Strange Issue with nameservers and subdomains [solved]

I have an important client, a fairly large Family History Society, that I am having some serious DNS issues with.

For several years I had been using ClouDNS as a secondary nameserver but just recently I switched to puck.nether.net and set up a custom secondary nameserver. I cancelled the account with ClouDNS and removed all their nameservers/IPs from MIAB as well as the references to allow-notify and allow-transfer from the bind config options. I replaced those references with Puck’s IP addresses (A and AAAA). Every other domain I host through MIAB except this one and one other accepted the new secondary nameserver with no problems. I have tried any number of configurations to try and create new subdomains, but they refuse to propagate.

Digger.tools shows the following for berksfhs.org, the domain with the issues:

Digger.tools shows the following for larleegenealogy.org, a domain that shows the correct nameservers:

I have DNSSEC disabled for all the domains managed by MIAB. If I can’t resolve this issue, I may need to find another DNS solution at least for that client. Is there something I am missing? Any help would be appreciated. Thank you.

Hi Heather,

Hope that you’ve been well!

I am noticing a discrepancy at the domain registrar with the listed name servers.

WHOIS is returning: (for larleegenealogy.org)

Name Server: ns1.emmons.uniquelyyoursmail.com
Name Server: puck.nether.net
Name Server: ns3.goodine.uniquelyyoursmail.us

I think that you actually want:

Name Server: ns1.emmons.uniquelyyoursmail.com
Name Server: ns3.emmons.uniquelyyoursmail.com

But wait. I am confused now as that is the domain you said is working…

For the other domain, berksfhs.org, I see that both puck and emmons are listing the name servers as being cloudns.

I think maybe I should look at this again tomorrow, but you’re likely looking for a discrepancy with WHOIS, or secondary NS as listed on the box.

IIRC you run just one mail server, right? So what is goodine? That subdomain doesn’t resolve. But again this is on the domain you said is ok …

Thanks for the reply Alento. Thank you for pointing out the discrepancy with larleegenealogy.org. I have corrected the nameservers at the registrar.

The issue is with berksfhs.org. That is the domain that I can’t add subdomains to in MIAB. To clarify, this is what ICANN shows for berksfhs.org:

However, this is what MIAB Status Checks shows for berksfhs.org:

Note the first line showing the nameservers. Those ClouDNS nameservers are also what digger.tools and nslookup.io (citing both Cloudflare and Google) show for nameservers. THAT is what I don’t understand. I need to know why that is happening and what I can do to get MIAB to show the correct information. MIAB also intermittently shows MX errors even though I have it set correctly at the registrar.

The client requires additional subdomains and the situation is becoming critical; however, when I create one in MIAB under custom DNS, it never propagates and remains unusable. This situation has been ongoing for some time and it really needs to be resolved.

I hate to ask the obvious, but well, let’s start there. Are you sure that the Secondary Nameservers have been updated on the Custom DNS page?

Next, check the custom.yaml file in /home/user-data/dns

Are there any entries that do not belong there for that domain? If so, clean it up and then run the management/dns_update.py script.

From bind named.conf.options:
allow-transfer { 204.42.254.5; 2602:fe55:5::5; };
also-notify { 204.42.254.5; 2602:fe55:5::5; };

I checked, but also ran the script. These are all the entries specific to berksfhs.org:
From custom.yaml:
Line 26: berksfhs.org:
Line 33: shop.berksfhs.org:
Line 34: CNAME: berksfhs.org.
Line 36: dev.berksfhs.org:
Line 40: k1._domainkey.berksfhs.org:
Line 52: nas.berksfhs.org:
Line 53: CNAME: berksfhs1.dsmynas.org.
Line 54: yourtrees.berksfhs.org:
Line 55: CNAME: berksfhs1.dsmynas.org.
Line 65: baptisms.berksfhs.org:
Line 66: CNAME: berksfhs1.dsmynas.org.
Line 67: burials.berksfhs.org:
Line 68: CNAME: berksfhs1.dsmynas.org.
Line 69: marriages.berksfhs.org:
Line 70: CNAME: berksfhs1.dsmynas.org.
Line 72: banns.berksfhs.org:
Line 73: CNAME: berksfhs1.dsmynas.org.
Line 78: em911022.berksfhs.org:
Line 80: s911022._domainkey.berksfhs.org:
Line 175: digistore.berksfhs.org:
Line 189: www.berksfhs.org: 139.59.174.176
Line 190: _dmarc.berksfhs.org:
Line 192: link.berksfhs.org:
Line 219: marrtemp.berksfhs.org: 139.59.174.176
Line 220: ‘*.berksfhs.org’: 139.59.174.176

I also decided to do some further record checking for dnskeys. Here is the info provided by powerdmarc.com:

I have some further information that I received from my registrar, NetEarthOne, after I contacted them for help with this issue. They sent me a link to the following:
intoDNS: berksfhs.org - check DNS server and mail server health. That link shows the following errors:

The thing is, those nameservers are NOT anywhere at the registrar either on the uniquelyyoursmail.com domain (the primary MIAB domain), OR anywhere on berksfhs.org. All is as you can see in my screenshots above.

Can anyone please help me figure out what is going on?

I see at the registrar you have configured ns1.emmons.uniquelyyoursmail.com and ns3.emmons.uniquelyyoursmail.com. I assume this is what you want, and that your DNS server at ns1.emmons.uniquelyyoursmail.com should only use ns3.emmons.uniquelyyoursmail.com as external DNS server.

It looks like your dns server at ns1.emmons.uniquelyyoursmail.com does not properly take over the configured secondary DNS servers, even though it looks ok in the screenshot.
Can you:

  • Check custom.yaml for the line starting with _secondary_nameserver: (also include next lines if they are indented)
  • Check the dns file /etc/nsd/zones/berksfhs.org.txt
  • If you run sudo ./tools/dns_update --force do the contents of the /etc/ file change?
  • If not, check the output of sudo journalctl -u mailinabox and look for reported errors.

If you still come up with nothing after running the steps that @KiekerJan suggested, how about letting me SSH in and poke around? @HeatherFeuer

This is like a 3 cent error in accounting. It surely is something obvious that just doesn’t stand out until a second set of eyes looks …

@HeatherFeuer took me up on my offer. @KiekerJan

After going through things I discovered that nsd was restarting, but not properly restarting as there was an error in creation of the DS records for the zone.txt.signed file. This error was preventing nsd from reloading with updated zone records when there was a change, and consequently it was not publishing the updated records.

I discovered this by running service nsd status. The output showed the error in specific lines of the zone.txt.signed file.

Here is the specific output:

Feb 15 21:55:37 emmons.uniquelyyoursmail.com nsd[128569]: [2025-02-15 21:55:37.182] nsd[128569]: error: berksfhs.org.txt.signed:343: CNAME and other data at the same name

The error output suggested that there was both an A record and a CNAME record present. I then discovered that this was indeed the case. One of the subdomains in use had both records.

Once the duplicate records were resolved, the zone file properly updated, and voilà.

Thanks for the update. I assume this was caused by a custom DNS entry? Perhaps a nice check to add as validation when creating custom DNS entries…

I have had double custom entries but never this sort of issue. And duplicate entries are allowed, I mean they don’t produce an error.

Yes, MiaB allowed both an A record and a CNAME for the same subdomain.

In some cases that is fine … TXT records for instance, or NS records.

But a definite no no for A/CNAME records for the same subdomain.

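The failure Alento found (an A record and a CNAME at the same owner name, which makes nsd reject the signed zone and silently keep serving the stale one) and the validation KiekerJan suggests can both be caught before nsd ever sees the zone. The following is an added example written for this thread; it is not Mail-in-a-Box code and the project has no such check. It assumes the record map that custom.yaml deserialises to has the shape visible in Heather's grep output (name → bare address string, or name → {TYPE: value}), treats the zone file as plain RFC 1035 presentation format with one fully qualified owner per line, and uses constructed sample data in place of the real berksfhs.org records. The exception list follows RFC 1034 §3.6.2 as amended by DNSSEC: only RRSIG, NSEC and NSEC3 may sit beside a CNAME.

```python
"""Detect the 'CNAME and other data at the same name' condition before nsd does.

Added example, not Mail-in-a-Box code. A name that owns a CNAME may own no other
records (RFC 1034 §3.6.2); DNSSEC's RRSIG/NSEC/NSEC3 are the only exceptions.
nsd refuses to load a zone that violates this, which is the failure described in
the thread. Two checks are shown: one over the mapping that
/home/user-data/dns/custom.yaml deserialises to (shape assumed from the thread),
and one over a zone file in presentation format, reporting the line at which the
collision becomes visible, as nsd does.
"""
from collections import defaultdict
import ipaddress

# Record types that may legally coexist with a CNAME at the same owner name.
CNAME_COMPATIBLE = {"RRSIG", "NSEC", "NSEC3"}


def _custom_value_types(value):
    """Map one custom.yaml entry to the set of record types it defines."""
    if isinstance(value, str):
        # Bare address shorthand: AAAA if it parses as IPv6, otherwise A.
        try:
            return {"AAAA" if ipaddress.ip_address(value).version == 6 else "A"}
        except ValueError:
            return {"A"}
    if isinstance(value, dict):
        return {t.upper() for t in value}
    raise TypeError(f"unsupported custom.yaml value: {value!r}")


def find_cname_conflicts(custom):
    """Return {owner: sorted types} for every owner holding a CNAME plus other data."""
    types_at = defaultdict(set)
    for name, value in custom.items():
        if name.startswith("_secondary_nameserver"):
            continue  # MIAB setting, not a DNS record
        types_at[name.lower().rstrip(".")] |= _custom_value_types(value)
    return {
        owner: sorted(types)
        for owner, types in types_at.items()
        if "CNAME" in types and (types - CNAME_COMPATIBLE - {"CNAME"})
    }


def find_zone_conflicts(zone_text):
    """Scan a presentation-format zone; return [(line_no, owner)] per conflict.

    Assumed format: 'owner [ttl] [IN] TYPE rdata...' with fully qualified owner
    names (what MIAB writes); comments and $-directives are skipped.
    """
    types_at = defaultdict(set)
    reported = set()
    conflicts = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".")
        # Drop an optional numeric TTL and class token to reach the type field.
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
        types_at[owner].add(rest[0].upper())
        other = types_at[owner] - CNAME_COMPATIBLE - {"CNAME"}
        if "CNAME" in types_at[owner] and other and owner not in reported:
            reported.add(owner)
            conflicts.append((line_no, owner))
    return conflicts


# Constructed sample data mirroring the shape seen in the thread, not the real file.
SAMPLE_CUSTOM = {
    "berksfhs.org": {"A": "139.59.174.176"},
    "shop.berksfhs.org": {"CNAME": "berksfhs.org."},
    "nas.berksfhs.org": {"CNAME": "berksfhs1.dsmynas.org."},
    "www.berksfhs.org": "139.59.174.176",
    "*.berksfhs.org": "139.59.174.176",
    "_dmarc.berksfhs.org": {"TXT": "v=DMARC1; p=none"},
    # The kind of mistake the thread found: same owner, both A and CNAME.
    "dev.berksfhs.org": {"A": "139.59.174.176", "CNAME": "berksfhs.org."},
}

SAMPLE_ZONE = """\
$ORIGIN berksfhs.org.
$TTL 86400
berksfhs.org.       IN SOA   ns1.emmons.uniquelyyoursmail.com. hostmaster.berksfhs.org. 2025021501 7200 3600 1209600 86400
berksfhs.org.       IN NS    ns1.emmons.uniquelyyoursmail.com.
dev.berksfhs.org.   IN A     139.59.174.176
dev.berksfhs.org.   IN CNAME berksfhs.org.   ; collides with the A record above
shop.berksfhs.org.  IN CNAME berksfhs.org.
"""

if __name__ == "__main__":
    for owner, types in find_cname_conflicts(SAMPLE_CUSTOM).items():
        print(f"custom.yaml: {owner} has a CNAME alongside {types}")
    for line_no, owner in find_zone_conflicts(SAMPLE_ZONE):
        print(f"zone:{line_no}: CNAME and other data at the same name ({owner})")
```

Running `find_cname_conflicts` over the real custom.yaml (loaded with a YAML parser) only catches collisions among custom entries; MIAB also generates records of its own (the www and wildcard A records are typical), so the zone-file check over /etc/nsd/zones/berksfhs.org.txt is the one that sees the same picture nsd sees. Either way the point is the same: check the zone before the reload, because a rejected zone leaves the old data in service and nothing in the web UI says so.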