Resolution failures on some nameservers

We received a report yesterday that my-netdata.io was not being resolved. After some investigation we see that despite nothing having been changed from our side and the registrar still pointing to the correct Cloudflare name servers, we still see some nameservers not responding. We’re at a loss as to what the root cause could be and when it might be resolved. Any ideas? See the following:

0 ~ $ dig SOA +nocmd +noall +answer my-netdata.io @8.8.8.8
0 ~ $ dig SOA +nocmd +noall +answer my-netdata.io @208.67.222.222
0 ~ $ dig SOA +nocmd +noall +answer my-netdata.io @77.88.8.8
my-netdata.io.		3600	IN	SOA	barbara.ns.cloudflare.com. dns.cloudflare.com. 2038651240 10000 2400 604800 3600

That implies you don’t have DNS records for my-netdata.io and www. Do those records exist in your DNS settings page at dash.cloudflare.com? And the bottom of that DNS page shows Barbara and Major as your assigned name servers?

I also see this status on your domain registration:
https://icann.org/epp#clientRenewProhibited

They work just fine, depending on which nameserver you query. The following is a hypothesis from a colleague:

The issue here is probably that the SOA records are/were invalid or failed to resolve for some reason. That would explain why full recursive resolution (dig +trace) works, but some public caching recursive resolvers (such as 8.8.8.8) do not currently.

If the upstream SOA issue was just a transient error (reasonably likely given that not all public resolvers are having issues), we should see things start to work again everywhere within the next six or so hours.

I may have confused things with the last answer.
So some nameservers (like 8.8.8.8) consistently fail to resolve anything related to my-netdata.io, not just its basic version. So it has nothing to do with the records in the zone, but with the SOA records.

One thing another colleague just noticed was a change in the whois results from a pipe-delimited format to a newline-delimited format that happened yesterday:

Your nameserver setup is all right. You have a DNSSEC issue.

https://dnsviz.net/d/my-netdata.io/dnssec/

Update the values at your registrar with what Cloudflare provided and that should get fixed.


I’ve seen this kind of behavior (8.8.8.8 failing, some other DNS resolvers working fine) in the past due to DNSSEC misconfigurations. This is not my area of expertise, but could be worth a quick look.

https://dnsviz.net/d/my-netdata.io/dnssec/

Thanks, we just figured out someone messed with it yesterday. We’ll do that!

Happens to the best 🙂

Just copy the values from the DNS screen over to your registrar and once that is live it should work fine again.
