<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Kevin,<div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="">===========>%

===========</div><div class="">C:\Users\kolbrich>nslookup -q=CNAME _<a href="http://91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de/" class="">91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de</a>. 8.8.8.8<br class="">Server:  <a href="http://dns.google" class="">dns.google</a><br class="">Address:  8.8.8.8<br class=""><br class="">Nicht autorisierende Antwort:<br class="">_<a href="http://91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de/" class="">91867ab3c77f152ba4ab0cceeabb3666.expose.graf-borstar.de</a>        canonical name = _c09668a36b3b6665549a795863f30b9b.olprtlswtu.acm-validations.aws<br class=""></div><div class=""><br class=""></div></div></div></blockquote><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="">My NS has a catch-all zone using "." including SOA to be authoritative for all new domains that do not yet have a zone (async processing).</div><div class="">This allows us to be responsive for zones we actually did not yet create or that have not been replicated.</div></div></div></blockquote><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class=""><br class=""></div><div class="">It seems that AWS uses the same authoritative NS to resolve its own CNAME (which does not resolve at all in public):</div></div></div></blockquote><div><br class=""></div><div>I doubt that’s the problem (and note that acm-validations.aws is a valid domain name and points to AWS).</div><div><br class=""></div><div>I believe the problem might be here:</div><div><br class=""></div><div><div>~ ❯❯❯ dig SOA <a href="http://expose.graf-borstar.de" class="">expose.graf-borstar.de</a></div><div><br class=""></div><div>; <<>> DiG 9.10.6 <<>> SOA <a href="http://expose.graf-borstar.de" class="">expose.graf-borstar.de</a></div><div>;; global options: +cmd</div><div>;; Got answer:</div><div>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 
58518</div><div>;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1</div><div><br class=""></div><div>;; OPT PSEUDOSECTION:</div><div>; EDNS: version: 0, flags:; udp: 1280</div><div>;; QUESTION SECTION:</div><div>;<a href="http://expose.graf-borstar.de" class="">expose.graf-borstar.de</a>.<span class="Apple-tab-span" style="white-space:pre">         </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>SOA</div><div><br class=""></div><div>;; ANSWER SECTION:</div><div><a href="http://expose.graf-borstar.de" class="">expose.graf-borstar.de</a>.<span class="Apple-tab-span" style="white-space:pre"> </span>3593<span class="Apple-tab-span" style="white-space:pre">        </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>CNAME<span class="Apple-tab-span" style="white-space:pre">       </span><a href="http://fae31f3b-08a0-4b3c-8767-7f1b1baec2af.iexendpoints.de" class="">fae31f3b-08a0-4b3c-8767-7f1b1baec2af.iexendpoints.de</a>.</div><div><br class=""></div><div>;; AUTHORITY SECTION:</div><div><a href="http://iexendpoints.de" class="">iexendpoints.de</a>.<span class="Apple-tab-span" style="white-space:pre">       </span>293<span class="Apple-tab-span" style="white-space:pre"> </span>IN<span class="Apple-tab-span" style="white-space:pre">  </span>SOA<span class="Apple-tab-span" style="white-space:pre"> </span><a href="http://ns-660.awsdns-18.net" class="">ns-660.awsdns-18.net</a>. <a href="http://awsdns-hostmaster.amazon.com" class="">awsdns-hostmaster.amazon.com</a>. 1 7200 900 1209600 86400</div><div><br class=""></div><div>;; Query time: 19 msec</div><div>;; SERVER: 192.168.2.1#53(192.168.2.1)</div><div>;; WHEN: Thu Sep 26 12:20:56 CEST 2019</div><div>;; MSG SIZE  rcvd: 199</div><div><br class=""></div><div><br class=""></div><div>You have a CNAME in place for <a href="http://expose.graf-borstar.de" class="">expose.graf-borstar.de</a>. Does that belong there? 
This might cause issues.</div><div><br class=""></div><div>Could you also clarify the problem you are having? It’s not 100% clear to me at this point. </div><div><br class=""></div><div>Kind Regards,</div><div><br class=""></div><div>Frank</div></div></div></div><div class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: "Avenir Next"; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Frank Louwers<br class="">PowerDNS Certified Consultant @ <a href="http://Kiwazo.be" class="">Kiwazo.be</a><br class=""><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: "Avenir Next"; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br class=""></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div></body></html>