdns-45.com.
mydomain.com. 172800 IN NS ns-804.awsdns-36.net.

I checked "mydomain.com" at https://lookup.icann.org/en/lookup. The website check returns:

Name: mydomain.com
Registry Domain ID: 2791464376_DOMAIN_COM-VRSN
Domain Status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
Nameservers:
NS-1514.AWSDNS-61.ORG
NS-1620.AWSDNS-10.CO.UK
NS-365.AWSDNS-45.COM
NS-804.AWSDNS-36.NET
Dates
Registry Expiration: 2025-06-19 00:46:50 UTC
Updated: 2023-11-03 05:14:39 UTC
Created: 2023-06-19 00:46:50 UTC

Registrar Information
Name: Amazon Registrar, Inc.
IANA ID: 468
Abuse contact phone: tel:+1.2067406200

DNSSEC Information
Delegation Signed: Signed
Delegation Signer Data:
Key Tag: 13519
Algorithm: 8
Digest Type: 2
Digest: 00C45F13609CBA517FA8854DE8CA5FEC5DD5E9DEF8C693856B61595BA1EB01DD

Thank you for your comment/help in advance.

Best

mw888
Asked 5 months ago, viewed 210 times
2 Answers

I found my error in AWS S53 "Domains" "Registered domains" DNSSEC.

To address my error, I updated the DNSSEC and inserted the hosted zone DNSSEC key-signing key (KSK) public key into the "Domains" "Registered domains" DNSSEC.

mw888
Answered 5 months ago

I see that you have DNSSEC enabled on your domain. If you use DNSSEC with a domain and you transfer the domain registration to Route 53, you must disable DNSSEC at the former registrar first. Then, after you transfer the domain registration, take steps to set up DNSSEC for the domain in Route 53.

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-transfer-to-route-53.html

If you transfer a domain registration to Route 53 while DNSSEC is configured, the DNSSEC public keys are transferred too, and as a result the chain of trust is broken. You can confirm the DNSSEC issue on these platforms:

[+] https://dnsviz.net/

[+] https://dnssec-analyzer.verisignlabs.com/

To resolve this issue, disable DNSSEC on the domain registrar level (which will remove the DS record from the parent) and then enable it again along with the Route 53 hosted zone.

To disable DNSSEC on the domain, you need to delete the DNSSEC keys from the domain. For instructions on how to delete public keys for a Route 53 domain please go through this document -

[+] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html#domain-configure-dnssec-deleting-keys

Once you disable the DNSSEC, you can enable it again following this article (make sure DNSSEC signing is enabled on the hosted zone as well) -

[+] https://aws.amazon.com/blogs/networking-and-content-delivery/configuring-dnssec-signing-and-validation-with-amazon-route-53/

AWS
Support Engineer
Rutba_Z
Answered 1 month ago
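
The check behind both answers, as an added example (not code from the thread or from AWS): a validating resolver such as 8.8.8.8 accepts the zone only if the DS record held at the registry matches a key-signing key served by the hosted zone. The Python below computes the RFC 4034 key tag and the SHA-256 DS digest for a DNSKEY and compares them with the DS values quoted in the question; the KSK bytes are constructed stand-ins, and all function names are this example's own.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """Digest type 2: SHA-256(owner name | DNSKEY RDATA), RFC 4509."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def ds_matches_ksk(owner, ds, rdata):
    """True only if the parent's DS (tag, alg, digest type, digest) points at this key."""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    return (tag == key_tag(rdata) and alg == rdata[3]
            and digest.upper() == ds_sha256(owner, rdata))

# DS values as shown in the question's ICANN lookup output.
PARENT_DS = (13519, 8, 2,
             "00C45F13609CBA517FA8854DE8CA5FEC5DD5E9DEF8C693856B61595BA1EB01DD")

# Constructed stand-in for the new hosted zone's KSK (flags 257, algorithm 8);
# the key bytes are made up for this example, not a real key.
NEW_KSK = dnskey_rdata(257, 3, 8, base64.b64encode(bytes.fromhex("03010001aaaaaaaa")))

if __name__ == "__main__":
    print("key tag of hosted-zone KSK:", key_tag(NEW_KSK))
    print("parent DS matches KSK:", ds_matches_ksk("mydomain.com", PARENT_DS, NEW_KSK))
```

To run the same comparison on a live zone, take the DNSKEY fields from `dig DNSKEY` against the hosted zone's name servers and the DS fields from the registry lookup.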
