[dns-operations] Missing nameservers reported by parent

David C Lawrence tale at akamai.com
Tue May 21 13:58:39 UTC 2013


fenghe writes:
> from: http://www.intodns.com/dns-oarc.net
> 
> FAIL: The following nameservers are listed at your nameservers as 
> nameservers for your domain, but are not listed at the parent 
> nameservers (see RFC2181 5.4.1). You need to make sure that these 
> nameservers are working.If they are not working ok, you may have problems!
> ns2.dns-oarc.net
> 
> How about this warning?

While this is an interesting thing for the tool to note, it is being
overzealous in calling it a failure.  The NS record set at the apex is
not required to be identical to that above the zone cut, not even with
DNSSEC.

The reference to RFC 2181 is to the section on trustworthiness, which
is relevant but could be explained better in the report.  There's an
implication by the sentence structure that the equivalence is mandated
there.  Something like this would be clearer:

  WARNING: The following nameservers are listed at your nameservers as 
  nameservers for your domain, but are not listed at the parent 
  nameservers.  Because of the trustworthiness rules of RFC 2181
  section 5.4.1 some resolvers will use these additional nameservers,
  and if they are not working like those at your parent then you
  may have problems.
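
Added example, not part of the original message and not code from the tool under discussion: a sketch of the comparison with a mismatch reported as a WARNING instead of a FAIL. It generalizes slightly by also reporting names listed only at the parent. The example.net names and the probe results are constructed, and `compare_ns` and its parameters are hypothetical.

```python
# Added example: compare the delegation NS set (parent side of the zone cut)
# with the apex NS RRset (child side). All data here is constructed and no
# DNS queries are made; probe results are passed in by the caller.

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def compare_ns(parent_ns, child_ns, probes):
    """Return a list of (severity, message) findings.

    parent_ns -- NS names in the delegation above the zone cut
    child_ns  -- NS names in the apex NS RRset served by the zone itself
    probes    -- hypothetical probe results: name -> True/False for
                 "answers authoritatively for the zone"; absent = not probed
    """
    parent = {norm(n) for n in parent_ns}
    child = {norm(n) for n in child_ns}
    probed = {norm(k): v for k, v in probes.items()}
    findings = []
    for name in sorted(child - parent):
        # Authoritative apex data ranks above the parent's referral data
        # (RFC 2181 section 5.4.1), so some resolvers will use these servers.
        state = {True: "answers for the zone",
                 False: "does not answer for the zone",
                 None: "was not probed"}[probed.get(name)]
        findings.append(("WARNING",
                         f"{name} is listed at the apex but not at the parent; it {state}"))
    for name in sorted(parent - child):
        # Assumption of this example: the reverse mismatch is also reported.
        findings.append(("WARNING",
                         f"{name} is listed at the parent but not at the apex"))
    if not findings:
        findings.append(("OK", "parent and apex NS sets match"))
    return findings

if __name__ == "__main__":
    # Constructed sample: the apex carries one extra, working nameserver.
    parent = ["ns1.example.net."]
    child = ["NS1.Example.NET", "ns2.example.net."]
    for severity, message in compare_ns(parent, child, {"ns2.example.net": True}):
        print(f"{severity}: {message}")
```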


