One of my domains keeps having a nameserver Not Set error in MIAB

If I check my domain on Pingability it's fine

Zone Info: mydomain.com
Information mydomain.com./123.199.911.111 is located in Shantytown.
Information www.mydomain.com is a CNAME record pointing to mydomain.com.
Information 7 seconds to complete zone checks.

If I check it on Dig Men & Mice it resolves fine too

; <<>> DiG 9.8.1-P1 <<>> @ns1.box.mybox.com mydomain.com A +m
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35578
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;mydomain.com. IN A
;; ANSWER SECTION:
mydomain.com. 1800 IN A 123.199.911.111
;; AUTHORITY SECTION:
mydomain.com. 1800 IN NS ns1.box.mybox.com.
mydomain.com. 1800 IN NS ns2.box.mybox.com.
;; Query time: 256 msec

But the status page in MIAB tells me this:

“Nameserver glue records are incorrect. The [ns1] and [ns2] nameservers must be configured at your domain name registrar as having the IP address [IP]. They currently report addresses of [Not Set]/[Not Set]. It may take several hours for public DNS to update after a change.”

and

The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar’s control panel to set the nameservers to [ns1]; [ns2]

I have not used DNSSEC before and several times removed all the records and tried setup several times. Even wiped all the DNS records and used a script to configure all my domains via CURL. Every domain works fine except for one!

As it's just a personal domain I have let this be for months, so the system has gone through several upgrades and many restarts.

Have tried anything I could think of but this domain is now unused and I would like to start using it.

Any help is much appreciated.

How long is (was) the TTL sent before you made the change? It might be that MIAB DNS has some old info cached?

As I said this started months ago, personally made no changes except for installing new updates of MIAB.

Can’t see how the cache has anything to do with it since it has been happening for months, but happy to try.

Flushed DNS cache on several clients and server without any change to the problem

Does MIAB work? Can you send/receive mail on the domain in question?

I know that I had the same error for several days with Status Check, but it worked fine anyway.

I don’t know where Status Check gets all of its information but maybe it is via some DNS server that seems to have cached your info for that domain for a long time.

Assuming you are using external DNS, have you tried using a different NameServer? Where did you set the glue records? (Maybe they have to be done at the registry level for the domain?)

Unless you tell us the domain name, I don’t think there is much anyone can do to help sort this out.

The domain is ‘devoer.com’ but as I said above all the external services can see the nameservers and IP only MIAB says they are not set so all enquiries die at the DNS level. MIAB is where my DNS is hosted and the registrar points correctly to my nameserver.

Since the domain cannot be resolved it is impossible to send email to it or connect a website.

The key I think is to find out why devoer.com won’t resolve. Are you hosting it on the same box as the mail server?

What is the name of your mail server? Is it box.businesspalz.com? Does mail for that work?

Your A record points at http://businesspalz.com as does your MX record.

Where is businesspalz.com hosted?

I set up a Linode web server and a Linode mail server as opposed having my mail server do other things besides mail. Since your mail server is handling the DNS for devoer.com there must be some setting or record somewhere that you are missing.

MIAB works for all my domains except for the one with the error.

With the domain name unable to be resolved it is obviously impossible to access mail for the devoer.com domain but all other domains and mail servers on MIAB work fine.

I obviously run my own DNS and mail servers on the same box which is the reason to use MIAB in the first place.

Where my box or websites are hosted has no relevance. Besides this DNS issue everything runs fine.

Only thing I can think of is that MIAB has some error/problem with its DNSSEC record for the devoer.com domain as my registrar only forwards to the MIAB nameservers and holds no other records for devoer.com.

So @RobDeVoer, nsd isn’t serving dns for devoer.com

dig @NS1.BOX.BUSINESSPALZ.COM devoer.com results in SERVFAIL.

I’d check /etc/nsd/zones/ to see if devoer.com.txt exists there.

Also, is there an email user or alias for devoer.com? If not, MIAB won’t generate the zone file for that domain, afaik.

That is correct @Cromulus all the leads point back to an issue in the NSD records that are being created and maintained by MIAB.

/etc/nsd/zone contains all the expected relevant files: devoer.com.txt, devoer.com.txt.ds and devoer.com.txt.signed.

Yep email addresses are also defined.

Have removed and recreated domain several times through admin interface and via CURL but it has never become active.

Currently the DNS entries for the devoer.com are set via MIAB following the addition of an email address…

Have you tried to re-run the setup utility: sudo mailinabox ?

When things get misconfigured or are not working for an unknown reason, I usually try this.

Many times, this domain has been non-functional for a year and MIAB has gone through several upgrades in that time.

There’s no longer a SERVFAIL error when you run:
dig @NS1.BOX.BUSINESSPALZ.COM devoer.com

And from what I can see, looks okay? Is it perhaps working now?

No, as I showed in my first post for this, the domain looks perfectly configured from the outside world.

The MIAB status check however remains to look like this:

devoer.com
✖
This domain’s DNSSEC DS record is incorrect. The chain of trust is broken between the public DNS system and this machine’s DNS server. It may take several hours for public DNS to update after a change. If you did not recently make a change, you must resolve this immediately by following the instructions provided by your domain name registrar and provide to them this information:

✖
The nameservers set on this domain are incorrect. They are currently [Not Set]. Use your domain name registrar’s control panel to set the nameservers to ns1.box.businesspalz.com; ns2.box.businesspalz.com.

✖
This domain’s DNS MX record is not set. It should be ‘10 box.businesspalz.com’. Mail will not be delivered to this box. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.


Postmaster contact address exists as a mail alias. [postmaster@devoer.com ↦ administrator@box.businesspalz.com]


Domain is not blacklisted by dbl.spamhaus.org.

✖
This domain should resolve to your box’s IP address (A 128.199.131.120) if you would like the box to serve webmail or a website on this domain. The domain currently resolves to [Not Set] in public DNS. It may take several hours for public DNS to update after a change. This problem may result from other issues listed here.

Yes, security conscious people may note that I am showing my IP and my domain name and my nameservers, I want to get this solved however and all of this is publicly listed info anyhow.

First off, your nameservers, IP address and domain are all public anyway. Posting that info here poses no more of a security risk than registering the domain in the first place.

So, it appears that the ssl certificate for devoer.com uses the wrong hostname: box.businesspalz.com instead of devoer.com. Try renewing the certificate in the admin panel.

Secondly, https://devoer.com produces a 404, which likely means something about your install is off. There should be an index.html file there.

Thirdly, http://dnssec-debugger.verisignlabs.com/devoer.com and http://dnsviz.net/d/devoer.com/dnssec/ indicate that your dnssec is incorrect. Likely due to the incorrect ssl cert being used, as above.

Can you ssh into the machine? Post the results of:
dig devoer.com
and
dig @8.8.8.8 devoer.com

I’m seeing correct responses from your nameserver on my end, but it could be the local configuration of your machine preventing the MX and nameserver checks from being successful.

There is no cert as it cannot be generated with devoer.com responding with a SERVFAIL.

Surprised you got a 404 on https://devoer.com, there is no cert and browsing to the domain always results in a DNS_RESOLUTION_ERROR for http and https. There is no site there yet so I am hoping to get a 404!

Yes, the DNSSEC gives an error (see above in MIAB status). I think the problem may have something to do with the DNSSEC error but do not know how to wipe it and recreate.

Dig results are identical.

$ dig devoer.com

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> devoer.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4689
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;devoer.com. IN A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 16 15:28:07 EST 2017
;; MSG SIZE rcvd: 39

$ dig @8.8.8.8 devoer.com

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> @8.8.8.8 devoer.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45362
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;devoer.com. IN A

;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 16 15:28:49 EST 2017
;; MSG SIZE rcvd: 39

OpenDNS: dig @208.67.222.222 devoer.com returns 128.199.131.120
Google DNS: dig @8.8.8.8 devoer.com returns SERVFAIL

Seems like your dns hasn’t propagated yet.

Additionally, it’s strange that your local dns on your MIAB server isn’t resolving devoer.com.
dig @128.199.131.120 devoer.com returns 128.199.131.120.

What is in /etc/resolv.conf?
Please paste cat /etc/resolv.conf

Also, have you modified /etc/hosts or anything in /etc/bind/

In the last hour have again deleted the mailboxes from MIAB and removed all traces of the domain, all DNS records were wiped, zone files deleted. Then created mailbox so MIAB recreated DNS. Same problem remains but yes the records should be propagating again.

I leave it up to MIAB to configure my domains so have not changed those files directly.


# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

Yes, your nameservers have yet to propagate:
https://www.whatsmydns.net/#NS/devoer.com

However, everything else looks good:
http://mxtoolbox.com/domain/devoer.com/

Perhaps your upstream dns servers haven’t yet gotten the propagated nameservers? Looks like google’s 8.8.8.8 and 8.8.4.4 are particularly slow on the uptake.

Beyond that, I’m at a loss.

All propagated but still not working. The SERVFAIL still happens.

Thanks for your help.
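
One way to narrow down the symptom discussed in this thread (the zone's own nameserver answers, while 8.8.8.8 and the box's local resolver return SERVFAIL), as an added example that is not part of any post: repeat the query with DNSSEC checking disabled (`dig +cd`) and compare the status in the header line. The function names are hypothetical and the `+cd` sample header is constructed; the other two header lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): tell a DNSSEC validation failure apart
# from a broken zone or delegation, using the status in dig's header line.

# Print the status field (NOERROR, SERVFAIL, ...) of dig output read on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify AUTH VALIDATING CD
#   AUTH        status when asking the zone's own nameserver directly
#   VALIDATING  status from a validating resolver
#   CD          status from the same resolver with checking disabled (dig +cd)
classify() {
    if [ "$1" != "NOERROR" ]; then
        echo "authoritative-server-problem"        # zone not served correctly
    elif [ "$2" = "NOERROR" ]; then
        echo "ok"
    elif [ "$3" = "NOERROR" ]; then
        echo "dnssec-validation-failure"           # compare DS at registrar with zone keys
    else
        echo "delegation-or-reachability-problem"  # fails even without validation
    fi
}

# Live use (needs network): diagnose DOMAIN NAMESERVER RESOLVER
diagnose() {
    a=$(dig "@$2" "$1" A | dig_status)
    v=$(dig "@$3" "$1" A | dig_status)
    c=$(dig +cd "@$3" "$1" A | dig_status)
    classify "$a" "$v" "$c"
}

# Header lines as quoted in the thread, plus one constructed +cd reply.
AUTH_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35578'
VAL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45362'
CD_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345'  # constructed

# Offline run over the samples above.
classify_samples() {
    classify "$(printf '%s\n' "$AUTH_SAMPLE" | dig_status)" \
             "$(printf '%s\n' "$VAL_SAMPLE" | dig_status)" \
             "$(printf '%s\n' "$CD_SAMPLE" | dig_status)"
}

classify_samples
```

Against a live domain the call would be `diagnose devoer.com ns1.box.businesspalz.com 8.8.8.8`; the result for the sample data depends on the constructed `+cd` header and is not a finding from the thread.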