On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote:
> Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9
> etc) can't resolve this domain?
>
> $ dig pike-aviation.com @8.8.8.8
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15133
That's easy, the domain is delegated signed:
pike-aviation.com. IN DS 41388 7 1 fc9228e1b977dcd5c830a5c0101532e225e173cf
but a query for its zone apex DNSKEY RRset returns:
pike-aviation.com. IN SOA ns69.domaincontrol.com. [email protected].
2020010702 28800 7200 604800 600
so the entire domain is "bogus":
https://dnsviz.net/d/pike-aviation.com/dnssec/
so either publish a DNSKEY RRset that includes and is signed by a
key that matches the DS RRset, and then sign the rest of the zone
with one of the keys in that RRset, OR else ask your registrar to
request a drop of the DS RRset from the .com zone.
--
Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
