This one’s going to get the least hits ever, I bet.
I transferred the authoritative nameserver of a domain from Godaddy to Cloudflare and things got stuck. The NS propagated pretty well, but it never got picked up by Google or Verisign’s public DNS (check with https://www.whatsmydns.net). Since my ISP uses Google’s 18.104.22.168 server for customer DNS, I couldn’t reach my sites and mail got goofy.
The problem turned out to be outdated DS records that lingered at Godaddy after I tried their DNSSEC product, had all sorts of problems and turned it off. DS records aren't deleted automatically in that process; they need to be deleted manually on the Domain Details/Settings tab. Who knew? Why should I have to know??
Google (and Cloudflare, the destination authoritative server) saw the outdated DS records and ruled the domain bogus. In the case of Cloudflare, it never completed the setup process (constantly rescanning the nameservers and saying “Pending Nameserver Update”).
Google's public DNS simply wouldn't resolve the names and returned SERVFAIL. Here's an example of the dig command when it was failing (note the trailing period at the end of the name, which makes it fully qualified):

dig @22.214.171.124 www.example.com.

; <<>> DiG 9.8.3-P1 <<>> @126.96.36.199 www.example.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42587
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com. IN A
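To make the "bogus" verdict concrete, here is an added example (my own code, not anything from the post, Godaddy, Cloudflare or Google) of the check a validating resolver performs: it derives a DS record from a zone's DNSKEY exactly the way RFC 4034 specifies (key tag from the RDATA, SHA-256 digest over the canonical owner name plus RDATA) and compares it with what the parent publishes. The DNSKEY public key bytes and the stale DS below are constructed placeholders, not real records. Three outcomes fall out of it: a matching DS is "secure", no DS at all is "insecure" (plain DNS, which is what you get once the stale DS is deleted), and a DS that matches no current DNSKEY is "bogus", the state the post describes.

```python
import hashlib

# Constructed sample zone and key material (placeholders, not real records)
ZONE = "example.com."
KSK_FLAGS = 257          # Secure Entry Point bit set, i.e. a key-signing key
DNSKEY_PROTOCOL = 3      # always 3 for DNSSEC
ALG_ECDSAP256SHA256 = 13
ALG_RSASHA256 = 8
CURRENT_PUBLIC_KEY = bytes(range(64))   # constructed placeholder for a 64-byte ECDSA P-256 key
DS_DIGEST_SHA256 = 2


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, zero terminated."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(zone, flags, protocol, algorithm, public_key):
    """Derive the DS tuple (key tag, algorithm, digest type, digest) a parent should publish."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DS_DIGEST_SHA256, digest)


def classify_chain(parent_ds_set, child_dnskeys, zone):
    """Mimic a validator's verdict for the delegation.

    parent_ds_set: DS tuples published at the parent (registrar side).
    child_dnskeys: (flags, protocol, algorithm, public_key) tuples served by the zone's NS.
    """
    if not parent_ds_set:
        return "insecure"      # no DS: unsigned delegation, resolves without validation
    derived = {ds_from_dnskey(zone, *key) for key in child_dnskeys}
    if any(ds in derived for ds in parent_ds_set):
        return "secure"        # at least one DS matches a live DNSKEY
    return "bogus"             # DS points at a key the zone no longer serves: SERVFAIL


# Scenario from the post: the new host serves one KSK; the registrar still has an old DS.
CHILD_KEYS = [(KSK_FLAGS, DNSKEY_PROTOCOL, ALG_ECDSAP256SHA256, CURRENT_PUBLIC_KEY)]
FRESH_DS = ds_from_dnskey(ZONE, *CHILD_KEYS[0])
STALE_DS = (12345, ALG_RSASHA256, DS_DIGEST_SHA256, "00" * 32)   # constructed leftover DS

if __name__ == "__main__":
    print("registrar DS matches new DNSKEY :", classify_chain({FRESH_DS}, CHILD_KEYS, ZONE))
    print("registrar DS is the stale one   :", classify_chain({STALE_DS}, CHILD_KEYS, ZONE))
    print("stale DS deleted, nothing left  :", classify_chain(set(), CHILD_KEYS, ZONE))
```

Against live data the same comparison is what dig gives you: the DS set from the parent (`dig DS example.com.`) against the DNSKEY set from the new nameservers (`dig DNSKEY example.com.`); if no DS key tag and digest line up with a current key, every validating resolver will return SERVFAIL until the DS is removed or replaced.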
Here's the result of a DNSVIS.NET query of the name. It's pretty incomprehensible, but if you get a page that looks like this, you've probably got the same problem I had.
This was the page that cracked the case for me:
One last thing. Here’s the page where you can flush the Google DNS cache for a domain.