My conclusions are already the same as yours. The distant DNS is refusing the query because the zone does not yet exist there. I cannot create it there until I create it here (first). It has to work here first so they can query my DNS for THEIR DNS records in place before they will let me create the zone.
I want to create it here and resolve it here LOCALLY first and not have it going out to them. I get that I have told my own nameserver that this subdomain is delegated externally and it’s trying to go out there to check apparently. But I want it to at least store the NS record and provide a response locally to it. But I would expect to still be “authoritative” for that one NS record.

I also get it’s a bad design that I can’t create the zone on the provider’s site (free service) before I am answering NS queries for the subdomain. I may have to get really creative and make it a “full” parent domain to get everything to work. Then go back and fix things up on my end as a “subdomain” after I get the sites talking.

But also still asking if there’s a simple way to make my own nameserver serve that NS record without going out and checking the DNS that I have delegated for it. It of course checks that I have delegated and am serving up their DNS records before I can proceed. LOL I could also write their folks and ask if they can do anything on their end. I’d love to be able to override this checking part on my own server if it is possible. Because that would fix it.

From: Al <aw...@sunnyside.com>
Sent: Wednesday, August 27, 2025 9:14 PM
To: Steve Gladden <st...@michiganbroadband.com>
Subject: Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work.

chatgpt was pretty coherent for once:

That message comes from BIND (named) when it tries to resolve a domain and gets a response code (RCODE) from the upstream server that it wasn’t expecting. Let’s break it down carefully:

    REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53

Components:

REFUSED
This is BIND’s log label. It usually means the query was refused by the upstream server, i.e., the server at 216.218.130.2 refused to answer your request.

unexpected RCODE
BIND received an RCODE (response code) from the server that it didn’t expect for this query type.
Common RCODEs include:

- NOERROR – query succeeded
- NXDOMAIN – name does not exist
- REFUSED – server refused to answer
- SERVFAIL – server failed internally

Here, “unexpected” usually means BIND asked for an NS record for dyn.6ipv.com, but the response wasn’t a valid NS answer—most likely REFUSED.

resolving 'dyn.6ipv.com/NS/IN'
BIND was trying to resolve the NS (name server) record for the domain dyn.6ipv.com in the IN (Internet) class.

216.218.130.2#53
This is the IP address of the upstream server that BIND tried to contact on port 53 (DNS).

Interpretation:

The server 216.218.130.2 (probably a Dyn-managed authoritative server for 6ipv.com) refused your query. BIND did not expect a REFUSED response when asking for NS records. This often happens because:

- The upstream server only answers queries from certain clients (your IP might be blocked).
- The server may have a misconfiguration or be temporarily rejecting queries.
- Some dynamic-DNS providers intentionally refuse certain direct NS lookups to reduce abuse.

How to check:

You can manually query the server:

    dig @216.218.130.2 dyn.6ipv.com NS

You may get:

    ; <<>> DiG 9.16 <<>> @216.218.130.2 dyn.6ipv.com NS
    ; connection timed out; no servers could be reached

or

    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12345

If it returns REFUSED, the server is explicitly refusing queries.

Actionable steps:

- Check your network: Are you allowed to query that server? Some servers refuse non-authorized queries.
- Try another resolver: Use a public DNS like 8.8.8.8 or 1.1.1.1 for resolution.
- Check BIND configuration: If you are doing forward or recursive queries, ensure your named.conf forwards to servers that actually answer.

Concrete answer:

Your BIND server tried to get the NS records for dyn.6ipv.com from 216.218.130.2, but that server refused the query, giving a REFUSED RCODE. This is usually intentional on the authoritative server side, not a BIND bug.
On 8/27/2025 18:08, Steve Gladden wrote:

Thanks Al,

I will see about figuring that out. Meanwhile I am able to tail the log when trying to query for that NS record. This is the only named error.item I see at default settings while attempting the query. It’s like it will not add the record unless it already exists on the delegated server.

    Aug 27 20:54:40 NS1 named[35894]: REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53

No errors or anything “interesting” on Bind9 start & stop. I only see that error when performing the NS query against the problem name. That IP address is indeed the IP address of the delegated server. But I also cannot add the zone on that server provider’s system (He.net). Because it checks MY server for the delegated NS records before it will let me add the zone there. Which I can’t get working as detailed above.. I am only trying to get it to work locally first and I can’t even do that, because Bind9 somehow wants to verify the zone already exists on the delegated server..

Is there a way I can get this to at least work first this way? I would like it to be able to just serve up the NS record/pointer. Not check the remote system for sanity before letting me add the record. This has me stuck as I can’t add the zone on the remote system, AND I can’t simply add the NS record on my local system.

Thanks.
-Steve

From: Al <aw...@sunnyside.com>
Sent: Wednesday, August 27, 2025 8:13 PM
To: Steve Gladden <st...@michiganbroadband.com>
Subject: Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work.

this is a job for the log files. setting up log files for named can be pretty time consuming, but even the generic setup will probably report what is causing the servfail. without the logs there isn't any easy way to find out what the problem is.
if you are using views, they should be checked, but again logs are everything

On 8/27/2025 17:01, Steve Gladden wrote:

Hi, this is my first post ever. I’m stuck on a very simple task that I have not been able to get to work. I have done this in the past with older versions of BIND but it has been quite a while.

I’m trying to delegate to an external provider’s nameserver for a “subdomain” of mine. The parent zone file works properly and loads and serves everything as expected. But will not load and serve my NS record pointing to an external provider’s DNS. I can get much more specific as need-be.

I am on an up to date version of Debian Server and an up to date version of Bind9.

    named -v
    BIND 9.18.28-1~deb12u2-Debian (Extended Support Version) <id:>

This is a generic example of what I am trying to do. The top two parent NS records load and serve as expected. As well as the A record of course. But the delegated NS record at the bottom does not get loaded or served when queried for it. I am using dig as you may expect to determine this. I must be totally missing something simple but I am totally stumped on this at the moment.

    $TTL 3600
    $ORIGIN domain.com.
    @   IN  SOA domain.com. admin.domain.com. (
            2017090101 ; Serial
            10800      ; Refresh
            1800       ; Retry
            1209600    ; Expire
            3600       ; Negative Cache TTL
            )
    @   IN  NS  ns1.domain.com.
    @   IN  NS  ns2.domain.com.
    @   IN  A   1.2.3.4
    www IN  A   1.2.3.4

    $ORIGIN test.domain.com.
    @   IN  NS  ns1.anothernameserver.com.

    dig @localhost test.domain.com NS

    ; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @localhost test.domain.com ns
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59084
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: fb069e980ad743db0100000068af9952a0efd48210391401 (good)
    ;; QUESTION SECTION:
    ;test.domain.com.    IN    NS

    ;; Query time: 31 msec
    ;; SERVER: 127.0.0.1#53(localhost) (UDP)
    ;; WHEN: Wed Aug 27 19:48:34 EDT 2025
    ;; MSG SIZE rcvd: 69

Thank you for any pointers.. I have spent about a day searching the web before posting. Many examples say to do it the way I am doing it. And I’ve done it before this way. Not sure what I am missing.

-SteveG
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
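
The log-line breakdown quoted in this thread, turned into a small parser (an added example, not code from any poster or from ISC): it pulls the RCODE, the queried name/type/class and the upstream server out of named's "unexpected RCODE" lines and counts repeats per upstream, which makes a refusing delegation target stand out in a busy log. The regex assumes the single message format shown in the thread; apart from the first entry, the sample log lines are constructed.

```python
import re
from collections import Counter

# Matches the message format of the log line quoted in the thread (BIND 9.18):
#   <RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <server>#<port>
UNEXPECTED_RCODE = re.compile(
    r"named\[\d+\]:.*?\b(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

def parse_line(line):
    """Return the fields of an 'unexpected RCODE' line, or None for other lines."""
    m = UNEXPECTED_RCODE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # DNS names compare case-insensitively; keep the root zone as "."
    rec["qname"] = rec["qname"].rstrip(".").lower() or "."
    rec["port"] = int(rec["port"])
    return rec

def summarize(lines):
    """Count failures per (queried name, type, upstream server, RCODE)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["qname"], rec["qtype"], rec["server"], rec["rcode"])] += 1
    return counts

# First entry is the line quoted in the thread; the others are constructed samples.
SAMPLE_LOG = [
    "Aug 27 20:54:40 NS1 named[35894]: REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53",
    "Aug 27 20:54:41 NS1 named[35894]: REFUSED unexpected RCODE resolving 'DYN.6ipv.com/NS/IN': 216.218.130.2#53",
    "Aug 27 20:55:02 NS1 named[35894]: SERVFAIL unexpected RCODE resolving 'www.example.net/A/IN': 2001:db8::53#53",
    "Aug 27 20:55:10 NS1 named[35894]: zone domain.com/IN: loaded serial 2017090101",
]

if __name__ == "__main__":
    for (qname, qtype, server, rcode), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {rcode:<9} {qname}/{qtype} from {server}")
```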