Issues with rolling NXDOMAIN errors

I’m having trouble where the DNS responses for my site seem to return NXDOMAIN errors between once a day and once a week.

I have multiple subdomains configured as CNAME records to the same server record, but some of them seem to drop more than others.

I can confirm that the issue is with more than my network/client DNS settings, because when the domains are returning NXDOMAIN errors I also see similar results here: https://dnschecker.org, with a smattering of failing servers that seem to oscillate/change until a few minutes later the DNS is stable again.

I’m not sure how to diagnose this issue further. Is it possible there is something horribly wrong with my configuration, or is this an issue with the deSEC servers?

The base domain is max dot levymeister dot com and the subdomain that routinely fails even when other subdomains are working is nextcloud dot max dot levymeister dot com (put in this form so that it’s not immediately hit by a bunch of scraper traffic).

Hi @maxwellfire,

Thanks for your message, and welcome to deSEC! 🙂

Your main domain is hosted on the following nameservers:

$ dig +short NS levymeister.com
dns1.registrar-servers.com.
dns2.registrar-servers.com.

There, the max subdomain is delegated to three nameservers:

$ dig +noall +auth NS max.levymeister.com @dns1.registrar-servers.com
max.levymeister.com.	1799	IN	NS	ns1.desec.io.
max.levymeister.com.	1799	IN	NS	ns1.dynv6.com.
max.levymeister.com.	1799	IN	NS	ns2.desec.org.

Resolvers therefore will sometimes send queries to ns1.dynv6.com. However, that nameserver doesn’t know your domain:

$ dig NS nextcloud.max.levymeister.com @ns1.dynv6.com
[...]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46581

In such cases, the result for your lookups will be NXDOMAIN. You can fix this by correcting the max.levymeister.com delegation.

Hope that helps!

Stay secure,
Peter

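The manual check in the answer above can be scripted so that every nameserver in a delegation is tested, not just the one that happens to be suspected. This is an added example, not part of the original thread or of deSEC's tooling; the function names and the sample flags lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find lame nameservers in a delegation (names are illustrative).

# Read `dig` output on stdin and print one verdict:
#   OK                      NOERROR with the aa (authoritative answer) flag
#   LAME:<rcode>            e.g. LAME:NXDOMAIN, LAME:REFUSED, LAME:SERVFAIL
#   LAME:not-authoritative  NOERROR but no aa flag
#   NORESP                  no DNS header at all (timeout, unreachable)
classify_dig_answer() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            split($0, part, ";")            # part[3] is " flags: qr aa rd"
            aa = ((part[3] " ") ~ / aa /) ? 1 : 0
        }
        END {
            if (status == "")                   print "NORESP"
            else if (status == "NOERROR" && aa) print "OK"
            else if (status == "NOERROR")       print "LAME:not-authoritative"
            else                                print "LAME:" status
        }'
}

# Ask the parent-zone server for the delegation NS set, then ask every listed
# nameserver (without recursion) for the SOA of the zone apex. Needs network.
check_delegation() {   # usage: check_delegation ZONE PARENT_NAMESERVER
    cd_zone=$1; cd_parent=$2
    dig +noall +authority +norecurse NS "$cd_zone" "@$cd_parent" |
        awk '$4 == "NS" { print $5 }' |
        while read -r cd_ns; do
            cd_verdict=$(dig +norecurse +time=3 +tries=1 SOA "$cd_zone" "@$cd_ns" |
                classify_dig_answer)
            printf '%s\t%s\n' "$cd_ns" "$cd_verdict"
        done
}

# Constructed samples for offline use. The NXDOMAIN header line is the one
# quoted in the thread; the flags lines and the second sample are made up.
SAMPLE_LAME=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46581
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_LAME" | classify_dig_answer   # LAME:NXDOMAIN
printf '%s\n' "$SAMPLE_OK"   | classify_dig_answer   # OK
# Live use: check_delegation max.levymeister.com dns1.registrar-servers.com
```

Querying the SOA of the zone apex works as a probe because the apex always exists on a server that really hosts the zone, so any verdict other than OK means that nameserver should not be in the delegation.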

Wow thank you!

I hadn’t thought to check the upstream DNS since I was having issues mainly with particular subdomains.

That seems to have resolved the issue!

You’re welcome!

Please don’t forget to add the DS record for the max.levymeister.com delegation in your main domain, see DNSSEC Debugger - max.levymeister.com. <3

Stay secure,
Peter


Sadly my registrar (Namecheap) doesn’t support DS record delegation for subdomains (only if I want to delegate the whole domain). I reached out to support previously and they said that they don’t plan to change things.

I would just switch the whole domain over to deSEC, but there are other people who have their own DNS configurations for other subdomains that I’d need to coordinate with. I’ll see if I can convince them to manage the whole thing on deSEC.

I found that a surprising limitation from an implementation perspective, so I verified with their Head of Customer Service and indeed it is correct. He advised that in order to configure a secure subdelegation, it is necessary to switch the main domain to a different DNS provider.

You’re of course welcome to move it to deSEC! 🙂

Stay secure,
Peter
