Setting different NS records as authoritative on authoritative DNS


I have DNS servers for a domain set to one set of authoritative DNS servers on the registrar. However, those DNS servers' zone file for the domain has a different set of NS records for it. Some DNS servers are passing the request on merrily to the NS servers set in the zone file; however, some others (such as Google, Level 3 and OpenDNS' public DNS servers) aren't resolving the records properly. They return the proper NS records, but requests for A records at the sub-delegated DNS server are not being returned. I have provided plenty of output below, but the gist of it is that the requests aren't being referred to the NS records I set at QUICKROUTEDNS.COM for the domain, which are NS records pointing to Amazon's cloud DNS. Instead the requests are stopping at QUICKROUTEDNS.COM. So how do I instruct DNS servers to continue their query on to Amazon, as it's authoritative for the domain, without changing the DNS records at the registrar?



Here's an example:



The domain's DNS records at the registrar:



Name Server: NS1.QUICKROUTEDNS.COM
Name Server: NS2.QUICKROUTEDNS.COM
Name Server: NS3.QUICKROUTEDNS.COM


Pulling the NS records for the domain (the authoritative DNS, QUICKROUTEDNS.COM, has these servers set as the NS records):



$ host -t NS domain.com 
domain.com name server ns-1622.awsdns-10.co.uk.
domain.com name server ns-1387.awsdns-45.org.
domain.com name server ns-774.awsdns-32.net.
domain.com name server ns-48.awsdns-06.com.


An A record from the Amazon DNS servers hosting the domain:



$ host www.domain.com ns-1387.awsdns-45.org
Using domain server:
Name: ns-1387.awsdns-45.org.
Address: 205.251.197.107#53
Aliases:

www.domain.com has address 201.201.201.201


Yet, when I request it from any given nameserver:



$ host www.domain.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host www.domain.com not found: 3(NXDOMAIN)


This is consistent amongst almost every DNS server, although there are a FEW that will report the A record as expected.



Here is a dig +trace output when trying to pull the A record:



$ dig @8.8.8.8 www.domain.com A +trace 

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 www.domain.com A +trace
; (1 server found)
;; global options: +cmd
. 1341 IN NS m.root-servers.net.
. 1341 IN NS j.root-servers.net.
. 1341 IN NS a.root-servers.net.
. 1341 IN NS d.root-servers.net.
. 1341 IN NS f.root-servers.net.
. 1341 IN NS c.root-servers.net.
. 1341 IN NS b.root-servers.net.
. 1341 IN NS e.root-servers.net.
. 1341 IN NS i.root-servers.net.
. 1341 IN NS h.root-servers.net.
. 1341 IN NS g.root-servers.net.
. 1341 IN NS l.root-servers.net.
. 1341 IN NS k.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 58 ms

net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
;; Received 503 bytes from 192.36.148.17#53(192.36.148.17) in 586 ms

domain.com. 172800 IN NS ns1.quickroutedns.com.
domain.com. 172800 IN NS ns2.quickroutedns.com.
domain.com. 172800 IN NS ns3.quickroutedns.com.
;; Received 153 bytes from 192.55.83.30#53(192.55.83.30) in 790 ms

domain.com. 3600 IN SOA cns1.atlantic.net. noc.atlantic.net. 2016033004 28800 7200 604800 3600
;; Received 88 bytes from 69.16.156.227#53(69.16.156.227) in 712 ms


As we can see, it's only getting to the QUICKROUTEDNS.COM nameservers and not going on to query the Amazon nameservers. So, how do I tell DNS servers to fetch their queries from the Amazon servers and NOT to stop at QuickRouteDNS.COM?










  • If you want anyone to be able to help troubleshoot, you need to post the actual domain name. Since this is all your public domain name and addresses, there's no security implication to doing so.

    – Ward
    Apr 1 '16 at 4:39

















domain-name-system bind nameserver dns-hosting dns-zone






asked Mar 31 '16 at 19:56









Brendan
316












2 Answers






There are really two questions being asked here, and they directly contradict each other:



  1. how do I instruct DNS servers to continue their query on to Amazon as its authoritative for the domain, without changing the DNS records at the registrar?

  2. how do I tell DNS servers to fetch its queries from the Amazon servers and NOT to stop at QuickRouteDNS.COM?

Every delegation in the DNS hierarchy must be more specific than the last. In other words, you can delegate subdomains but you cannot re-delegate the exact same name that has been delegated to your server. The correct solution is to change the configuration at the registrar level, which you are trying to avoid.



What you have right now is a common misconfiguration known as an NS record mismatch, which gives an incorrect impression that this design is achievable. Below is an explanation of what is happening, but it will be challenging to follow without a good grasp of DNS concepts. If I lose you, please take it for granted that correcting the registrar data is the proper way to address your issue.




To illustrate, here are two example zone snippets:



$ORIGIN example.com.
@ 2941 IN SOA ns1.example.com. someone.example.com. (
2015071001 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
7200000 ; expire (11 weeks 6 days 8 hours)
3600 ; minimum (1 hour)
)
@ IN NS ns1
@ IN NS ns2

sub IN NS ns1.contoso.com.
sub IN NS ns2.contoso.com.


On the contoso.com nameservers:



$ORIGIN sub.example.com.
@ 2941 IN SOA ns1.sub.example.com. someone.contoso.com. (
2015071001 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
7200000 ; expire (11 weeks 6 days 8 hours)
3600 ; minimum (1 hour)
)
@ IN NS bagel.contoso.com.
@ IN NS bacon.contoso.com.


Which NS records in the above two zones are authoritative for sub.example.com? If you thought it was ns1 and ns2.contoso.com, you would be mistaken. Contrary to popular belief, a nameserver which performs a delegation is not considered authoritative for the NS records used to define that delegation. The authoritative definition is instead owned by the zone on the receiving end of the delegation.



We've established that bacon and bagel are authoritative. What isn't so obvious here is that nameservers aren't necessarily going to realize that immediately. Delegations are followed in good faith, and it will initially be assumed that the servers receiving the delegation are authoritative. It's only when those NS records are refreshed that the brain damage occurs. Refreshes can be triggered by any number of things, from TTL of the delegating NS records expiring to an explicit request for the value of those NS records. Once the NS records are overwritten, the new servers get used.



Putting it all together, there is an initial period where your registrar defined nameservers are being used, followed by a period where the second set of nameservers are being used. During the first period, any records that only exist on the second set of servers will fail. During the second period, any records that only exist on the first set of servers will fail.



It may sound like the problem will eventually fix itself (just wait for everything to refresh), but that will never happen. People will restart their nameservers, flush their cache, or stand up new nameservers. Your domain will exist in an inconsistent state of flux until the NS records become consistent. DNS gurus can do some interesting things with this, but the valid use cases for this type of configuration are few and far between. The average user should avoid conflicting nameserver definitions at all costs.
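The two-phase behaviour this answer describes, as an added toy simulation (not code from the question or either answer): a caching resolver follows the registrar's referral in good faith, has its cached NS set overwritten once it sees the zone's own apex NS records, and falls back to the parent's set again when that cache expires. Hostnames and the www A record are taken from the question; the per-server zone contents, the TTL, the single-server-per-set selection and the RFC 2181 ranking rule applied are assumptions of the model.

```python
"""Toy model of a parent/child NS mismatch (lame delegation) as seen by a resolver."""
from dataclasses import dataclass


@dataclass
class AuthServer:
    """An authoritative server holding a flat (owner, rtype) -> rdata map."""
    name: str
    records: dict

    def query(self, owner, rtype):
        # Empty list stands in for NXDOMAIN/NODATA (the SOA-only reply in the trace).
        return sorted(self.records.get((owner, rtype), []))


ZONE = "domain.com."
# Parent-side delegation: what the registrar published in the .com zone.
PARENT_NS = {"ns1.quickroutedns.com.", "ns2.quickroutedns.com.", "ns3.quickroutedns.com."}
# Child-side apex NS set: what the zone file itself says.
CHILD_NS = {"ns-1622.awsdns-10.co.uk.", "ns-1387.awsdns-45.org.",
            "ns-774.awsdns-32.net.", "ns-48.awsdns-06.com."}

# Constructed zone contents (assumption): QuickRouteDNS carries the zone with only
# the apex NS set pointing at Amazon; Amazon carries the zone with the A record.
QUICKROUTE = AuthServer("quickroutedns", {(ZONE, "NS"): CHILD_NS})
AMAZON = AuthServer("awsdns", {(ZONE, "NS"): CHILD_NS,
                               ("www." + ZONE, "A"): ["201.201.201.201"]})
SERVERS = {**{h: QUICKROUTE for h in PARENT_NS}, **{h: AMAZON for h in CHILD_NS}}


class Resolver:
    """Minimal caching resolver: one cached NS RRset for ZONE, with an expiry time."""

    def __init__(self, servers=SERVERS, ns_ttl=172800):
        self.servers = servers
        self.ns_ttl = ns_ttl
        self.cached_ns = None  # (set of hostnames, expiry, where it came from)

    def nameservers(self, now):
        if self.cached_ns is None or now >= self.cached_ns[1]:
            # Cold cache or expired: follow the parent's referral in good faith.
            self.cached_ns = (PARENT_NS, now + self.ns_ttl, "parent delegation")
        return self.cached_ns

    def resolve(self, owner, rtype, now):
        ns_set, _, _ = self.nameservers(now)
        server = self.servers[min(ns_set)]  # assumption: always ask the first server
        answer = server.query(owner, rtype)
        if owner == ZONE and rtype == "NS" and answer:
            # Authoritative apex NS data outranks the referral it was reached through
            # (RFC 2181 section 5.4.1), so the cached delegation is overwritten.
            self.cached_ns = (set(answer), now + self.ns_ttl, server.name)
        return answer


def delegation_mismatch(parent_ns, child_ns):
    """Names present on only one side of the delegation; both lists empty means
    the parent and the zone agree, which is the state the answer asks for."""
    return {"only_at_parent": sorted(parent_ns - child_ns),
            "only_in_zone": sorted(child_ns - parent_ns)}


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.domain.com.", "A", now=0))      # first period: nothing found
    print(r.resolve("domain.com.", "NS", now=1))         # explicit NS query refreshes cache
    print(r.resolve("www.domain.com.", "A", now=2))      # second period: Amazon answers
    print(r.resolve("www.domain.com.", "A", now=172802)) # TTL expiry: back to period one
    print(delegation_mismatch(PARENT_NS, CHILD_NS))
```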






Saying "I have DNS servers for a domain set to one set of authoritative DNS servers on the registrar. However, those DNS servers zone file for the domain have a different set of NS records for it." means that you created a lame delegation. You can stop there, as nothing will work correctly with this kind of setup, so do not do this!

Helpful tools to troubleshoot: http://dnsviz.net/ and https://www.zonemaster.net/

2 more things:

1. do not use host for troubleshooting, only dig (but @something and +trace are contradictory)

2. as said by @Ward, provide the true domain name you are asking about if you want to have good help back to you





    share|improve this answer























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "2"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f767408%2fsetting-different-ns-records-as-authoritative-on-authoritative-dns%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      4














      There are really two questions being asked here, and they directly contradict each other:



      1. how do I instruct DNS servers to continue their query on to Amazon as its authoritative for the domain, without changing the DNS records at the registrar?

      2. how do I tell DNS servers to fetch its queries from the Amazon servers and NOT to stop at QuickRouteDNS.COM?

      Every delegation in the DNS hiearchy must be more specific than the last. In other words, you can delegate subdomains but you cannot re-delegate the exact same name that has been delegated to your server. The correct solution is to change the configuration at the registrar level, which you are trying to avoid.



      What you have right now is a common misconfiguration known as a NS record mismatch, which gives an incorrect impression that this design is achievable. Below is an explanation of what is happening, but it will be challenging to follow without a good grasp of DNS concepts. If I lose you, please take it for granted that correcting the registrar data is the proper way to address your issue.




      To illustrate, here are two example zone snippets:



      $ORIGIN example.com
      @ 2941 IN SOA ns1.example.com. someone.example.com. (
      2015071001 ; serial
      7200 ; refresh (2 hours)
      900 ; retry (15 minutes)
      7200000 ; expire (11 weeks 6 days 8 hours)
      3600 ; minimum (1 hour)
      )
      @ IN NS ns1
      @ IN NS ns2

      sub IN NS ns1.contoso.com.
      sub IN NS ns2.contoso.com.


      On the contoso.com nameservers:



      $ORIGIN sub.example.com.
      @ 2941 IN SOA ns1.sub.example.com. someone.contoso.com. (
      2015071001 ; serial
      7200 ; refresh (2 hours)
      900 ; retry (15 minutes)
      7200000 ; expire (11 weeks 6 days 8 hours)
      3600 ; minimum (1 hour)
      )
      @ IN NS bagel.contoso.com.
      @ IN NS bacon.contoso.com.


      Which NS records in the above two zones are authoritative for sub.example.com? If you thought it was ns1 and ns2.contoso.com, you would be mistaken. Contrary to popular belief, a nameserver which performs a delegation is not considered authoritative for the NS records used to define that delegation. The authoritative definition is instead owned by the zone on the receiving end of the delegation.



      We've established that bacon and bagel are authoritative. What isn't so obvious here is that namesevers aren't necessarily going to realize that immediately. Delegations are followed in good faith, and it will initially be assumed that the servers receiving the delegation are authoritative. It's only when those NS records are refreshed that the brain damage occurs. Refreshes can be triggered by any number of things, from TTL of the delegating NS records expiring to an explicit request for the value of those NS records. Once the NS records are overwritten, the new servers get used.



      Putting it all together, there is an initial period where your registrar defined nameservers are being used, followed by a period where the second set of nameservers are being used. During the first period, any records that only exist on the second set of servers will fail. During the second period, any records that only exist on the first set of servers will fail.



      It may sound like the problem will eventually fix itself (just wait for everything to refresh), but that will never happen. People will restart their nameservers, flush their cache, or stand up new nameservers. Your domain will exist in an inconsistent state of flux until the NS records become consistent. DNS gurus can do some interesting things with this, but the valid use cases for this type of configuration are few and far between. The average user should avoid conflicting nameserver definitions at all costs.






          edited Apr 1 '16 at 8:09
          answered Apr 1 '16 at 7:37

          Andrew B

          25.9k875118
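The NS record mismatch described in the answer above, as an added example that is not part of the Server Fault answer or of any project's code. The script parses two constructed zone snippets (using the answer's hypothetical names example.com, sub.example.com and contoso.com), reports whether the parent's delegation NS set matches the child zone's apex NS set, and then replays the two periods a caching resolver goes through: first trusting the delegation, then using the child's own NS set once those records are refreshed. The records and addresses each nameserver is assumed to serve (`SERVED`) are constructed for the example.

```python
"""Added example, not part of the Server Fault answer: detect a delegation /
apex NS mismatch in zone text and replay the resolver's two periods.
Names follow the answer's hypothetical example.com / sub.example.com /
contoso.com; zone snippets and served records are constructed here."""

# Constructed parent zone: example.com delegates "sub" to ns1/ns2.contoso.com.
PARENT_ZONE = """\
$ORIGIN example.com.
@ 2941 IN SOA ns1.example.com. someone.example.com. (
        2015071001 ; serial
        7200       ; refresh (2 hours)
        900        ; retry (15 minutes)
        7200000    ; expire (11 weeks 6 days 8 hours)
        3600       ; minimum (1 hour)
        )
@   IN NS ns1
@   IN NS ns2
sub IN NS ns1.contoso.com.
sub IN NS ns2.contoso.com.
"""

# Constructed child zone as loaded on the contoso.com servers: its apex NS
# set names different hosts than the delegation above.
CHILD_ZONE = """\
$ORIGIN sub.example.com.
@ IN NS bagel.contoso.com.
@ IN NS bacon.contoso.com.
"""

# Constructed view of what each server answers: the delegated servers only
# know "www", the apex-listed servers only know "app" (RFC 5737 test addresses).
SERVED = {
    "ns1.contoso.com":   {"www.sub.example.com": "192.0.2.10"},
    "ns2.contoso.com":   {"www.sub.example.com": "192.0.2.10"},
    "bagel.contoso.com": {"app.sub.example.com": "192.0.2.20"},
    "bacon.contoso.com": {"app.sub.example.com": "192.0.2.20"},
}


def absolute(name, origin):
    """Lowercase absolute form of an owner/target name, without trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}" if origin else name


def ns_records(zone_text, owner):
    """Set of NS targets for `owner` in a zone snippet. Handles $ORIGIN, comments,
    optional TTL/class fields and multi-line "( ... )" RDATA such as an SOA."""
    origin, depth, found = "", 0, set()
    want = owner.rstrip(".").lower()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        if depth:                                # still inside "( ... )"
            depth -= line.count(")")
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        depth += line.count("(") - line.count(")")
        fields = line.split()
        name = absolute(fields[0], origin)
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]
        if len(rest) >= 2 and rest[0].upper() == "NS" and name == want:
            found.add(absolute(rest[1], origin))
    return found


def delegation_check(parent_zone, child_zone, child_name):
    """Compare the delegation NS set (parent) with the apex NS set (child)."""
    delegated = ns_records(parent_zone, child_name)
    apex = ns_records(child_zone, child_name)
    return {"delegated": delegated, "apex": apex, "consistent": delegated == apex,
            "only_in_delegation": delegated - apex, "only_in_apex": apex - delegated}


class Resolver:
    """Minimal caching-resolver model: follows the delegation in good faith,
    then overwrites its NS set with the child's authoritative one on refresh."""

    def __init__(self, delegated, served):
        self.ns, self.served = set(delegated), served

    def lookup(self, qname):
        for server in sorted(self.ns):
            if qname in self.served.get(server, {}):
                return self.served[server][qname]
        return None                              # every current server: no such name

    def refresh_ns(self, apex):
        self.ns = set(apex)                      # TTL expiry or an explicit NS query


def timeline(parent_zone, child_zone, child_name, served, names):
    """Answers seen before and after the resolver refreshes the child's NS set."""
    check = delegation_check(parent_zone, child_zone, child_name)
    r = Resolver(check["delegated"], served)
    before = {n: r.lookup(n) for n in names}
    r.refresh_ns(check["apex"])
    return before, {n: r.lookup(n) for n in names}


if __name__ == "__main__":
    res = delegation_check(PARENT_ZONE, CHILD_ZONE, "sub.example.com")
    print("consistent:", res["consistent"], "| delegation:", sorted(res["delegated"]),
          "| apex:", sorted(res["apex"]))
    names = ["www.sub.example.com", "app.sub.example.com"]
    before, after = timeline(PARENT_ZONE, CHILD_ZONE, "sub.example.com", SERVED, names)
    print("before NS refresh:", before)
    print("after NS refresh: ", after)
```

With the child zone's apex NS records changed to list the same ns1/ns2.contoso.com hosts as the delegation, `delegation_check` reports `consistent: True` and both periods return the same answers. In practice the two sets would come from queries against the parent and the child servers (the thread's `dig` and the dnsviz/zonemaster tools mentioned below do this) rather than from zone text.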




              1














              Saying "I have DNS servers for a domain set to one set of authoritative DNS servers on the registrar. However, those DNS servers zone file for the domain have a different set of NS records for it." means that you created a lame delegation. You can stop there, as nothing will work correctly with this kind of setup, so do not do this!



              Helpful tools to troubleshoot: http://dnsviz.net/ and https://www.zonemaster.net/



              Two more things:



              1. do not use host for troubleshooting, only dig (but @something and +trace are contradictory)

              2. as said by @Ward, provide the true domain name you are asking about if you want to have good help back to you





                  answered Apr 16 '17 at 19:34

                  Patrick Mevzek

                  2,99231225



