Technical check

Regcheck error codes

Clarifications on error codes from regcheck


M-CNAM -E- [domain] NS record CNAME

Reason:

One of the name servers - specified as an NS record - is a CNAME (Canonical Name). It should be an A (Address) record (see: RFC1912 2.4. and http://www.faqs.org/faqs/internet/tcp-ip/domains-faq/part1/ Q6.6.)

Correction:

Define an A record instead of the CNAME.


M-DIFN -E- [domain] All nameservers on the same network

Reason:

According to the registration rules at least two name servers should be on different networks. The checking procedure cannot determine this for sure, and assumes it to be true if:

  1. Two name servers are in different /24 address block, or
  2. Traceroutes to the name servers differ.

Correction:

Place another (a slave) name server on another network.


M-DSOA -E- [domain] SOA records differ on servers

Reason:

All the name servers should serve the same zone data, and so the same SOA record.

Correction:

The reason might be an error in the master/slave communication between the name servers. Some possible causes: firewall rules, name server configuration parameters, etc.

The reason might be also zone refresh delay. In this case waiting for the refresh might suffice. One can also trigger zone refresh on the slave.


M-LASE -E- [domain] Lame secondary

Reason:

At least one of the name servers do not server the zone.

Correction:

Make sure that the server is authoritative for the given zone. Sometimes firewall rules prohibit proper zone propagation at one of the servers. Check and correct these settings.


M-MXF -E- [domain] canonical A record for MX mx not found

Reason:

On the right side of the MX record there is a domain name which do not resolve to an A record.

Correction:

Define an A record for the mail server.


M-NMAS -E- [domain] Cannot get A for NS host pserv

Reason:

There is no A record for the name server.

Correction:

Define an A record for the name server.


M-NNAS -E- [domain] Cannot get A for NS host nshost

Reason:

There is no A record for the name server.

Correction:

Define an A record for the name server.


M-NOSE -E- [domain] No secondary

Reason:

There is no secondary name server defined for the domain.

Correction:

Make sure that at least another name server serves the zone.


M-NOSOA -E- [domain] No SOA record found

Reason:

There is no SOA record for the zone. One possible reason for this might be that there is just a CNAME for the domain at the authoritative server.

Correction:

Define a proper SOA.


M-NSF -E- [domain] A record for NS ns not found

Reason:

There is no A record for the name server given in the zone.

Correction:

Define a proper A record.


M-PMAS -E- [domain] address check for postmaster@domain failed at ALL MX records

Reason:

Accordint to the registration rules (and RFC2821) if there is an MX for the domain, the postmaster@domain address should work.

Correction:

Define the postmaster@domain e-mail address at the mail server.


M-PNAU -E- [domain] NS not authoritative: ns

Reason:

The given name server does answer domain queries however those answers are not authoritative. (See: RFC1034)

Correction:

Correct the name server configuration.


M-PNAU6 -E- [domain] NS at AAAA not responding, not authoritative, or wrong serial: ns

Reason:

The name server at the given IPv6 address does not serve the zone, or the zone SOA record differs from the SOA record obtained via IPv4.

Correction:

Correct the configuration at the name server.


M-PRIF -E- [domain] Cannot get domain data (nshost_a nshost)

Reason:

The SOA record of the domain could not be obtained.

Possibly the name server IP address has been misspelled. One cannot leave the name server field empty, unless the domain is already registered and one does not want to change name servers.

One other reason might be that the given name server does not serve the zone. This might be because of some firewall rules also.

Correction:

Specify the name server or correct the configuration.


M-SOAER -E- [domain] syntax error in SOA record:

Reason:

There is a syntax error in the domain SOA record.

Correction:

Correct the configuration according to RFC1035 .


M-SOAM -E- [domain] SOA mail address check failed

Reason:

The RNAME field in the SOA record (see: RFC1035) one should specify an email address. This is the email address of the person who is looking after the zone technically. The checking procedure tried to send an email to this address, which failed.

Correction:

Correct the RNAME field in ths SOA record, or make sure that the mail server accepts mail to the given address.


M-SOF -E- [domain] A record for soa mail host soa_mail_host not found

Reason:

The RNAME field in the SOA record (see: RFC1035) one should specify an email address. This is the email address of the person who is looking after the zone technically. The checking procedure was not able to resolve the A record for the domain part of this address.

Correction:

Correct the RNAME field or the A record of the domain part.


M-TO -E- [domain] Timout, exiting...

Reason:

The checking procedure timed out, because there was no answer for a query.

This might be a DNS query but mostly email address verifications time out. Other messages from the procedure may help to find the reason.

Correction:

Make sure that dns queries and email verification get answered. Somtetimes firewall rule tuning is necessery. In case of a network outage retry the check later.


M-RERR -W- [domain] SOA parameters don't comply with RIPE,

Reason:

This message means that the refresh, retry, expire and ttl values significantly differ from the RIPE recommandation: at least one of the values fall outside the range [x/20, 20*x] where x is the recommended valu in ftp://ftp.ripe.net/ripe/docs/ripe-203.txt.

The RIPE recommendation dates back to 1999. The author - Peter Koch - revised the values in 2005. The values according to this revision:

  refresh = 86400,        # 24 hours
  retry   = 7200,         # 2 hours
  expire  = 2419200,      # 4 weeks
  ttl     = 3600          # 1 hour

The checking procedure adheres to these values.

Correction:

Set the SOA parameters close to the recommended values.


M-PMAE -W- [domain] address check for [postmaster@domain] failed at [mx],

Reason:

The mx server of the domain should accept messages to the postmaster@domain address. The checking procedure tried to send a mail to this address and failed. This is not a fatal error if there is any MX, which accepts messages to the postmaster address. (See: PMAS)

Correction:

Make sure that the postmaster email address works.


M-SXERR -W- [domain] syntax error in zone xyz

Reason:

The checking procedure found a syntax error in the zone data.

Correction:

Check and correct the syntax.


M-GLUE -W- [domain] glue record in zone

Reason:

There is an extraneous glure record in the zone which is most probably superfluous and might cause trouble.

Correction:

Delete the extra glue from the zone.


M-SOAR -W- [domain] no NS record for SOA MNAME

Reason:

The MNAME parameter in the SOA record which points to the primary NS of the zone does not appear as an NS for the zone. This might be intentional and valid (hidden primary) sometimes however this is not intended.

Correction:

Define an NS record with the MNAME value.


M-PRZO -W- [domain] cannot download domain from primary

Reason:

The checking procedure tried an AXFR and failed. Allowing zone transfer is not necessary to pass the check. However if it is allowed the procedure tries to check the syntax of all records.

Correction:

If we wish the checking procedure to check the zone syntactically allow AXFR. For the IP address of the check see http://www.domain.hu/domain/regcheck/.


M-PARI -W- [domain] NS records inconsistent with parent !!!

Reason:

This message may appear if the domain is already registered and the parent (e.g. .hu or co.hu) zone serves different NS records from the authoritative servers. Most probably the name servers changed, and the registrar has not changed the name servers in the registration system yet.

Correction:

Have the registrar change the delegation or revert to the old servers.


M-GLUD -W- [domain] NS glues differ on parent [parent_ip : ip] !!! ,

Reason:

This message may appear if the domain is already registered and the parent (e.g. .hu or co.hu) zone serves different glue records from the authoritative servers. Most probably the name server address changed, and the registrar has not changed it in the registration system yet.

Correction:

Have the registrar change the delegation or revert to the old address.


M-VRRT -W- [domain] retrying verify

Reason:

The procedure tried to verify an email address (SOA RNAME or postmaster@domain) but failed. However this is just a warning: the procedure does not give up, retries.

Correction:

If the check fails at the end make sure that the email address works.


M-NODS -E- [domain] No dnskey found at [ip cím]

Reason:

This message appears if we requested DNSSEC validation also. The procedure did not found DNSKEY record for the domain at name server ip cím. Most probably the zone is not configured with DNSSEC yet.

Correction:

Either retry the check without DNSSEC or correct the DNSSEC configuration.


M-DIFDS -E- [domain] DNSKEY RRset differs on servers

Reason:

This message appears if we requested DNSSEC validation also. The checking procedure finds different DNSKEY rrsets at different authoritative name servers.

Correction:

Make sure that the same DNSKEY rrset is served at all the authoritative name servers.


M-DSD -W- [domain] DS keys differ at parent

Reason:

This message appears if the domain has been already registered with DNSSEC. The procedure found different KSK records than those indicated by the DS records in the parent (usually .hu). Most probably a KSK rollover occured at the zone which is not reflected in the parent: the registrar has not updated the domain data in the registration system (yet).

Correction:

Have the registrar update the domain data in the registration system with DNSSEC so that the new DS record in the parent reflect the actual KSK records.


M-KERR -E- [domain] Key error [keyerr]

Reason:

The procedure found an error with the DNSKEY RRset or with the signature(s) of the DNSKEY RRset. [keyerr] gives further explanation. Possibly there are no RRSIG records, or there are no RRSIG records from some of the authoritative name servers.

Correction:

Make sure that the DNSKEY RRset and the corresponding RRsig(s) are correct on all authoritative name servers.


Main page | List of Registrars | Delegation rules | Domain announcement | Domain search | Technical check
Consulting body | Alternative dispute resolution | Arbitration court | Archive | Others | Statistics