Setting different NS records as authoritative on authoritative DNS
I have DNS servers for a domain set to one set of authoritative DNS servers on the registrar. However, those DNS servers' zone file for the domain has a different set of NS records for it. Some DNS servers are passing the request on merrily to the NS servers set in the zone file; however, some others (such as Google, Level 3 and OpenDNS' public DNS servers) aren't resolving the records properly. They return the proper NS records, but requests for A records at the sub-delegated DNS server are not being returned. I have provided plenty of output below; but the gist of it is, the requests aren't being referred to the NS records I set at QUICKROUTEDNS.COM for the domain, which are NS records pointing to Amazon's cloud DNS. Instead the requests are stopping at QUICKROUTEDNS.COM. So how do I instruct DNS servers to continue their query on to Amazon as it's authoritative for the domain, without changing the DNS records at the registrar?



Here's an example:



The domain's DNS records at the registrar:



Name Server: NS1.QUICKROUTEDNS.COM
Name Server: NS2.QUICKROUTEDNS.COM
Name Server: NS3.QUICKROUTEDNS.COM


Pulling the NS records for the domain (the authoritative DNS, QUICKROUTEDNS.COM, has these servers set as the NS record):



$ host -t NS domain.com 
domain.com name server ns-1622.awsdns-10.co.uk.
domain.com name server ns-1387.awsdns-45.org.
domain.com name server ns-774.awsdns-32.net.
domain.com name server ns-48.awsdns-06.com.


An A record from the Amazon DNS servers hosting the domain:



$ host www.domain.com ns-1387.awsdns-45.org
Using domain server:
Name: ns-1387.awsdns-45.org.
Address: 205.251.197.107#53
Aliases:

www.domain.com has address 201.201.201.201


Yet, when I request it from any given nameserver:



$ host www.domain.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host www.domain.com not found: 3(NXDOMAIN)


This is consistent amongst almost every DNS server, although there are a FEW that will report the A record as expected.



Here is a dig +trace output when trying to pull the A record:



$ dig @8.8.8.8 www.domain.com A +trace 

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 www.domain.com A +trace
; (1 server found)
;; global options: +cmd
. 1341 IN NS m.root-servers.net.
. 1341 IN NS j.root-servers.net.
. 1341 IN NS a.root-servers.net.
. 1341 IN NS d.root-servers.net.
. 1341 IN NS f.root-servers.net.
. 1341 IN NS c.root-servers.net.
. 1341 IN NS b.root-servers.net.
. 1341 IN NS e.root-servers.net.
. 1341 IN NS i.root-servers.net.
. 1341 IN NS h.root-servers.net.
. 1341 IN NS g.root-servers.net.
. 1341 IN NS l.root-servers.net.
. 1341 IN NS k.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 58 ms

net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
;; Received 503 bytes from 192.36.148.17#53(192.36.148.17) in 586 ms

domain.com. 172800 IN NS ns1.quickroutedns.com.
domain.com. 172800 IN NS ns2.quickroutedns.com.
domain.com. 172800 IN NS ns3.quickroutedns.com.
;; Received 153 bytes from 192.55.83.30#53(192.55.83.30) in 790 ms

domain.com. 3600 IN SOA cns1.atlantic.net. noc.atlantic.net. 2016033004 28800 7200 604800 3600
;; Received 88 bytes from 69.16.156.227#53(69.16.156.227) in 712 ms


As we can see, it's only getting to the QUICKROUTEDNS.COM nameservers and not going on to request from the Amazon nameservers. So, how do I tell DNS servers to fetch their queries from the Amazon servers and NOT to stop at QuickRouteDNS.COM?
domain-name-system bind nameserver dns-hosting dns-zone
asked Mar 31 '16 at 19:56
Brendan
  • If you want anyone to be able to help troubleshoot, you need to post the actual domain name. Since this is all your public domain name and addresses, there's no security implication to doing so.

    – Ward
    Apr 1 '16 at 4:39
2 Answers
There are really two questions being asked here, and they directly contradict each other:



  1. how do I instruct DNS servers to continue their query on to Amazon as its authoritative for the domain, without changing the DNS records at the registrar?

  2. how do I tell DNS servers to fetch its queries from the Amazon servers and NOT to stop at QuickRouteDNS.COM?

Every delegation in the DNS hierarchy must be more specific than the last. In other words, you can delegate subdomains but you cannot re-delegate the exact same name that has been delegated to your server. The correct solution is to change the configuration at the registrar level, which you are trying to avoid.



What you have right now is a common misconfiguration known as an NS record mismatch, which gives an incorrect impression that this design is achievable. Below is an explanation of what is happening, but it will be challenging to follow without a good grasp of DNS concepts. If I lose you, please take it for granted that correcting the registrar data is the proper way to address your issue.




To illustrate, here are two example zone snippets:



$ORIGIN example.com.   ; trailing dot: an absolute origin, not relative to the previous one
@ 2941 IN SOA ns1.example.com. someone.example.com. (
2015071001 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
7200000 ; expire (11 weeks 6 days 8 hours)
3600 ; minimum (1 hour)
)
@ IN NS ns1
@ IN NS ns2

sub IN NS ns1.contoso.com.
sub IN NS ns2.contoso.com.


On the contoso.com nameservers:



$ORIGIN sub.example.com.
@ 2941 IN SOA ns1.sub.example.com. someone.contoso.com. (
2015071001 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
7200000 ; expire (11 weeks 6 days 8 hours)
3600 ; minimum (1 hour)
)
@ IN NS bagel.contoso.com.
@ IN NS bacon.contoso.com.


Which NS records in the above two zones are authoritative for sub.example.com? If you thought it was ns1 and ns2.contoso.com, you would be mistaken. Contrary to popular belief, a nameserver which performs a delegation is not considered authoritative for the NS records used to define that delegation. The authoritative definition is instead owned by the zone on the receiving end of the delegation.



We've established that bacon and bagel are authoritative. What isn't so obvious here is that nameservers aren't necessarily going to realize that immediately. Delegations are followed in good faith, and it will initially be assumed that the servers receiving the delegation are authoritative. It's only when those NS records are refreshed that the brain damage occurs. Refreshes can be triggered by any number of things, from the TTL of the delegating NS records expiring to an explicit request for the value of those NS records. Once the NS records are overwritten, the new servers get used.



Putting it all together, there is an initial period where your registrar defined nameservers are being used, followed by a period where the second set of nameservers are being used. During the first period, any records that only exist on the second set of servers will fail. During the second period, any records that only exist on the first set of servers will fail.



It may sound like the problem will eventually fix itself (just wait for everything to refresh), but that will never happen. People will restart their nameservers, flush their cache, or stand up new nameservers. Your domain will exist in an inconsistent state of flux until the NS records become consistent. DNS gurus can do some interesting things with this, but the valid use cases for this type of configuration are few and far between. The average user should avoid conflicting nameserver definitions at all costs.
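As an added illustration (not part of the question or either answer), here is a Python model of the parent/child NS mismatch that the question's dig +trace shows and the answer above explains: a consistency check over the two NS sets plus a toy caching resolver that switches server pools once it has seen the child's apex NS RRset. The server data is constructed to mirror the question; the AWS-side SOA name, the RFC 2181 ranking remark and the resolver's single-server pick are my assumptions, not anything from the page.

```python
from dataclasses import dataclass, field

ZONE = "domain.com."
WWW = "www." + ZONE

# Constructed data mirroring the question (not real servers). The NS set the
# parent (.com, via the registrar) hands out and the NS set at the zone apex
# disagree; only the child-side servers carry the A record for www.
PARENT_NS = {"ns1.quickroutedns.com.", "ns2.quickroutedns.com.", "ns3.quickroutedns.com."}
CHILD_NS = {"ns-1387.awsdns-45.org.", "ns-48.awsdns-06.com."}

# What each authoritative server answers: (name, type) -> answer set.
# A (name, type) absent from a server stands in for NXDOMAIN.
SERVERS = {}
for ns in PARENT_NS:   # registrar-listed servers: apex SOA + the AWS NS set, no www
    SERVERS[ns] = {(ZONE, "SOA"): {"cns1.atlantic.net."}, (ZONE, "NS"): CHILD_NS}
for ns in CHILD_NS:    # AWS servers (SOA name assumed): same NS set plus the www A record
    SERVERS[ns] = {(ZONE, "SOA"): {"ns-1387.awsdns-45.org."}, (ZONE, "NS"): CHILD_NS,
                   (WWW, "A"): {"201.201.201.201"}}


def check_delegation(parent_ns, child_ns, servers=SERVERS):
    """The consistency checks to run before blaming resolvers: the parent and
    child NS sets must match, and every parent-listed server must answer the
    apex SOA (a server that does not is lame for the zone)."""
    lame = {ns for ns in parent_ns if (ZONE, "SOA") not in servers.get(ns, {})}
    return {
        "consistent": parent_ns == child_ns,
        "only_at_parent": parent_ns - child_ns,   # dropped once the child set is cached
        "only_at_child": child_ns - parent_ns,    # never reached in the first period
        "lame_at_parent": lame,
    }


@dataclass
class Resolver:
    """Tiny caching resolver modelling the behaviour the answer describes: the
    parent referral is followed in good faith, but an authoritative apex NS
    answer replaces the cached set (RFC 2181 ranks it above referral data),
    so the pool of servers being asked silently switches."""
    ns_ttl: int = 172800
    cache: dict = field(default_factory=dict)   # zone -> (ns set, expiry time)

    def flush(self):
        """Restart or cache flush: back to trusting the parent referral."""
        self.cache.clear()

    def nameservers(self, now):
        entry = self.cache.get(ZONE)
        if entry is None or entry[1] <= now:
            self.cache[ZONE] = (set(PARENT_NS), now + self.ns_ttl)  # referral from parent
        return self.cache[ZONE][0]

    def query(self, qname, qtype, now=0):
        """Return the answer set, or None for NXDOMAIN, from one server of the
        currently cached NS set (sorted so the pick is deterministic)."""
        server = sorted(self.nameservers(now))[0]
        answer = SERVERS[server].get((qname, qtype))
        if qname == ZONE and qtype == "NS" and answer is not None:
            # the authoritative apex NS RRset overwrites the referral copy
            self.cache[ZONE] = (set(answer), now + self.ns_ttl)
        return answer


def walk_through():
    """Reproduce the two periods from the answer and the reset after a flush."""
    r = Resolver()
    first = r.query(WWW, "A", now=0)    # registrar servers: NXDOMAIN, as in the question
    r.query(ZONE, "NS", now=1)          # an explicit NS lookup triggers the overwrite
    second = r.query(WWW, "A", now=2)   # AWS servers: the A record appears
    r.flush()                           # someone restarts a resolver ...
    third = r.query(WWW, "A", now=3)    # ... and www is NXDOMAIN again
    return first, second, third


if __name__ == "__main__":
    print(check_delegation(PARENT_NS, CHILD_NS))
    print(walk_through())
```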
Saying "I have DNS servers for a domain set to one set of authoritative DNS servers on the registrar. However, those DNS servers zone file for the domain have a different set of NS records for it." means that you created a lame delegation. You can stop there, as nothing will work correctly with this kind of setup, so do not do this!

Helpful tools to troubleshoot: http://dnsviz.net/ and https://www.zonemaster.net/

2 more things:

1. do not use host for troubleshooting, only dig (but @something and +trace are contradictory)

2. as said by @Ward, provide the true domain name you are asking about if you want to have good help back to you





    share|improve this answer























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "2"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f767408%2fsetting-different-ns-records-as-authoritative-on-authoritative-dns%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      4














      There are really two questions being asked here, and they directly contradict each other:



      1. how do I instruct DNS servers to continue their query on to Amazon as its authoritative for the domain, without changing the DNS records at the registrar?

      2. how do I tell DNS servers to fetch its queries from the Amazon servers and NOT to stop at QuickRouteDNS.COM?

      Every delegation in the DNS hiearchy must be more specific than the last. In other words, you can delegate subdomains but you cannot re-delegate the exact same name that has been delegated to your server. The correct solution is to change the configuration at the registrar level, which you are trying to avoid.



      What you have right now is a common misconfiguration known as a NS record mismatch, which gives an incorrect impression that this design is achievable. Below is an explanation of what is happening, but it will be challenging to follow without a good grasp of DNS concepts. If I lose you, please take it for granted that correcting the registrar data is the proper way to address your issue.




      To illustrate, here are two example zone snippets:



      $ORIGIN example.com
      @ 2941 IN SOA ns1.example.com. someone.example.com. (
      2015071001 ; serial
      7200 ; refresh (2 hours)
      900 ; retry (15 minutes)
      7200000 ; expire (11 weeks 6 days 8 hours)
      3600 ; minimum (1 hour)
      )
      @ IN NS ns1
      @ IN NS ns2

      sub IN NS ns1.contoso.com.
      sub IN NS ns2.contoso.com.


      On the contoso.com nameservers:



      $ORIGIN sub.example.com.
      @ 2941 IN SOA ns1.sub.example.com. someone.contoso.com. (
      2015071001 ; serial
      7200 ; refresh (2 hours)
      900 ; retry (15 minutes)
      7200000 ; expire (11 weeks 6 days 8 hours)
      3600 ; minimum (1 hour)
      )
      @ IN NS bagel.contoso.com.
      @ IN NS bacon.contoso.com.


      Which NS records in the above two zones are authoritative for sub.example.com? If you thought it was ns1 and ns2.contoso.com, you would be mistaken. Contrary to popular belief, a nameserver which performs a delegation is not considered authoritative for the NS records used to define that delegation. The authoritative definition is instead owned by the zone on the receiving end of the delegation.



      We've established that bacon and bagel are authoritative. What isn't so obvious here is that namesevers aren't necessarily going to realize that immediately. Delegations are followed in good faith, and it will initially be assumed that the servers receiving the delegation are authoritative. It's only when those NS records are refreshed that the brain damage occurs. Refreshes can be triggered by any number of things, from TTL of the delegating NS records expiring to an explicit request for the value of those NS records. Once the NS records are overwritten, the new servers get used.



      Putting it all together, there is an initial period where your registrar defined nameservers are being used, followed by a period where the second set of nameservers are being used. During the first period, any records that only exist on the second set of servers will fail. During the second period, any records that only exist on the first set of servers will fail.



      It may sound like the problem will eventually fix itself (just wait for everything to refresh), but that will never happen. People will restart their nameservers, flush their cache, or stand up new nameservers. Your domain will exist in an inconsistent state of flux until the NS records become consistent. DNS gurus can do some interesting things with this, but the valid use cases for this type of configuration are few and far between. The average user should avoid conflicting nameserver definitions at all costs.






edited Apr 1 '16 at 8:09
answered Apr 1 '16 at 7:37
Andrew B
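As an added example (not part of either answer on this page, and not code from any DNS project), here is a small Python script that makes the NS record mismatch described above mechanical to spot. It parses a parent zone and a child zone, collects the NS set the parent delegates with and the NS set the child publishes at its apex, and reports any difference between the two; a non-empty difference is the inconsistent state that causes records to fail in alternating periods. The zone text is constructed inline, modelled on the example.com / sub.example.com snippets in the answer, with a second, corrected child zone added for contrast; the functions `parse_ns_records` and `delegation_report` and the constant names are my own. In production the same comparison would be made against what the parent's and the child's nameservers actually return, which is what the tools mentioned in the next answer do.

```python
# Constructed zone snippets, modelled on the example.com / sub.example.com
# zones in the answer above (not copied from any real deployment).
PARENT_ZONE = """\
$ORIGIN example.com
@ 2941 IN SOA ns1.example.com. someone.example.com. (
        2015071001 ; serial
        7200       ; refresh (2 hours)
        900        ; retry (15 minutes)
        7200000    ; expire (11 weeks 6 days 8 hours)
        3600       ; minimum (1 hour)
        )
@ IN NS ns1
@ IN NS ns2

sub IN NS ns1.contoso.com.
sub IN NS ns2.contoso.com.
"""

# Child zone as served by the contoso.com servers: its apex NS set names
# different servers than the parent's delegation (the mismatch).
CHILD_ZONE_MISMATCHED = """\
$ORIGIN sub.example.com.
@ 2941 IN SOA ns1.sub.example.com. someone.contoso.com. (
        2015071001 ; serial
        7200       ; refresh
        900        ; retry
        7200000    ; expire
        3600       ; minimum
        )
@ IN NS bagel.contoso.com.
@ IN NS bacon.contoso.com.
"""

# Corrected child zone (constructed): the apex NS set matches the delegation.
CHILD_ZONE_FIXED = """\
$ORIGIN sub.example.com.
@ IN SOA ns1.contoso.com. someone.contoso.com. 2015071002 7200 900 7200000 3600
@ IN NS ns1.contoso.com.
@ IN NS ns2.contoso.com.
"""

CLASSES = {"IN", "CH", "HS"}


def _qualify(name, origin):
    """Turn a zone-file owner or target name into an absolute name ending in '.'."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_ns_records(zone_text):
    """Return {owner_name: set(nameserver_names)} for every NS record in a zone file.

    Handles $ORIGIN, '@', relative names, ';' comments and parenthesised
    multi-line records (the SOA). Every record line must start with an
    explicit owner name; the "blank owner = previous owner" shorthand is
    not supported, which is enough for snippets like the ones above.
    """
    origin = "."
    depth = 0  # parenthesis nesting, used to skip SOA continuation lines
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments before counting parens
        if depth > 0:
            depth += line.count("(") - line.count(")")
            continue
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        depth += line.count("(") - line.count(")")  # record opens a multi-line rdata
        owner = _qualify(tokens[0], origin)
        fields = tokens[1:]
        if fields and fields[0].isdigit():          # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() in CLASSES:  # optional class
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "NS":
            records.setdefault(owner, set()).add(_qualify(fields[1], origin))
    return records


def delegation_report(parent_zone, child_zone, child_name):
    """Compare the parent's delegation NS set with the child's apex NS set.

    Resolvers follow the parent's delegation first, then replace it with the
    child's authoritative apex NS set once they learn it, so any difference
    between the two sets means the zone is served by alternating server sets.
    """
    delegation = parse_ns_records(parent_zone).get(child_name, set())
    apex = parse_ns_records(child_zone).get(child_name, set())
    return {
        "delegation": delegation,
        "apex": apex,
        "only_in_delegation": delegation - apex,  # servers resolvers use at first
        "only_in_apex": apex - delegation,        # servers resolvers use after refresh
        "consistent": bool(delegation) and delegation == apex,
    }


if __name__ == "__main__":
    for label, child in (("mismatched", CHILD_ZONE_MISMATCHED), ("fixed", CHILD_ZONE_FIXED)):
        report = delegation_report(PARENT_ZONE, child, "sub.example.com.")
        print(f"{label}: consistent={report['consistent']}")
        for key in ("delegation", "apex", "only_in_delegation", "only_in_apex"):
            print(f"  {key}: {sorted(report[key])}")
```

The two sets being compared are the same two sets the answer asks about: the delegation NS records in the parent zone, and the apex NS records in the child zone, of which only the latter are authoritative. Running the script prints a non-empty `only_in_delegation` and `only_in_apex` for the mismatched child zone and empty sets for the corrected one.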















              Saying "I have DNS servers for a domain set to one set of authoritative DNS servers on the registrar. However, those DNS servers zone file for the domain have a different set of NS records for it." means that you created a lame delegation. You can stop there, as nothing will work correctly with this kind of setup, so do not do this!



              Helpful tools to troubleshoot: http://dnsviz.net/ and https://www.zonemaster.net/



              2 more things:



              1. do not use host for troubleshooting, only dig (but @something and +trace are contradictory)

              2. as said by @Ward, provide the true domain name you are asking about if you want to have good help back to you





                  answered Apr 16 '17 at 19:34









                  Patrick Mevzek
