Not propagating TXT record?

Hi,

I’m facing an issue with the propagation of a DNS TXT record for my domain 7905lane.ddns.net.

Details:

  • Domain: 7905lane.ddns.net
  • TXT Record: _acme-challenge.7905lane.ddns.net
  • Value: oRkhltb3OtxNpmxvAp0glySGa33DrxI35alaMqvFm1M
  • Added the TXT record over 24 hours ago using the deSEC DNS management interface.

Problem: The domain name 7905lane.ddns.net shows up correctly, but the TXT record _acme-challenge.7905lane.ddns.net does not appear to be propagating. I’ve checked using multiple DNS tools (e.g., Google Admin Toolbox), but the record is still not visible.

Steps Taken:

  1. Verified that the TXT record was entered correctly in deSEC.
  2. Ensured the name and value are exactly as provided by Let’s Encrypt.
  3. Waited for 24 hours to allow for DNS propagation.

I would appreciate any guidance or insights on why the TXT record might not be propagating and how to resolve this issue.

Thank you!

Hi jeffep,
is 7905lane.ddns.net your actual domain name? It does not appear to be served by deSEC, but by no-ip.
To get the ACME challenge record served by deSEC, you’d need to make no-ip delegate the subdomain to deSEC (and I doubt they support that).
If that really is your domain, you’ll need to take the question to no-ip.

In general, deSEC requires less than 24 hours for a record to propagate. Usually not more than a minute. (However, when changing an existing record you’ll also need to consider the record’s TTL, since that is the time it may be cached by resolvers).

2 Likes

Here is an online tool https://unboundtest.com/ that does “Use this server to make DNS queries against an Unbound instance and get logs. The Unbound instance is configured very similarly to Let’s Encrypt’s production servers, and is started fresh for each query so there are no caching effects.”

It starts like this:
[screenshot]

But you want to select TXT like this:
[screenshot]

And then enter _acme-challenge.7905lane.ddns.net in the Domain Query box.

I get this result https://unboundtest.com/m/TXT/_acme-challenge.7905lane.ddns.net/YQBE3DPC

Hi @jeffep,

dig 7905lane.ddns.net NS +trace

$ dig 7905lane.ddns.net NS +trace

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> 7905lane.ddns.net NS +trace
;; global options: +cmd
. 7188 IN NS e.root-servers.net.
. 7188 IN NS j.root-servers.net.
. 7188 IN NS k.root-servers.net.
. 7188 IN NS b.root-servers.net.
. 7188 IN NS f.root-servers.net.
. 7188 IN NS m.root-servers.net.
. 7188 IN NS l.root-servers.net.
. 7188 IN NS c.root-servers.net.
. 7188 IN NS i.root-servers.net.
. 7188 IN NS a.root-servers.net.
. 7188 IN NS d.root-servers.net.
. 7188 IN NS g.root-servers.net.
. 7188 IN NS h.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms

net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 86400 IN DS 37331 13 2 2F0BEC2D6F79DFBD1D08FD21A3AF92D0E39A4B9EF1E3F4111FFF2824 90DA453B
net. 86400 IN RRSIG DS 8 1 86400 20241225170000 20241212160000 61050 . VsUpZM/EUT78+QKJBycNB8NqnPjTs8kjn/tY9kO2N1tUn1T8fjMFM/9y Y4YnI48KWiFgQwOaAk83Dxvx3sAaMOu+gzbjE9CarBwbWzx/BuiKVaGC IzHUkstbPzCHrj5WAyhhIuasVPw4jeKOOCnzjLp/rgxFanUvvhs+ELhH pTq+IJC4LzvNl1WmbhsqymYYTolDH4+Dkjo+MO9J3lvH3oMWS+H7HIoZ kNzz4gPV3AgGjae+w7BZsAF4f6SLKBdEd6l+LlBrnAv7pVvC2iCbFIOK XPhZysD19MI5QCrCpQZxKlafTSbgLZtuwLnxkSJ1zGvaO1TpeOVClPvh 8XoknQ==
;; Received 1174 bytes from 199.7.91.13#53(d.root-servers.net) in 16 ms

ddns.net. 172800 IN NS nf1.no-ip.com.
ddns.net. 172800 IN NS nf2.no-ip.com.
ddns.net. 172800 IN NS nf3.no-ip.com.
ddns.net. 172800 IN NS nf4.no-ip.com.
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 1 1 0 - A1RTLNPGULOGN7B9A62SHJE1U3TTP8DR NS SOA RRSIG DNSKEY NSEC3PARAM
A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG NSEC3 13 2 900 20241218030541 20241211015541 31059 net. 95/AXILje3/q9qpnUOa4ciwD2W6gxUzXESLUCOqctprgh/tPQECVlzzR dA82A9I5PamG6Eul2YoNVXtHF5WEfw==
E51JQBMJA3CP91SA39O2RSF4M91A6OCU.net. 900 IN NSEC3 1 1 0 - E51PEEEEAJ4K8HQIM65HA9L4SEI317P8 NS DS RRSIG
E51JQBMJA3CP91SA39O2RSF4M91A6OCU.net. 900 IN RRSIG NSEC3 13 2 900 20241217025923 20241210014923 31059 net. DoJDPo/xp9+aHKLxRKDMYxlD68tjJb4yGlrtoni5hpeaIwVyzhIh8I29 lc9sSq5aIQnWC+xfYO76tWjfH+hWeA==
;; Received 484 bytes from 192.52.178.30#53(k.gtld-servers.net) in 33 ms

;; UDP setup with 2a07:dc00:1830::53#53(2a07:dc00:1830::53) for 7905lane.ddns.net failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2a07:dc00:1830::53#53(2a07:dc00:1830::53) for 7905lane.ddns.net failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2a07:dc00:1830::53#53(2a07:dc00:1830::53) for 7905lane.ddns.net failed: network unreachable.
;; UDP setup with 2607:f740:e626::53#53(2607:f740:e626::53) for 7905lane.ddns.net failed: network unreachable.
;; UDP setup with 2620:0:2e61::53#53(2620:0:2e61::53) for 7905lane.ddns.net failed: network unreachable.
ddns.net. 1800 IN SOA nf1.no-ip.com. hostmaster.no-ip.com. 2607758872 10800 1800 604800 1800
;; Received 106 bytes from 194.62.183.53#53(nf4.no-ip.com) in 11 ms

This shows that these are the authoritative Name Servers for 7905lane.ddns.net:

$ dig 7905lane.ddns.net NS +trace | grep no-ip.com
ddns.net.               172800  IN      NS      nf1.no-ip.com.
ddns.net.               172800  IN      NS      nf2.no-ip.com.
ddns.net.               172800  IN      NS      nf3.no-ip.com.
ddns.net.               172800  IN      NS      nf4.no-ip.com.
ddns.net.               1800    IN      SOA     nf1.no-ip.com. hostmaster.no-ip.com. 2607759070 10800 1800 604800 1800
;; Received 106 bytes from 194.62.182.53#53(nf1.no-ip.com) in 18 ms
$ nslookup -q=any 7905lane.ddns.net nf1.no-ip.com.
Server:         nf1.no-ip.com.
Address:        194.62.182.53#53

Name:   7905lane.ddns.net
Address: 72.183.233.22

Looking at the TXT _acme-challenge.7905lane.ddns.net using nf1.no-ip.com., we find nothing. :frowning:

$ nslookup -q=any _acme-challenge.7905lane.ddns.net nf1.no-ip.com.
Server:         nf1.no-ip.com.
Address:        194.62.182.53#53

** server can't find _acme-challenge.7905lane.ddns.net: NXDOMAIN

ns1.desec.io. seems to believe that ns1.desec.io. and ns2.desec.org. are the name servers.

$ nslookup -q=any 7905lane.ddns.net ns1.desec.io.
Server:         ns1.desec.io.
Address:        45.54.76.1#53

7905lane.ddns.net       nameserver = ns1.desec.io.
7905lane.ddns.net       nameserver = ns2.desec.org.
7905lane.ddns.net       rdata_59 = 46898 13 2 EA9A0261D761B503C185C618ADE6C4A30C27AD343C7BD9710312A13B 9A079439
7905lane.ddns.net       rdata_59 = 46898 13 4 0B0F0B836B19ABCA0BD93D55DB7B4C72BDE0E72376FB3D65A6976CE2 A52599B64700A8B35411DC131571DE47DF125A19
7905lane.ddns.net       rdata_60 = 257 3 13 Q6W3lPRDhnbf4pdKDccKzeW/YDwD/E/pAfarp5mLgvkYAi9nAPV7CUt5 PkeHYMTzfX+u6IiC22EVNOPDgYylHA==
7905lane.ddns.net
        origin = get.desec.io
        mail addr = get.desec.io
        serial = 2024123969
        refresh = 86400
        retry = 3600
        expire = 2419200
        minimum = 3600

And looking at the TXT _acme-challenge.7905lane.ddns.net using ns1.desec.io.

$ nslookup -q=any _acme-challenge.7905lane.ddns.net ns1.desec.io.
Server:         ns1.desec.io.
Address:        45.54.76.1#53

_acme-challenge.7905lane.ddns.net       text = "oRkhltb3OtxNpmxvAp0glySGa33DrxI35alaMqvFm1M"

And results from ns2.desec.org.

$ nslookup -q=any 7905lane.ddns.net ns2.desec.org.
Server:         ns2.desec.org.
Address:        157.53.224.1#53

7905lane.ddns.net       nameserver = ns1.desec.io.
7905lane.ddns.net       nameserver = ns2.desec.org.

And with ns2.desec.org

$ nslookup -q=any _acme-challenge.7905lane.ddns.net ns2.desec.org.
Server:         ns2.desec.org.
Address:        157.53.224.1#53

_acme-challenge.7905lane.ddns.net       text = "oRkhltb3OtxNpmxvAp0glySGa33DrxI35alaMqvFm1M"

Thus it looks to me like deSEC is propagating well; it is just that no one knows to look there, as its servers are not the authoritative Name Servers.

1 Like
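The check the trace above performs by hand, as an added example that is not from the thread: parse `dig NAME NS +trace` output, find the zone cut that resolvers actually follow, and test whether a provider's nameservers are among the delegated ones. The trace text is constructed and abbreviated, and the function names are assumptions.

```python
"""Added example (not from the forum thread): decide, from the delegation
chain `dig NAME NS +trace` prints, which servers resolvers will ask for
NAME and whether a DNS provider's servers are among them.
The trace text below is constructed; zone and server names mirror the
thread's case."""
import re

# Constructed, abbreviated +trace output in the shape the thread shows.
SAMPLE_TRACE = """\
.                       7188    IN      NS      a.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms
net.                    172800  IN      NS      a.gtld-servers.net.
;; Received 1174 bytes from 199.7.91.13#53(d.root-servers.net) in 16 ms
ddns.net.               172800  IN      NS      nf1.no-ip.com.
ddns.net.               172800  IN      NS      nf2.no-ip.com.
;; Received 484 bytes from 192.52.178.30#53(k.gtld-servers.net) in 33 ms
ddns.net.               1800    IN      SOA     nf1.no-ip.com. hostmaster.no-ip.com. 1 2 3 4 5
"""

NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")

def delegations(trace):
    """Map each zone named in the trace to the set of NS hosts listed for it."""
    zones = {}
    for line in trace.splitlines():
        m = NS_LINE.match(line)
        if m:
            zones.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return zones

def authoritative_zone(name, zones):
    """Closest enclosing zone of NAME that has its own NS set (the zone cut)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return "."  # no cut below the root: only the root servers would answer

def check_delegation(name, trace, provider_ns):
    """Return (zone cut, servers resolvers ask, provider is among them)."""
    zones = delegations(trace)
    zone = authoritative_zone(name, zones)
    served_by = zones[zone]
    return zone, served_by, bool(served_by & {n.lower() for n in provider_ns})

if __name__ == "__main__":
    zone, ns, ok = check_delegation("_acme-challenge.7905lane.ddns.net",
                                    SAMPLE_TRACE, ["ns1.desec.io.", "ns2.desec.org."])
    print(f"zone cut: {zone}; resolvers ask: {sorted(ns)}; provider authoritative: {ok}")
```

When the last value is False, a record published at the provider is correct but invisible to every resolver, which is exactly the situation the thread diagnoses.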

Thanks to everyone who responded. I went to no-ip.com to change the Nameservers to point to deSEC and I’m finding it very difficult. It probably requires an account upgrade, just like hosting TXT required an upgrade. Looks like I’ll have to go in a different direction.

1 Like

Hi @jeffep,

If you aren’t too picky about the domain name, here is a free one: How to setup DNS to here on nic.us.kg
I find the User Interface quirky, but it’s free.

Edit

But DNSSEC doesn’t work since they don’t have any interface to take the DNSSEC keys that deSEC provides.

FYI - the 2 that come up when googling, freenom and dotTK, both appear to be fake. Whatever domain you try to reserve, it fails and says similar ones are available at a price.

Why not get a real domain at a normal registrar?

Actually they were real, but lost the “rights” to do it presently.

I’m not running a business, I just wanted to be able to use certificates on my home server for IoT. So I didn’t want to pay for it.

Not sure if there are any free subdomains that offer DNSSEC.

You can get a real domain for around $15 a year.

deSEC has a free DynDNS service. If you’re fine with a dedyn.io subdomain, that may be what you’re looking for.
It’s not currently open for registration, but I believe they’ll make it available again soonish. I think it supports TXT records and all the other goodies. However, I don’t personally use the DynDNS service for anything other than A/AAAA.

If you don’t mind a so-so TLD, you can get a domain that is 6 to 9 digits followed by .xyz for just a dollar per year.

1 Like