google-public-dns-a.google.com can't find wordpress.puurlinden.nl


ruud.zw...@gmail.com

Nov 22, 2017, 11:07:21 AM
to public-dns-discuss

C:\Windows\system32>nslookup -debug wordpress.puurlinden.nl 8.8.8.8
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        8.8.8.8.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  8.8.8.8.in-addr.arpa
        name = google-public-dns-a.google.com
        ttl = 21599 (5 hours 59 mins 59 secs)

------------
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        wordpress.puurlinden.nl.ymere.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 86397 (23 hours 59 mins 57 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com
        serial  = 2017112200
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        wordpress.puurlinden.nl.ymere.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  (root)
        ttl = 86397 (23 hours 59 mins 57 secs)
        primary name server = a.root-servers.net
        responsible mail addr = nstld.verisign-grs.com
        serial  = 2017112200
        refresh = 1800 (30 mins)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        wordpress.puurlinden.nl, type = A, class = IN

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        wordpress.puurlinden.nl, type = AAAA, class = IN

------------
*** google-public-dns-a.google.com can't find wordpress.puurlinden.nl: Server failed

Alex Dupuy

Nov 22, 2017, 12:08:32 PM
to public-dns-discuss
Your domain has an unusual DNSSEC misconfiguration (congratulations! it gets boring telling people they have to remove their stale DS records).

http://dnsviz.net/d/wordpress.puurlinden.nl/WhWtEA/dnssec/ shows that you have a wildcard A record for the puurlinden.nl domain, and an NSEC3 record proving that wordpress.puurlinden.nl doesn't have a specific record, and can therefore use the wildcard A record. The problem is that this NSEC3 record proves that there is in fact nothing under puurlinden.nl (including the wildcard *.puurlinden.nl). Needless to say, when you have both a wildcard record and the proof that it doesn't exist, something is borked, and Google Public DNS will simply return a SERVFAIL.

You need to talk to your DNS operator at firstfind.nl to let them know there is a problem; as a short-term solution, you could remove the DS record for puurlinden.nl until they get their DNSSEC management working properly.
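
The contradiction described in the reply above, as an added example that is not part of the original thread: a minimal Python model of how a validator hashes names per RFC 5155 and checks which names an NSEC3 record covers. The salt, iteration count, both chains and all function names are constructed for illustration and are not the real parameters or records of puurlinden.nl.

```python
import base64
import hashlib

# Constructed NSEC3 parameters (not the real ones for puurlinden.nl).
SALT, ITERATIONS = "aabbccdd", 12
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex=SALT, iterations=ITERATIONS):
    """RFC 5155 hash: iterated SHA-1 over the lowercase wire-format name."""
    salt = bytes.fromhex(salt_hex)
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode()

def build_chain(names):
    """NSEC3 chain as (owner_hash, next_hash) pairs over the names that exist."""
    hashes = sorted(nsec3_hash(n) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covers(record, h):
    """True if h falls strictly between owner and next (last record wraps)."""
    owner, nxt = record
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt  # owner == next covers everything but owner

def validate_wildcard_answer(qname, wildcard, chain):
    """Check the denial part of a wildcard-expanded answer against a chain."""
    q, w = nsec3_hash(qname), nsec3_hash(wildcard)
    proof = [r for r in chain if covers(r, q)]
    if not proof:
        return "bogus: nothing proves qname has no record of its own"
    if any(covers(r, w) for r in proof):
        return "bogus: same proof denies the wildcard that was expanded"
    return "secure"

QNAME, WILDCARD, APEX = "wordpress.puurlinden.nl", "*.puurlinden.nl", "puurlinden.nl"
healthy = build_chain([APEX, WILDCARD])  # wildcard is part of the chain
broken = build_chain([APEX])             # constructed fault: wildcard left out

if __name__ == "__main__":
    print("healthy:", validate_wildcard_answer(QNAME, WILDCARD, healthy))
    print("broken: ", validate_wildcard_answer(QNAME, WILDCARD, broken))
```

A validating resolver that reaches the second outcome cannot trust the wildcard answer and reports failure to the client, which is the SERVFAIL seen in the nslookup output.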

Matt Nordhoff

Nov 22, 2017, 10:19:57 PM
to public-dns-discuss
3 weeks ago, a different domain using the same DNS provider had a similar issue, or the same issue. It still isn't fixed.

My first guess is that firstfind.nl should try running "pdnsutil rectify-zone puurlinden.nl" but I'm not an NSEC3 or PowerDNS expert. :-/