Route53 stopped resolving DNS entries

Question

As per the title. Last week, my TXT and other DNS records on Route53 stopped resolving:

The entries are set like:

What else could be missing here? As far as I'm aware, nothing has changed since 2018. The domain was automatically extended earlier September if that makes a difference.

Can anyone tell me what the issue might be or point me in the right direction?

score 3 · Accepted Answer · answered Oct 01 '19 at 02:19

The nameservers at your registrar are not configured to point to your Route53 servers:

~ $ dig ns thuijls.net

;; ANSWER SECTION:
thuijls.net.        172799  IN  NS  dns1.registrar-servers.com.
thuijls.net.        172799  IN  NS  dns2.registrar-servers.com.

Instead of dns1.registrar-servers.com. it should be something like ns-123.awsdns-99.net. and similar.

Go to your registrar (apparently that's Route53 Domain Registration) and make sure that the list of nameservers there matches the list of NS in your Route53 Hosted Zone thuijls.net.

"dig ns thuijls.net" you need to use the `@` option to dig otherwise your command just asks for the default recursive nameserver of your system (which do not shoz), which is in no way authoritative on the reply. — Patrick Mevzek, Oct 01 '19 at 05:22

score 3 · Answer 2 · answered Oct 01 '19 at 05:32

You probably forgot to renew the domain name (since the registry shows its expiration date to be 2020-09-04T23:33:05Z) and when that happens many registrars will either suspend the domain (put the domain on EPP clientHold) status) or change the domain name nameservers, which will provide different answsers.

Why I think so?

you said everything was working since 2018 and you did not change anythin
you posted today saying "last week", which makes the problem around the the 23, or 20 days after the expiration date
"The domain was automatically extended earlier September" is ambiguous: yes, technically in gTLD domains are automatically renewed at expiration... but that holds only if you pay your registrar at some point, otherwise the domain will get deleted; but before that, and as soon as expiration date is reached, the registrar can change the resolution of your domain for various reasons including making sure you are finally alerted that you need to act.

Based on @MLu answer, we see the nameservers which are the one of your registrar (Amazon), as they were cached by some recursive nameservers.

But if we ask the registry right now, it publishes the correct nameservers:

$ dig @a.gtld-servers.net thuijls.net NS | grep -E 'IN\s+NS\s+\S'
thuijls.net.        172800  IN  NS  ns-975.awsdns-57.net.
thuijls.net.        172800  IN  NS  ns-1151.awsdns-15.org.
thuijls.net.        172800  IN  NS  ns-1600.awsdns-08.co.uk.
thuijls.net.        172800  IN  NS  ns-29.awsdns-03.com.

So I guess you went to your registrar to renew the domain by paying for it, which put it back on its previous nameservers.

Both 1.1.1.1, 8.8.8.8 and 9.9.9.9 now also have this set of nameservers for your domain, so your problem seems solved:

$ for ns in 1.1.1.1 8.8.8.8 9.9.9.9 ; do echo $ns; dig @$ns thuijls.net TXT +short; done
1.1.1.1
"protonmail-verification=da168308ef062c75001796f57700ee75473bb0dd"
"v=spf1 include:_spf.protonmail.ch mx ~all"
8.8.8.8
"protonmail-verification=da168308ef062c75001796f57700ee75473bb0dd"
"v=spf1 include:_spf.protonmail.ch mx ~all"
9.9.9.9
"protonmail-verification=da168308ef062c75001796f57700ee75473bb0dd"
"v=spf1 include:_spf.protonmail.ch mx ~all"

I just fixed up the name servers, which AWS approved, and I'm waiting for my mail provider to re-read the required DNS entries. My AWS account is set up with automatic billing though so I'm not sure why the renewal would not have occurred. However, the timing is suspicious! — Jorg, Oct 01 '19 at 05:36
@ Jorg, ask your registrar. Based on @MLu diagnosis, nameservers for your domain were changed. If you did not do this change yourself, then your registrar did and indeed timing is suspicious based on your domain expiration date. At which point only your registrar can tell you full details about your domain name history, so you need to contact it. — Patrick Mevzek, Oct 01 '19 at 05:39
Thanks for the background info, I'll give it a shot. AWS is not easy to contact if you don't pay for support. — Jorg, Oct 01 '19 at 05:40
You have many other registrars, and you can transfer your domain between them without loosing neither your DNS configuration, nor your remaining time. You can use AWS DNS hosting without the domain being registered with them. Compare registrars not only on their facial prices but for other points, like support. Good support is like good backups: you never see you need it... until you need it and when you need it, it can not be bad or average without major problems. Good luck anyway. — Patrick Mevzek, Oct 01 '19 at 05:46

Route53 stopped resolving DNS entries

2 Answers2