Why are many DNS servers not returning the nameservers for my domain correctly?
I had a quick look and the main problem with your zone seems to be that the delegation from the parent zone (photo) indicates that markfisher.photo is supposed to be signed (DS record present). markfisher.photo however is not signed at all. The result of this is that any validating resolver will consider all answers bogus and discard them.
To my knowledge Route53 still does not support DNSSEC, which means that if you want to use that DNS service you need to remove any DS records from the delegation (done through your registrar).
Demonstration of the problem in two steps:
$ dig @ns1.uniregistry.net markfisher.photo +norec +dnssec
; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns1.uniregistry.net markfisher.photo +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55361
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 60e53f6e7a4d79f37a0879a75e14e274510b02d97b10da1c (good)
;; QUESTION SECTION:
;markfisher.photo. IN A
;; AUTHORITY SECTION:
markfisher.photo. 900 IN NS ns-1478.awsdns-56.org.
markfisher.photo. 900 IN NS ns-1953.awsdns-52.co.uk.
markfisher.photo. 900 IN DS 2371 13 2 B1FB8D1E60D7B54027829321A64B612251F95A41C0F10C912FA9FC6A 9EECEEA5
markfisher.photo. 900 IN RRSIG DS 5 2 900 20200206185213 20200107185213 21795 photo. AN2TWw41LL15uX55vfNaQlHvidlpngYb629gSlEyP+A3JiS77NHO5TvJ gI5QF4si5/haBEoABpuVU8opxxC0Jmv3aD09NkwjZXoqikxDqwjzO/PD wNlvHKOb25fgb1+gKj3JaGvqtAD8m+m2xotmxRo74xPmb2XOvEsGUS25 Cxc=
;; Query time: 94 msec
;; SERVER: 2620:57:4000:1::1#53(2620:57:4000:1::1)
;; WHEN: Tue Jan 07 19:56:36 UTC 2020
;; MSG SIZE rcvd: 358
$
(referral with DS record, indicating that the markfisher.photo zone is signed with the matching key)
$ dig @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec
; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54714
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;markfisher.photo. IN DNSKEY
;; AUTHORITY SECTION:
markfisher.photo. 900 IN SOA ns-893.awsdns-47.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 79 msec
;; SERVER: 2600:9000:5305:c600::1#53(2600:9000:5305:c600::1)
;; WHEN: Tue Jan 07 19:58:44 UTC 2020
;; MSG SIZE rcvd: 129
$
(response from the authoritative server, showing that there are no DNSKEY records, nor are there any signatures)
For a quick overview of DNS delegation as well as DNSSEC health, I can recommend DNSViz.
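The two dig queries above can be turned into an offline consistency check. The following is an added example, not code from the answer: it builds the DS digest and key tag from a DNSKEY as RFC 4034 specifies and classifies the delegation the way a validating resolver would. The sample key it uses is constructed; the DS values from the referral above can be fed in as-is, and with the empty DNSKEY set the child returns the result is bogus.

```python
import base64
import hashlib

# DS digest types a validator supports (RFC 4034 / RFC 4509 / RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as sent on the wire: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except the obsolete RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner name in wire form | DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_delegation(owner, parent_ds, child_dnskeys):
    """parent_ds: [(key_tag, algorithm, digest_type, digest_hex)] from the parent's referral.
    child_dnskeys: [(flags, protocol, algorithm, pubkey_b64)] from the child's apex.
    Returns (status, reason) mirroring how a validating resolver classifies the zone."""
    if not parent_ds:
        return ("insecure", "no DS in the delegation, so the zone is treated as unsigned")
    if not any(ds[2] in DIGESTS for ds in parent_ds):
        return ("insecure", "no DS uses a digest type this validator supports")
    if not child_dnskeys:
        # This is the situation in the answer: DS at the parent, no DNSKEY at the child.
        return ("bogus", "parent publishes a DS but the child serves no DNSKEY")
    for flags, proto, alg, key in child_dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        for ds_tag, ds_alg, ds_type, digest in parent_ds:
            if ds_type not in DIGESTS or (ds_tag, ds_alg) != (tag, alg):
                continue
            if ds_digest(owner, rdata, ds_type) == digest.replace(" ", "").upper():
                return ("secure", f"DS {ds_tag}/{ds_alg}/{ds_type} matches a child DNSKEY")
    return ("bogus", "no child DNSKEY matches any DS in the delegation")
```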