[may be OT] What is the meaning of this error from dnsreport ?

[Kevin Darcy]

Netfortius wrote:

>As a preliminary step for some work I need to do on a client's site, on some 
>firewall networking and rules setup for the DMZ (including TCP 53 for DNS 
>servers communications restrictions), I ran a dnsreport on my client's domain 
>name:
>
>http://dnsreport.com/tools/dnsreport.ch?domain=<my-cllent's-domain>.com
>
>and I got this error:
>
>FAIL	Missing nameservers 2	ERROR: One or more of the nameservers listed at the 
>parent servers are not listed as NS records at your nameservers. The problem 
>NS records are: <ns-of-ISP-hosting-secondary-server>
>
>My client is hosting his DNS primary server in house, with the secondary setup 
>at the ISP, and the dnsreport did not come up with any other errors, so:
>- the parents server report them both as authoritative
>- a change I have forced - out of curiosity - on the serial number on my 
>client's hosted name server showed up at the secondary, so they are "aware" 
>of each other.
>
>Having described the above - what could be the cause of the problem reported 
>by dnsreport.com (i.e. is that a mis-configuration at my client's site, or at 
>the ISP's name server)?
>
The error message seems pretty self-explanatory to me. Add the missing 
NS records to the zone.

For true redundancy, it's not enough that master/slave replication 
works: everyone has to *know* where the slaves/replicas are. And you 
announce that with NS records. There are some slaves that are not 
published via the zone's NS records, so in the case of an outage, no-one 
would be expected to know, except via a circuitous route, to look to 
those slaves to resolve names for the zone. The only reason dnsreport 
knows of those slaves' existence is because they are present in the 
_other_ set of NS records for the zone -- the delegation NS records -- 
but those two sets should match each other, and apparently they don't in 
this case.

- Kevin