DNS records of two domains not propagating

For two of our domains connected to Cloudflare, DNS records are not propagating.

tygovito com
nono-kidswear nl

We therefore receive errors like:

Server at XXX returned ‘550 5.4.312 Message expired, DNS query failed(ServerFailure)’
Server at nono-kidswear.nl (0.0.0.0) returned ‘450 4.4.312 DNS query failed [Message=ServerFailure] [LastAttemptedServerName=nono-kidswear.nl] XXX

What can we do to fix this issue?

Thanks and regards,
Thomas

> # dig @1.1.1.1 ns tygovito.com
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> @1.1.1.1 ns tygovito.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4628
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 74 79 67 6f 76 69 74 6f 2e 63 6f 6d 2e ("..no SEP matching the DS found for tygovito.com.")
> ;; QUESTION SECTION:
> ;tygovito.com. IN NS
> 
> ;; Query time: 12 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Sun Jan 01 23:48:38 UTC 2023
> ;; MSG SIZE rcvd: 93
> 
> # dig @1.1.1.1 mx tygovito.com
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> @1.1.1.1 mx tygovito.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52288
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 74 79 67 6f 76 69 74 6f 2e 63 6f 6d 2e ("..no SEP matching the DS found for tygovito.com.")
> ;; QUESTION SECTION:
> ;tygovito.com. IN MX
> 
> ;; Query time: 6 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Sun Jan 01 23:49:12 UTC 2023
> ;; MSG SIZE rcvd: 93

Looks like you’ve disabled DNSSEC on your domains while there is still a DS record in the parent.

https://dnsviz.net/d/nono-kidswear.nl/dnssec/

This causes DNSSEC validation to fail and therefore your query to fail. That’s also what

> ; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 74 79 67 6f 76 69 74 6f 2e 63 6f 6d 2e ("..no SEP matching the DS found for tygovito.com.")

indicates.

A newer version of dig would show it as follows:

; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for tygovito.com.)

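An added example, not part of the original thread: a small decoder that turns the raw `OPT=15` line printed by older dig builds into the Extended DNS Error code, name and text that newer dig shows. The INFO-CODE names come from RFC 8914; the function names `decode_ede` and `find_ede` are hypothetical, and the sample lines are copied from the dig output quoted above.

```python
import re

# INFO-CODE names registered by RFC 8914 (Extended DNS Errors), codes 0-24.
EDE_NAMES = [
    "Other", "Unsupported DNSKEY Algorithm", "Unsupported DS Digest Type",
    "Stale Answer", "Forged Answer", "DNSSEC Indeterminate", "DNSSEC Bogus",
    "Signature Expired", "Signature Not Yet Valid", "DNSKEY Missing",
    "RRSIGs Missing", "No Zone Key Bit Set", "NSEC Missing", "Cached Error",
    "Not Ready", "Blocked", "Censored", "Filtered", "Prohibited",
    "Stale NXDOMAIN Answer", "Not Authoritative", "Not Supported",
    "No Reachable Authority", "Network Error", "Invalid Data",
]
# Codes that point at a DNSSEC validation problem rather than policy or reachability.
DNSSEC_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}

# Older dig prints unknown EDNS options as "; OPT=<code>: <hex bytes> (<ascii>)".
# A leading "> " is tolerated so lines pasted from a quoted forum post still parse.
OPT_LINE = re.compile(r"^[>\s]*;\s*OPT=(\d+):((?:\s*[0-9a-fA-F]{2}\b)+)")


def decode_ede(line):
    """Return the decoded EDE option from one dig line, or None if it is not OPT=15."""
    m = OPT_LINE.match(line)
    if not m or int(m.group(1)) != 15:
        return None
    data = bytes.fromhex(m.group(2))  # fromhex ignores the spaces between bytes
    if len(data) < 2:
        raise ValueError("EDE option is shorter than its 2-byte INFO-CODE")
    code = int.from_bytes(data[:2], "big")  # INFO-CODE is 16 bits, network order
    return {
        "code": code,
        "name": EDE_NAMES[code] if code < len(EDE_NAMES) else "Not in RFC 8914",
        "dnssec": code in DNSSEC_CODES,
        "text": data[2:].decode("utf-8", errors="replace"),  # EXTRA-TEXT field
    }


def find_ede(dig_output):
    """Scan full dig output and return the first decoded EDE option, if any."""
    return next((e for e in map(decode_ede, dig_output.splitlines()) if e), None)


# Two lines copied from the quoted dig output in this thread.
SAMPLE = """> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4628
> ; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 74 79 67 6f 76 69 74 6f 2e 63 6f 6d 2e ("..no SEP matching the DS found for tygovito.com.")
"""

if __name__ == "__main__":
    print(find_ede(SAMPLE))
```

A SERVFAIL whose EDE code falls in `DNSSEC_CODES` means the resolver rejected the answer during validation, so the place to look is the DS record at the parent and the DNSKEY set in the zone, not record propagation.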