Delegated DNS not working with all providers

We’ve followed the steps in “Delegating Subdomains Outside of Cloudflare” (Cloudflare Help Center) for regionofwaterloo.9802690.ca, but we’re seeing certain DNS resolvers fail to resolve.

For instance, grtivr-prod.regionofwaterloo.9802690.ca should resolve, but Cloudflare isn’t serving up NS records for regionofwaterloo.9802690.ca

Debugging:

[email protected] ~> dig regionofwaterloo.9802690.ca ns +trace @1.1.1.1                                                                                            

; <<>> DiG 9.10.6 <<>> regionofwaterloo.9802690.ca ns +trace @1.1.1.1
;; global options: +cmd
.			513224	IN	NS	a.root-servers.net.
.			513224	IN	NS	b.root-servers.net.
.			513224	IN	NS	c.root-servers.net.
.			513224	IN	NS	d.root-servers.net.
.			513224	IN	NS	e.root-servers.net.
.			513224	IN	NS	f.root-servers.net.
.			513224	IN	NS	g.root-servers.net.
.			513224	IN	NS	h.root-servers.net.
.			513224	IN	NS	i.root-servers.net.
.			513224	IN	NS	j.root-servers.net.
.			513224	IN	NS	k.root-servers.net.
.			513224	IN	NS	l.root-servers.net.
.			513224	IN	NS	m.root-servers.net.
.			513224	IN	RRSIG	NS 8 0 518400 20210620170000 20210607160000 14631 . lLdun/zAbmMCAXiAUoPbwE5Kh8fx7K9nbhUyxAQugblpdjjgq31EBrzM xX0k5G0wSgML+WtxW2fCp2PZyJhHQZjbgnydSbV9p+Bw8opgm3MV4FuO tCZb3UmOuqt5ElXcyxEFqkJLaPPYFxdEz8VV0LSxBf1/iL2WNoeTe3J6 1c6lZWbExuWbuCaWFsuC/+kIfFHdA4rHFz6LxgBzRwQ7moelu6d5/t8h 3mpmtB6BPHEyROgdzOoNDvfpdCV1hSfzqwSCLjOw6FdTSdtoUwPLYRKP bsyDGpFtk5OAg1FDLu3VDGWMo/QKMPMLBFwYyy6bGL//7ma4C9NN9GS5 kJUHlA==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 184 ms

ca.			172800	IN	NS	c.ca-servers.ca.
ca.			172800	IN	NS	j.ca-servers.ca.
ca.			172800	IN	NS	x.ca-servers.ca.
ca.			172800	IN	NS	any.ca-servers.ca.
ca.			86400	IN	DS	2134 8 2 4B8475C0C0FE2AFDFEE1A71A237C91059098D12FC18265B290EDB238 A5F63582
ca.			86400	IN	RRSIG	DS 8 1 86400 20210620170000 20210607160000 14631 . B8Qn7AhHdIXh/AD0VV+1tPWtZhJ5DHiJmK++FhOtDW/w5vzDkwcT/KhT WprTj5QemdB2BcS+jtm25xIlYzx281Vv3b4E6q7rfssQnPP/ThBxCuS5 tXZpmh2TynFsVi+CIDd/qqmiuWrlNVSSHYlqPlzUNvxIPqmB9Yn/arrk I5HcP5veqj6Oy68RMvny99fmfUPY5fC5LjVJW89CyHIPZn+/EPJmwwEg ebAkmf/yNrk6Y3pjXmpphTc903IikDnThb47IIRXrBWWM5uJi9swqbit o4/rXCnQ27QbYkrx8TcNJGT13PxLOQtP4l5oIYotm1w52RwJ1ZnjXSXZ zVw68w==
;; Received 644 bytes from 199.7.83.42#53(l.root-servers.net) in 49 ms

9802690.ca.		86400	IN	NS	uma.ns.cloudflare.com.
9802690.ca.		86400	IN	NS	hugh.ns.cloudflare.com.
t8k75i4tj36jf102o518ir5q4l99kmqm.ca. 3600 IN NSEC3 1 1 5 - T8M1UC6TIL2UFI0RBGM0I9U6PO9HL5UU  NS SOA RRSIG DNSKEY NSEC3PARAM
80qsgeo9a34d3d3gi3htdq5j4mm4igog.ca. 3600 IN NSEC3 1 1 5 - 80SH64THSEE2J66FJ98P2SEIFC565SHV  NS DS RRSIG
t8k75i4tj36jf102o518ir5q4l99kmqm.ca. 3600 IN RRSIG NSEC3 8 2 3600 20210613084712 20210606153853 6810 ca. daob+EeQDHS6XMjQ3VU1pG+W9qbEooLc0g0gQ2ORQ43mu7YNMBQVMoCf dn2N9f7Ls0+9WvugGZbzIJKVoqPhMXwzeytcvggGqytSVbjm0rgDzd4W 0xjtx3lSfm2/2YcGbOjXf+TmM/gXI1KqExCtNiu2mAGbO1dOqIQb9hoP kPA=
80qsgeo9a34d3d3gi3htdq5j4mm4igog.ca. 3600 IN RRSIG NSEC3 8 2 3600 20210612182037 20210605133852 6810 ca. vdKpah7b384K2ZU0AuKv6r2vZbMY8Tbna+cGZBWpOdfqg6REqBnzAda2 kAZ5VaU8Ep7LsILWExMwBfHcpEE54HiQ4D/awrgxDh4nSH6dMwiPmots DJmEw6GXR5i7yjc8fDIPSzsJyDBf3AVHbuqSUgpBPLl6tX6GKCl2snoy /ls=
;; Received 593 bytes from 185.159.196.2#53(c.ca-servers.ca) in 32 ms

regionofwaterloo.9802690.ca. 300 IN	NS	ns-1916.awsdns-47.co.uk.
regionofwaterloo.9802690.ca. 300 IN	NS	ns-264.awsdns-33.com.
regionofwaterloo.9802690.ca. 300 IN	NS	ns-733.awsdns-27.net.
regionofwaterloo.9802690.ca. 300 IN	NS	ns-1504.awsdns-60.org.
;; Received 196 bytes from 172.64.32.146#53(uma.ns.cloudflare.com) in 50 ms

regionofwaterloo.9802690.ca. 172800 IN	NS	ns-1504.awsdns-60.org.
regionofwaterloo.9802690.ca. 172800 IN	NS	ns-1916.awsdns-47.co.uk.
regionofwaterloo.9802690.ca. 172800 IN	NS	ns-264.awsdns-33.com.
regionofwaterloo.9802690.ca. 172800 IN	NS	ns-733.awsdns-27.net.
;; Received 196 bytes from 205.251.194.221#53(ns-733.awsdns-27.net) in 55 ms


[email protected] ~> dig grtivr-prod.regionofwaterloo.9802690.ca a +trace @1.1.1.1                                                                                            

; <<>> DiG 9.10.6 <<>> grtivr-prod.regionofwaterloo.9802690.ca a +trace @1.1.1.1
;; global options: +cmd
.			513222	IN	NS	a.root-servers.net.
.			513222	IN	NS	b.root-servers.net.
.			513222	IN	NS	c.root-servers.net.
.			513222	IN	NS	d.root-servers.net.
.			513222	IN	NS	e.root-servers.net.
.			513222	IN	NS	f.root-servers.net.
.			513222	IN	NS	g.root-servers.net.
.			513222	IN	NS	h.root-servers.net.
.			513222	IN	NS	i.root-servers.net.
.			513222	IN	NS	j.root-servers.net.
.			513222	IN	NS	k.root-servers.net.
.			513222	IN	NS	l.root-servers.net.
.			513222	IN	NS	m.root-servers.net.
.			513222	IN	RRSIG	NS 8 0 518400 20210620170000 20210607160000 14631 . lLdun/zAbmMCAXiAUoPbwE5Kh8fx7K9nbhUyxAQugblpdjjgq31EBrzM xX0k5G0wSgML+WtxW2fCp2PZyJhHQZjbgnydSbV9p+Bw8opgm3MV4FuO tCZb3UmOuqt5ElXcyxEFqkJLaPPYFxdEz8VV0LSxBf1/iL2WNoeTe3J6 1c6lZWbExuWbuCaWFsuC/+kIfFHdA4rHFz6LxgBzRwQ7moelu6d5/t8h 3mpmtB6BPHEyROgdzOoNDvfpdCV1hSfzqwSCLjOw6FdTSdtoUwPLYRKP bsyDGpFtk5OAg1FDLu3VDGWMo/QKMPMLBFwYyy6bGL//7ma4C9NN9GS5 kJUHlA==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 29 ms

ca.			172800	IN	NS	any.ca-servers.ca.
ca.			172800	IN	NS	j.ca-servers.ca.
ca.			172800	IN	NS	x.ca-servers.ca.
ca.			172800	IN	NS	c.ca-servers.ca.
ca.			86400	IN	DS	2134 8 2 4B8475C0C0FE2AFDFEE1A71A237C91059098D12FC18265B290EDB238 A5F63582
ca.			86400	IN	RRSIG	DS 8 1 86400 20210620170000 20210607160000 14631 . B8Qn7AhHdIXh/AD0VV+1tPWtZhJ5DHiJmK++FhOtDW/w5vzDkwcT/KhT WprTj5QemdB2BcS+jtm25xIlYzx281Vv3b4E6q7rfssQnPP/ThBxCuS5 tXZpmh2TynFsVi+CIDd/qqmiuWrlNVSSHYlqPlzUNvxIPqmB9Yn/arrk I5HcP5veqj6Oy68RMvny99fmfUPY5fC5LjVJW89CyHIPZn+/EPJmwwEg ebAkmf/yNrk6Y3pjXmpphTc903IikDnThb47IIRXrBWWM5uJi9swqbit o4/rXCnQ27QbYkrx8TcNJGT13PxLOQtP4l5oIYotm1w52RwJ1ZnjXSXZ zVw68w==
;; Received 656 bytes from 192.33.4.12#53(c.root-servers.net) in 36 ms

9802690.ca.		86400	IN	NS	uma.ns.cloudflare.com.
9802690.ca.		86400	IN	NS	hugh.ns.cloudflare.com.
t8k75i4tj36jf102o518ir5q4l99kmqm.ca. 3600 IN NSEC3 1 1 5 - T8M1UC6TIL2UFI0RBGM0I9U6PO9HL5UU  NS SOA RRSIG DNSKEY NSEC3PARAM
80qsgeo9a34d3d3gi3htdq5j4mm4igog.ca. 3600 IN NSEC3 1 1 5 - 80SH64THSEE2J66FJ98P2SEIFC565SHV  NS DS RRSIG
t8k75i4tj36jf102o518ir5q4l99kmqm.ca. 3600 IN RRSIG NSEC3 8 2 3600 20210613084712 20210606153853 6810 ca. daob+EeQDHS6XMjQ3VU1pG+W9qbEooLc0g0gQ2ORQ43mu7YNMBQVMoCf dn2N9f7Ls0+9WvugGZbzIJKVoqPhMXwzeytcvggGqytSVbjm0rgDzd4W 0xjtx3lSfm2/2YcGbOjXf+TmM/gXI1KqExCtNiu2mAGbO1dOqIQb9hoP kPA=
80qsgeo9a34d3d3gi3htdq5j4mm4igog.ca. 3600 IN RRSIG NSEC3 8 2 3600 20210612182037 20210605133852 6810 ca. vdKpah7b384K2ZU0AuKv6r2vZbMY8Tbna+cGZBWpOdfqg6REqBnzAda2 kAZ5VaU8Ep7LsILWExMwBfHcpEE54HiQ4D/awrgxDh4nSH6dMwiPmots DJmEw6GXR5i7yjc8fDIPSzsJyDBf3AVHbuqSUgpBPLl6tX6GKCl2snoy /ls=
;; Received 605 bytes from 199.253.250.68#53(x.ca-servers.ca) in 124 ms

9802690.ca.		3600	IN	SOA	hugh.ns.cloudflare.com. dns.cloudflare.com. 2035960390 10000 2400 604800 3600
;; Received 130 bytes from 172.64.32.146#53(uma.ns.cloudflare.com) in 26 ms

Hi Joshi.a

Checking here I can see the NS records being returned for regionofwaterloo.9802690.ca:

Your subdomain grtivr-prod.regionofwaterloo.9802690.ca seems to be resolving for me when I check here:

Also when I run a dig:

$ dig A grtivr-prod.regionofwaterloo.9802690.ca +short @1.1.1.1
3.96.91.121
99.79.170.89

$ dig A grtivr-prod.regionofwaterloo.9802690.ca +short @8.8.8.8
99.79.170.89
3.96.91.121

Are you still seeing errors?


Unfortunately, yes:

> dig grtivr-prod.regionofwaterloo.9802690.ca A @8.8.8.8                                                                                                   

; <<>> DiG 9.10.6 <<>> grtivr-prod.regionofwaterloo.9802690.ca A @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62090
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;grtivr-prod.regionofwaterloo.9802690.ca. IN A

;; AUTHORITY SECTION:
9802690.ca.		1799	IN	SOA	hugh.ns.cloudflare.com. dns.cloudflare.com. 2035960390 10000 2400 604800 3600

;; Query time: 49 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 08 08:37:54 EDT 2021
;; MSG SIZE  rcvd: 130

> dig grtivr-prod.regionofwaterloo.9802690.ca AAAA @8.8.8.8                                                                                                

; <<>> DiG 9.10.6 <<>> grtivr-prod.regionofwaterloo.9802690.ca AAAA @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55318
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;grtivr-prod.regionofwaterloo.9802690.ca. IN AAAA

;; AUTHORITY SECTION:
9802690.ca.		1799	IN	SOA	hugh.ns.cloudflare.com. dns.cloudflare.com. 2035960390 10000 2400 604800 3600

;; Query time: 49 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 08 08:38:01 EDT 2021
;; MSG SIZE  rcvd: 130

Doing some debugging, it looks like Cloudflare isn’t returning the right SOA for my subdomain.

> dig grtivr-prod.regionofwaterloo.9802690.ca soa @hugh.ns.cloudflare.com.                                                                                 

; <<>> DiG 9.10.6 <<>> grtivr-prod.regionofwaterloo.9802690.ca soa @hugh.ns.cloudflare.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52284
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;grtivr-prod.regionofwaterloo.9802690.ca. IN SOA

;; AUTHORITY SECTION:
9802690.ca.		3600	IN	SOA	hugh.ns.cloudflare.com. dns.cloudflare.com. 2035960390 10000 2400 604800 3600


;; Query time: 46 msec
;; SERVER: 108.162.193.117#53(108.162.193.117)
;; WHEN: Tue Jun 08 08:44:19 EDT 2021
;; MSG SIZE  rcvd: 130

Authority section should read regionofwaterloo.9802690.ca. This works fine with DNS providers where my records do resolve:

> dig grtivr-prod.regionofwaterloo.9802690.ca soa @9.9.9.9                                                                                            

; <<>> DiG 9.10.6 <<>> grtivr-prod.regionofwaterloo.9802690.ca soa @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;grtivr-prod.regionofwaterloo.9802690.ca. IN SOA

;; AUTHORITY SECTION:
regionofwaterloo.9802690.ca. 900 IN	SOA	ns-1504.awsdns-60.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 50 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Jun 08 08:45:35 EDT 2021
;; MSG SIZE  rcvd: 153

And of course, just after I said that, it starts to work again.

@joshi.a glad to hear it's working again. This is most likely due to the default TTL that was set for the SOA record. This is unfortunately only configurable for Enterprise customers at this time. Once the TTL expired the query result updated.
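
Added example, not part of the thread or of Cloudflare's tooling: a small filter that reads `dig` output and reports whether the AUTHORITY-section SOA belongs to the delegated zone or to its parent, plus the upper bound on how long a resolver may cache the negative answer (RFC 2308). The names `soa_check`, `sample_nxdomain` and `sample_noerror` are hypothetical; the sample input is trimmed from the output posted above.

```bash
#!/usr/bin/env bash
# Added example: classify a dig reply for a name under a delegated zone.
# soa_check and the sample_* helpers are hypothetical names.

# Usage: dig NAME TYPE @SERVER | soa_check DELEGATED_ZONE
# Prints: <status> <authority SOA owner> <negative-cache TTL> <verdict>
soa_check() {
  awk -v zone="$1" '
    BEGIN { status = "UNKNOWN"; owner = "-"; ttl = "-" }
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
    /^$/ { in_auth = 0 }
    in_auth && $4 == "SOA" {
      owner = tolower($1); sub(/\.$/, "", owner)
      # RFC 2308: a negative answer is cached for at most
      # min(TTL of the SOA record, SOA MINIMUM field).
      ttl = ($2 + 0 < $NF + 0) ? $2 + 0 : $NF + 0
    }
    END {
      z = tolower(zone); sub(/\.$/, "", z)
      if (owner == "-") verdict = "no-soa"
      else if (owner == z) verdict = "delegated-zone"
      else if (length(z) > length(owner) &&
               substr(z, length(z) - length(owner)) == ("." owner))
        verdict = "parent-zone"   # parent answered for the child zone
      else verdict = "other"
      print status, owner, ttl, verdict
    }'
}

# Sample input: trimmed from the dig output posted in the thread.
sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62090
;; AUTHORITY SECTION:
9802690.ca. 1799 IN SOA hugh.ns.cloudflare.com. dns.cloudflare.com. 2035960390 10000 2400 604800 3600

EOF
}
sample_noerror() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1319
;; AUTHORITY SECTION:
regionofwaterloo.9802690.ca. 900 IN SOA ns-1504.awsdns-60.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

EOF
}

sample_nxdomain | soa_check regionofwaterloo.9802690.ca
sample_noerror  | soa_check regionofwaterloo.9802690.ca
```

A `parent-zone` verdict with `NXDOMAIN` is the failing case from the thread; the TTL column is how many seconds a resolver may keep serving that answer before it asks again.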