Hi all,
I’m currently trying to setup our domain at deSEC as netcup has massive issues with their DNSSEC implementation.
However, I somehow got stuck. I already have the account at deSEC and entered all DNS records. However, when I try to change the nameservers at netcup to ns1.desec.io and ns2.desec.org, I get the error message, that the domain is not managed by ns1.desec.io.
What am I missing here?
Thanks, Carl
It’s not clear to me from the error message what exactly Netcup is checking to trigger this message. I would ask the Netcup support. Before, to be on the safe side, you can check that the DNS zone is working correctly without changing the name servers as follows (with dig as example):
# for a records
dig @ns1.desec.io <your-domain> a
# for soa records
dig @ns1.desec.io <your-domain> soa
# for mx records
dig @ns1.desec.io <your-domain> soa
The netcup webpage asks to fill out 3 fields, when changing to another NS:
Hostname
IPv4-Adresse
IPv6-Adresse
What did you set ?
Fell free to partly anonymize your data.
Hi markus, hi Lipahtla, thank you for your input! I’ll reach out to the netcup support.
These are my inputs:
yours look like
https://www.netcup-wiki.de/wiki/Domaininhaber#eigene_Nameserver_eintragen
except, they use IPv4, you use only IPv6.
Try to set an IPv4 as well.
You may also want to check the NS glue records in the parent domain.
For example if your domain is example.com. then figure out the name servers for the com. domain (dig +short com. ns) then ask one of them for e.g. dig @a.gtld-servers.net. example.com. ns. Does the result point to deSEC or to netcup?
If the answer is not deSEC then something went wrong when setting the NS for the domain. Maybe the missing IPv4 addresses are the cause, but actually IPs should not even be required here so this is a somewhat weird interface. Maybe leaving all IP fields empty would work?
HTH
fiwswe
I checked the DNS Zone as @markus suggested and the records look good to me:
I also checked the NS glue records as @fiwswe advised and all nameserves currently direct to netcup:
see next post
The netcup support returned with this message:
Your own name servers report back that they do not administer the domain. So these cannot be set.
In the case of .de domains, name servers can only be set if they comply with DENIC guidelines. Therefore, also check via nast.denic.de whether these can be used. Your name servers can only be stored if this tool does not return any errors.
At this point I think there is something wrong with my config at desec.io. Let me check it again. Thank you all for your help!
As is evident from the screenshot of the SOA query, you created the domain with the name www.readybill.de.
So the deSEC nameservers feel responsible for that name everything below, but not for anything above. But your registered domain name is readybill.de, without www.
In other words, the fix is to configure readybill.de as a domain in the deSEC interface, and create the www records via the subname field.
Stay secure,
Peter
Thank you Peter! That was indeed the problem!
