What is a Parent Nameserver?
Artist
FAIL: The following nameservers are listed at your nameservers as
nameservers for your domain, but are not listed at the parent
nameservers (see RFC2181 5.4.1). You need to make sure that these
nameservers are working. If they are not working ok, you may have problems!
ns1.example.info
What is a parent nameserver? Is this at the domain name's registrar or
my website's server where Bind9 is running?
--
If you desire to respond directly remove the "sj." from the domain name
part of my email address. It is a spam jammer.
Mike Easter
> What is a parent nameserver?
A parent/root nameserver is like d.gtld-server.net.
You should probably be reading about DNS and glue.
--
Mike Easter
Bill Marcum
> I have this error message at http://www.intodns.com:
>
> FAIL: The following nameservers are listed at your nameservers as
> nameservers for your domain, but are not listed at the parent
> nameservers (see RFC2181 5.4.1). You need to make sure that these
> nameservers are working. If they are not working ok, you may have problems!
> ns1.example.info
>
> What is a parent nameserver? Is this at the domain name's registrar or
> my website's server where Bind9 is running?
>
--
"Never underestimate the power of a small tactical nuclear weapon."
Doug Freyburger
> I have this error message at http://www.intodns.com:
>
> FAIL: The following nameservers are listed at your nameservers as
> nameservers for your domain, but are not listed at the parent
> nameservers (see RFC2181 5.4.1). You need to make sure that these
> nameservers are working. If they are not working ok, you may have problems!
> ns1.example.info
The RFC in question - http://www.faqs.org/rfcs/rfc2181.html
I suspect this is the application paragraph:
"Glue" above includes any record in a zone file that is not properly
part of that zone, including nameserver records of delegated sub-zones
(NS records), address records that accompany those NS records (A, AAAA,
etc), and any other stray data that might appear.
> What is a parent nameserver? Is this at the domain name's registrar or
> my website's server where Bind9 is running?
The parent zone should be one level in the hierarchy so that's how your
domain is registered at the root, which is not quite the same thing as
at the registrar.
I think you have more hosts acting as authoritative nameservers than you
have registered. So your SOA points to one of more of your systems and
you have additional ones. If that's how you've set up you're fine.
David W. Hodgins
> FAIL: The following nameservers are listed at your nameservers as
> nameservers for your domain, but are not listed at the parent
> nameservers (see RFC2181 5.4.1). You need to make sure that these
> What is a parent nameserver? Is this at the domain name's registrar or
> my website's server where Bind9 is running?
If I understand correctly, once you create the dnssec signing key
for the domain, register with https://dlv.isc.org/ and have the
domain signing key signed by the master key for the top level domain.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Pascal Hambourg
Artist a écrit :
> I have this error message at http://www.intodns.com:
>
> FAIL: The following nameservers are listed at your nameservers as
> nameservers for your domain, but are not listed at the parent
> nameservers (see RFC2181 5.4.1). You need to make sure that these
> nameservers are working. If they are not working ok, you may have problems!
> ns1.example.info
>
> What is a parent nameserver?
That does not exist. In the context of the above message, I guess it
should be "parent zone".
The message means that the nameserver list you provide to the registrar
for your zone should match the NS records in your zone.
Artist
> Hello,
>
> Artist a ï¿œcrit :
The parent zone is the Bind9 zone file on my server?
I do not understand where there is a mismatch. In the line below I have
substituted "example" for the real domain name and 192.0.32.10 for the
real IP address.
In the file "example.info.zone" I have as the first two lines:
$TTL 10800
@ IN SOA ns1.example.info. admin.example.info. (
Then farther down in the file I have the glue line:
ns1 IN A 192.0.32.10
My understanding is .example.info is automatically appended to ns1 in
the above line.
At the registrar which is Cheapies.com I have listed ns1.example.info as
the Primary Nameserver. Also, in their "Domain Nameserver Creation" page
I have listed ns1.example.info as a Host with the IP address 192.0.32.10.
I also set up slave nameservers at http://afraid.org and
https://puck.nether.net/dns/login. These are listed as secondayr
nameservers at the registrar as:
Artist
> Hello,
>
> Artist a ï¿œcrit :
The parent zone is the Bind9 zone file on my server?
I do not understand where there is a mismatch. In the line below I have
substituted "example" for the real domain name and 192.0.32.10 for the
real IP address.
In the file "example.info.zone" I have as the first two lines:
$TTL 10800
@ IN SOA ns1.example.info. admin.example.info. (
Then farther down in the file I have
@ IN NS ns1.example.info.
Then farther still in the file I have the glue line:
ns1 IN A 192.0.32.10
My understanding is .example.info is automatically appended to ns1 in
the above line.
At the registrar which is Cheapies.com I have listed ns1.example.info as
the Primary Nameserver. Also, in their "Domain Nameserver Creation" page
I have listed ns1.example.info as a Host with the IP address 192.0.32.10.
I also set up slave nameservers at http://afraid.org and
https://puck.nether.net/dns/login. These are listed as secondayr
nameservers at the registrar as:
--
Pascal Hambourg
>
>>> What is a parent nameserver?
>>
>> That does not exist. In the context of the above message, I guess it
>> should be "parent zone".
>>
>> The message means that the nameserver list you provide to the registrar
>> for your zone should match the NS records in your zone.
>
> The parent zone is the Bind9 zone file on my server?
No, it is the higher-level zone that contains the delegation (NS
records) for your zone. For 'example.com', the parent zone would be
'com'. Anyway you don't have to worry about this because the registrar
takes care of it.
> I do not understand where there is a mismatch. In the line below I have
> substituted "example" for the real domain name and 192.0.32.10 for the
> real IP address.
Note : the IP range reserved for examples and documentation is 192.0.2.0/24.
> In the file "example.info.zone" I have as the first two lines:
>
> $TTL 10800
> @ IN SOA ns1.example.info. admin.example.info. (
>
> Then farther down in the file I have
>
> @ IN NS ns1.example.info.
>
> Then farther still in the file I have the glue line:
>
> ns1 IN A 192.0.32.10
In your zone, this is not a glue record (your zone is authoritative for
ns1.example.info). It is a glue record only in the parent zone.
> My understanding is .example.info is automatically appended to ns1 in
> the above line.
Yes.
> At the registrar which is Cheapies.com I have listed ns1.example.info as
> the Primary Nameserver. Also, in their "Domain Nameserver Creation" page
> I have listed ns1.example.info as a Host with the IP address 192.0.32.10.
Ok, the registrar uses that info to create the glue record in the parent
zone.
> I also set up slave nameservers at http://afraid.org and
> https://puck.nether.net/dns/login. These are listed as secondayr
> nameservers at the registrar as:
>
> ns2.afraid.org
> puck.nether.net
Ok, but you must also add NS records for each of them in your zone file.
I guess this is what the message means.
Artist
>> Then farther still in the file I have the glue line:
>>
>> ns1 IN A 192.0.32.10
>
> In your zone, this is not a glue record (your zone is authoritative for
> ns1.example.info). It is a glue record only in the parent zone.
Then should this line be there?
This is called a glue record according to documentation I find online
such as here:
http://www.howtoforge.com/troubleshooting-common-dns-misconfiguration-errors
>
>> I also set up slave nameservers at http://afraid.org and
>> https://puck.nether.net/dns/login. These are listed as secondayr
>> nameservers at the registrar as:
>>
>> ns2.afraid.org
>> puck.nether.net
>
> Ok, but you must also add NS records for each of them in your zone file.
> I guess this is what the message means.
These are present already. Here is the complete zone file:
$TTL 10800
@ IN SOA ns1.example.info. admin.example.info. (
2010100401 ; serial
8H ; refresh
2H ; retry
1W ; expiry
11h) ; minimum
@ IN NS ns1.example.info.
@ IN NS ns2.afraid.org.
@ IN NS puck.nether.net.
@ IN MX 10 mail.example.info.
ns1 IN A 192.0.2.0
mail IN A 192.0.2.0
imap IN A 192.0.2.0
smtp IN A 192.0.2.0
pop3 IN A 192.0.2.0
@ IN TXT "v=spf1 a mx -all"
@ IN A 192.0.2.0
www IN A 192.0.2.0
Pascal Hambourg
> Pascal Hambourg wrote:
>
>>> Then farther still in the file I have the glue line:
>>>
>>> ns1 IN A 192.0.32.10
>> In your zone, this is not a glue record (your zone is authoritative for
>> ns1.example.info). It is a glue record only in the parent zone.
>
> Then should this line be there?
Yes. It should be both in the child (your) zone as a normal record and
in the parent zone as a glue record.
> This is called a glue record according to documentation I find online
> such as here:
> http://www.howtoforge.com/troubleshooting-common-dns-misconfiguration-errors
I repeat : this is called a glue record only in the parent zone.
>>> I also set up slave nameservers at http://afraid.org and
>>> https://puck.nether.net/dns/login. These are listed as secondayr
>>> nameservers at the registrar as:
>>>
>>> ns2.afraid.org
>>> puck.nether.net
>>
>> Ok, but you must also add NS records for each of them in your zone file.
>> I guess this is what the message means.
>
> These are present already. Here is the complete zone file:
>
> $TTL 10800
> @ IN SOA ns1.example.info. admin.example.info. (
> 2010100401 ; serial
> 8H ; refresh
> 2H ; retry
> 1W ; expiry
> 11h) ; minimum
> @ IN NS ns1.example.info.
> @ IN NS ns2.afraid.org.
> @ IN NS puck.nether.net.
[...]
That looks fine.
What are the nameservers that intodns.com complains about ?
Artist
If my entry at the registrar was supposed to create a glue record at the
parent (affilias.info?), and according to intodns it has not, and if
nothing is wrong with my zone file, then it must be that something is
wrong at my registrar. I need to know how intodns looks this up so I can
make a better case to Cheapies.com tech support that they need to fix
this. Should this glue record have appeared in the whois lookup at
affilias.info?
Intodns.com does show other problems. I am trying to get them solved one
at a time, the ones that appear to be the most serious ones first.
The other error messages at intodns.com that indicate trouble:
Domain NS records Nameserver records returned by the parent servers are:
ns2.afraid.org. ['174.37.196.55'] (NO GLUE) [TTL=86400]
puck.nether.net. ['204.42.254.5'] (NO GLUE) [TTL=86400]
c0.info.afilias-nst.info was kind enough to give us that information.
NS records from your nameservers NS records got from your nameservers
listed at the parent NS are:
puck.nether.net ['204.42.254.5'] [TTL=10800]
ns1.example.info ['192.0.2.0 '] [TTL=10800]
ns2.afraid.org ['174.37.196.55'] [TTL=10800]
Recursive Queries I could use the nameservers listed below to performe
recursive queries. It may be that I am wrong but the chances of that are
low. You should not have nameservers that allow recursive queries as
this will allow almost anyone to use your nameservers and can cause
problems. Problem record(s) are:
204.42.254.5
Nameservers are lame ERROR: looks like you have lame nameservers. The
following nameservers are lame:
174.37.196.55
Stealth NS records sent Stealth NS records were sent:
ns1.example.info
SOA MNAME entry WARNING: SOA MNAME (ns1.example.info) is not listed as
a primary nameserver at your parent nameserver!
Pascal Hambourg
> Pascal Hambourg wrote:
>> What are the nameservers that intodns.com complains about ?
Oops sorry, I didn't see in your first post that it was ns1.example.info.
> If my entry at the registrar was supposed to create a glue record at the
> parent (affilias.info?), and according to intodns it has not, and if
> nothing is wrong with my zone file, then it must be that something is
> wrong at my registrar.
I guess so.
> I need to know how intodns looks this up so I can
> make a better case to Cheapies.com tech support that they need to fix
> this.
It's just DNS queries. You can do it yourself with tools such as dig,
host or nslookup. E.g. :
$ dig ns example.info +trace
will list the NS hierarchy up from the root zone down to your zone.
Then you can query any NS on the chain, e.g. :
$ dig ns example.info @b2.info.afilias-nst.org.
To check the delegation, i.e. the NS records for your zone in the parent
zone.
$ dig a ns1.example.info @b2.info.afilias-nst.org.
To check the glue record if the previous query does not provided it as
an additionnal record.
> Should this glue record have appeared in the whois lookup at
> affilias.info?
I don't know. Anyway whois data are only informational.
> Intodns.com does show other problems. I am trying to get them solved one
> at a time, the ones that appear to be the most serious ones first.
>
> The other error messages at intodns.com that indicate trouble:
>
> Domain NS records Nameserver records returned by the parent servers are:
> ns2.afraid.org. ['174.37.196.55'] (NO GLUE) [TTL=86400]
> puck.nether.net. ['204.42.254.5'] (NO GLUE) [TTL=86400]
> c0.info.afilias-nst.info was kind enough to give us that information.
Indeed your primary nameserver ns1.example.info is missing. Maybe you
followed the wrong procedure when you declared it as an authoritative
nameserver for your zone to your registrar.
Note that the "(NO GLUE)" indication is not an error. The authoritative
nameservers for 'info' are not authoritative for 'org' or 'net', so
A/AAAA glue records for these names are pointless.
> NS records from your nameservers NS records got from your nameservers
> listed at the parent NS are:
>
> puck.nether.net ['204.42.254.5'] [TTL=10800]
> ns1.example.info ['192.0.2.0 '] [TTL=10800]
> ns2.afraid.org ['174.37.196.55'] [TTL=10800]
These are the three NS records from your zone. No error.
> Recursive Queries I could use the nameservers listed below to performe
> recursive queries. It may be that I am wrong but the chances of that are
> low. You should not have nameservers that allow recursive queries as
> this will allow almost anyone to use your nameservers and can cause
> problems. Problem record(s) are:
> 204.42.254.5
This is puck.nether.net, and it is reported to be recursive, i.e.
provide answers it is not authoritative for. According to my test, it is
not. Anyway this server is out of your control so there is nothing you
can do.
> Nameservers are lame ERROR: looks like you have lame nameservers. The
> following nameservers are lame:
>
This is ns2.afraid.org, and it is reported to be lame, i.e. not
authoritative for your zone. Check it yourself :
$ dig soa example.info @ns2.afraid.org
You'll have to check why with afraid.org.
> Stealth NS records sent Stealth NS records were sent:
> ns1.example.info
>
> SOA MNAME entry WARNING: SOA MNAME (ns1.example.info) is not listed as
> a primary nameserver at your parent nameserver!
These two messages, which are not necessarily errors, are caused by
ns1.example.info not being listed in the parent zone.
Artist
I went to http://www.affilias.info/ and did a reverse lookup of the IP
address there. My nameserver ns1.example.info did come up on that
lookup. So it appears my registrar did the glue. So maybe the error is
at intodns.com.
Pascal Hambourg
>
> I went to http://www.affilias.info/ and did a reverse lookup of the IP
> address there. My nameserver ns1.example.info did come up on that
> lookup.
Reverse DNS lookup follows a completely different delegation path than
direct lookup. In short : they are unrelated with each other.
The result of a direct lookup for a domain name is managed by the owner
of the domain.
The result of a reverse lookup for an IP address is managed by the owner
of the IP address block, usually your ISP or hosting company.
> So it appears my registrar did the glue.
Nope. Reverse DNS lookup has nothing to do with glue.