Amazon SES domain verification always fails - amazon-web-services

I've been trying for months to verify my domain with Amazon Web Services so that I can use Amazon SES to send emails. Verification fails every time. I've retried about 35 times. Each time it fails.
I've added a TXT record to my DNS. It looks like:
When I run:
nslookup -type=ns redmatterapp.com
I see:
redmatterapp.com nameserver = ns-1546.awsdns-01.co.uk.
redmatterapp.com nameserver = ns-692.awsdns-22.net.
redmatterapp.com nameserver = ns-1471.awsdns-55.org.
When I run:
nslookup redmatterapp.com ns-692.awsdns-22.net
I see:
Server: ns-692.awsdns-22.net
Address: 205.251.194.180#53
Name: redmatterapp.com
Address: 52.27.95.103
When I run:
nslookup -type=TXT redmatterapp.com ns-692.awsdns-22.net
I see:
Server: ns-692.awsdns-22.net
Address: 205.251.194.180#53
*** Can't find redmatterapp.com: No answer
Shouldn't I be able to see the TXT record?

You're creating the DNS record in a place where nobody but you can actually see it... on a set of name servers that you aren't actually using to host the DNS for this domain.
Your domain is evidently registered with Register365, but your authoritative name servers are actually AWS Route 53 name servers (e.g. ns-692.awsdns-22.net).
Any entries you make in the registrar's DNS record management console will have no effect at all if the registrar's DNS servers aren't the ones your domain is actually using... and that appears to be the case here.
Registrars have, in my opinion, confused this issue for many people by bundling free authoritative DNS hosting with paid name registration services, even though these are rightfully two independent service offerings.
At some point, you switched your DNS hosting over to Route 53, and for this reason, Route 53 is where you need to create this new record. In the Route 53 console, find the Hosted Zone for this domain with matching name servers, and add this record there.
Your nslookup should start working as expected and SES should have no trouble validating your record, after that.
In the interest of not confusing future readers, the reason this entry goes in Route 53 is not because of any necessary connection between SES and Route 53. The fact that these are both AWS services is coincidental. The reason this is the fix is simply because Route 53 is who you have already -- at some point in the past -- chosen as your authoritative DNS hosting provider.

Related

AWS route53 and dns setup

I registered a domain with AWS and set up a Hosted Zone.
Inside the hosted zone I have NS with 4 records and SOA as a record type.
I added an A record type and pointed it to the EC2 public IP.
In the browser I cannot get a response when I type the domain name. I got "This site can’t be reached".
I searched here and some people advised to check NS with the dig command.
The dig command answered when I ran it on EC2 Ubuntu but didn't get a response when run on my laptop.
I have other sites on Route 53 but the new one doesn't work.
Any thoughts?
How did you register the domain? Did you purchase it from a website and pay for it?
From what you said, it seems the FIRST thing you did was creating a Hosted Zone in Route 53. Let me explain.
Usually when we purchase a domain from another website, after paying for it and everything we will need to tell the Domain Registrar to use the Name Servers and input a value like ns1.abcdomain.com and ns2.abcdomain.com. The purchase of a domain name usually comes with a free DNS service, so it will already have valid name servers defined.
If my guess is correct, you created a hosted zone in AWS Route 53 without actually paying and registering a domain with a registrar (AWS is also a registrar). Therefore the domain only exists in the AWS world because you created a Hosted Zone.
This explains why running dig on your EC2 provided the expected IP, because somewhere along the line the EC2 reaches AWS internal Route53 DNS service before reaching the public internet for DNS result.
If you indeed paid AWS something like $12 to purchase a domain, you might have misunderstood their interface (which can be confusing sometimes) and missed appointing Route 53 to be the domain's Name Servers.

Unable to issue Let's Encrypt certificate for AWS Route 53 domain

I have a DigitalOcean droplet with Dokku running on it. I also have an AWS Route 53 hosted zone (the domain was registered elsewhere, I changed the name servers to Route 53). In that hosted zone I have created an A record pointing to my droplet.
The A record seems to work fine (I can access my Dokku container from Postman by domain):
I am now trying to issue a Let's Encrypt certificate for my domain. I'm using dokku-letsencrypt for this. However, I'm receiving the following error:
CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains' DNS entries, your host's network/firewall setup and your webserver config. If a domain's DNS entry has both A and AAAA fields set up, some CAs such as Let's Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let's Encrypt won't issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5705758732
Challenge validation has failed, see error log.
The link provided by the error contains this:
DNS problem: SERVFAIL looking up A for gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning
I performed a query on unboundtest.com and the response is kinda cryptic to me, but these are the last lines:
Jul 06 18:40:21 unbound[5640:0] info: Missing DNSKEY RRset in response to DNSKEY query.
Jul 06 18:40:21 unbound[5640:0] info: Could not establish a chain of trust to keys for bloberenober.dev. DNSKEY IN
Jul 06 18:40:21 unbound[5640:0] info: 127.0.0.1 gmail-bot.bloberenober.dev. A IN SERVFAIL 6.743746 0 44
full report
I did some research and found out that DNSKEY records are part of DNSSEC, and apparently it is not supported by Route 53 for existing domains:
Amazon Route 53 supports DNSSEC for domain registration. However, Route 53 does not support DNSSEC for DNS service, regardless of whether the domain is registered with Route 53. If you want to configure DNSSEC for a domain that is registered with Route 53, you must either use another DNS service provider or set up your own DNS server.
source
I have also tried running certbot manually and added a TXT record to my hosted zone, but received the similar error:
Failed authorization procedure. gmail-bot.bloberenober.dev (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up TXT for _acme-challenge.gmail-bot.bloberenober.dev - the domain's nameservers may be malfunctioning
The domain in question is gmail-bot.bloberenober.dev
What am I doing wrong? Can I even issue a Let's Encrypt certificate for this case?
I solved this issue by changing my DNS service provider to CloudFlare instead of Route 53. They provide DNSSEC support and a generic SSL certificate out of the box which was enough for my needs, so in the end I didn't need to issue a Let's Encrypt certificate at all.

Domain name not showing up in DNS

It's been a couple of days since I transferred my domain name from one AWS to another--dev environment to production. The problem is, the domain name isn't showing up in any DNS (Amazon or Google). I'm pretty sure I've configured the hosted zone correctly.
I'm also trying to verify SES, which is failing, and I also set MX records (Gmail) which don't work. The MX records and SES were set a couple of days ago. Additionally, I created an A record to point to an Elastic Load Balancer DNS name.
Any suggestions on what might be the problem? It's been a couple of days, and from past StackOverflow posts as well as past experience, DNS propagation on Amazon's servers doesn't take more than 15 minutes.
EDIT:
Here is a timeline of events which can provide more information:
I had a domain abc.com on AWS account user1
The domain was transferred to AWS account user2
As of right now, the following hosted zone is created on user2's account:
The one thing this record set is missing is a CNAME to the load balancer which I had setup when the domain belonged to user1. However my understanding is that an A record should be good enough and it was a mistake on my part.
I'm using Windows and so I've flushed my DNS. I've tried looking up using AWS's DNS servers and Google's DNS server and nothing.
C:\>nslookup abc.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
*** google-public-dns-a.google.com can't find abc.com: Server failed
It's been a couple of days since the domain was transferred. MX records were something I setup immediately and so I haven't gotten an email. If the DNS doesn't have any clue about the domain name, something must be wrong.
NOTE: The domain name is obfuscated to abc.com.
As suggested by #michael-sqlbot, the name servers were different in the console and hosted zone. I updated the name servers to the NS of the hosted zone. I see DNS propagation.
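The SES thread at the top of this page and this one share a root cause: a record is typed into one provider's console while the parent zone delegates the domain to a different set of name servers. As an added Python example (not code from either poster), this offline diagnostic compares the delegated NS set with the registrar's, then looks for the verification TXT record only where the delegation points; the registrar host names, the token value and the fixed "delegation" view are assumptions.

```python
from typing import Callable, Dict, List, Tuple

# A resolver answers (qname, qtype, server) with a list of record strings;
# the pseudo-server "delegation" stands for the NS set the parent zone hands out.
Resolver = Callable[[str, str, str], List[str]]

# Constructed sample modelled on the SES question: the parent delegates
# redmatterapp.com to Route 53, but the verification TXT was typed into the
# registrar's DNS console (registrar host names are hypothetical).
ROUTE53_NS = ["ns-1546.awsdns-01.co.uk", "ns-692.awsdns-22.net", "ns-1471.awsdns-55.org"]
REGISTRAR_NS = ["ns1.registrar.example", "ns2.registrar.example"]
SES_TOKEN = "constructed-ses-verification-token"
SAMPLE: Dict[str, Dict[Tuple[str, str], List[str]]] = {
    "delegation": {("redmatterapp.com", "NS"): ROUTE53_NS},
    **{ns: {("redmatterapp.com", "A"): ["52.27.95.103"]} for ns in ROUTE53_NS},
    **{ns: {("redmatterapp.com", "TXT"): [SES_TOKEN]} for ns in REGISTRAR_NS},
}

def make_resolver(view: Dict[str, Dict[Tuple[str, str], List[str]]]) -> Resolver:
    """Offline stand-in for nslookup/dig over a fixed view; [] means 'No answer'."""
    return lambda qname, qtype, server: view.get(server, {}).get((qname, qtype), [])

def diagnose(domain: str, record_name: str, expected: str,
             registrar_ns: List[str], resolve: Resolver) -> Dict[str, object]:
    """Look for the record where SES will look: on the delegated (authoritative)
    servers, and compare them with the servers the registrar console manages."""
    authoritative = resolve(domain, "NS", "delegation")
    on_auth = {ns: expected in resolve(record_name, "TXT", ns) for ns in authoritative}
    on_registrar = {ns: expected in resolve(record_name, "TXT", ns) for ns in registrar_ns}
    registrar_is_authoritative = set(registrar_ns) == set(authoritative)
    if authoritative and all(on_auth.values()):
        verdict = "ok: record visible on every authoritative server"
    elif any(on_registrar.values()) and not registrar_is_authoritative:
        verdict = "record exists only at the registrar, which is not authoritative; create it at the delegated provider"
    else:
        verdict = "record missing on the authoritative servers"
    return {"authoritative_ns": authoritative,
            "registrar_is_authoritative": registrar_is_authoritative,
            "record_on_authoritative": on_auth,
            "record_on_registrar": on_registrar,
            "verdict": verdict}

if __name__ == "__main__":
    result = diagnose("redmatterapp.com", "redmatterapp.com", SES_TOKEN,
                      REGISTRAR_NS, make_resolver(SAMPLE))
    print(result["verdict"])
```

Against live DNS, replace make_resolver with a function that queries the parent (or a recursive resolver) for NS and each listed server directly for TXT, exactly as the nslookup commands in the question do.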

Where do I modify the nameservers for my domain when no service "takes responsibility"?

I think I may have made a mistake when migrating my DreamHost registered domain to Amazon's Route 53 service. I didn't modify the DNS settings on DreamHost's end during the migration. So now, my DreamHost DNS panel says the following:
Change example.com's whois nameservers
To modify your domain's whois information, please visit the registrar you registered example.com with (looks like it's not us!)
Even though the domain is originally registered with them. Now Route 53 has (apparently) completely taken over the domain, and I have the following delegation set:
ns-567.awsdns-06.net
ns-1362.awsdns-42.org
ns-387.awsdns-48.com
ns-1717.awsdns-22.co.uk
But, I also get the following message:
Before the Domain Name System will start to route queries for this domain to Route 53 name servers, you must update the name server records either with the current DNS service or with the registrar for the domain, as applicable.
Amazon does their domain stuff through Gandi, but I am not given a handle to log in to their service. So who is this "registrar" the message tells me about? Is it Amazon or Dreamhost?
At the moment, if I whois example.com I get the following nameservers:
ns1.dreamhost.com
ns2.dreamhost.com
ns3.dreamhost.com
What to do?
It looks like you properly told dreamhost (who is the registrar for your domain), that route53/aws will handle DNS traffic for you - that is 1/2 of what you need to do.
The other half is you need to setup your domain in route53(aws), not Gandi. Basically you told dreamhost that r53 will handle it, but you haven't yet told r53 how to handle it.
This document may help:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html

How to move a domain from Godaddy to AWS Route 53

Since Godaddy went down for some hours my client and I are very upset and want to change everything to AWS.
Everything is done so far, only the domains (blablabla.com) are missing, I'm having a hard time trying to migrate from godaddy to Route 53, Do I have to remove from one and create from scratch from AWS?
Does anyone have any experience on how to do this?
The solution:
Login on your aws console;
Click on Route 53;
Create Hosted Zone;
Select your new created host title and click "Go to Record Sets", take note of the nameservers;
Login on your Godaddy account;
Select your domain;
Go to Nameservers and click SetNameservers;
paste all the four you took from "Go to Record Sets" Route 53;
and that's it..., you don't have to rely on this horrible service Godaddy provides anymore
You can transfer the domain registration to AWS Route 53.
You have to "unlock" the account.
Log On to Go Daddy.
Go to Domain Details Then Settings:
Lock: Set to Off
Authorization Code: Email My Code
Route 53 will need the authorization code to complete the transfer request.
Here are the steps to migrate your internet domain name to AWS route 53 (DNS Manager).
** Be careful where your mail server is hosted, either in the Godaddy mail service, Gmail (gsuite) or in your Cpanel server (VPS/Server).
** To empower your Domain DNS capabilities, you need to transfer the name servers, DNS records and domain name to AWS Route 53; that's why it's recommended to move to AWS Route 53. You can keep GoDaddy as the owner of your yourdomain.com and manage your DNS by Route 53.
STEPS:
Go to Godaddy DNS records and understand each of them and note them (Take a screenshot)
Go to AWS Route 53, create a Public Hosted Zone (create your domain on AWS Route 53). Here is a good tutorial about it:
https://www.clickittech.com/aws/migrate-godaddy-to-aws-route53/
Copy your GoDaddy DNS records into your Public Hosted Zone previously created. Remember, each record needs to exist in the new AWS zone.
Change your Name Servers to AWS Route 53. What does that mean? In order to allow AWS Route 53 to manage your domain, DNS records, etc. you need to change your actual GoDaddy Name Server (NS) Records to AWS Records.
Go to Godaddy admin Panel and Login
Go to DNS Management
Under Name Servers Click on Change - > Custom - > Change Name Servers
You need to change from NSx.domaincontrol.com to the AWS Name servers.
More info: https://www.clickittech.com/aws/migrate-godaddy-to-aws-route53/
After 4-8 hours your Name Servers will be reflected and propagated around your country, world and networks.
Practically you are done with this.
Additionally, if you need to migrate your website or web app to AWS go to this tutorial, great explanation, see below:
https://www.clickittech.com/aws-migration/transfer-domain-aws-migrate-move-website-aws/
The answer from The Poet above is good for moving everything, but it will also kill your email service with GoDaddy. If you want to keep the email servers running at GoDaddy, you will also need to get your MX email servers and their priority numbers. Mine looked like this...
0 smtp.secureserver.net
10 mailstore1.secureserver.net
Take these over to your Route53 settings, click Create Record Set, choose a type of MX Mail Exchange, and paste these values in (with the number in the front as shown above). Save the record set.
Also PJT was correct; all domain info in Route53 ends with an extra period for some reason specific to AWS, but don't worry about it--it doesn't affect production behavior. When you copy your four from Route53 to paste in GoDaddy's Name Servers, you will need to do them one at a time and trim off the extra period at the end.
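As an added Python example (not code from any of the answers), the MX and trailing-dot points above turned into a small converter: it reads a constructed registrar-style export and builds the ChangeBatch document that the Route 53 ChangeResourceRecordSets API accepts (one record set per name and type, MX priority kept inside the value, names fully qualified with the trailing dot), and strips that dot again when a name server name is pasted back into GoDaddy. The A and CNAME sample entries and the zone name example.com are assumptions.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of a GoDaddy record export. The MX lines
# reuse the priorities and hosts quoted in the answer above; the A and CNAME
# entries are made up. Format per line: <name> <type> <value...>
SAMPLE_EXPORT = """
@ A 203.0.113.10
www CNAME @
@ MX 0 smtp.secureserver.net
@ MX 10 mailstore1.secureserver.net
"""

def fqdn(name: str, zone: str) -> str:
    """Route 53 stores every name fully qualified, with a trailing dot."""
    zone = zone.rstrip(".") + "."
    if name in ("@", ""):
        return zone
    return name if name.endswith(".") else f"{name}.{zone}"

def strip_trailing_dot(host: str) -> str:
    """Registrar consoles such as GoDaddy reject the dot Route 53 appends to NS names."""
    return host.rstrip(".")

def build_change_batch(export_text: str, zone: str, ttl: int = 300) -> Dict:
    """Group one record set per (name, type), as ChangeResourceRecordSets requires:
    both MX hosts land in a single set, each value keeping its priority."""
    sets: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in export_text.strip().splitlines():
        name, rtype, *value = line.split()
        if rtype in ("CNAME", "NS") and len(value) == 1:
            value = [fqdn(value[0], zone)]  # targets are host names, qualify them too
        sets[(fqdn(name, zone), rtype)].append(" ".join(value))
    return {"Comment": "migrated from registrar export", "Changes": [
        {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}}
        for (name, rtype), values in sets.items()]}

if __name__ == "__main__":
    print(json.dumps(build_change_batch(SAMPLE_EXPORT, "example.com"), indent=2))
```

The printed document is what `aws route53 change-resource-record-sets --change-batch file://batch.json` expects; review it against the screenshot of the old records before applying it.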
If you want to migrate your DNS records to Route 53, you'll need to export them from GoDaddy and recreate them manually in Route 53.
To do this in one automated step, consider a DNS migration tool such as DNSTools.ninja, as outlined here: https://dnstools.ninja/migrate-bind-aws-route53-safely-3-commands/
Be careful with google mx records if you have them.
Why switch to route 53?
AWS Route 53 doesn’t limit you to 64 subdomains.
AWS allows you to host buckets with Route 53.
It all comes at 50 cents/month.
AWS Nameservers
Now to answer your question, you need move the name servers to route 53. That means in godaddy name server section should be filled with aws name servers.
See the steps here.
https://metamug.com/article/dns-migrate-godaddy-to-route-53.php
The detailed steps to transfer the domain registrar from GoDaddy to Route 53 are given at https://cloudopian.com/blog/how-to-transfer-domain-registrar-from-godaddy-to-amazon-route-53/
Remember, you first need to transfer your name servers by creating a hosted zone in Route 53 and pointing your GoDaddy-hosted domain to use Route 53's name servers instead of its own name servers.