Problem with nameservers

Discussion in 'Installation/Configuration' started by tonytroy, Oct 16, 2019.

  1. tonytroy

    tonytroy Member

    Hi there,

    I've just installed a fresh new server with Debian 10 and ISPConfig, following https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/

    I added DNS zones for my websites and tried to change their DNS conf in the registrar setup to attach them to my new server. It works fine with .com TLDs but with .fr TLDs I get an error message saying "NAMESERVERS VALIDATION FAILED - The nameserver doesn't exist".

    The DNS is sd-133392.dedibox.fr and if I try a host on this, I get the good IP address. If I try a host on the IP address I get the good nameserver. So I'm kind of lost.

    Does someone have an idea how to fix this? Or a starting point to look for?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. tonytroy

    tonytroy Member

    Hey Taleman,

    Thanks for your answer.
    As I said, the host command returns good information on the IP address and on the nameservers.
    Bind is active and running, dig with @localhost on the domain name returns the good nameservers & IP address, the reverse is set, and so are /etc/hosts and /etc/hostname (server was rebooted after that).

    I'm asking for help here because I've already tested all those things with no clue. I can't find the origin of the problem.
    The only idea I have left is, as the reverse was set yesterday morning, maybe it still needs time (but 24 hours should be more than enough).
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Not sure if I remember correctly, the .fr registry might enforce dnssec?
     
    Last edited: Oct 16, 2019
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    At what point do you get that error message "NAMESERVERS VALIDATION FAILED - The nameserver doesn't exist"?
    If you have two name servers and use the same nameservers for all your domains, how could it not work?
    Are you using hostname or IP-number when giving the name server for the registration?
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I tested myself:
    Code:
    $ host sd-133392.dedibox.fr
    sd-133392.dedibox.fr has address 195.154.104.120
    $ host dedibox.fr sd-133392.dedibox.fr
    Using domain server:
    Name: sd-133392.dedibox.fr
    Address: 195.154.104.120#53
    Aliases:
    
    Host dedibox.fr not found: 5(REFUSED)
    $ dig @sd-133392.dedibox.fr dedibox.fr
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> @sd-133392.dedibox.fr dedibox.fr
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61083
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dedibox.fr.            IN    A
    
    ;; Query time: 63 msec
    ;; SERVER: 195.154.104.120#53(195.154.104.120)
    ;; WHEN: Wed Oct 16 11:14:26 EEST 2019
    ;; MSG SIZE  rcvd: 39
    
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    According to https://www.afnic.fr/fr/produits-et-services/services/dnssec-21.html
    it seems DNSSEC is not mandatory yet, but AFNIC promotes it heavily.
    Same thing with the Finnish authority, in September they started encouraging adoption of DNSSEC. I'm thinking of either setting up my nameservers differently or waiting for ISPConfig 3.2 to start using DNSSEC.
     
  8. tonytroy

    tonytroy Member

    I get the error message saying the sd-133392.dedibox.fr nameserver doesn't exist when I try to change DNS for a .fr domain name in my registrar's interface (internetbs). When I change DNS for a .com domain name, it works.

    For all my domain names I use sd-133392.dedibox.fr as NS1 and nssec.online.net as NS2 (because I cannot add only one DNS, it requires 2 at least). It works with .com but not with .fr.

    sd-133392.dedibox.fr is my second server, my first one sd-59739.dedibox.fr works the same way (ISPConfig 3), except .fr are passing through validation on this one (with sd-59739.dedibox.fr as NS1 and nssec.online.net as NS2).
    What I need to do is migrate all websites from my old server (sd-59739) to my new one (sd-133392) but I can't because I'm not able to modify DNS of domains with .fr TLDs.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The error message is correct. That name server does not answer queries about dedibox.fr.
    Code:
    $ host dedibox.fr sd-133392.dedibox.fr
    Using domain server:
    Name: sd-133392.dedibox.fr
    Address: 195.154.104.120#53
    Aliases:
    
    Host dedibox.fr not found: 5(REFUSED)
    
    Does the host command return an answer if you query for your something.com domain?
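
The check Taleman runs by hand above, as an added example that is not part of any post in this thread: a small shell function that reads saved `dig` output and reports whether the server refused the query, answered with authority (`aa` flag), or answered without it. The function name and the second sample reply are constructed for illustration; the first sample is the header from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a saved `dig` reply by status and the "aa" flag.

classify_dig_reply() {
    # Reads dig output on stdin and prints one verdict word.
    awk '
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61083"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # ";; flags: qr aa rd; QUERY: 1, ..." -> keep only "qr aa rd"
            flags = $0
            sub(/^;; flags: */, "", flags)
            sub(/;.*/, "", flags)
            aa = ((" " flags " ") ~ / aa /)
        }
        END {
            if (status == "")                    print "no-reply"
            else if (status == "REFUSED")        print "refused"
            else if (status == "SERVFAIL")       print "servfail"
            else if (status == "NOERROR" && aa)  print "authoritative"
            else if (status == "NXDOMAIN" && aa) print "authoritative-nxdomain"
            else                                 print "not-authoritative"
        }
    '
}

# Header lines copied from the dig output quoted in the thread.
REFUSED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61083
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available'

# Constructed sample: a reply from a server that hosts the queried zone.
AUTH_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1'

printf '%s\n' "$REFUSED_REPLY" | classify_dig_reply
printf '%s\n' "$AUTH_REPLY"    | classify_dig_reply

# Live use (placeholder names):
#   dig +norecurse @ns1.example.fr example.fr SOA | classify_dig_reply
```

Run it against a zone the server is actually meant to host; a server that is not configured for the queried zone is expected to return `refused`.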
     
  10. tonytroy

    tonytroy Member

    I'm not sure dedibox.fr is supposed to answer. If you try "host dedibox.fr sd-59739.dedibox.fr" you'll have the same error, however sd-59739.dedibox.fr works perfectly with adding DNS of .fr domain names on internetbs as I said.

    $ host something.com
    returns
    something.com mail is handled by 10 spam.lanline.com.

    I also tried on both servers (sd-59739 and sd-133392) this command:
    $ host sd-133392.dedibox.fr
    results
    sd-133392.dedibox.fr has address 195.154.104.120

    And this one (still on both servers):
    $ host 120.104.154.195
    returns
    120.104.154.195.in-addr.arpa domain name pointer sd-133392.dedibox.fr.

    I'm totally lost...
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You wrote in #1:
    That made me assume you are setting up sd-133392.dedibox.fr as your name server. However, that name server does not answer queries about the dedibox.fr domain. So it does not work as a name server, at least not for that domain. Why this is the case, I do not know.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The name sd-133392.dedibox.fr seems to be a generic name assigned by your ISP. Personally, I never use these names and assign a hostname which belongs to my own domain. Might be related to your issue or not, just as a hint.
     
  13. tonytroy

    tonytroy Member

    Thx to you both.

    @Taleman: When I try a host on sd-59739.dedibox.fr (my other server), I get the same error for dedibox.fr domain "Host dedibox.fr not found: 5(REFUSED)" (you can try it). Though sd-59739.dedibox.fr works perfectly for adding .com or .fr domain names from their DNS. So what would be the difference between those 2 servers? I can't find an answer to that..

    @till: sd-133392.dedibox.fr is the name of the machine (server) and it was indeed provided by my ISP. When you talk about assigning a hostname that belongs to a domain, you mean a domain name? In this case, which one do I choose? I have more than 20 domains on a server. If this can be a solution I'm ready to try.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    A hostname is normally a subdomain, something like server.yourdomain.tld or, when it's a nameserver only, name it ns.yourdomain.tld or ns1.yourdomain.tld. Of course, you have to choose one of your domains for this, I would use the domain that matches your company name. This subdomain must point to the server in DNS with a DNS A record and the reverse record of your IP should be adjusted as well. As mentioned above, this might be unrelated but that's how I set up systems.
     
  15. tonytroy

    tonytroy Member

    It sounds like a possible plan.

    So if I choose example.fr and I use ns1 as subdomain, I have to change the reverse of the server to ns1.example.fr? I also will need a second DNS, I still use dnssec.online.net?
    To attach example.fr to the server, I don't use DNS but only a redirect with an A record? With internetbs, if I use their DNS and I add an A record, that doesn't work as they have an SOA record pointing to ns-canada.topdns.com. I'm not familiar with this kind of settings. Any idea of how I should proceed?
     
  16. tonytroy

    tonytroy Member

    It took time but finally the A record was accepted and the domain .fr is pointing to the server.

    Now I have another problem, as the DNS is no longer managed by the server, I cannot use the Let's Encrypt function to add SSL protocol to the website. Do you have an idea of how I can fix this?

    I'm going to use the domain .fr to give a new name to the server and change the reverse, I'll let you know if everything works after that.
     
  17. Jesse Norell

    Jesse Norell Well-Known Member

    Just check the checkboxes for ssl and Let's Encrypt and save, it does not rely on dns validation.
     
  18. tonytroy

    tonytroy Member

    Thx Jesse, you're right, I thought the Let's Encrypt option was on the DNS settings, but it's on the website settings.

    To add the nameserver, I just have to create an A-record with ns as subdomain pointing on the IP address of the server? Nothing to set up on the server?
    Can I also create a DNSSEC on my server or should I use dnssec.online.net as I used to do?
     
