Problems using NS records pointing to deSEC

At my registrar, inwx.de, I’ve set up two NS records pointing to deSEC. On deSEC I’ve created an A record. However, after waiting some days I am still not able to resolve that A record.

I cross-checked the configuration by temporarily pointing to another DNS provider, afraid.org, which works fine, but on deSEC this fails for an unknown reason.

dig  it-just-works.de

; <<>> DiG 9.20.3 <<>> it-just-works.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2395
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;it-just-works.de.              IN      A

;; AUTHORITY SECTION:
it-just-works.de.       895     IN      SOA     ns.inwx.de. hostmaster.inwx.de. 2024121606 10800 3600 1209600 3600

dig ns it-just-works.de

; <<>> DiG 9.20.3 <<>> ns it-just-works.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53448
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;it-just-works.de.              IN      NS

;; ANSWER SECTION:
it-just-works.de.       3275    IN      NS      ns2.desec.org.
it-just-works.de.       3275    IN      NS      ns1.desec.io.

;; ADDITIONAL SECTION:
ns2.desec.org.          347     IN      A       157.53.224.1
ns2.desec.org.          347     IN      AAAA    2607:f740:e00a:deec::2
ns1.desec.io.           357     IN      A       45.54.76.1
ns1.desec.io.           171     IN      AAAA    2607:f740:e633:deec::2


dig it-just-works.de @ns1.desec.io
;; BADCOOKIE, retrying.

; <<>> DiG 9.20.3 <<>> it-just-works.de @ns1.desec.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42327
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
; COOKIE: 893338ce35deb238010000006763ee00fffbafbbd0267991 (good)
;; QUESTION SECTION:
;it-just-works.de.              IN      A

;; ANSWER SECTION:
it-just-works.de.       3600    IN      A       111.112.113.114


Any idea what’s going on here?

Thanks

Hi jnko,

Thanks for your message, and welcome to deSEC! :slight_smile:

The registrar has not set the new NS records in the .de domain:

$ dig +noall +auth NS @a.nic.de it-just-works.de
it-just-works.de.	86400	IN	NS	ns.inwx.de.
it-just-works.de.	86400	IN	NS	ns2.inwx.de.
it-just-works.de.	86400	IN	NS	ns3.inwx.eu.

… so queries are answered by those nameservers, not deSEC. You’ll have to contact your registrar.

Stay secure,
Peter

1 Like

Hi jnko,
At INWX you should go to your domain list, then click on the gear wheel of the domain to edit and choose ‘externe Nameserver’.
There you can fill in the deSEC nameservers (see screenshots below).


Doing so, it worked for me.

Greetings
Armin

Thanks for the hint.
That is what I already did. Just a couple of seconds I received an E-Mail from inwx

DOMAIN: it-just-works.de

REGISTRY-MESSAGE:

> RESULT: failed
> STID: 40b8fa24-bcf9-45fa-9612-991dc4a7131f
> ERROR: 53300102912 Nameserver error [ERROR: 118 Inconsistent set of NS RRs (found, nameserver, ip) (No NS records found in answer section, ns2.desec.org, 2607:f740:e00a:deec::2)]
> ERROR: 53300102912 Nameserver error [ERROR: 118 Inconsistent set of NS RRs (found, nameserver, ip) (No NS records found in answer section, ns2.desec.org, 157.53.224.1)]
> ERROR: 53300102912 Nameserver error [ERROR: 118 Inconsistent set of NS RRs (found, nameserver, ip) (No NS records found in answer section, ns1.desec.io, 2607:f740:e633:deec::2)]
> ERROR: 53300102912 Nameserver error [ERROR: 118 Inconsistent set of NS RRs (found, nameserver, ip) (No NS records found in answer section, ns1.desec.io, 45.54.76.1)]
> WARNING: 33300102912 Predelegation Check warning [WARNING: 110 Retry value out of range (expected, found, nameserver, ip) ([10800..28800], 3600, ns1.desec.io, 45.54.76.1)]


-----------------------------------------------------------------------------------
                               DOMAIN UPDATE FAILED                              
-----------------------------------------------------------------------------------

Another domain of mine points to afraid.org, which works. Also, for testing purposes I added NS records for it-just-works.de to afraid, which also worked after about 24h. Only deSEC seems to make trouble. I’ve also created a ticket at inwx but still no reply from them.

It appears that you have deleted the NS records in your domain at deSEC. That’s an invalid configuration.

Please create NS records with empty subname and values ns1.desec.io. and ns2.desec.org. in your domain at deSEC.

Stay secure,
Peter

2 Likes
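
The two checks from Peter's replies, combined into one script: does each intended nameserver serve the NS set at the zone apex, and does the parent zone delegate to that set. This is an added example, not part of the original thread and not deSEC or INWX tooling; the function names, `fake_dig` and its `STATE` scenarios are assumptions, and the stub's post-fix responses are constructed.

```shell
#!/bin/sh
# Added example: pre-delegation sanity check for moving a zone to new nameservers.
DIG=${DIG:-dig}        # set DIG=fake_dig to run offline against the constructed data

# Sorted, lower-cased NS targets owned by zone $1 in dig output read from stdin.
ns_targets() {
    awk -v z="${1%.}." 'tolower($1) == tolower(z) && $4 == "NS" { print tolower($5) }' | sort -u
}
# Delegation published by parent-zone server $2 (a referral, so authority section).
parent_ns() { "$DIG" +norec +noall +authority NS "$1" "@$2" | ns_targets "$1"; }
# Apex NS RRset served by authoritative server $2 (answer section).
apex_ns() { "$DIG" +norec +noall +answer NS "$1" "@$2" | ns_targets "$1"; }

# check_delegation ZONE PARENT_SERVER NS...
# returns 0 = consistent, 1 = a nameserver lacks the apex NS set, 2 = parent not updated
check_delegation() {
    zone=$1; parent=$2; shift 2
    want=$(printf '%s\n' "$@" | sed 's/\.*$/./' | tr '[:upper:]' '[:lower:]' | sort -u)
    rc=0
    for ns in "$@"; do
        got=$(apex_ns "$zone" "${ns%.}")
        if [ -z "$got" ]; then echo "FAIL $ns: no NS records in answer section"; rc=1
        elif [ "$got" != "$want" ]; then echo "FAIL $ns: apex NS set differs from intended set"; rc=1
        else echo "ok   $ns: apex NS set matches"; fi
    done
    if [ "$(parent_ns "$zone" "$parent")" != "$want" ]; then
        echo "WARN $parent: parent does not delegate to the intended set"
        [ "$rc" -ne 0 ] || rc=2
    fi
    return "$rc"
}

# Constructed stand-in for dig: $3 is the section flag, $6 the @server, STATE the scenario.
fake_dig() {
    case "$STATE/$3/$6" in
        deleted/+authority/*|apex-ok/+authority/*)
            printf 'it-just-works.de. 86400 IN NS %s\n' ns.inwx.de. ns2.inwx.de. ns3.inwx.eu. ;;
        apex-ok/+answer/*|delegated/*)
            printf 'it-just-works.de. 3600 IN NS %s\n' ns1.desec.io. ns2.desec.org. ;;
    esac                     # deleted/+answer/*: empty answer, as the registry saw
}
```

Against live servers, call `check_delegation it-just-works.de a.nic.de ns1.desec.io ns2.desec.org`; offline, set `DIG=fake_dig` and `STATE` to `deleted`, `apex-ok` or `delegated` first.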

@peter: Thanks a lot, that did the trick. Seems that the other DNS provider silently added the NS records. Lesson learned :wink: