Guidelines: Name server checks

During processing of the following three types of EPP commands, a number of name server checks are performed to ensure a consistent DNS configuration.

  • domain create
  • domain update
  • host update – if the hostname and/or IP addresses are changed

The EPP command is rejected if any of these basic checks fails.

Domain create and domain update

The following checks are performed on each of the name servers registered on the domain:

  • If the name server lies within the domain to be checked, and a glue record is needed in the parent domain:
    • The name server must be registered with at least one IPv4 address.
    • The name server must answer on each of its registered IPv4 and IPv6 addresses with A and AAAA records exactly equal to the IPv4 and IPv6 addresses registered on it; it must not return any other A or AAAA records.
  • If the name server does not lie within the domain to be checked, and a glue record is not needed in the parent domain:
    • The name server must have one or more A records.
    • The name server may have one or more AAAA records.

The following checks are performed on each IPv4 and IPv6 address for each of the name servers registered on the domain:

  • The domain has NS records for all the name servers registered on the domain, and no NS records for any other name servers.
  • The domain has one SOA record which must contain a valid mname and a valid rname.
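The glue, A/AAAA, NS-set and SOA checks listed above (and the same per-host checks in the "Host update" section below) can be modelled offline. The following Python is an added example written for this page, not the registry's own checking code: host objects, query answers and addresses are constructed fixtures in documentation ranges, and the definition of a "valid" mname/rname (a well-formed name of at least two labels) is an assumption, since the page does not define it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    """A host object as registered in the registry (constructed fixture)."""
    name: str
    ipv4: Set[str] = field(default_factory=set)
    ipv6: Set[str] = field(default_factory=set)


@dataclass
class Answer:
    """What one name-server address returned when queried (constructed fixture)."""
    ns: Set[str] = field(default_factory=set)     # NS RRset of the domain
    soa: Optional[Tuple[str, str]] = None         # (mname, rname), or None if no SOA
    a: Set[str] = field(default_factory=set)      # A records for the server's own name
    aaaa: Set[str] = field(default_factory=set)   # AAAA records for the server's own name


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(host: str, domain: str) -> bool:
    """True when the name server lies within the domain, so the parent needs glue."""
    h, d = norm(host), norm(domain)
    return h == d or h.endswith("." + d)


def valid_name(name: str) -> bool:
    """Assumed definition of a 'valid' mname/rname: well-formed, at least two labels."""
    labels = norm(name).split(".")
    return len(labels) >= 2 and all(0 < len(label) <= 63 for label in labels)


def check_domain(domain: str, hosts: List[Host],
                 responses: Dict[Tuple[str, str], Answer],
                 resolved: Dict[str, Tuple[Set[str], Set[str]]]) -> List[str]:
    """Return all check failures; an empty list means the EPP command would pass."""
    errors: List[str] = []
    registered_ns = {norm(h.name) for h in hosts}
    for h in hosts:
        if in_bailiwick(h.name, domain):
            # Glue case: the host object's own registered addresses are what gets queried.
            addrs = h.ipv4 | h.ipv6
            if not h.ipv4:
                errors.append(f"{h.name}: glue needed but no IPv4 address registered")
            for addr in addrs:
                ans = responses.get((h.name, addr))
                if ans is not None and (ans.a != h.ipv4 or ans.aaaa != h.ipv6):
                    errors.append(f"{h.name}@{addr}: A/AAAA answer differs from registered addresses")
        else:
            # No glue: the server's addresses come from ordinary resolution.
            a, aaaa = resolved.get(h.name, (set(), set()))
            if not a:
                errors.append(f"{h.name}: no A record found")
            addrs = a | aaaa
        for addr in addrs:
            ans = responses.get((h.name, addr))
            if ans is None:
                errors.append(f"{h.name}@{addr}: no response")
                continue
            if {norm(n) for n in ans.ns} != registered_ns:
                errors.append(f"{h.name}@{addr}: NS set {sorted(ans.ns)} != registered {sorted(registered_ns)}")
            if ans.soa is None or not (valid_name(ans.soa[0]) and valid_name(ans.soa[1])):
                errors.append(f"{h.name}@{addr}: missing SOA or invalid mname/rname")
    return errors


# Constructed fixtures: documentation addresses (RFC 5737 / RFC 3849), not real hosts.
DOMAIN = "example.no"
HOSTS = [Host("ns1.example.no", ipv4={"192.0.2.1"}, ipv6={"2001:db8::1"}),
         Host("ns2.example.net")]
RESOLVED = {"ns2.example.net": ({"198.51.100.2"}, set())}
ZONE = Answer(ns={"ns1.example.no", "ns2.example.net"},
              soa=("ns1.example.no", "hostmaster.example.no"))


def good_responses() -> Dict[Tuple[str, str], Answer]:
    glue = Answer(ZONE.ns, ZONE.soa, a={"192.0.2.1"}, aaaa={"2001:db8::1"})
    return {("ns1.example.no", "192.0.2.1"): glue,
            ("ns1.example.no", "2001:db8::1"): glue,
            ("ns2.example.net", "198.51.100.2"): ZONE}


def bad_responses() -> Dict[Tuple[str, str], Answer]:
    r = good_responses()
    # ns1 leaks an extra A record for itself; ns2 has dropped itself from the NS set.
    r[("ns1.example.no", "192.0.2.1")] = Answer(ZONE.ns, ZONE.soa,
                                               a={"192.0.2.1", "192.0.2.9"}, aaaa={"2001:db8::1"})
    r[("ns2.example.net", "198.51.100.2")] = Answer(ns={"ns1.example.no"}, soa=ZONE.soa)
    return r


if __name__ == "__main__":
    print(check_domain(DOMAIN, HOSTS, good_responses(), RESOLVED))   # []
    for err in check_domain(DOMAIN, HOSTS, bad_responses(), RESOLVED):
        print(err)
```

The bad fixture reproduces two of the rejection causes above: an in-bailiwick server answering with an A record that is not registered on its host object, and one server publishing an NS set that differs from the registered one. Because the NS and SOA checks run on every address of every server, a single stale secondary is enough to reject the command.
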

The following DNSSEC-specific checks are performed if the domain is registered with at least one DS record:
  • All the registered name servers must return a DNSKEY set for the domain. All the name servers must return the same DNSKEY set.
  • All the registered name servers must return RRSIG records for the SOA records, the NS records and the DNSKEY records of the domain. All the name servers must return the same RRSIG records.
  • The DNSKEY set must contain at least one key which is referred to from the DS set.
  • The RRSIG records for the DNSKEY set must contain at least one valid signature made with one of the keys referred to from the DS set.
  • The RRSIG records for the SOA record must contain at least one valid signature made with one of the keys in the DNSKEY set.
  • The RRSIG records for the NS set must contain at least one valid signature made with one of the keys in the DNSKEY set.
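The DS-to-DNSKEY link and the cross-server DNSKEY consistency from the list above, as an added example that is not the registry's code. It derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (digest type 2, RFC 4034 section 5.1.4) from a DNSKEY's wire RDATA and then applies the three structural checks: every server returns a DNSKEY set, all sets are identical, and at least one key is referred to by a registered DS record. The key bytes are constructed placeholders rather than real public keys, and RRSIG signature validation is deliberately not modelled.

```python
import hashlib
import struct
from typing import Dict, List, Set, Tuple

DS = Tuple[int, int, int, str]   # (key tag, algorithm, digest type, hex digest)


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum of the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, rdata: bytes) -> DS:
    """The DS record the parent would publish for this key, digest type 2 (SHA-256)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


def check_dnssec(domain: str, ds_set: Set[DS],
                 dnskey_by_server: Dict[str, Set[bytes]]) -> List[str]:
    """Structural DNSSEC checks: non-empty and identical DNSKEY sets on every server,
    and on each server at least one key referred to by a registered DS record."""
    errors: List[str] = []
    for server, keys in dnskey_by_server.items():
        if not keys:
            errors.append(f"{server}: returned no DNSKEY set")
            continue
        # Only SHA-256 DS records are recomputed here; other digest types would need their own hash.
        published = {ds_from_dnskey(domain, k) for k in keys}
        if not published & ds_set:
            errors.append(f"{server}: no DNSKEY matches a registered DS record")
    if len({frozenset(k) for k in dnskey_by_server.values()}) > 1:
        errors.append("name servers disagree on the DNSKEY set")
    return errors


# Constructed keys: the 'public key' bytes are placeholders, not real key material.
KSK = dnskey_rdata(flags=257, algorithm=13, pubkey=b"\x01\x02\x03\x04")
ZSK = dnskey_rdata(flags=256, algorithm=13, pubkey=b"\x05\x06\x07\x08")
REGISTERED_DS = {ds_from_dnskey("example.no", KSK)}


if __name__ == "__main__":
    print(key_tag(KSK))   # 2068
    print(check_dnssec("example.no", REGISTERED_DS,
                       {"ns1.example.no": {KSK, ZSK}, "ns2.example.net": {KSK, ZSK}}))   # []
    for err in check_dnssec("example.no", REGISTERED_DS,
                            {"ns1.example.no": {KSK, ZSK}, "ns2.example.net": {ZSK}}):
        print(err)
```

The second call models a key rollover that has only reached one server: that server still passes the DS link on its own, but the set mismatch across servers is a rejection in its own right, which is why a rollover must be fully propagated before a domain update that touches the name servers is submitted.
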

Host update

The following checks are performed if the name server lies within a domain for which it is a name server, so that a glue record in the parent domain is needed:

  • The name server must be registered with at least one IPv4 address.
  • The name server must answer on each of its registered IPv4 and IPv6 addresses with A and AAAA records exactly equal to the IPv4 and IPv6 addresses registered on it; it must not return any other A or AAAA records.

The following checks are performed if the name server does not lie within a domain for which it is a name server, so that no glue record is needed:

  • The name server must have one or more A records.
  • The name server may have one or more AAAA records.

The following checks are performed on each IPv4 and IPv6 address of the name server:

  • All the domains registered on the name server must have an NS record for the name server.
  • All the domains registered on the name server must have a valid SOA record.

DNSSEC checks were introduced for ‘host update’ at the system update dated 2015-03-24. The following DNSSEC checks are performed for each of the domains registered on the name server:

  • The system performs the same checks as described for domains above. However, the checks are performed only for the name server being updated, not for the other name servers registered for the domain.

  • Note the following limitation: the check may in some cases conclude that no errors are found even though there are actual DNSSEC errors. This can happen if a DNSSEC error is found but no other types of DNS errors.

Last updated 2015 or before