I’m having a bizarre issue setting up a new install. We’re moving from hosted to self-hosting our installation, and are using the domain www.pidforum.org. I have spun up an Ubuntu server, and am using the standard install. Domain is currently pointing at the IP of the server with @, *, and www. all set as A names.
Installation appears to go without a hitch… everything looks like it’s working. Initial domain check says it’s ok, installation proceeds and completes. But it doesn’t work. Server isn’t listening on 443 or 80, and when I run discourse doctor it says:
Discourse version at www.pidforum.org: NOT FOUND
Discourse version at localhost: NOT FOUND
Now here’s the weird thing… if I redo discourse-setup, and change ONLY the domain name to another domain I control (discourse.xxxxxxx.yyy) it works fine. Everything else is the same… same server, same everything, ONLY changing the domain name.
What could cause this? Help, I’m going insane trying to sort this out.
Are you sure the DNS records are set up correctly? When I check from here, neither address is resolving:
~ ❯ host www.pidforum.org
Host www.pidforum.org not found: 2(SERVFAIL)
~ ❯ host pidforum.org
Host pidforum.org not found: 2(SERVFAIL)
I can ping it.
You might want to wait for the DNS records to update.
Yes, your DNS records have not been updated yet, so you have to wait.
For what it’s worth: it’s been at least 36 hours since I made any change to the DNS. Those failures are persistent.
Well, check the TTL on your DNS. That might be set too high.
Pretty sure, just set them up as a standard @ and www A names pointing at the IP, and then a * as a CNAME reconciling to the www.
TTL are set to 600, for specifically that reason.
I’ve been futzing with this since Thursday of last week… I’m increasingly thinking it’s something with the Domain name specifically, but that makes NO sense at all (and also has no effective troubleshooting steps).
Is there anything I can test/try to narrow my problem scope? I’m comfortable as a sysadmin, but this has me questioning my life.
Your NS is set to DO, so maybe reach out to DO support?
Did you recently change your nameserver to Digital Ocean? It looks like you have DNSSEC enabled for pidforum.org, but the Digital Ocean nameservers are not returning any signatures. Therefore, DNS servers like 220.127.116.11 are detecting the broken chain of trust, and refusing to return the records.
You can see more information using tools like this:
If you want to disable/modify DNSSEC, you should be able to do that via your domain registrar.
(thanks @supermathie for the tip on DNSSEC - it’s not something I’d investigated before)
Ok, so the DNSSEC thing is weird, and not something I’d ever dealt with either, so thanks for the pointer.
I’ve tried to uncomplicate things by removing the Digital Ocean nameserver jump from the equation, and am now just using Network Solutions as both registrar and nameserver to try and eliminate possible errors/issues. That is propagating now (but I have tested this setup, and it doesn’t work either for reasons I don’t understand).
I’ll check the DNSSEC stuff after the nameserver change has some time to happen. But I am betting there’s something else going on as well.
Your domain is still looking for the DNSSEC.
Contact your registrar and ask them to disable secureDNS.
I confirmed with my registrar that they are not using DNSSEC. I am at such a loss as to what is going on here.
And they were no help at all.
Going to try moving to a different host (from MediaTemple to Digital Ocean) and see if the DNSSEC errors move with me.
Does anyone have any idea what 18.104.22.168 is? Why is that in this response loop at all? It’s not my server…
After some research, the DS record needs to be removed from your domain.
… Network Solutions has assured me that DNSSEC is off, and there is no interface for adding or removing a DS record in the admin interface for my domain.
Thanks for tracking this down, but I have no freaking clue where it’s living.
Are you using Cloudflare by any chance?
I am not, but a friend just suggested I move my DNS there so that I have DNSSEC controls.
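The condition discussed in this thread (a DS record published at the parent while the zone's nameservers return no signatures, so validating resolvers answer SERVFAIL) can be checked with `dig`. This is an added example, not part of any post above; the function names `rcode`, `count` and `dnssec_diagnose` are hypothetical, and it assumes `dig` is installed and that the resolver queried performs DNSSEC validation.

```shell
#!/bin/sh
# Added example: tell a DNSSEC chain-of-trust break apart from ordinary DNS trouble.
# Usage: ./dnssec_diagnose.sh example.org [@validating-resolver]

# Print the rcode (NOERROR, SERVFAIL, ...) from dig's header comment line.
rcode() {
    dig "$@" +noall +comments | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print how many records a +short query returned (0 if none).
count() {
    dig "$@" +short | grep -c . || true
}

dnssec_diagnose() {
    domain=$1
    resolver=${2:-}   # optional "@ip"; left unquoted below so an empty value vanishes
    validated=$(rcode $resolver "$domain" A)            # normal, validated lookup
    unchecked=$(rcode $resolver "$domain" A +cdflag)    # CD bit set: skip validation
    ds=$(count $resolver "$domain" DS)                  # DS lives in the parent zone
    keys=$(count $resolver "$domain" DNSKEY +cdflag)    # keys served by the zone itself

    if [ "$validated" = "NOERROR" ]; then
        if [ "$ds" -gt 0 ]; then
            echo "OK_SIGNED: resolves, DS present at parent"
        else
            echo "OK_UNSIGNED: resolves, no DS at parent"
        fi
    elif [ "$validated" = "SERVFAIL" ] && [ "$unchecked" = "NOERROR" ]; then
        # Fails only when validation is on, so the data exists but is judged bogus.
        if [ "$ds" -gt 0 ] && [ "$keys" -eq 0 ]; then
            echo "BROKEN_CHAIN: parent has DS but zone serves no DNSKEY; remove the DS at the registrar or sign the zone"
        else
            echo "BOGUS: fails only with validation on; compare DS with DNSKEY and check RRSIG expiry"
        fi
    else
        echo "NOT_DNSSEC: rcode ${validated:-none} regardless of validation; check delegation and nameservers"
    fi
}

# Run only when a domain is given, so sourcing the file makes no network queries.
if [ "$#" -gt 0 ]; then
    dnssec_diagnose "$@"
fi
```

A `BROKEN_CHAIN` result matches the symptom in this thread: the records answer with checking disabled, yet `host` reports SERVFAIL through a validating resolver.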