CloudFlare DNS, Google DNS, and OpenDNS will not recognize domain's nameservers

Question

About 5 days ago I changed the nameservers on a domain (theswaffords.com) to AWS Route 53 nameservers. The domain is registered with iPage.

It worked, and the site is accessible on some browsers. But CloudFlare DNS, Google DNS, and OpenDNS are currently (as of June 25, 2022) not pulling up any records for that domain.

https://www.nslookup.io/domains/theswaffords.com/dns-records/

The authoritative records are there, but those three DNS services are not using them. This is a problem, because some browsers that use DNS-over-HTTPS are using those services. My Firefox defaults to using CloudFlare DNS, and when I disable it, the website loads fine.

The fact that it has been 5 days and that all three DNS services are having the same problem makes me think there is a misconfiguration somewhere. Does anyone know of any "gotchas" that can lead to other DNS servers not updating based on the authoritative DNS info? Thank you for any advice!

Answer 1

The delegation NS records appear to be correct but there appears to be a stray DS record.

The theswaffords.com zone hosted at Route53 does not appear to be signed, so having a DS record will cause any records in the zone to become invalid.
Presumably the cases where it works are cases where you use a non-validating resolver server.

You need to fix the DS records, by doing one of:

• Signing the zone at Route 53 and updating the DS record (through your registrar) to match the key.
• Removing the DS record (through your registrar) to indicate that the zone is unsigned.