I recently migrated a domain I own from Cloudflare to Netlify DNS, so I had to update my nameservers. When I run a recursive DNS lookup that bypasses DNS cache everything seems to be set up correctly:
$ dig howtogit.net +trace
(output truncated)
howtogit.net. 20 IN A 159.65.199.87
;; Received 57 bytes from 198.51.44.1#53(dns1.p01.nsone.net) in 18 ms
However, a regular DNS lookup fails:
$ nslookup howtogit.net
Server: 192.168.1.1
Address: 192.168.1.1#53
** server can't find howtogit.net: SERVFAIL
I assume that if caching was at fault, Cloudflare would still resolve the lookup which it doesn't. A lookup at 8.8.8.8 (Google's DNS) also fails:
$ dig @8.8.8.8 howtogit.net
; <<>> DiG 9.10.6 <<>> @8.8.8.8 howtogit.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63809
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;howtogit.net. IN A
;; Query time: 43 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 23 13:05:50 CEST 2018
;; MSG SIZE rcvd: 41
Since DNS records are cached, I also tried flushing Google's DNS cache for my NS and A records. I'm still getting the same result, despite the change having happened over 10 hours ago.
Is my configuration incorrect? How do I make sure my DNS can resolve properly again?
It would appear that the howtogit.net zone used to be signed, and that after switching nameservers it is no longer signed. However, you have left the old DS record in place, indicating that the zone must be signed with some specific key. Either remove the DS record or sign the zone again and update the DS record as necessary (the DS record is managed through your registrar). If you look at the tail end of relevant dig +trace output it's actually quite clear that this must be the case (DS as part of referral but no DNSKEY on the authoritative end, or just no signatures if you query some other type):
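The mismatch the answer describes (a DS record at the parent that no DNSKEY published by the child matches) can be checked mechanically rather than read off a dig trace by eye. The script below is an added example and is not part of the original question or answer: it implements the key-tag and DS-digest computations from RFC 4034 and classifies a delegation the way a validating resolver would (insecure, secure or bogus). The DNSKEY and DS lines it runs on are constructed placeholders in dig's presentation format (the key bytes are a repeating pattern, not a real public key, and the stale DS tag and digest are made up); the names `diagnose`, `check_delegation`, `parse_dnskey` and `parse_ds` are chosen here.

```python
"""DS / DNSKEY consistency check: does the parent's DS describe a key the child
zone actually publishes?  Key tag per RFC 4034 Appendix B, DS digest per
RFC 4034 section 5.1.4.  All sample records below are constructed."""
import base64
import hashlib
from dataclasses import dataclass

DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest types (RFC 4034, RFC 6605)


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(key.rdata()):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS record a parent would publish for this DNSKEY: digest(owner wire name | RDATA)."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(name_to_wire(owner) + key.rdata())
    return DS(key_tag(key), key.algorithm, digest_type, h.digest())


def parse_dnskey(line: str) -> DNSKEY:
    """Parse one DNSKEY line as dig prints it: '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64...>'."""
    _owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(line: str) -> DS:
    """Parse one DS line as dig prints it: '<owner> <ttl> IN DS <tag> <alg> <dtype> <hex...>'."""
    _owner, _ttl, _cls, rtype, tag, alg, dtype, *hexparts = line.split()
    if rtype != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexparts)))


def check_delegation(owner: str, parent_ds: list, child_keys: list) -> str:
    """Classify the delegation as a validating resolver would:
    'insecure' - no DS at the parent; the zone is treated as unsigned and resolves normally
    'secure'   - a DS matches a DNSKEY the child publishes (RRSIGs still have to verify)
    'bogus'    - DS present but no matching DNSKEY; validators answer SERVFAIL"""
    if not parent_ds:
        return "insecure"
    for ds in parent_ds:
        if ds.digest_type not in DIGEST_ALGOS:
            continue  # unsupported digest type cannot authenticate anything
        for key in child_keys:
            if key.algorithm == ds.algorithm and ds_from_dnskey(owner, key, ds.digest_type) == ds:
                return "secure"
    return "bogus"


ZONE = "howtogit.net"
# Constructed KSK for the new signer; the key bytes are a placeholder pattern, not a real curve point.
NEW_KSK_LINE = f"{ZONE}. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes([0x11, 0x22]) * 32).decode()
# Constructed stale DS left at the registrar by the old signer; tag and digest are placeholders.
STALE_DS_LINE = f"{ZONE}. 86400 IN DS 12345 13 2 " + "ab" * 32


def diagnose(ds_lines, dnskey_lines) -> str:
    """Convenience wrapper: feed it the DS lines from the parent and the DNSKEY lines from the child."""
    return check_delegation(ZONE, [parse_ds(l) for l in ds_lines], [parse_dnskey(l) for l in dnskey_lines])


if __name__ == "__main__":
    print("stale DS, no DNSKEY :", diagnose([STALE_DS_LINE], []))             # bogus
    print("stale DS, new KSK   :", diagnose([STALE_DS_LINE], [NEW_KSK_LINE]))  # bogus
    print("DS removed          :", diagnose([], [NEW_KSK_LINE]))             # insecure
    new_ksk = parse_dnskey(NEW_KSK_LINE)
    print("DS updated          :", check_delegation(ZONE, [ds_from_dnskey(ZONE, new_ksk)], [new_ksk]))  # secure
```

On a real zone you would pass `diagnose` the DS lines from the parent (they appear in the referral section of `dig +trace`, or from `dig DS <zone>` against a parent server) and the DNSKEY lines from a query to the zone's own authoritative servers. The first two cases reproduce the situation on the page: as long as the old DS stays at the registrar, a validating resolver such as 8.8.8.8 treats the zone as bogus and returns SERVFAIL, while the non-validating `+trace` still shows the A record. Removing the DS makes the delegation insecure (plain unsigned resolution), and republishing a DS generated from the new KSK makes it secure again.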