NS3 does not respond to queries for itself and the other name server:
$ dig @83.169.20.193 ns4.soonce.com
; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.20.193 ns4.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23542
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns4.soonce.com. IN A
;; AUTHORITY SECTION:
soonce.com. 86400 IN SOA ns3.soonce.com. info.soonce.com. 2012022101 86400 7200 3600000 86400
;; Query time: 29 msec
;; SERVER: 83.169.20.193#53(83.169.20.193)
;; WHEN: Thu Apr 5 13:54:50 2012
;; MSG SIZE rcvd: 77
$ dig @83.169.20.193 ns3.soonce.com
; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.20.193 ns3.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7770
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns3.soonce.com. IN A
;; AUTHORITY SECTION:
soonce.com. 86400 IN SOA ns3.soonce.com. info.soonce.com. 2012022101 86400 7200 3600000 86400
;; Query time: 33 msec
;; SERVER: 83.169.20.193#53(83.169.20.193)
;; WHEN: Thu Apr 5 13:54:54 2012
;; MSG SIZE rcvd: 73
NS4 responds correctly:
$ dig @83.169.46.225 ns3.soonce.com
; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.46.225 ns3.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45021
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns3.soonce.com. IN A
;; ANSWER SECTION:
ns3.soonce.com. 14400 IN A 83.169.46.225
;; AUTHORITY SECTION:
ns3.soonce.com. 86400 IN NS ns3.soonce.com.
ns3.soonce.com. 86400 IN NS ns4.soonce.com.
;; ADDITIONAL SECTION:
ns4.soonce.com. 14400 IN A 83.169.20.193
;; Query time: 31 msec
;; SERVER: 83.169.46.225#53(83.169.46.225)
;; WHEN: Thu Apr 5 13:57:30 2012
;; MSG SIZE rcvd: 96
$ dig @83.169.46.225 ns4.soonce.com
; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.46.225 ns4.soonce.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39553
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;ns4.soonce.com. IN A
;; ANSWER SECTION:
ns4.soonce.com. 14400 IN A 83.169.20.193
;; AUTHORITY SECTION:
ns4.soonce.com. 86400 IN NS ns4.soonce.com.
ns4.soonce.com. 86400 IN NS ns3.soonce.com.
;; ADDITIONAL SECTION:
ns3.soonce.com. 14400 IN A 83.169.46.225
;; Query time: 31 msec
;; SERVER: 83.169.46.225#53(83.169.46.225)
;; WHEN: Thu Apr 5 13:57:33 2012
;; MSG SIZE rcvd: 96
NS4 is also not returning glue records. There should be an ADDITIONAL SECTION with the A records for the two name servers after the ANSWER SECTION:
$ dig @83.169.20.193 soonce.com NS
; <<>> DiG 9.6-ESV-R4-P3 <<>> @83.169.20.193 soonce.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44464
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;soonce.com. IN NS
;; ANSWER SECTION:
soonce.com. 86400 IN NS ns4.soonce.com.
soonce.com. 86400 IN NS ns3.soonce.com.
;; Query time: 81 msec
;; SERVER: 83.169.20.193#53(83.169.20.193)
;; WHEN: Thu Apr 5 14:00:01 2012
;; MSG SIZE rcvd: 64
Your configuration file sets
allow-query { localhost; };
That means BIND will only respond to queries from its own server.
[jonv@desk ~]$ dig @66.215.210.17 example.com. soa
; <<>> DiG 9.7.6-P1 <<>> @66.215.210.17 example.com. soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59075
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
The 'status: REFUSED' is the big indicator of what's wrong.
Edit: You should be able to just remove the line; the default is allow-query {any;};. Without understanding your environment further, it's hard to give you an exact answer. You can also put the allow-query line within the zone statement for example.com while leaving the allow-query { localhost;}; in place for the global setting.
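The two answers above read three conditions off the dig output by eye: an authoritative NXDOMAIN for a name server's own name, an NS answer with no glue in the ADDITIONAL section, and status REFUSED. The sketch below automates that reading; it is an added example, not part of either answer, and `parse_dig` and `triage` are hypothetical names, with sample input abridged from the transcripts quoted on this page.

```python
import re
# Constructed samples, abridged from the dig transcripts quoted on this page.
NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23542
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns4.soonce.com. IN A
"""
NO_GLUE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44464
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;soonce.com. IN NS
;; ANSWER SECTION:
soonce.com. 86400 IN NS ns4.soonce.com.
soonce.com. 86400 IN NS ns3.soonce.com.
"""
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 59075
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def parse_dig(text):
    """Parse dig's default text output: status, flags, records per section."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    msg = {"status": status and status.group(1),
           "flags": flags.group(1).split() if flags else []}
    section = None
    for line in text.splitlines():
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            section = head.group(1)
        elif line.startswith(";;"):
            section = None  # any other ";;" line ends the current section
        elif section and line.strip():
            msg.setdefault(section, []).append(line.lstrip(";").split())
    return msg

def triage(text):
    """Map one dig response to the diagnoses discussed in the answers above."""
    msg = parse_dig(text)
    q = (msg.get("QUESTION") or [[None, None, None]])[0]  # transcript may be cut short
    if msg["status"] == "REFUSED":  # rejected by server policy, e.g. allow-query
        return ["REFUSED"]
    if msg["status"] == "NXDOMAIN" and "aa" in msg["flags"]:
        return [f"AUTH_NXDOMAIN:{q[0]}"]  # this server's zone copy lacks the name
    if msg["status"] != "NOERROR" or q[2] != "NS":
        return []
    glued = {r[0] for r in msg.get("ADDITIONAL", []) if r[3] in ("A", "AAAA")}
    return ["MISSING_GLUE:" + r[4] for r in msg.get("ANSWER", [])
            if r[3] == "NS" and r[4].endswith("." + q[0]) and r[4] not in glued]
```

Feeding it the saved output of the same query against every listed name server shows at a glance which server holds a stale or incomplete copy of the zone.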
Best Answer
The error messages and the referenced RFC2181 5.4.1 pretty much already tell what's wrong: you have conflicting NS records in your zone and in the parent zone as "glue" records.
It is not enough to change the NS records in the zone file; you should also change them at your domain registrar. Then, they are added in the TLD's zone in order to delegate the control over your sub-zone. Here, example.com. is a sub-zone of com. that is a sub-zone of ., the root.
Why are these "glue" records necessary? They prevent circular references. If you think of DNS queries as a conversation between DNS servers, a circular reference could be:
com.! Do you know, what is the name server for example.com.?
ns1.example.com.
ns1.example.com.?
example.com.
example.com.?
Therefore, the previous level zone must include the IP addresses of the nameservers, too.