DNS-problem - authoritative Nameserver refused, not defined or timeout

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: artphotos.ro

I ran this command: https://check-your-website.server-daten.de/?q=artphotos.ro

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @letsencryptdeb

what’s your question?

Your name server configuration is wrong.

X Fatal: All Name Server IPv4 addresses from the same subnet. Check https://www.iana.org/help/nameserver-requirements to learn some basics about name server configurations. If you manage these name servers, fix it. If it’s your provider, change your provider.:
X Fatal: Only one Name Server IPv4 address found. Check https://www.iana.org/help/nameserver-requirements to learn some basics about name server configurations. If you manage these name servers, fix it. If it’s your provider, change your provider.

IANA:

Minimum number of name servers

There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.

Both of your name servers have the same ip address. That’s fatal. Change that.


Hi

My question is that 2 or 3 weeks back, with the same configuration, I got an A as the result of the test, and now I got X.
I did not change anything since the last time I ran this check. Last time, with both nameservers pointing to the same IP address, I got an A.
Is this something that changed recently?
I have only one machine and I host my DNS on that machine, so I do not have two IP addresses. What should I do?

Thank you.


I have changed the calculation of the result.

Added some new things (some weeks earlier), saw a lot of buggy configurations (different name servers with the same ip address or from the same subnet), then changed the calculation.

Why do you host your own name servers if you aren’t able to have different ip addresses in different locations?

I don’t host my own name servers.


I host my own nameserver because I wanted to learn and experiment with how to set up BIND on Linux. I would like to keep at least one nameserver.
For the second one, can I use a secondary DNS?

Problem solved.
I added a secondary DNS.

Thank you JurgenAuer.

Nothing solved, you have created the next error. Read the output of your last check.

Looks like I should add some additional X reasons.


Many authoritative name servers are answering now, but you have to update the NS records in the zone itself to match the delegated name server entries from the zone apex (ccTLD ro.).

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: nsge2.artphotos.ro (31.7.187.185): Delegation: ns1.1984hosting.com, ns2.1984.is, ns2.1984hosting.com, nsge1.artphotos.ro, nsge2.artphotos.ro, Zone: nsge1.artphotos.ro, nsge2.artphotos.ro

I have added ns1.1984hosting.com, ns2.1984.is, ns2.1984hosting.com to my registrar.
I have also added them in my artphotos.ro zone as nameservers as
artphotos.ro. IN NS ns1.1984hosting.com.
and so on.
What else should I do?

Thank you.

The output of the dig command still looks the same:

;; QUESTION SECTION:
;artphotos.ro.			IN	NS

;; ANSWER SECTION:
artphotos.ro.		38400	IN	NS	nsge1.artphotos.ro.
artphotos.ro.		38400	IN	NS	nsge2.artphotos.ro.

;; ADDITIONAL SECTION:
nsge1.artphotos.ro.	38400	IN	A	31.7.187.185
nsge2.artphotos.ro.	38400	IN	A	31.7.187.185

;; Query time: 39 msec
;; SERVER: 31.7.187.185#53(31.7.187.185)

Can you please check again?
When I run dig artphotos.ro NS
I get
;; ANSWER SECTION:

Thank you.
P.S. I kept only one NS outside of my network. I added it to my Zone as NS as well as an A record for it.
Is there anything else I need to do?

Since nsge1.artphotos.ro and nsge2.artphotos.ro have the same IP address, I suggest removing one of the NS entries (probably nsge2).

I understand what you say. However, I do not think that is a problem. My problem is
Fatal: Inconsistency between delegation and zone.
The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns1.1984hosting.com (185.112.145.13):
Delegation: ns1.1984hosting.com, nsge1.artphotos.ro, nsge2.artphotos.ro,
Zone: nsge1.artphotos.ro, nsge2.artphotos.ro.
Name Servers defined in Delegation, missing in Zone: ns1.1984hosting.com.

This is what I think I have to solve, but I do not know how.

The issue is simple to solve. First of all, you need at least two name servers (with different IP addresses) to function. For simplicity, select precisely two: nsge1.artphotos.ro and ns1.1984hosting.com.

So you have to add into your DNS zone:

@ 38400 IN NS nsge1.artphotos.ro.
@ 38400 IN NS ns1.1984hosting.com.

And no other NS entries.

When this is fine (both servers authoritatively answer with the same expected NS list), you have to update the nameserver list at your registrar for the zone artphotos.ro to precisely match the above two name servers. (You probably have to define a name server IP entry [for the glue record] at the registrar for nsge1.artphotos.ro, but that is most likely already done.)
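
The checks discussed in this thread (delegation and zone NS sets must match, and the name servers need at least two IPv4 addresses that are not all in one subnet), as an added example that is not part of the original posts or of the check tool. The sample records are constructed from the output quoted in the thread, and treating "same subnet" as a shared /24 is an assumption.

```python
import ipaddress

# Constructed sample: the zone's NS answer as quoted in the thread (dig format).
ZONE_BEFORE = """\
;; ANSWER SECTION:
artphotos.ro.        38400 IN NS nsge1.artphotos.ro.
artphotos.ro.        38400 IN NS nsge2.artphotos.ro.
;; ADDITIONAL SECTION:
nsge1.artphotos.ro.  38400 IN A  31.7.187.185
nsge2.artphotos.ro.  38400 IN A  31.7.187.185
"""
# Constructed sample: the zone after the change proposed in the post above.
ZONE_AFTER = """\
artphotos.ro.        38400 IN NS nsge1.artphotos.ro.
artphotos.ro.        38400 IN NS ns1.1984hosting.com.
nsge1.artphotos.ro.  38400 IN A  31.7.187.185
"""
# Address of the out-of-zone server, taken from the check output in the thread.
EXTERNAL = {"ns1.1984hosting.com.": "185.112.145.13"}

def parse_records(dig_text):
    """Collect NS targets and A addresses from dig-style record lines."""
    ns, addrs = set(), {}
    for line in dig_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) != 5 or fields[2] != "IN":
            continue  # skip section headers, comments and blank lines
        owner, _ttl, _cls, rtype, rdata = fields
        if rtype == "NS":
            ns.add(rdata.lower())
        elif rtype == "A":
            addrs[owner.lower()] = rdata
    return ns, addrs

def audit(delegation, zone_text, prefix=24):
    """Return the findings for one delegation / zone pair (prefix is assumed)."""
    zone_ns, addrs = parse_records(zone_text)
    addrs = {**EXTERNAL, **addrs}
    delegation = {name.lower() for name in delegation}
    findings = [f"in delegation, missing in zone: {n}" for n in sorted(delegation - zone_ns)]
    findings += [f"in zone, missing in delegation: {n}" for n in sorted(zone_ns - delegation)]
    ips = {addrs[n] for n in delegation | zone_ns if n in addrs}
    if len(ips) < 2:
        findings.append("fewer than two distinct name server IPv4 addresses")
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    if len(nets) < 2:
        findings.append(f"all name server IPv4 addresses share one /{prefix}")
    return findings
```

An empty list from `audit` means the registrar's NS list and the zone's NS list agree and the addresses are diverse; the same comparison should hold for the answer from every authoritative server, not only the primary.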

This is the part that I have now in my artphotos.ro zone

I do have glue records at my registrar for nsge1 and nsge2 with the corresponding IP addresses.
I also have a glue record without the IP for ns1.1984hosting.com. because it is hosted by a different domain.

I host my own primary DNS with nsge and I wanted to use 1984hosting.com. as my secondary DNS.

1. Is there something else I’m missing?
2. However, I do not see how nsge2.artphotos.ro is an issue just because it is there, because the requirement is for 2 different IP addresses, which is covered by nsge1 and ns1.

Thank you.

The name server list does not seem to be the same on the two name servers. Did you increase the serial number of the SOA record on the master so that the slave name server is able to update its zone file?

It may or may not be a problem. The solution I proposed is fail safe in that respect.

  1. The serial number on my primary DNS server is 2019112504
    The serial number on my secondary DNS server at 1984hosting.com is 2019112504

  2. Give me 5 minutes and I’ll take that out from my registrar and my zone.

Thank you.

Done. I took out nsge2.artphotos.ro from both my registrar and my zone.

The NS list is not the same on the two name servers. You have to increase the serial number of the SOA record on the master to trigger zone download on the slave server.

Problem solved.
I used 1984hosting.com as a secondary.
The thing is that I only had to add an NS record in my zone.
One does not need to add an A record with the NS.
Of course we have to allow transfers to the IP suggested by 1984hosting.com.

Thank you bruncsak and JurgenAuer for feedback.