# What's wrong with my DNS zone file?



## ikevinjp (Jun 21, 2013)

I'm trying to set up a domain using PowerDNS within a FreeBSD jail. Everything is configured correctly. I even tested using `dig @69.60.111.133 myclientdomain.com` from my local machine and it worked. However, it does not get propagated to any name servers and it has been more than 24 hours - I think there is a problem and don't think it will work even after 48 or 72 hours. What's wrong with my named.conf or zone file?



```
# file /usr/local/etc/pdns/config/zones/named.conf

zone "myclientdomain.com" IN {
    type master;
    file "/usr/local/etc/pdns/config/zones/myclientdomain.com";
};
```


```
# /usr/local/etc/pdns/config/zones/myclientdomain.com

$ORIGIN myclientdomain.com.     
$TTL 1h
myclientdomain.com.            IN  SOA  ns1.myclientdomain.com. c14.myclientdomain.com. (
                      2013062001 
                      1d         
                      2h         
                      4w         
                      1h         
                      )
myclientdomain.com.            NS    ns1
myclientdomain.com.            NS    ns2
myclientdomain.com.            A     69.60.111.133
ns1                   A     69.60.111.133
ns2                   A     69.60.111.134
www                   CNAME myclientdomain.com.
secure                CNAME myclientdomain.com.
```


----------



## SirDice (Jun 21, 2013)

Did you actually register that domain with a registrar?


----------



## ikevinjp (Jun 21, 2013)

Yes, of course - the domain is registered. Due to some sensitivity for my client, I've changed the domain name to a generic name. The config files are exactly the same - except for the domain and IP - on the server. 

The child name servers have also been registered, and name servers are correctly pointed to them.

Kevin.


----------



## SirDice (Jun 21, 2013)

ikevinjp said:
			
		

> Yes, of course - the domain is registered.


Registering may not be obvious to everyone  



> The child name servers have also been registered, and name servers are correctly pointed to them.


At first glance I don't see anything wrong with them.


----------



## fonz (Jun 21, 2013)

Is your jail accessible from the outside world in the first place?
Your registrar must announce your nameservers upstream to the rest of the world. Have they done that?
There are several online DNS checkers on the web (e.g. DNSsy, but there are many more). Try some of those and see what diagnostics they come up with.
My NS records look different:

```
IN NS    ns.somedomain.com.
```
instead of

```
myclientdomain.com.            NS    ns1
```
This might just be a difference between the base system's BIND and the PowerDNS you are using and I have no experience with the latter, but I figured I'd point it out anyway.
Likewise, many records are lacking IN, but I'm not sure how crucial that is.
Your zone file lacks any MX records. That's probably not fatal either, but it is generally considered an error.


----------



## ShelLuser (Jun 21, 2013)

The most important thing to check are your logfiles as well as the so called "whois database". When you check the whois database, does it actually list your own DNS servers? Because that's where it all starts. As to your logfiles; do those list anything regarding zone transfers or actual requests being done?

Out of curiosity: which domain registrar did you use? Because most of them will perform their own checks before they actually continue and register your DNS servers.


----------



## J65nko (Jun 21, 2013)

You can use the DNS traversal checker at http://www.squish.net/dnscheck/v1.html to check whether your 69.60.111.13(3|4) name servers are listed as the authoritative ones.


----------



## kpa (Jun 21, 2013)

No need to use anything fancy to check if the delegation of your domain is working, the plain old dig(1) does the job. Just remember to query a well known public DNS forwarder like the Google DNS so you don't query your own servers that might give different information:

`dig @8.8.8.8 mydomain.tld NS`

Why this works? Well, DNS is a completely distributed database and the delegation information is just the NS records of a domain that can be queried with the standard utilities like dig(1).

Example:


```
beat:~ kimmo$ dig @8.8.8.8 freebsd.org NS

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 freebsd.org NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10644
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;freebsd.org.			IN	NS

;; ANSWER SECTION:
freebsd.org.		3600	IN	NS	ns3.isc-sns.info.
freebsd.org.		3600	IN	NS	ns2.isc-sns.com.
freebsd.org.		3600	IN	NS	ns1.isc-sns.net.

;; Query time: 72 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 21 21:52:10 2013
;; MSG SIZE  rcvd: 117

beat:~ kimmo$
```

These of course are the authoritative name servers for freebsd.org. Something to point out, you have to repeat the same NS records in your zone files exactly. Something like this in this case:


```
$ORIGIN freebsd.org
...
        IN	NS	ns3.isc-sns.info.
        IN	NS	ns2.isc-sns.com.
        IN	NS	ns1.isc-sns.net.
...
```

And then there's the point that the names in these records must be A records, CNAMEs are not allowed.


----------

