Score:2

Why is my DNS not propagating?

ru flag

Around a month ago, in anticipation of the demise of Google Domains, I migrated to porkbun.

The moment I did this, Google rug-pulled me and deleted all records of my domain from their side despite my domain's NS records still pointing to Google. Guh! (Note to self: copy DNS first, move domain second)

Anyways, after copying the DNS records over to porkbun, service was restored... Or was it?

The domain loads fine for me, but I started receiving emails saying that they couldn't.

This was a month ago.

It seems that many major DNS providers (Google, Cloudflare) have not picked up the new domain.

Here are some diagnostics I ran. The domain is bbss.dev

% dig @curitiba.ns.porkbun.com bbss.dev +short # Query A directly from registrar - correct!
155.138.128.203
% dig @1.1.1.1 bbss.dev +short # Query A from Cloudflare, no reply
% dig @8.8.8.8 bbss.dev +short # Query A from Google, no reply
% dig @8.8.8.8 bbss.dev NS +short # Query NS from Google, no reply
% dig @curitiba.ns.porkbun.com bbss.dev NS +short # Query NS from registrar, correct!
curitiba.ns.porkbun.com.
fortaleza.ns.porkbun.com.
maceio.ns.porkbun.com.
salvador.ns.porkbun.com.

Any advice is welcome, I'm at the end of my wits.

tsc_chazz
vn flag
It's not helpful, I'm pretty sure, but your "responsible mail addr" field in your SOA record contains `dns.cloudflare.com` ... might want to change that.
Score:4
jp flag

(DNS is not propagating because DNS does not have a propagating architecture, but a cached one.)

Why was the DNS for bbss.dev not cached?

The domain had DNSSEC enabled, but the zone was not signed.

Your two options

  1. Disable DNSSEC for bbss.dev at the registrar (typically on their web management).
  2. Sign the bbss.dev zone with the key (tag 58006 algorithm RSA/SHA-256).

Debugging procedures used

There was a DS record at the parent zone (.dev).

$ dig bbss.dev DS +short
58006 8 2 4AE163D6F53B54DDD8BECDADAC2B59BCC9454E615D64908E74550105 8D32CB84

The DNSKEY & RRSIG records were missing from the authoritative server(s).

$ dig bbss.dev DNSKEY @curitiba.ns.porkbun.com +dnssec +short

$ dig bbss.dev @curitiba.ns.porkbun.com +dnssec +short
155.138.128.203

Whereas it should have shown (as it does now that it is fixed using a new key tag 2371 algorithm ECDSAP256SHA256):

$ dig bbss.dev DS +short
2371 13 2 F26B97569A01286E330928EADBE30FB136F34C99E8837554683C14A4 9DCDB66A

$ dig bbss.dev DNSKEY @curitiba.ns.porkbun.com +dnssec +short
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
DNSKEY 13 2 3600 20231003155124 20230803155124 2371 bbss.dev. J41q4bxPzWxQNBCjOXL3KaGLdQeM1XG7rc4jB0QUKVEEQ7kBLAdPNzDy odRDJVMVK0X5T6UHonSQNrDcuWdYxQ==

$ dig bbss.dev @curitiba.ns.porkbun.com +dnssec +short
155.138.128.203
A 13 2 600 20230805171103 20230803151103 34505 bbss.dev. oVo2BARrTNRk0uMw9pbEwCYjBSVP7Pt+HixVEg7McdJsISax/DIiQ4Sq GzYLG4azFTNea/HW6KFWN9477c68zg==

Both the Verisign DNSSEC Analyzer & DNSViz showed the same problem:

DNSSEC Analyzer results

DNSViz diagram for bbss.dev
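The check the answer walks through by hand (a DS at the parent zone versus the DNSKEY set the authoritative servers actually serve) can be scripted. The following is an added example, not code from the thread or from any tool named in it. It implements the RFC 4034 key-tag computation and the DS digest (digest type 2 = SHA-256 over the canonical owner name plus DNSKEY RDATA) over records written in the same `dig +short` text form the answer shows, and classifies the delegation the way a validating resolver would treat it. It runs offline against the records quoted above; the zone name example.test and the four-byte key used in the test are constructed, not real.

```python
"""Offline DNSSEC delegation check: does the DS at the parent match a DNSKEY
served by the child zone?  Added example for the thread above; the record
formats are those printed by `dig DS +short` and `dig DNSKEY +short`."""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types (RFC 4034 type 1, RFC 4509 type 2, RFC 6605 type 4).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def is_ksk(self) -> bool:
        # Flag value 256 marks a zone key, value 1 is the SEP bit; 257 is the usual KSK.
        return self.flags & 1 == 1

    def rdata(self) -> bytes:
        # DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key.
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (for all algorithms except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class Ds:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def parse_dnskey(text: str) -> DnsKey:
    """Parse 'flags proto alg base64...'; dig wraps long base64 with spaces, so join."""
    parts = text.split()
    return DnsKey(int(parts[0]), int(parts[1]), int(parts[2]),
                  base64.b64decode("".join(parts[3:])))


def parse_ds(text: str) -> Ds:
    """Parse 'keytag alg digesttype hex...'; the hex may also be wrapped by dig."""
    parts = text.split()
    return Ds(int(parts[0]), int(parts[1]), int(parts[2]), "".join(parts[3:]).lower())


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_for_key(zone: str, key: DnsKey, digest_type: int = 2) -> Ds:
    """Derive the DS record the parent should publish for this DNSKEY (RFC 4034 5.1.4)."""
    digest = DS_DIGESTS[digest_type](owner_wire(zone) + key.rdata()).hexdigest()
    return Ds(key.key_tag(), key.algorithm, digest_type, digest)


def diagnose(zone: str, ds_records: list, dnskeys: list) -> str:
    """Classify the delegation as a validating resolver would."""
    if not ds_records:
        return "insecure: no DS at parent, validators treat the zone as unsigned"
    if not dnskeys:
        # The thread's original state: DS published, zone not signed -> SERVFAIL from validators.
        return "bogus: DS published at parent but zone serves no DNSKEY"
    for ds in ds_records:
        for key in dnskeys:
            if key.algorithm != ds.algorithm or ds.digest_type not in DS_DIGESTS:
                continue
            if ds_for_key(zone, key, ds.digest_type) == ds:
                return f"secure: DS {ds.key_tag} matches DNSKEY (tag {key.key_tag()}, ksk={key.is_ksk})"
    return "bogus: no DNSKEY matches any published DS (stale DS after a key change?)"


if __name__ == "__main__":
    ZONE = "bbss.dev"
    # Records quoted from the answer above; the embedded spaces are dig's line wrapping.
    OLD_DS = parse_ds("58006 8 2 4AE163D6F53B54DDD8BECDADAC2B59BCC9454E615D64908E74550105 8D32CB84")
    NEW_DS = parse_ds("2371 13 2 F26B97569A01286E330928EADBE30FB136F34C99E8837554683C14A4 9DCDB66A")
    KEYS = [
        parse_dnskey("257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ=="),
        parse_dnskey("256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA=="),
    ]
    print("before fix:", diagnose(ZONE, [OLD_DS], []))      # DS present, DNSKEY set empty
    print("after fix: ", diagnose(ZONE, [NEW_DS], KEYS))    # DS should match the 257 (KSK) record
```

The "before fix" branch is the state the answer found: the parent published a DS, so validators demanded signatures, and the authoritative servers had none to offer, which is why 1.1.1.1 and 8.8.8.8 returned nothing while a direct query to the porkbun server worked. To turn this into a live check, feed `diagnose` the output of `dig <zone> DS +short` (from a recursive resolver, since the DS lives in the parent) and `dig <zone> DNSKEY @<authoritative> +short`; a stale DS from a previous registrar or key pair shows up as the final "no DNSKEY matches" case.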

Slava Knyazev
ru flag
I actually needed to _enable_ DNSSEC on my registrar.
jp flag
It was enabled, but with an old `DS` record. If it was disabled, the bogus RRSIG and DNSKEY records would not have been a problem.