DNS stopped working, related to glue records?

About 12 or 13 hours ago I stopped receiving mail at my box.cmail.xyz machine. It handles a couple different domains (cmail.xyz and cliff1976.com). I host the VPS at digitalocean.com with MIAB v.047 working great for years. The registrar is Gandi and I have glue records properly set up there from what I can see. Also DNSSEC looks correct to me when I compare data in the Gandi glue records control panel to what my MIAB tells me.

box.cmail.xyz
✖ Nameserver glue records are incorrect. The ns1.box.cmail.xyz and ns2.box.cmail.xyz nameservers must be configured at your domain name registrar as having the IP address 46.101.237.35. They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after a change.
✖ This domain must resolve to your box’s IP address (46.101.237.35 / 2a03:b0c0:3:d0::fb:8001) in public DNS but it currently resolves to [Not Set] / [Not Set]. It may take several hours for public DNS to update after a change. This problem may result from other issues listed above.

Glue record settings:
image

Nameserver settings:
image

I can’t get box.cmail.xyz to resolve to my Digital Ocean VPS’s IP. I can only get into the control panel via the IP number.

Further complicating things: my Digital Ocean contact email address is set to an email on the cliff1976.com domain – which means I can’t receive their email with a verification code to login and check stuff through the Digital Ocean management console. ☹ That is a dumb mistake on my part.

I’ve rebooted the VPS several times (ssh’ing in through the IP number) and tried to run the upgrade/install mailinabox script. No errors during the (re-)installation. But so far, no luck. I can only reach box.cmail.xyz via its IP on SSH or the webserver miab admin pages. So I am sure I’m not receiving mail for any of the domains it hosts as long as box.cmail.xyz is not resolvable via its FQDN.

What else can I try to get box.cmail.xyz DNS working again so that I can get email working again?

Contact Gandi.

For some reason they have removed your Glue records. Or something has happened that your Glue records are no longer listed.

$ dig NS xyz

; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>> NS xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xyz.				IN	NS

;; ANSWER SECTION:
xyz.			129932	IN	NS	z.nic.xyz.
xyz.			129932	IN	NS	generationxyz.nic.xyz.
xyz.			129932	IN	NS	x.nic.xyz.
xyz.			129932	IN	NS	y.nic.xyz.

;; Query time: 54 msec
;; SERVER: 10.9.0.1#53(10.9.0.1)
;; WHEN: Sat Aug 22 08:59:57 CEST 2020
;; MSG SIZE  rcvd: 112

$ dig NS cmail.xyz @y.nic.xyz

; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>> NS cmail.xyz @y.nic.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10282
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cmail.xyz.			IN	NS

;; AUTHORITY SECTION:
xyz.			3600	IN	SOA	ns0.centralnic.net. hostmaster.centralnic.net. 3000560815 900 1800 6048000 3600

;; Query time: 92 msec
;; SERVER: 185.24.64.42#53(185.24.64.42)
;; WHEN: Sat Aug 22 09:01:55 CEST 2020
;; MSG SIZE  rcvd: 103
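
The check in the reply above (asking a TLD nameserver directly what it holds for the domain), as an added example that is not part of the original thread: it parses saved `dig` text output and reports whether the parent zone still delegates the domain and whether nameservers under the domain itself have glue. The sample outputs, the `example.test` names and the function names are constructed for illustration.

```python
import re

# Constructed samples modelled on the dig output in this thread: replies from a
# TLD nameserver to `dig NS <domain> @<tld-nameserver>`.
SUSPENDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10282
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
xyz.\t3600\tIN\tSOA\tns0.centralnic.net. hostmaster.centralnic.net. 3000560815 900 1800 6048000 3600
"""
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; AUTHORITY SECTION:
example.test.\t3600\tIN\tNS\tns1.box.example.test.
example.test.\t3600\tIN\tNS\tns2.box.example.test.
;; ADDITIONAL SECTION:
ns1.box.example.test.\t3600\tIN\tA\t192.0.2.10
ns2.box.example.test.\t3600\tIN\tA\t192.0.2.10
"""

def parse_records(text):
    """Return (status, [(owner, type, rdata), ...]) from dig's text output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig's comment/header lines
        fields = line.split(None, 4)  # owner, TTL, class, type, rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append((fields[0].lower(), fields[3], fields[4].strip()))
    return status, records

def check_delegation(domain, text):
    """Classify what the parent (TLD) zone says about `domain`."""
    zone = domain.lower().rstrip(".") + "."
    status, records = parse_records(text)
    if status == "NXDOMAIN":
        return "not-delegated"  # parent zone has no entry: removed or on hold
    if status != "NOERROR":
        return "error:" + status
    ns = [r[2].lower() for r in records if r[0] == zone and r[1] == "NS"]
    if not ns:
        return "no-ns"
    glue = {r[0] for r in records if r[1] in ("A", "AAAA")}
    # Nameservers named under the domain itself cannot be found without glue.
    missing = [n for n in ns if n.endswith("." + zone) and n not in glue]
    return "missing-glue:" + ",".join(sorted(missing)) if missing else "ok"
```

A `not-delegated` result from the TLD's own nameserver means no change on the box can fix resolution; the registrar or registry has to restore the delegation.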

Thanks! A ticket is open with them now.

More info from your domain’s WHOIS. @cliff1976

https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en#serverHold

From experience, you may want to switch your MiaB to be on the other domain, which can be done by setting glue records for it at the registrar, then rerunning sudo mailinabox and entering the proper information.

Thank you @alento

From experience, you may want to switch your MiaB to be on the other domain,

Can you elaborate on why I should switch my MiaB to the other domain and switch the glue records after it was working for like 5 years? Is it a Gandi thing (are they unreliable?)?

My other domain, cliff1976.com, is registrar’d through nearlyfreespeech.net. Should I do my glue records through them?

I’m sorry … I should have elaborated more when I posted this comment. If there is some strange odd issue occurring that caused your domain to be put into serverHold status, it either will be solved immediately upon contacting Gandi, or it will take several days of back and forth between the registrar and the registry. Otherwise, Gandi is an excellent registrar.

There is even the option to use a third party DNS service temporarily such as Cloudflare.

Thanks for the details! It’s been about a day now, but a weekend. I don’t like not getting my mail, but if it might be fixed soon, I’d rather not mess with it more. I’ll sleep on it, I guess.

Following up, since this is apparently a solved issue now (however, I still don’t know the root cause).

@alento was right on the money. Thank you!

I have two domains served by MiaB. The primary one, cmail.xyz, stopped working on a Friday evening. I opened a ticket with Gandi (my registrar). They didn’t respond until Tuesday morning. And even then, their only response was to forward the results of their own inquiry to gen.xyz:

If you have submitted a .xyz domain that you believe to be abusive, our team will investigate the domain and take action if we find it to be in violation of our anti-abuse policies.

If you have questions about why your .xyz domain has been suspended or need help unsuspending your domain, please follow the 3 easy steps on My Account | .xyz | For every website, everywhere®. If you have completed these steps, please respond to this ticket with evidence of delisting by ALL blacklists and we will confirm once your domain has been unsuspended.

Heck yeah I had questions about my .xyz domain that had been suspended! I followed their “3 easy steps,” most of which was taking screenshots or printing blacklist providers’ webpages to PDF and submitting that to gen.xyz, saying “see? I’m not on any blacklists!”

I waited over a day and heard back nothing, so I renamed my box.cmail.xyz VPS at Digital Ocean over to box.cliff1976.com (the secondary domain) and set up glue records at that domain’s registrar (nearlyfreespeech.net) so that at least the cliff1976.com domain email would start working again, which it did, quickly, after re-running sudo mailinabox and putting in the new box name. Just like @alento recommended.

It’s now Wednesday morning and my ticket with gen.xyz still has the status “open,” but my domain cmail.xyz is now working again. It still has the domain status “serverHold” when I do a whois lookup on it as of this writing, but that’s not keeping it from working anymore.

I’m all green checkmarks on the MiaB status checks now, for both domains. I still have no idea about how/who/why/when my cmail.xyz domain got flagged for abuse (presumably) leading to its suspension. If I find out, I may post it here, if I think it could help someone else.

The serverHold status apparently only restricts the use of glue records on the domain. Hence, my suggestion to switch DNS either by reconfiguring the box and switching the domain serving it, or using an external DNS provider was what was needed to get mail flowing on both domains. I am just sorry that I didn’t make that clearer.

Anyways, glad to hear that you are back up and am looking forward to the explanation you get … someday.

I got a weak explanation from gen.xyz, the registry behind my cmail.xyz domain.

Hello Cliff,

Thank you for your message. This domain has been unsuspended and is now active. This domain was flagged by Spamhaus and has since dropped off due to the site being inactive. Please check Spamhaus DBL after 24 hrs to ensure delisting.

Please note that it will be added to a watch list for any potential violations of our anti-abuse policies, and we will continue to monitor this domain.

Also note, it can take up to 24 hours for the WHOIS information to update.

Please submit a new support ticket at My Account | .xyz | For every website, everywhere® if you have any further evidence or information.

Kind Regards,

XYZ Anti-Abuse Team
xyz_abuse@gen.xyz
M-F 9am-5pm PT

To which I replied with:

Thanks. Do you have some proof that it was ever flagged by Spamhaus? I had to show proof it’s not listed now, and that was ineffective because it was not flagged after you took it down and Gandi my registrar took a couple days to answer my ticket with them. Seems only logical that you would record some proof that it was flagged. Please let me know how I can see that.

Thanks!
Cliff

I think if I have to prove it’s not listed by Spamhaus, they should have to prove it is – or was, at the time of suspension – by Spamhaus. Or anyone else. I don’t really expect a meaningful response here, and I plan to move the domain away from Gandi thanks to their slow support response time shortly before it expires in 2023. That might still not get me away from the gen.xyz registry, though.

I’d love to hear anyone else’s experiences on the topic of Spamhaus-related domain suspensions from gen.xyz or anyone else for that matter.