I have two domains pointing at the same IP address with A records. Both domains use the same two nameservers, and still I am having big connection issues for many, but not all, of the customers coming to the site. IntoDNS reports that the nameservers do not agree on a SOA serial, but this only happens for one of the domains.
So some testing later I found that Google public DNS servers don't even respond to ping from the domain that doesn't work, but other public DNS servers do, and they serve the web page as well. I have tested 4.2.2.1, 4.2.2.2 and 208.67.222.222, all public DNS servers. When visiting the web site it throws an error:
ERR_NAME_NOT_RESOLVED
Does anyone have any idea what this could mean? The nameservers' serials fail on one domain and not the other while they both point to the same address? And Google DNS does not index it while others do?
I think I have passed the update time limit as it has been like this for over a week.
dig results from Google DNS:
; <<>> DiG 9.8.5-P1 <<>> @8.8.8.8 woolland.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44011
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;woolland.se. IN A
;; Query time: 97 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Sep 14 12:39:15 BST 2013
;; MSG SIZE rcvd: 29
dig results from 4.2.2.1:
; <<>> DiG 9.8.5-P1 <<>> @4.2.2.1 woolland.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62739
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;woolland.se. IN A
;; ANSWER SECTION:
woolland.se. 3253 IN A 91.207.159.238
;; Query time: 46 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Sat Sep 14 12:40:27 BST 2013
;; MSG SIZE rcvd: 45
Best Answer
I suspect, without you mentioning it, that the connection issues might indeed be caused by DNS resolution problems.
I am not sure why it is exactly that 8.8.8.8 behaves in the way that it does when resolving your name, but you may find some interesting results when you investigate DNSSEC problems.
First, let's do a trace (I'll remove lots of stuff for brevity):
You may notice that at the end of recursion, we don't get an RRSIG for your zone. However, it happens that we do get a DS record (delegation of signing) from the .se TLD servers:
The presence of the DS record indicates that your zone is signed, but it isn't.
What you must do is either get the DS record out of the .se root somehow, or update it and set up DNSSEC on your domain.
Level3's DNS servers are not (yet?) fully set up to do DNSSEC; you may notice that even if you set AD and unset CD on your queries to them, you will never get a reply with the AD flag back. Similarly, Google's DNS server 8.8.8.8 does fully support DNSSEC, and so queries for your domain with the CD flag set will give your address (this flag stands for "checking disabled"):
The differing serial has nothing at all to do with this, though it does indicate that your two DNS servers may be out of sync. Check that they are replicating properly; if the serial on the master is lower than that on the slave, bump the one on the master up to a higher value than both.
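The checks the answer walks through (is there a DS at the parent while the child serves no RRSIGs, and do the two authoritative servers agree on the SOA serial) can be scripted. The script below is an added example, not code from the question or the answer: it parses dig's text output, classifies the delegation chain, and compares serials. The dig outputs embedded in it are constructed samples (the nameserver names ns1.example and ns2.example, the DS digest and the serial values are placeholders), so the parsing and classification run offline; the `check_domain` wrapper at the end calls the real dig and needs network access. It only checks for the presence of DS and RRSIG records, not whether the DS digest matches the child's DNSKEY, so a "signed" result is not a full validation.

```shell
#!/bin/sh
# Added example: classify a zone's DNSSEC chain from dig output and compare
# SOA serials across nameservers. Not part of the original Q&A.

# Count records of type $2 in the ANSWER section of the dig output in $1.
count_rrtype() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/                 { inans = 0 }
        inans && !/^;/ && $4 == t { n++ }
        END { print n + 0 }'
}

# Classify the chain from three counts: DS at parent, DNSKEY and RRSIG in child.
# broken-chain is the situation in the answer: the parent publishes a DS, so
# validating resolvers expect signatures, but the child serves none -> SERVFAIL.
classify_chain() {
    ds=$1; dnskey=$2; rrsig=$3
    if [ "$ds" -gt 0 ] && { [ "$dnskey" -eq 0 ] || [ "$rrsig" -eq 0 ]; }; then
        echo broken-chain
    elif [ "$ds" -gt 0 ]; then
        echo signed
    elif [ "$dnskey" -gt 0 ] || [ "$rrsig" -gt 0 ]; then
        echo unanchored   # child signed but no DS at parent: treated as insecure, still resolves
    else
        echo unsigned
    fi
}

# Extract the SOA serial (7th field of the SOA answer line) from dig output.
soa_serial() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/                 { inans = 0 }
        inans && $4 == "SOA"  { print $7; exit }'
}

compare_serials() {
    if [ "$1" = "$2" ]; then echo in-sync; else echo out-of-sync; fi
}

# --- Constructed sample dig outputs (placeholder values, not real records) ---
SAMPLE_DS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
example.se.	3600	IN	DS	12345 8 2 0000000000000000000000000000000000000000000000000000000000000000

;; Query time: 40 msec'

SAMPLE_DNSKEY_EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.se.	3600	IN	SOA	ns1.example. hostmaster.example. 2013091401 3600 900 604800 86400'

SAMPLE_A_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; ANSWER SECTION:
example.se.	3253	IN	A	192.0.2.10

;; Query time: 46 msec'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.se.	IN	A'

SAMPLE_SOA_NS1=';; ANSWER SECTION:
example.se.	3600	IN	SOA	ns1.example. hostmaster.example. 2013091401 3600 900 604800 86400'

SAMPLE_SOA_NS2=';; ANSWER SECTION:
example.se.	3600	IN	SOA	ns1.example. hostmaster.example. 2013091405 3600 900 604800 86400'

# Run the checks over the constructed samples; prints "<chain> <serials>".
audit_samples() {
    ds=$(count_rrtype "$SAMPLE_DS" DS)
    key=$(count_rrtype "$SAMPLE_DNSKEY_EMPTY" DNSKEY)
    sig=$(count_rrtype "$SAMPLE_A_UNSIGNED" RRSIG)
    s1=$(soa_serial "$SAMPLE_SOA_NS1")
    s2=$(soa_serial "$SAMPLE_SOA_NS2")
    echo "$(classify_chain "$ds" "$key" "$sig") $(compare_serials "$s1" "$s2")"
}

# Live check (needs network). Usage: check_domain <domain> <ns1> <ns2> [resolver]
# +cd disables validation so a validating resolver answers instead of SERVFAILing.
check_domain() {
    d=$1; ns1=$2; ns2=$3; r=${4:-8.8.8.8}
    ds=$(count_rrtype "$(dig @"$r" +cd "$d" DS)" DS)
    key=$(count_rrtype "$(dig @"$r" +cd "$d" DNSKEY)" DNSKEY)
    sig=$(count_rrtype "$(dig @"$r" +cd +dnssec "$d" A)" RRSIG)
    echo "chain: $(classify_chain "$ds" "$key" "$sig")"
    s1=$(soa_serial "$(dig @"$ns1" "$d" SOA)")
    s2=$(soa_serial "$(dig @"$ns2" "$d" SOA)")
    echo "serials: $ns1=$s1 $ns2=$s2 ($(compare_serials "$s1" "$s2"))"
}

audit_samples
```

Running the script as-is prints `broken-chain out-of-sync` for the constructed samples, the same combination the question describes; `check_domain yourdomain.se ns1 ns2` runs the same logic against live answers.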