
A week ago I set up my domain (rentools.pl) and pointed it to AWS nameservers.

Although it's been over a week, it seems the domain isn't working on all DNS resolvers.

I'm looking it up in the dig tool and I'm getting a SERVFAIL response:

→ dig @8.8.8.8 rentools.pl

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 rentools.pl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57048
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rentools.pl.                   IN      A

;; Query time: 60 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 26 08:38:23 CEST 2021
;; MSG SIZE  rcvd: 40

My domain is set up, so the domain registrar points to the following name servers

And here's what my records look like in Route53

Am I making some obvious mistake somewhere? I don't see why it would work on some DNS resolvers (on my home broadband it works fine) but not on others (like my mobile network), where it doesn't work at all.

Appreciate any input

Konrad

1 Answer


The DS record for rentools.pl specifies a different key than what is used to sign the zone.

The DS record specifies a key with tag 9414 which does not exist in the zone. The existing KSK has tag 42488.

See e.g. the dnsviz output.

You should update the DS through your registrar to match the existing KSK.

Håkan Lindqvist
  • That was exactly the problem - I contacted my registrar and it seems that when I added NS records for AWS, the registrar didn't remove their own DNSSEC keys automatically. They've removed them now so it should be fixed soon. Thanks :) – Konrad May 26 '21 at 08:02
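The mismatch the answer describes, as an added example (not code from the question, the answer or Route 53): it recomputes the RFC 4034 key tag from a DNSKEY, derives the DS record the parent zone should carry, and performs the comparison a validating resolver makes before trusting the zone. The key material, the stale DS digest and the resulting tag 5154 are constructed placeholders; only the tag 9414 comes from the answer.

```python
import hashlib
from dataclasses import dataclass

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

@dataclass
class DNSKEY:
    flags: int        # 257 = zone key + SEP bit (a KSK), 256 = plain zone key (ZSK)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
    def key_tag(self) -> int:
        """RFC 4034 Appendix B checksum over the RDATA: the 'tag' that dig and dnsviz display."""
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b << 8 if i % 2 == 0 else b
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF
@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes

def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """The DS the parent (.pl) should publish: SHA-256 over owner wire name + DNSKEY RDATA."""
    digest = hashlib.sha256(owner_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, 2, digest)

def ds_matches_zone(owner: str, ds: DS, zone_keys: list) -> tuple:
    """Mirror a validating resolver's check before it trusts the zone's RRSIGs."""
    zone_tags = sorted(k.key_tag() for k in zone_keys if k.flags & 0x100)
    for k in zone_keys:
        if k.flags & 0x100 and k.key_tag() == ds.key_tag and k.algorithm == ds.algorithm:
            if ds.digest_type == 2 and ds_from_dnskey(owner, k).digest == ds.digest:
                return True, f"DS matches DNSKEY tag {k.key_tag()}"
            return False, f"tag {ds.key_tag} found but digest differs"
    return False, f"DS points at tag {ds.key_tag}, zone only publishes {zone_tags} -> bogus, SERVFAIL"

# Constructed sample data (not a real key): the KSK the zone actually serves.
KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(1, 9)))
# Stale DS still held at the registrar (tag 9414 as in the answer; digest is a constructed placeholder).
STALE_DS = DS(key_tag=9414, algorithm=13, digest_type=2, digest=bytes(32))
# The DS the registrar should publish instead, derived from the key that is really in the zone.
GOOD_DS = ds_from_dnskey("rentools.pl", KSK)
```

Running `ds_matches_zone` with `STALE_DS` reproduces the failure mode in the question (validating resolvers such as 8.8.8.8 return SERVFAIL, non-validating ones answer normally), while `GOOD_DS` is the record to hand to the registrar.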