Root DNS Servers Reporting Wrong NS – Solutions

I have an issue with the last step of DNS delegation by the root servers.

I have transferred a domain from registrar A to registrar B a couple of months back and forgot about it, until I had to change the DNS records to reflect our new server location and noticed that nothing updated until I changed it in the panel of our old provider.

This is what it currently looks like:

Panel of OLD PROVIDER:

euro-business.de. IN SOA ns1.antagus.de
euro-business.de. IN NS ns1.antagus.de
euro-business.de. IN NS ns2.antagus.de
euro-business.de. IN A 78.46.57.101
euro-business.de. IN MX mx.examplemx.com

Panel of NEW PROVIDER:

euro-business.de. IN SOA ns1.antagus.de
euro-business.de. IN NS ns1.antagus.de
euro-business.de. IN NS ns2.antagus.de
euro-business.de. IN A 82.98.201.230
euro-business.de. IN MX 10 mx.examplemx.com

When I do a DNS delegation check and query root DNS servers, I get 78.46.57.101 as a result, which is the old and thus incorrect A record. All DNS root servers report ns1.fastdns.de as the authoritative DNS server, which is wrong!

If I query ns1.antagus.de using dig, I get the correct results. The root servers however point to the incorrect NS and A records.

I've tried everything I know, including updating the records on the old and new panel, but it doesn't seem to get to the root servers. I'd appreciate some help. If you need the domain in question, it's euro-business.de and it should point to ns1.antagus.de and ns2.antagus.de for the name servers.

Best Answer

When troubleshooting DNS issues, ask the authoritative nameserver first.

Here you should start at the registry.

This gives you which nameservers are authoritative at the registry (.DE):

$ dig NS de. +short
s.de.net.
f.nic.de.
z.nic.de.
n.de.net.
a.nic.de.
l.de.net.

(This was a shortcut; in theory you would have to ask the root servers to know the list of .DE nameservers. Here I am just using my local recursive nameserver and trusting it.)

Now you can contact any of these nameservers (they should all reply the same thing for the same query) and ask it about your domain name. You are interested only in the "AUTHORITY SECTION", so here it goes:

$ dig @z.nic.de euro-business.de. NS

[..]

;; AUTHORITY SECTION:
euro-business.de.   1d IN NS ns2.antagus.de.
euro-business.de.   1d IN NS ns1.antagus.de.

Those are the nameservers you need to query about your domain name.

And they say:

$ dig @ns2.antagus.de. euro-business.de. A +short
82.98.201.230

At the end of the day, it seems you changed your authoritative nameservers at some point from

ns1.fastdns.de
ns2.fastdns.de
ns3.fastdns.de

to

ns1.antagus.de
ns2.antagus.de

And each set of nameservers was not serving the exact same information.

So while there is technically no propagation, there is still time to wait: you may not have waited long enough (or could have avoided the problem altogether by first changing the IP address in the old nameservers, then, after waiting some time again, changing nameservers).

Why some time? Because it depends on the TTL but:

  • authoritative nameservers decide the TTL, but then each recursive nameserver will get its value depending on whether you used it to query or not; said differently: depending on which recursive nameserver you query you may get different results, which also has the direct consequence that when troubleshooting you should always start by querying authoritative nameservers
  • and, by the way, there is also another TTL for negative replies
  • note that in theory recursive nameservers are free to ditch values before the TTL is reached (it is only a maximum value), but in practice they will also rewrite some insanely small TTLs, like everything under 5 minutes (empirically) may be treated as 5 minutes and not something else (so forget about TTLs of like 5 seconds). They are in theory wrong to do that, but in practice probably right. And anyway it exists.

PS: "I have an issue with the last step of DNS delegation by the root servers." This is surely not the case. At most you could say something about .DE TLD servers, but there is nothing about your problem that is related to root servers, the ones dealing with the . zone that hosts only nameservers for TLDs. Note also that typically registrar changes have no consequences on the DNS side of things (because the registrar is changed without any change to the nameservers) except of course if you used your previous registrar also as a DNS provider, but this is certainly not mandatory.
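
The checks walked through in this answer, collected into one script as an added example (not part of the original answer). The function names are my own and it assumes dig is installed; the optional extra arguments are servers outside the current delegation, such as a previous provider's nameservers, so that differing answers show up before or after a nameserver switch.

```shell
#!/bin/sh
# Added example, not from the original answer. Needs dig; function names are mine.
# Usage: check_delegation euro-business.de z.nic.de [extra-nameserver ...]

# NS set the parent (TLD) zone delegates to, read from the AUTHORITY section of
# the referral, one lower-cased name per line. $1 = domain, $2 = TLD nameserver.
parent_ns() {
    dig +norecurse +noall +authority "@$2" "$1" NS |
        awk '$4 == "NS" { print tolower($5) }' | sort -u
}

# Sorted, comma-joined answer straight from one server (no recursive cache).
# $1 = domain, $2 = nameserver, $3 = record type.
ask() {
    dig +norecurse +short "@$2" "$1" "$3" | tr 'A-Z' 'a-z' | sort -u | paste -sd, -
}

# $1 = domain, $2 = TLD nameserver, further args = servers outside the delegation
# to compare as well (e.g. the previous provider's, before or after a switch).
# Prints one line per finding; returns 0 only when every server agrees.
check_delegation() {
    domain=$1 tld_ns=$2; shift 2
    delegated=$(parent_ns "$domain" "$tld_ns")
    [ -n "$delegated" ] || { echo "FAIL no delegation for $domain at $tld_ns"; return 2; }
    want_ns=$(printf '%s\n' "$delegated" | paste -sd, -)
    status=0 want_a=
    for server in $delegated "$@"; do
        a=$(ask "$domain" "$server" A)
        # The first server that answers sets the reference A set.
        if [ -z "$a" ] || [ "$a" != "${want_a:=$a}" ]; then
            echo "FAIL $server serves A=${a:-none}, expected ${want_a:-an answer}"; status=1
        fi
        ns=$(ask "$domain" "$server" NS)
        if [ "$ns" != "$want_ns" ]; then
            echo "FAIL $server serves NS=${ns:-none}, parent delegates $want_ns"; status=1
        fi
    done
    [ "$status" -ne 0 ] || echo "OK $domain: A=$want_a NS=$want_ns"
    return "$status"
}
```

A FAIL line for a server passed as an extra argument means clients whose resolvers still hold the old NS records will keep receiving that server's data until the cached TTL runs out.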