Symptoms
You may see the wrong IP, or a SERVFAIL error when digging the domain.
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...
You may see an error like the following in AutoSSL.
The domain “domain.tld” resolved to an IP address “198.51.100.0” that does not exist on this server.
Description
This can be caused by a mismatch between the NS records served by the domain's own nameservers and the NS records that the top-level domain's nameservers hold for the domain. Querying the top-level domain's nameserver, and then the nameserver it delegates to, will show different nameservers. For example:
# dig domain.com @a.gtld-servers.net.|grep -A2 "AUTHORITY SECTION"
;; AUTHORITY SECTION:
domain.com. 172800 IN NS ns1.domain.com.
domain.com. 172800 IN NS ns2.domain.com.
# dig +noall +answer NS domain.com @ns1.domain.com.
domain.com. 86400 IN NS ns1.nameserver.com.
domain.com. 86400 IN NS ns2.nameserver.com.
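The comparison above can be scripted. The following is an added example, not part of the original article or any cPanel tooling; the function names ns_set and ns_compare are hypothetical, and the sample input is constructed from the article's domain.com illustration.

```shell
# Added example: compare the TLD delegation with the zone's own NS records.
# ns_set: read dig output on stdin and print the NS targets for zone $1,
# lowercased, without the trailing dot, sorted and de-duplicated.
ns_set() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    awk -v zone="$zone" '
        /^;/ || NF < 5 { next }          # skip dig comments and short lines
        {
            owner = tolower($1); sub(/\.$/, "", owner)
            if (owner == zone && $3 == "IN" && $4 == "NS") {
                t = tolower($5); sub(/\.$/, "", t); print t
            }
        }' | sort -u
}

# ns_compare: $1 zone, $2 dig output from the TLD nameserver,
# $3 dig output from the delegated nameserver.
# Returns 0 on match, 1 on mismatch, 2 if either side has no NS records.
ns_compare() {
    parent=$(printf '%s\n' "$2" | ns_set "$1")
    child=$(printf '%s\n' "$3" | ns_set "$1")
    if [ -z "$parent" ] || [ -z "$child" ]; then
        echo "no NS records parsed (SERVFAIL or wrong server?)"; return 2
    fi
    if [ "$parent" = "$child" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"
    echo "TLD delegation (set at registrar): $(echo $parent)"
    echo "zone's own NS records (DNS host):  $(echo $child)"
    return 1
}

# Constructed sample input, copied from the example output above.
PARENT_OUT=';; AUTHORITY SECTION:
domain.com. 172800 IN NS ns1.domain.com.
domain.com. 172800 IN NS ns2.domain.com.'
CHILD_OUT='domain.com. 86400 IN NS ns1.nameserver.com.
domain.com. 86400 IN NS ns2.nameserver.com.'

ns_compare domain.com "$PARENT_OUT" "$CHILD_OUT" || true
# Live use (needs network):
#   ns_compare domain.com "$(dig +norec NS domain.com @a.gtld-servers.net.)" \
#       "$(dig +norec +noall +answer NS domain.com @ns1.domain.com.)"
```

The empty-set check matters because two failed lookups would otherwise compare as equal.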
Workaround
You will first need to determine where the DNS should be hosted. Then you will need to update the incorrect records. If the top-level domain nameserver's NS records are incorrect, you will need to set them at the registrar for the domain. If the domain's nameserver NS records are incorrect, you will need to update them where the domain's DNS is hosted.