<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">My conclusions are already the same as yours. <br>
The distant DNS is refusing the query because the zone does not yet exist there.
<br>
I cannot create it there until I create it here (first). <br>
It has to work here first so they can query my DNS for THEIR DNS records in place before they will let me create the zone.
<br>
<br>
I want to create it here and resolve it here LOCALLY first and not have it going out to them.
<br>
<br>
I get that I have told my own nameserver that this subdomain is delegated externally and it’s trying to go out there to check apparently.
<br>
But I want it to at least store the NS record and provide a response locally to it.
<br>
But I would expect to still be “authoritative” for that one NS record. <br>
I also get it’s a bad design that I can’t create the zone on the provider’s site (free service).<br>
Before I am answering NS queries for the subdomain. <br>
<br>
I may have to get really creative and make it a “full” parent domain to get everything to work.
<br>
Then go back and fix things up on my end as a “subdomain” after I get the sites talking.
<br>
<br>
But also still asking if there’s a simple way to make my own nameserver serve that NS record without going out and checking the DNS<br>
that I have delegated for it. <br>
It of course checks that I have delegated and am serving up their DNS records before I can proceed.
<br>
<br>
LOL <br>
<br>
I could also write their folks and ask if they can do anything on their end.<br>
<br>
I’d love to be able to override this checking part on my own server if it is possible.
<br>
Because that would fix it. <br>
<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none"> Al <aw009@sunnyside.com>
<br>
<b>Sent:</b> Wednesday, August 27, 2025 9:14 PM<br>
<b>To:</b> Steve Gladden <steve@michiganbroadband.com><br>
<b>Subject:</b> Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Helvetica",sans-serif">chatgpt was pretty coherent for once:<br>
</span>That message comes from BIND (named) when it tries to resolve a domain and gets a response code (RCODE) from the upstream server that it wasn’t expecting. Let’s break it down carefully:<br>
<br>
REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53<br>
Components:<br>
REFUSED<br>
This is BIND’s log label. It usually means the query was refused by the upstream server, i.e., the server at 216.218.130.2 refused to answer your request.<br>
<br>
unexpected RCODE<br>
BIND received an RCODE (response code) from the server that it didn’t expect for this query type. Common RCODEs include:<br>
<br>
NOERROR – query succeeded<br>
<br>
NXDOMAIN – name does not exist<br>
<br>
REFUSED – server refused to answer<br>
<br>
SERVFAIL – server failed internally<br>
<br>
Here, “unexpected” usually means BIND asked for an NS record for dyn.6ipv.com, but the response wasn’t a valid NS answer—most likely REFUSED.<br>
<br>
resolving 'dyn.6ipv.com/NS/IN'<br>
BIND was trying to resolve the NS (name server) record for the domain dyn.6ipv.com in the IN (Internet) class.<br>
<br>
216.218.130.2#53<br>
This is the IP address of the upstream server that BIND tried to contact on port 53 (DNS).<br>
<br>
Interpretation:<br>
The server 216.218.130.2 (probably a Dyn-managed authoritative server for 6ipv.com) refused your query.<br>
<br>
BIND did not expect a REFUSED response when asking for NS records.<br>
<br>
This often happens because:<br>
<br>
The upstream server only answers queries from certain clients (your IP might be blocked).<br>
<br>
The server may have a misconfiguration or be temporarily rejecting queries.<br>
<br>
Some dynamic-DNS providers intentionally refuse certain direct NS lookups to reduce abuse.<br>
<br>
How to check:<br>
You can manually query the server:<br>
<br>
dig @216.218.130.2 dyn.6ipv.com NS<br>
You may get:<br>
<br>
; <<>> DiG 9.16 <<>> @216.218.130.2 dyn.6ipv.com NS<br>
; connection timed out; no servers could be reached<br>
or<br>
<br>
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12345<br>
If it returns REFUSED, the server is explicitly refusing queries.<br>
<br>
Actionable steps:<br>
Check your network: Are you allowed to query that server? Some servers refuse non-authorized queries.<br>
<br>
Try another resolver: Use a public DNS like 8.8.8.8 or 1.1.1.1 for resolution.<br>
<br>
Check BIND configuration: If you are doing forward or recursive queries, ensure your named.conf forwards to servers that actually answer.<br>
<br>
Concrete answer:<br>
Your BIND server tried to get the NS records for dyn.6ipv.com from 216.218.130.2, but that server refused the query, giving a REFUSED RCODE. This is usually intentional on the authoritative server side, not a BIND bug.<span style="mso-ligatures:none"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 8/27/2025 18:08, Steve Gladden wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Thanks Al,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I will see about figuring that out. <br>
Meanwhile I am able to tail the log when trying to query for that NS record. <br>
This is the only named error.item I see at default settings while attempting the query.
<br>
It’s like it will not add the record unless it already exists on the delegated server.
<br>
Aug 27 20:54:40 NS1 named[35894]: REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53<o:p></o:p></p>
<p class="MsoNormal">No errors or anything “interesting” on Bind9 start & stop. <br>
I only see that error when performing the NS query against the problem name.<o:p></o:p></p>
<p class="MsoNormal">That IP address is indeed the IP address of the delegated server.
<br>
<br>
But I also cannot add the zone on that server provider’s system (He.net). <br>
Because it checks MY server for the delegated NS records before it will let me add the zone there.
<br>
Which I can’t get working as detailed above.. <br>
I am only trying to get it to work locally first and I can’t even do that, because Bind9 somehow wants to verify the<br>
zone already exists on the delegated server.. <br>
<br>
Is there a way I can get this to at least work first this way? <br>
I would like it to be able to just serve up the NS record/pointer. <br>
Not check the remote system for sanity before letting me add the record. <br>
This has me stuck as I can’t add the zone on the remote system, AND I can’t simply add the NS record on my local system.
<br>
<br>
Thanks. <br>
-Steve<br>
<br>
<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none"> Al
<a href="mailto:aw009@sunnyside.com"><aw009@sunnyside.com></a> <br>
<b>Sent:</b> Wednesday, August 27, 2025 8:13 PM<br>
<b>To:</b> Steve Gladden <a href="mailto:steve@michiganbroadband.com"><steve@michiganbroadband.com></a><br>
<b>Subject:</b> Re: Trying simple NS delegation for a subdomain * I cannot get it to load/work.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Helvetica",sans-serif">this is a job for the log files.<br>
setting up log files for named can be pretty time consuming, but even the generic setup will probably report what is causing the servfail.<br>
without the logs there isn't any easy way to find out what the problem is.<br>
if you are using views, they should be checked, but again logs are everything</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 8/27/2025 17:01, Steve Gladden wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi this is my first post ever. <br>
I’m stuck on a very simple task that I have not been able to get to work. <br>
I have done this in the past with older versions of BIND but it has been quite a while.
<br>
<br>
I’m trying to delegate to an external provider’s nameserver for a “subdomain” of mine.
<br>
The parent zone file works properly and loads and serves everything as expected.
<br>
But will not load and serve my NS record pointing to an external provider’s DNS. <br>
<br>
I can get much more specific as need-be <br>
I am on an up to date version of Debian Server and an up to date version of Bind9 <br>
named -v<o:p></o:p></p>
<p class="MsoNormal">BIND 9.18.28-1~deb12u2-Debian (Extended Support Version) <id:><o:p></o:p></p>
<p class="MsoNormal"><br>
This is a generic example of what I am trying to do. <br>
The top two parent NS records load and serve as expected.<br>
As well as the A record of course. <br>
<br>
But the delegated NS record at the bottom does not get loaded or served when queried for it
<br>
I am using dig as you may expect to determine this.<o:p></o:p></p>
<p class="MsoNormal">I must be totally missing something simple but I am totally stumped on this at the moment.
<br>
<br>
<br>
$TTL 3600<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">$ORIGIN domain.com.<o:p></o:p></p>
<p class="MsoNormal">@ IN SOA domain.com. admin.domain.com. (<o:p></o:p></p>
<p class="MsoNormal"> 2017090101 ; Serial<o:p></o:p></p>
<p class="MsoNormal"> 10800 ; Refresh<o:p></o:p></p>
<p class="MsoNormal"> 1800 ; Retry<o:p></o:p></p>
<p class="MsoNormal"> 1209600 ; Expire<o:p></o:p></p>
<p class="MsoNormal"> 3600 ; Negative Cache TTL<o:p></o:p></p>
<p class="MsoNormal">)<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">@ IN NS ns1.domain.com.<o:p></o:p></p>
<p class="MsoNormal">@ IN NS ns2.domain.com.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">@ IN A 1.2.3.4<o:p></o:p></p>
<p class="MsoNormal">www IN A 1.2.3.4<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">$ORIGIN test.domain.com.<o:p></o:p></p>
<p class="MsoNormal">@ IN NS ns1.anothernameserver.com.<o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><br>
dig @localhost test.domain.com NS<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @localhost test.domain.com ns<o:p></o:p></p>
<p class="MsoNormal">; (2 servers found)<o:p></o:p></p>
<p class="MsoNormal">;; global options: +cmd<o:p></o:p></p>
<p class="MsoNormal">;; Got answer:<o:p></o:p></p>
<p class="MsoNormal">;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59084<o:p></o:p></p>
<p class="MsoNormal">;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">;; OPT PSEUDOSECTION:<o:p></o:p></p>
<p class="MsoNormal">; EDNS: version: 0, flags:; udp: 1232<o:p></o:p></p>
<p class="MsoNormal">; COOKIE: fb069e980ad743db0100000068af9952a0efd48210391401 (good)<o:p></o:p></p>
<p class="MsoNormal">;; QUESTION SECTION:<o:p></o:p></p>
<p class="MsoNormal">;test.domain.com. IN NS<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">;; Query time: 31 msec<o:p></o:p></p>
<p class="MsoNormal">;; SERVER: 127.0.0.1#53(localhost) (UDP)<o:p></o:p></p>
<p class="MsoNormal">;; WHEN: Wed Aug 27 19:48:34 EDT 2025<o:p></o:p></p>
<p class="MsoNormal">;; MSG SIZE rcvd: 69<br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">Thank you for any pointers.. <br>
I have spent about a day searching the web before posting. <o:p></o:p></p>
<p class="MsoNormal">Many examples say to do it the way I am doing it. <br>
And I’ve done it before this way.<br>
Not sure what I am missing. <br>
<br>
<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal">-SteveG<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-ligatures:none"><br>
<br>
<br>
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="mso-ligatures:none"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="mso-ligatures:none"><o:p> </o:p></span></p>
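<p class="MsoNormal">Added example, not written by anyone in this thread: a small parser that splits named "unexpected RCODE" log lines into the components discussed above and counts them per upstream server. It matches only the message form quoted in the thread; the function names are hypothetical, and every sample line except the first is constructed.</p>

```python
import re
from collections import Counter

# Message form taken from the log line quoted in the thread:
#   named[35894]: REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53
# Other BIND versions may word this differently; only this form is matched here.
# The greedy name group keeps any '/' inside the query name (RFC 2317 style
# reverse zones), and the server group stops at the last '#', so IPv6 works.
LINE_RE = re.compile(
    r"named\[\d+\]: ([A-Z]+) unexpected RCODE resolving "
    r"'(.+)/([A-Za-z0-9-]+)/([A-Za-z0-9]+)': (\S+)#(\d+)\s*$"
)

SAMPLE_LOG = [
    # First line is the one from the thread; the rest are constructed.
    "Aug 27 20:54:40 NS1 named[35894]: REFUSED unexpected RCODE resolving 'dyn.6ipv.com/NS/IN': 216.218.130.2#53",
    "Aug 27 20:54:41 NS1 named[35894]: REFUSED unexpected RCODE resolving 'dyn.6ipv.com/A/IN': 216.218.130.2#53",
    "Aug 27 20:55:02 NS1 named[35894]: SERVFAIL unexpected RCODE resolving '0/25.2.0.192.in-addr.arpa/PTR/IN': 2001:db8::53#53",
    "Aug 27 20:55:10 NS1 named[35894]: zone domain.com/IN: loaded serial 2017090101",
]


def parse_line(line):
    """Return the fields of one 'unexpected RCODE' line, or None for any other message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rcode, qname, qtype, qclass, server, port = m.groups()
    return {"rcode": rcode, "qname": qname, "qtype": qtype,
            "qclass": qclass, "server": server, "port": int(port)}


def summarize(lines):
    """Count unexpected RCODEs per (upstream server, rcode) pair."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["server"], rec["rcode"])] += 1
    return counts


if __name__ == "__main__":
    # One row per upstream server and response code, most frequent first.
    for (server, rcode), n in summarize(SAMPLE_LOG).most_common():
        print(f"{server:20} {rcode:9} {n}")
```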
</div>
</body>
</html>