Terrible trouble with DNSSEC and GoDaddy
joliver at john-oliver.net
Sun Oct 13 21:34:45 UTC 2013
I've been trying for three weeks to get GoDaddy to add a DS record for
one of my zones. Some of the excuses they've given as to why the fact
this hasn't happened is actually my fault:
"At this time, the issue is due to one or more nameservers associated
with the domain are not being configured correctly. Once the
configuration issues with the nameservers has been resolved, you will be
able to add a DS record to the domain without issue."
What's the configuration issue? Turns out to be a missing NS record.
OK, now you can add the DS record, right?
"We pinged the nameserver, puck.nether.net and it did reply. However,
when we pinged NS2.SDSITEHOSTING.NET, the request timed out. We ask that
you review this matter with your current host to ensure that the
nameserver is properly configured."
Flamethrower opened on low, just enough to singe a bit.
"This has been reviewed by our administrators and has been determined to
be an issue with the nameserver NS2.SDSITEHOSTING.NET itself. Your
hosting provider will need to review this nameserver to determine if it
is properly configured on their end."
What is the 'issue'?
"Thank you for your reply. This issue has been reviewed by our
Administrators and Advanced Technical Support. They have reviewed the
records for that are being pulled up for the nameserver
NS2.SDSITEHOSTING.NET and have found that there is a issue with the
nameserver itself. If you created the nameserver yourself, you will need
to review the configuration that you have created for the nameserver."
What is the issue?
"Thank you for your reply. Our system will not accept the format that
you have in place. We will only accept nameservers with the standard
IPv4 format and to appears you have the nameserver NS2.SDSITEHOSTING.NET
setup with IPv6."
Flamethrower opened a little more. Asked how any of these 'issues' has
anything to do with them adding a record into the com. zone (a question
which has never been responded to).
"This requirements are something we have in place internally. We are not
suggesting your nameservers are bad to use, but rather, the nameservers
are not formatted to meet our system requirements. If our system picks
up a IPv6 record, it will not work with our system. I do apologize for
the inconvenience. "
I block all traffic from 2607:F208::/32. You aren't getting any "IPv6
records" now, so the problem is fixed, right?
"Thank you for your reply. I have reviewed your issue and show that the
server name NS2.SITEHOSTING.NET is using
2600:3C01:0:0:F03C:91FF:FE96:BBEC . The IP address is what is causing
the problem. You would need to remove this before continuing."
Well, they've got me there... I am, in fact, using that IPv6 address,
and unless I want to go back to IPv4 and nothing else, that's probably a
pretty good excuse for them to just stop right there!
So... what is it? Is GoDaddy really so antiquated that the fact that
one of their customers is using IPv6 actually breaks them? Is it just
that their "Advanced Technical Support" staff isn't very advanced, very
technical, or very good at support? Or have we slid into an alternate
universe where this is all my fault, and I should abandon IPv6 because
it just doesn't work with DNSSEC?
Venting aside, does anyone have a contact at GoDaddy that doesn't suffer
from a terminal case of rectal-cranial inversion? I'm mainly
experimenting with DNSSEC, and don't want to move all of my domains over
this one issue. But then, if this is the level of technical support I
can expect, maybe I should bite the bullet and go.
* John Oliver http://www.john-oliver.net/ *