DNSmonitor KB - DNS check KB

Delegation consistency check

This check validates that the delegation information in the parent zone (usually the TLD) matches the delegation information required in the child zone.

The fundamentals of the DNS and the domain name space are based on the relationship between the parent (who delegates the responsibility) and the child (the responsible party).

The parent keeps a record of the name servers responsible for the delegated domain in order to guide resolvers to their destination. The child in turn has corresponding records in the domain's zone file. If these NS records differ, the worst-case scenario is that resolvers might not find the delegated domain.

Event severities and messages

WARNING

Child servers contain additional records not found in the parent.

The check identified that the NS resource records found in the child servers contain additional name servers not listed in the parent zone.

When resolvers iterate the domain name tree to resolve client queries, they receive referral records to name servers known by the parents. This procedure is repeated from the root level and down until the resolver gets the final response. Each parent only knows the name server records (delegation records) registered in its respective zone.

This message can have the following causes:

  • The DNS administrator has recently added an additional name server and has yet to complete the registration process with the registrar.
  • The DNS administrator has completed the registration process with the registrar but the update has not yet been propagated. Note: Updates to TLD servers are usually run as scheduled batch jobs. Consult your registrar for specific information about your top-level domain.
  • The NS resource record could have been added to the zone by mistake.
  • The NS resource record could have been added by an unknown party in order to redirect part of the DNS queries. This could indicate a possible DNS hijacking.

ERROR

Name servers listed in the parent are not listed in the child.

The check identified that the NS resource records found in the parent servers contain additional name servers not listed in the child zone.

When resolvers iterate the domain name tree to resolve client queries, they receive referral records to name servers known by the parents. This procedure is repeated from the root level and down until the resolver gets the final response. Each parent only knows the name server records (delegation records) registered in its respective zone. In this particular case the referral could point the resolver to a name server that is no longer authoritative for the domain or, in the worst-case scenario, contains rogue information.

This message can have the following causes:

  • The DNS administrator has recently removed a name server and has yet to complete the registration process with the registrar.
  • The DNS administrator has completed the registration process with the registrar but the update has not yet been propagated. Note: Updates to TLD servers are usually run as scheduled batch jobs. Consult your registrar for specific information about your top-level domain.
  • The NS resource record could have been added to the registry by mistake.
  • The NS resource record could have been added to the registry by an unknown party in order to redirect part of the DNS queries. This could mean that the registry account is compromised and could indicate a possible DNS hijacking.

UNKNOWN

Unable to perform check due to input data failure.

When this message appears, usually one of the queries leading up to the final query has received an empty or garbled query response. Please report this through the normal support channel.

Corrupt or malformed response from nameserver.

The check received a query response with unreadable data fields. Please report this through the normal support channel.

Failed to get enough data from parent/child to complete the check. +additional info

The check was unable to extract the necessary data from either the parent or the child name servers. The additional information in the message can possibly explain the reason behind this state. If the problem remains over time, please report this through the normal support channel.

Solutions, tips & tricks

The delegation information should always be consistent between parent and child in order for the domain name space to work effectively.

There are situations we are aware of where the name server names in the parent differ totally from the name server names in the child and the delegation still works, since both sets of names eventually resolve to the same IP addresses. This causes the resolver to perform additional iterations to complete queries, which in the end affects resolution times. It doesn't look good and it's bad practice.
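
The comparison behind the WARNING and ERROR messages, and the "different names, same addresses" situation described above, can be reproduced with the sketch below. It is an added example, not DNSmonitor's own code. The dig-style record lines, the example.com names, the function names, and the choice to report ERROR when both sides have extra records are all assumptions.

```python
# Added example: classify parent/child NS sets with the severities on this page.
# All record lines below are constructed sample data, not real query output.
PARENT_REFERRAL = """\
;; AUTHORITY SECTION:
example.com.  172800 IN NS ns1.example.com.
example.com.  172800 IN NS NS2.EXAMPLE.COM.
"""
CHILD_ANSWER = """\
;; ANSWER SECTION:
example.com.  3600 IN NS ns1.example.com.
example.com.  3600 IN NS ns2.example.com.
example.com.  3600 IN NS ns3.example.net.
"""

def parse_ns(dig_text):
    """Return NS targets from dig-style lines, lower-cased, without trailing dot."""
    names = set()
    for line in dig_text.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata
        if line.lstrip().startswith(";") or len(fields) < 5:
            continue
        if fields[3].upper() == "NS":
            names.add(fields[4].rstrip(".").lower())
    return names

def check_delegation(parent_ns, child_ns, addresses=None):
    """Compare the parent's referral NS set with the child's own NS set."""
    if not parent_ns or not child_ns:
        return "UNKNOWN", "Failed to get enough data from parent/child"
    only_parent = parent_ns - child_ns
    only_child = child_ns - parent_ns
    if not only_parent and not only_child:
        return "OK", "Delegation is consistent"
    note = ""
    if addresses:  # optional map of name server name -> list of IP addresses
        def ips(names):
            return {ip for n in names for ip in addresses.get(n, ())}
        if ips(parent_ns) and ips(parent_ns) == ips(child_ns):
            note = " (names differ but resolve to the same addresses)"
    # Assumption: when both sides have extra records, the ERROR case is reported.
    if only_parent:
        return "ERROR", "In parent, not in child: " + ", ".join(sorted(only_parent)) + note
    return "WARNING", "In child, not in parent: " + ", ".join(sorted(only_child)) + note

if __name__ == "__main__":
    print(check_delegation(parse_ns(PARENT_REFERRAL), parse_ns(CHILD_ANSWER)))
```

Names are compared case-insensitively and without the trailing dot, so differences in presentation between parent and child do not raise a false alarm.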