Fixing DNS Errors After Changing Nameservers for Cloudflare

dns-zonedomain-name-systemipip addressnameserver

I don't know if this is the right place for my question, but I have a problem with my DNS/nameservers after changing the nameservers. I'm not sure if it is a problem at my side or at my webhost.

I updated the DNS Zone Records in the Control Panel of my webhosting provider to the ones provided by Cloudflare.
After that there are two nameservers:

NS  elle.ns.cloudflare.com  
NS  lloyd.ns.cloudflare.com

The site is still alive, but when I check the DNS (http://www.intodns.com) I have the following errors:

enter image description here

Pingdom also tells me:

Superfluous name server listed at parent: ns1.mijnhostingpartner.nl
Superfluous name server listed at parent: ns2.mijnhostingpartner.nl
Superfluous name server listed at parent: ns3.mijnhostingpartner.nl 2
different serials found. 2 different SOA records found. Could not
find reverse address for (4 times)

Could someone please help me? Cloudflare also says that the installation is not correct.
Thanks!

Best Answer

The error messages and the referenced RFC2181 5.4.1 pretty much already tells what's wrong: you are having conflicting NS records in your zone and in the parent zone as "glue" records.

"Glue" above includes any record in a zone file that is not properly part of that zone, including nameserver records of delegated sub- zones (NS records), address records that accompany those NS records (A, AAAA, etc), and any other stray data that might appear.

It is not enough to change the NS records in the zone file, but you should also change them at your domain registrar. Then, they are added in the TLD's zone in order to delegate the control over your sub-zone. Here, example.com. is a sub-zone of com. that is a sub-zone of ., the root.

Why are these "glue" records necessary? They prevent circular references. If you think DNS queries as a conversation between DNS servers, a circular reference could be:

Hello, NS of com.! Do you know, what is the name server for example.com.?
Sure I do! It's ns1.example.com..
Thanks bro! What is the IP address of this ns1.example.com.?
I don't know, you should ask from the name server of example.com..
Ok, what is the name server for example.com.?

Therefore, the previous level zone must include the IP addresses of the nameservers, too.

Related Solutions

Why No name servers found at child

NS3 does not respond to queries for itself and the other name server:

$ dig @83.169.20.193 ns4.soonce.com

; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.20.193 ns4.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23542
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns4.soonce.com.            IN  A

;; AUTHORITY SECTION:
soonce.com.     86400   IN  SOA ns3.soonce.com. info.soonce.com. 2012022101 86400 7200 3600000 86400

;; Query time: 29 msec
;; SERVER: 83.169.20.193#53(83.169.20.193)
;; WHEN: Thu Apr  5 13:54:50 2012
;; MSG SIZE  rcvd: 77

$ dig @83.169.20.193 ns3.soonce.com

; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.20.193 ns3.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7770
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns3.soonce.com.            IN  A

;; AUTHORITY SECTION:
soonce.com.     86400   IN  SOA ns3.soonce.com. info.soonce.com. 2012022101 86400 7200 3600000 86400

;; Query time: 33 msec
;; SERVER: 83.169.20.193#53(83.169.20.193)
;; WHEN: Thu Apr  5 13:54:54 2012
;; MSG SIZE  rcvd: 73

NS4 responds correctly:

$ dig @83.169.46.225 ns3.soonce.com

; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.46.225 ns3.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45021
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns3.soonce.com.            IN  A

;; ANSWER SECTION:
ns3.soonce.com.     14400   IN  A   83.169.46.225

;; AUTHORITY SECTION:
ns3.soonce.com.     86400   IN  NS  ns3.soonce.com.
ns3.soonce.com.     86400   IN  NS  ns4.soonce.com.

;; ADDITIONAL SECTION:
ns4.soonce.com.     14400   IN  A   83.169.20.193

;; Query time: 31 msec
;; SERVER: 83.169.46.225#53(83.169.46.225)
;; WHEN: Thu Apr  5 13:57:30 2012
;; MSG SIZE  rcvd: 96

$ dig @83.169.46.225 ns4.soonce.com

; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.46.225 ns4.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39553
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns4.soonce.com.            IN  A

;; ANSWER SECTION:
ns4.soonce.com.     14400   IN  A   83.169.20.193

;; AUTHORITY SECTION:
ns4.soonce.com.     86400   IN  NS  ns4.soonce.com.
ns4.soonce.com.     86400   IN  NS  ns3.soonce.com.

;; ADDITIONAL SECTION:
ns3.soonce.com.     14400   IN  A   83.169.46.225

;; Query time: 31 msec
;; SERVER: 83.169.46.225#53(83.169.46.225)
;; WHEN: Thu Apr  5 13:57:33 2012
;; MSG SIZE  rcvd: 96

NS4 is also not returning glue records. There should be an ADDITIONAL SECTION with the A records for the two name servers after the ANSWER SECTION:

$ dig @83.169.20.193 soonce.com NS

; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.20.193 soonce.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44464
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;soonce.com.            IN  NS

;; ANSWER SECTION:
soonce.com.     86400   IN  NS  ns4.soonce.com.
soonce.com.     86400   IN  NS  ns3.soonce.com.

;; Query time: 81 msec
;; SERVER: 83.169.20.193#53(83.169.20.193)
;; WHEN: Thu Apr  5 14:00:01 2012
;; MSG SIZE  rcvd: 64

Domain – DNS BIND on CENTOS 6.3 and domain nameservers

Your configuration file sets

allow-query     { localhost; };

That means BIND will only respond to queries from it's own server.

[jonv@desk ~]$ dig @66.215.210.17 example.com. soa

; <<>> DiG 9.7.6-P1 <<>> @66.215.210.17 example.com. soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59075
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

The 'status: REFUSED' is the big indicator of what's wrong.

Edit: You should be able to just remove the line, the default is allow-query {any;};. Without understanding your environment further, it's hard to give you an exact answer. You can also put the allow-query line within the zone statement for example.com while leaving the allow-query { localhost;}; in place for the global setting.

Best Answer

Related Solutions

Why No name servers found at child

Domain – DNS BIND on CENTOS 6.3 and domain nameservers

Related Topic