google dns - can't find www.moverall.com: Server failed


ramon...@gmail.com

May 2, 2014, 8:09:05 AM
to public-dn...@googlegroups.com


Hi all,


Google DNS fails to resolve our domain www.moverall.com


My DNS is hosted by Gandi.net


nslookup google

    nslookup -type=any www.moverall.com 8.8.8.8

    Address:  8.8.8.8

    *** google-public-dns-a.google.com can't find www.moverall.com: Server failed


nslookup gandi


    nslookup -type=any www.leadstomove.com 173.246.97.2

    Server:  UnKnown
    Address:  173.246.97.2

    www.leadstomove.com     canonical name = moveu.cloudapp.net
    leadstomove.com nameserver = a.dns.gandi.net
    leadstomove.com nameserver = c.dns.gandi.net
    leadstomove.com nameserver = b.dns.gandi.net


nslookup opendns

    nslookup -type=any www.leadstomove.com 208.67.222.222
    Server:  resolver1.opendns.com
    Address:  208.67.222.222

    Non-authoritative answer:
    www.leadstomove.com     canonical name = moveu.cloudapp.net





    ERROR: I could not get any A records for www.moverall.com! (I only do a cache request, if you recently added a WWW A record, it might not show up here.)




These are my records in the current zone file:

    @ 600 IN A 23.97.131.195
    www 3600 IN CNAME moveu.cloudapp.net.



What is strange is that www.leadstomove.com works as it should and is configured the same CNAME record.


    nslookup -type=any www.leadstomove.com 8.8.8.8

    Address:  8.8.8.8

    Non-authoritative answer:
    www.leadstomove.com     canonical name = moveu.cloudapp.net




Any idea what is happening here? OpenDNS seems to work, so does Gandi and so does my internal DNS, but Google is giving an error and IntoDNS is acknowledging this in its report.


-- Ramon

Miek Gieben

May 2, 2014, 10:03:45 AM
to public-dn...@googlegroups.com
This is because of a DNSSEC failure. There exists a DS for moverall.com.

moverall.com. 86318 IN DS 45605 8 1 8AD93C4863B97BCEA0B565E9CE96C2E05730D947

But moverall.com. does not appear to be signed.

Remove the DS for this domain and it should be working again.







--

   - Miek Gieben (miek), London Traffic/Edge SRE.

doliv...@gmail.com

May 11, 2014, 7:26:54 PM
to public-dn...@googlegroups.com
I had similar issues with my domain: yamatonetwork.net

Only way I fixed it since my domains use DNSSEC is to turn DNSSEC on the domains affected and then turn DNSSEC back on.


Ramon Smits

Jun 3, 2014, 7:20:59 AM
to public-dn...@googlegroups.com

Hi Miek,

I'm not familiar with DNSSEC. Where did you retrieve this DS record?

We are using Gandi for DNS and their management interface says that I cannot manage DNSSEC with their DNS servers.

-- Ramon

Shen Wan

Jun 3, 2014, 8:54:16 AM
to public-dn...@googlegroups.com
You need to ask the organization that created the DS record to remove it. It may be the previous hosting service of your domain.

Ramon Smits

Jun 5, 2014, 5:04:05 AM
to public-dn...@googlegroups.com

Is there anything I can do myself?

I contacted Gandi which we use for DNS hosting/management but it seems they are not really able to solve the issue.

I really don't know how I can remove those DS/RRSIG records or where they are located.




    moverall.com
    Found 1 DS records for moverall.com in the com zone
    Found 1 RRSIGs over DS RRset
    RRSIG=56657 and DNSKEY=56657 verifies the DS RRset
    No DNSKEY records found
    www.moverall.com is a CNAME to moveu.cloudapp.net
    No RRSIGs found




This does not show those records. How are those resolved? Are those stored somewhere else? I'm trying to 'read' the information by showing all info (clicking more[+] a couple of times).


Is it correct to say that the DS and RRSIG records are stored on the servers of the .com domain (g.gtld-servers.net) and not on the servers of Gandi? 


-- Ramon

Ramon Smits

Jun 6, 2014, 9:16:23 AM
to public-dn...@googlegroups.com

The issue has been resolved. The DS record is removed by Gandi.

The problem was that the domain had been transferred. It seems that this does not change the DNSSEC related data.
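
The failure diagnosed in this thread (a DS left in the parent zone while the child zone publishes no DNSKEY) can be classified mechanically. The Python below is an added example, not part of the original thread: the DS string is the one quoted by Miek, while the DNSKEY tuple, the function names and the status strings are constructed for illustration. It checks only the DS-to-DNSKEY link (key tag and digest per RFC 4034), not RRSIG signatures.

```python
import base64, hashlib, struct

PAGE_DS = "45605 8 1 8AD93C4863B97BCEA0B565E9CE96C2E05730D947"  # DS quoted in the thread
SAMPLE_KEY = (257, 3, 8, "AQIDBA==")  # constructed (flags, protocol, algorithm, key), not a real key
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lowercased) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name | DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()

def parse_ds(text):
    """'45605 8 1 8AD9...' -> (key_tag, algorithm, digest_type, digest)."""
    tag, alg, dtype, digest = text.split(None, 3)
    return int(tag), int(alg), int(dtype), digest.replace(" ", "").upper()

def classify(owner, ds_texts, dnskeys):
    """Classify a delegation from the parent's DS set and the child's DNSKEY set."""
    if not ds_texts:
        return "insecure"  # no DS: validators treat the zone as unsigned
    if not dnskeys:
        # The case in this thread: validating resolvers answer SERVFAIL.
        return "bogus: DS at parent, no DNSKEY in child"
    rdatas = [dnskey_rdata(*k) for k in dnskeys]
    for tag, alg, dtype, digest in map(parse_ds, ds_texts):
        for rd in rdatas:
            if (dtype in DIGESTS and key_tag(rd) == tag and rd[3] == alg
                    and ds_digest(owner, rd, dtype) == digest):
                return "secure"  # DS links to a published key (signatures not checked)
    return "bogus: no DNSKEY matches any DS"

if __name__ == "__main__":
    print(classify("moverall.com.", [PAGE_DS], []))
```
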

