Consistent issue with NS records


Bas van Wetten

Jan 13, 2025, 4:31:23 AM
to DNSControl-discuss
Hello all,

Thanks for your awesome work on dnscontrol, this is a great tool and I'm really glad I've found it. Makes my dns maintenance a lot easier :-)

I'm not sure if this is the right place, but I'm struggling with a part of dnscontrol that I cannot seem to get right. Below is my configuration for one of my domains:

Raw zone:

$ORIGIN mydropbox.nl.
$TTL 600
@                IN MX    10 mx.zoho.eu.
                 IN MX    20 mx2.zoho.eu.
                 IN MX    50 mx3.zoho.eu.
                 IN TXT   "v=spf1 include:zoho.eu ~all"
                 IN TXT   "zoho-verification=zb12109573.zmverify.zoho.eu"
www              IN CNAME mydropbox.nl.


Config:

var MX_ZOHO = function(name) {
  if (name === undefined) {
    name = "@";
  }
  return [
    MX(name, 10, "mx.zoho.eu."),
    MX(name, 20, "mx2.zoho.eu."),
    MX(name, 50, "mx3.zoho.eu."),
  ];
};

DEFAULTS(
  DefaultTTL("10m"),                      // 10 minutes (600 seconds) default TTL
  NAMESERVER_TTL("1d"),                   // 1 day (86400 seconds) default NS TTL
  IGNORE("_acme-challenge", "TXT"),
  IGNORE("_acme-challenge.**", "TXT"),
)

D("mydropbox.nl", REG_NONE,
    DnsProvider(DNS_TRANSIP),
    MX_ZOHO(),
    SPF_BUILDER({
        label: "@",
        overflow: "_spf%d",
        raw: "_rawspf",
        parts: [
            "v=spf1",
            "include:zoho.eu", // Zoho
            "~all"
        ],
        flatten: []
    }),
    CNAME("www", "mydropbox.nl."),
    TXT("@", "zoho-verification=zb12109573.zmverify.zoho.eu"),
);

I run the following command: dnscontrol push --domains mydropbox.nl

And this is my output:

$ dnscontrol push --domains mydropbox.nl

CONCURRENTLY gathering 1 zone(s)
SERIALLY gathering 0 zone(s)
Waiting for concurrent gathering(s) to complete...DONE
******************** Domain: mydropbox.nl
3 corrections (transip)
#1: + CREATE mydropbox.nl NS ns0.nl. ttl=86400
+ CREATE mydropbox.nl NS ns11.net. ttl=86400
+ CREATE mydropbox.nl NS ns5.be. ttl=86400
completed with errors
FAILURE! it is not allowed to have an NS for an @ record: @ 86400 NS ns0.nl.
Done. 3 corrections.


Issue:

I consistently get the 'FAILURE! it is not allowed to have an NS for an @ record: <record-in-question>'. I do not understand where the error comes from or how I can prevent this.

When I change DnsProvider to 'HE_NET' (for example) this issue does not occur.

$ dnscontrol push --domains mydropbox.nl

CONCURRENTLY gathering 0 zone(s)
SERIALLY gathering 1 zone(s)
Serially Gathering: "mydropbox.nl"
******************** Domain: mydropbox.nl
1 correction (he_net)
#1: ± MODIFY mydropbox.nl NS (ns2.he.net.mydropbox.nl. ttl=300) -> (ns1.he.net. ttl=86400)
SUCCESS!
Done. 1 corrections.

(Somehow the TTL change for the first NS record doesn't go through, but that is another issue I guess)

Is this a bug in the transip provider code?

Kind regards, Bas

Tom Limoncelli

Jan 13, 2025, 12:15:59 PM
to Bas van Wetten, DNSControl-discuss
On Mon, Jan 13, 2025 at 4:31 AM Bas van Wetten <bas.van...@gmail.com> wrote:
>
> Hello all,
>
> Thanks for your awesome work on dnscontrol, this is a great tool and I'm really glad I've found it. Makes my dns maintenance a lot easier :-)

Glad to hear it!


> ******************** Domain: mydropbox.nl
> 3 corrections (transip)
> #1: + CREATE mydropbox.nl NS ns0.nl. ttl=86400
> + CREATE mydropbox.nl NS ns11.net. ttl=86400
> + CREATE mydropbox.nl NS ns5.be. ttl=86400
> completed with errors
> FAILURE! it is not allowed to have an NS for an @ record: @ 86400 NS ns0.nl.
> Done. 3 corrections.
>
> Issue:
>
> I consistently get the 'FAILURE! it is not allowed to have an NS for an @ record: <record-in-question>' I do not understand where the error comes from or how I can prevent this.
>

That error message doesn't seem to appear in the source code. It
looks like it is coming from the TransIP provider.

What happens when you try to make the same change from the TransIP web portal?

I don't know much about TransIP, but many DNS providers don't permit
you to update some or all NS records.

Tom

Jeffrey Cafferata

Jan 13, 2025, 5:01:55 PM
to Tom Limoncelli, Bas van Wetten, DNSControl-discuss
Hi Tom, Bas,

The error message indicates that DNSControl is trying to add NS records for the root (@) of the domain, but TransIP doesn’t allow this because external nameservers are currently configured for mydropbox.nl. This creates a DNS 'diff' that DNSControl interprets as a necessary change, even though it’s not valid in TransIP’s system. This behavior is likely due to a bug or limitation in how DNSControl interacts with TransIP when external nameservers are in use. DNSControl interprets the external name servers as follows:

D("mydropbox.nl", REG_NONE,
    DnsProvider(DNS_TRANSIP),
    NAMESERVER('ns0.nl.'),
    NAMESERVER('ns11.net.'),
    NAMESERVER('ns5.be.'),
);

You could try changing the name servers within TransIP first ("TransIP default nameserver settings") and then perform a DNS control push again.

Jeffrey


Bas van Wetten

Jan 14, 2025, 4:47:51 AM
to Jeffrey Cafferata, Tom Limoncelli, DNSControl-discuss
Hi Jeffrey & Tom,

I manually changed the NS servers for the domain 'mydropbox.nl' to the TransIP nameservers (default nameservers, as per Jeffrey's suggestion), but that still gave the same result when using DNSControl; it still tried to create the NS records, even though the domain is already using the TransIP nameservers.

The 3 'CREATE' messages keep recurring on every subsequent run of 'dnscontrol push'.

Kind regards,

Bas van Wetten



Jeffrey Cafferata

Jan 14, 2025, 5:14:41 AM
to Bas van Wetten, Tom Limoncelli, DNSControl-discuss
Hi Bas,

Could you share the complete dnsconfig.js file from DNSControl? I’ve applied your earlier snippet to a test domain, but as with yesterday, I’m unable to reproduce the issue. I see in your screenshot the corrections are also applied for "he_net". I didn't see this in your code snippet before.

Kind regards,
Jeffrey Cafferata

On Tue, Jan 14, 2025 at 10:47, Bas van Wetten <bas.van...@gmail.com> wrote:
Screenshot 2025-01-14 at 11.08.44.png
Screenshot 2025-01-14 at 11.07.48.png
Screenshot 2025-01-14 at 11.11.19.png

Bas van Wetten

Jan 14, 2025, 7:03:01 AM
to Jeffrey Cafferata, Tom Limoncelli, DNSControl-discuss
Hi Jeffrey,

Here is my 'dnsconfig.js' file. Thanks for looking into this, by the way!

Kind regards,

Bas van Wetten

dnsconfig.js:

// @ts-check
/// <reference path="types-dnscontrol.d.ts" />

// Constants
var IPV4_VPS_1 = IP("1.2.3.4"); // slicehosting
var IPV4_VPS_2 = IP("1.2.3.4"); // vps.hosting
var IPV4_HOME = IP("1.2.3.4");

var IPV4_HOME_BURNARDO = IP("1.2.3.4");

// Macros
var MX_ZOHO = function(name) {
  if (name === undefined) {
    name = "@";
  }
  return [
    MX(name, 10, "mx.zoho.eu."),
    MX(name, 20, "mx2.zoho.eu."),
    MX(name, 50, "mx3.zoho.eu."),
  ];
};

var MX_SIMPLELOGIN = function(name) {
  if (name === undefined) {
    name = "@";
  }
  return [
    MX(name, 10, "mx1.simplelogin.co."),
    MX(name, 20, "mx2.simplelogin.co."),
  ];
};

var CNAME_DKIM_SIMPLELOGIN = function(name) {
  if (name === undefined) {
    name = "";
  }
  var dkimName = "._domainkey";
  if (name !== "") {
    dkimName += "." + name;
  }
  return [
    CNAME("dkim" + dkimName, "dkim._domainkey.simplelogin.co."),
    CNAME("dkim02" + dkimName, "dkim02._domainkey.simplelogin.co."),
    CNAME("dkim03" + dkimName, "dkim03._domainkey.simplelogin.co."),
  ]
};

DEFAULTS(
  DefaultTTL("10m"),                      // 10 minutes (600 seconds) default TTL
  NAMESERVER_TTL("1d"),                   // 1 day (86400 seconds) default NS TTL
  IGNORE("_acme-challenge", "TXT"),
  IGNORE("_acme-challenge.**", "TXT"),
)

// The "NONE" registrar is a "fake" registrar.
// This is useful if the registrar is not supported by DNSControl,
// or if you don't want to control the domain's delegation.
var REG_NONE = NewRegistrar("none");
var REG_PORKBUN = NewRegistrar("porkbun");
var DNS_PORKBUN = NewDnsProvider("porkbun");
var DNS_CLOUDFLARE = NewDnsProvider("cloudflare");
var DNS_ROUTE53 = NewDnsProvider("r53_main");
var DNS_TRANSIP = NewDnsProvider("transip");
var DNS_HE_NET = NewDnsProvider("he_net");
var DNS_HE_NET_2 = NewDnsProvider("he_net_2");

// Import zones
D("besqua.red",
  REG_NONE,
  DnsProvider(DNS_PORKBUN),
  DnsProvider(DNS_HE_NET, 0),
  //MX
  MX_ZOHO(),
  // SPF
  SPF_BUILDER({
    label: "@",
    overflow: "_spf%d",
    raw: "_rawspf",
    parts: [
      "v=spf1",
      "include:zoho.eu", // Zoho
      "~all"
    ],
    flatten: []
  }),
  // Zoho DKIM
  TXT("zoho._domainkey", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnglO3CMVRDNeFaiTDTpH3WGvq34gPILutdFdYt4u/8FTe4ksVHN0wMc5NS9Os3yIBI0nI4lel4nX7pzXnrbh461SzTGvFMkPBdk6GWQy4iehpH1jPtUVynAEDqg2tcTtQDBKQBuVYrVsOQHiiMmBXprx2bNVCv0gKZ0UTxrhvanPaw5WfzCkR1UasfL0mxDzfnCByeGfwOau3KmHthoHOYwuUHitpr+evQSGEHKjhBgHi5MexbWNpxFMtSmT5LfwO4YpTxFKEzC/t84ZNqC4SQSbyFzljIfSR+lQpIC5dVKA9Jmd9XEt8spRIKFPfdfwGwt/sbnuP3JtnDgQNiEKNQIDAQAB"),
);

  REG_NONE,
  DnsProvider(DNS_TRANSIP),
  DnsProvider(DNS_HE_NET, 0), // Quietly send a copy of the zone here.
  INCLUDE("besqua.red"),
);





Jeffrey Cafferata

Jan 14, 2025, 7:50:25 AM
to DNSControl-discuss
Hi Bas,

Thanks for the DNSControl set-up. I have created a GitHub issue for the TransIP provider maintainer @blackshadev.

Kind regards,
Jeffrey


Bas van Wetten

Jan 14, 2025, 7:53:49 AM
to Jeffrey Cafferata, DNSControl-discuss
Thanks Jeffrey,

I've subscribed to the GH issue - good job on creating the issue and getting a good reproducible case!

Thanks! 

Kind regards,

Bas van Wetten



Jeffrey Cafferata

Jan 15, 2025, 3:53:10 PM
to DNSControl-discuss
Hi Bas,

You may have seen it from the GitHub issue tracker. The issue has been fixed in the main branch. Once the latest version of DNSControl has been tagged, you can proceed without the error "FAILURE! it is not allowed to have an NS for an @ record".

Kind regards,
Jeffrey
