Gandi, glue records, digital ocean

Help with Setup/Upgrade
1

Hi, I recentlty installed MIAB latest version on Ubuntu 14.04.5 LTS (latest U14 on DO).
I’ve set up glue records +NS on gandi.

I’m still having (after 5-6 days) :
“”"
box.gayet.gg

Nameserver glue records are incorrect. The ns1.box.gayet.gg and ns2.box.gayet.gg nameservers must be configured at your domain name registrar as having the IP address 142.93.160.68. They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after a change.

This domain must resolve to your box’s IP address (142.93.160.68) in public DNS but it currently resolves to [Not Set]. It may take several hours for public DNS to update after a change. This problem may result from other issues listed above.
“”"

info:
DNSSEC in unavailable at gandi for .gg
on the box:
“”"
root@box:~# host box.gayet.gg
Host box.gayet.gg not found: 2(SERVFAIL)
root@box:~# host -t ns gayet.gg
Host gayet.gg not found: 2(SERVFAIL)
“”"
Installation went fine. Re-try doing mailinabox at prompt => same no problems at install, but DNS not properly set.
Already read the similar topics here.

I’m stuck. What can I do?
Thanks in advance,

Hubert

2

Hubert,

The first step would be to double check that your GLUE records are properly set at Gandi.

http://wiki.gandi.net/en/domains/management/change-glue

3

Hi alento,

Thanks for you answer.
I already double (triple) checked.
It seems to me to be good:

2018-08-15%2019-24-37
2018-08-15 19-24-37.png1106×387 14.8 KB

Name servers as well:

2018-08-15%2019-27-24
2018-08-15 19-27-24.png1113×320 17.4 KB

Am I wrong?

Best regards, Hubert

4

No, it certainly does not look like you are wrong. Sadly, I am weak in the subject of DNS but what I can see is that it looks like your glue records are not being properly identified to the root servers. I can only suggest to reach out to Gandi.

https://gwhois.org/gayet.gg+dns

Should look something like this:
https://gwhois.org/mailinabox.email+dns
However, it appears that root-servers.net is not resolving for tld gg perhaps?

5

I can see the (big) difference between the two results…
Unfortunately, I’m the weakest as far as DNS are concerned.

I’m gonna post a message to gandi support, and I’ll keep you and this thread informed.

6

As of today, Gandi is contacting the .gg registry.

7

I hope that they work with some urgency to resolve this for you. For now, it is just a waiting game unfortunately. :frowning:

Thanks for the update.

8

OMG. Basically, they’re saying it’s not gonna work.

“”"
This configuration is never going to work for at least two reasons.
Firstly, you must always have two nameservers.
Simply creating a second host name pointing to the same server will not provide the redundancy that the requirement for a minimum of two nameservers in RFC 1034 is designed to provide. It is a Really Bad Idea.

But more importantly, these hostnames are not in the gayet.gg domain anway!

On closer inspection I see they are apparently inside the box.gayet.gg domain. This is not the same thing.

The box.gayet.gg domain, however, relies upon the gayet.gg domain. And that cannot work as that is relian t on the box.gayet.gg domain working first.

If the box.gayet.gg domain it used the same nameservers (e.g. ns1.box.gayet.gg) it would need glue records that belong in it parent domain (i.e. whic is the gayet.gg zone, not the gg zone).

But that’s not working yet . .

Put simply, however, the nameserver records you are attempting to create not in-bailiwick thus will not be generated in the TLD zone.

On using DIG, I see this nameserver is authoritative for the gayet.gg zone.

But it is not authoritative for the box.gayet.gg zone and there are no NS records for that domain there.

box.gayet.gg therefore only exists as a hostname inside gayet.gg, not as a subdomain.

If you need the registry to create glue for any hostname, it has to be in bailiwick (e.g. ns1.gayet.gg).

I trust this helps rather than confuses?

To resolve the problem, we recommend you to delete the current glue records ns1.box.gayet.gg and ns2.box.gayet.gg and to create direct glues (for example ns1.gayet.gg and ns2.gayet.gg) pointing to different IP addresses.

You can then configure your domain name with the new glue records.
“”"

As far as I understand.
Point 1 : it’s a requirement to have two distinct NS. I can deal with it one way or another.
Point 2 : the way MIAB require the NS to be named (ns[12].box.domain.tld) is never going to work.

So:
a. why is it working (does it really -like 100% RFC compliant-) with other tld? Who’s right/wrong?
b. is there a documented way to make MIAB work with external DNS? for example copy/paste required configuration in provider’s DNS. I think I’ve read in the setup guide that it will not 100% work…
c. is there a “3rd way”: like creating ns[12].gayet.gg (not .box. like they recommend) and then configure something into MIAB to make it work?

Of course, not being a DNS expert, these questions may not be crystal clear…

Thanks in advance for your help, Hubert

9

Sigh … I am not certain that they have a clue what they just said even … who provided that reply? Gandi? or Island Networks? I do not see that they even addressed the issue of the root-server,net not returning the IP address of the glue record … which is the whole point of glue records. I cannot remember exactly what the gwhois dot org page looked like originally, but does it seem as though it has changed to you?

Point 1 - true but mostly unenforced.
Point 2 - not true - it works on most every other tld.

a - see point 1
b - yes, look at your system/external DNS page within your MiaB admin area … it is all covered there.
c - probably, but overcomplicating a normally simple issue.

10

Just a reminder, as I am not a DNS expert I could quite easily be missing something. I want to tear the response that you received to shreds, based on seeing it work repeatedly, but I am not competent enough with DNS to be articulate enough on the subject to do that properly.

@murgero - any thoughts?

11

Thanks for your help.

The answer is provided by the .gg registry. Gandi forwarded it to me without further explanations.
I think I’ll go with option b, unless @murgero tells me otherwise.

It’s weird though that it works usually, I’m going to ask gandi about it.

I’ll keep you informed, Hubert

12

Hubert,

Totally shifting gears here … if there is some obscure reason(s) that the gg ccTLD is not working out you can always register a .net or .com domain name and use it as the domain for the mail service.

Yes, emails addresses such as hubert@gayet,gg would be fully supported on your install of MiaB without any jumping through hoops! (By following the procedure for multiple domains)

13

I wonder if Island Networks (the tld registry for .gg and .je) require 2 separate nameservers such as .ca, .nl, and others do. Their response does not make it clear if that is a requirement …

or an opinion.

14

Nice idea the multiple domain thing!

Meanwhile, I’ve tried to put everything without .box. and it seems to be working…
(i.e. glue records and ns ns[12].gayet.gg)

Surprisingly admin panel is happy:
box.gayet.gg

Nameserver glue records are correct at registrar. [ns1/ns2.box.gayet.gg ↦ 142.93.160.68]
gayet.gg

Nameservers are set correctly at registrar. [ns1.box.gayet.gg; ns2.box.gayet.gg]

DNS Propagation Checker - Global DNS Testing Tool also tells me that my dns are ns[12].box.gayet.gg. notice the .box.

https://gwhois.org/gayet.gg+dns unhappy:
Failed to resolve the following nameservers: ns2.gayet.gg , ns1.gayet.gg

I’m a bit confused but it seems to work…
Is it really a viable solution?

Does not seem to be a requirement otherwise even witout .box. it wouldn’t work…

15

It probably needs time to propagate …

I believe that it will work insomuch as if you listed somethingstupid1.gayet.gg as the nameserver since the DNS inquiries are being sent to the IP address - the incoming name server likely would not care who they are addressed to (ns1.gayet.gg or ns1.box.gayet.gg or somethingstupid1.gayet.gg) just that they are arriving at the correct address of the authoritative name server for the (sub)domain being looked up (142.93.160.68).

DNSSEC may blow what I just said out of the water though … I do not know. But since Gandi does not support DNSSEC for .gg domains, it is a moot point - today anyways.

16
  1. For MIAB Nameservers MUST be ns1.box.gayet.gg & ns2.box.gayet.gg
  2. Nameservers look GOOD for me, albeit not fully propagated (takes 48 hours!)

image
image.png1292×584 53.9 KB

17

@murgero

Heh, perhaps ya missed the part where the nameservers were changed with Gandi to ns1 and ns2 NOT ns1.box and ns2.box?
So, is the boxes internal DNS settings sending the response that ns1.box and ns2.box are the namesevers? For it certainly should not be Gandi.

Whois.gg reports this…

Domain:
gayet.gg

Domain Status:
Active
Transfer Prohibited by Registrar

Registrant:
(not available)

Registrar:
Gandi SAS (http://www.gandi.net)

Relevant dates:
Registered on 01st March 2018
Registry fee due on 01st March each year

Registration status:
Registered until cancelled

Name servers:
ns1.gayet.gg
ns2.gayet.gg

WHOIS lookup made on Fri, 17 Aug 2018 at 23:27:28 UTC

18

My first sentence states the issue :wink:

MUST be ns[1|2].box.gayet.gg

19

Yes, but that is NOT how they are set — but they are reporting as being set that way.

How can that be remotely possible???

20

ns1.gayet.gg isn’t full propagated. :wink: OP needs to switch back to ns1.box.gayet.gg (same with ns2)

Remember: DNS can take up to 48 hours to fully propagate. There are 13 root DNS servers, plus tens of thousands of other DNS servers that these need to propagate to.