Technical check

Regcheck error codes

Clarifications on error codes from regcheck


M-CNAM -E- [domain] NS record CNAME

Reason:

One of the name servers - specified as an NS record - is a CNAME (Canonical Name). It should be an A (Address) record (see: RFC1912 2.4. and http://www.faqs.org/faqs/internet/tcp-ip/domains-faq/part1/ Q6.6.)

Correction:

Define an A record instead of the CNAME.


M-DIFN -E- [domain] All nameservers on the same network

Reason:

According to the registration rules at least two name servers should be on different networks. The checking procedure cannot determine this for sure, and assumes it to be true if:

  1. Two name servers are in different /24 address block, or
  2. Traceroutes to the name servers differ.

Correction:

Place another (a slave) name server on another network.


M-SOAM -E- [domain] SOA mismatch at [address] over [prot]

Reason:

Autoritative name servers (those which have a corresponding NS record in the zone), have to serve zone data in accordance with each other. If they do not serve the very same SOA record, it is a sign of discrepancy. It might be that the some slave server has not updated the zone yet. refresh érték).

Correction:

Possibly the slave cannot download the new version of the zone. Chances are that some firewall rules, allow-transfer option or configuration file typo is the culprit.


M-SOAN -E- [domain] No authoritative SOA at [address] over [prot]

Reason:

The DNS server given in the zone is not autoritative for the domain.

Correction:

Make sure that the given server is autoritative for the domain. Make sure that no firewall rules block DNS traffic to the server.


M-DSOA -E- [domain] SOA records differ on servers

Reason:

All the name servers should serve the same zone data, and so the same SOA record.

Correction:

The reason might be an error in the master/slave communication between the name servers. Some possible causes: firewall rules, name server configuration parameters, etc.

The reason might be also zone refresh delay. In this case waiting for the refresh might suffice. One can also trigger zone refresh on the slave.


M-LASE -E- [domain] Lame secondary

Reason:

At least one of the name servers do not server the zone.

Correction:

Make sure that the server is authoritative for the given zone. Sometimes firewall rules prohibit proper zone propagation at one of the servers. Check and correct these settings.


M-MXF -E- [domain] canonical A record for MX mx not found

Reason:

On the right side of the MX record there is a domain name which do not resolve to an A record.

Correction:

Define an A record for the mail server.


M-NMAS -E- [domain] Cannot get A for NS host pserv

Reason:

There is no A record for the name server.

Correction:

Define an A record for the name server.


M-NNAS -E- [domain] Cannot get A for NS host nshost

Reason:

There is no A record for the name server.

Correction:

Define an A record for the name server.


M-NOSE -E- [domain] No secondary

Reason:

There is no secondary name server defined for the domain.

Correction:

Make sure that at least another name server serves the zone.


M-NOSOA -E- [domain] No SOA record found

Reason:

There is no SOA record for the zone. One possible reason for this might be that there is just a CNAME for the domain at the authoritative server.

Correction:

Define a proper SOA.


M-NSF -E- [domain] A record for NS ns not found

Reason:

There is no A record for the name server given in the zone.

Correction:

Define a proper A record.


M-PMAS -E- [domain] address check for postmaster@domain failed at ALL MX records

Reason:

Accordint to the registration rules (and RFC2821) if there is an MX for the domain, the postmaster@domain address should work.

Correction:

Define the postmaster@domain e-mail address at the mail server.


M-PRIF -E- [domain] Cannot get domain data (nshost_a nshost)

Reason:

The SOA record of the domain could not be obtained.

Possibly the name server IP address has been misspelled. One cannot leave the name server field empty, unless the domain is already registered and one does not want to change name servers.

One other reason might be that the given name server does not serve the zone. This might be because of some firewall rules also.

Correction:

Specify the name server or correct the configuration.


M-SOAER -E- [domain] syntax error in SOA record:

Reason:

There is a syntax error in the domain SOA record.

Correction:

Correct the configuration according to RFC1035 .


M-TO -E- [domain] Timout, exiting...

Reason:

The checking procedure timed out, because there was no answer for a query.

This might be a DNS query but mostly email address verifications time out. Other messages from the procedure may help to find the reason.

Correction:

Make sure that dns queries and email verification get answered. Somtetimes firewall rule tuning is necessery. In case of a network outage retry the check later.


M-RERR -W- [domain] SOA parameters don't comply with RIPE,

Reason:

This message means that the refresh, retry, expire and ttl values significantly differ from the RIPE recommandation: at least one of the values fall outside the range [x/20, 20*x] where x is the recommended valu in ftp://ftp.ripe.net/ripe/docs/ripe-203.txt.

The RIPE recommendation dates back to 1999. The author - Peter Koch - revised the values in 2005. The values according to this revision:

  refresh = 86400,        # 24 hours
  retry   = 7200,         # 2 hours
  expire  = 2419200,      # 4 weeks
  ttl     = 3600          # 1 hour

The checking procedure adheres to these values.

Correction:

Set the SOA parameters close to the recommended values.


M-PMAE -W- [domain] address check for [postmaster@domain] failed at [mx],

Reason:

The mx server of the domain should accept messages to the postmaster@domain address. The checking procedure tried to send a mail to this address and failed. This is not a fatal error if there is any MX, which accepts messages to the postmaster address. (See: PMAS)

Correction:

Make sure that the postmaster email address works.


M-SXERR -W- [domain] syntax error in zone xyz

Reason:

The checking procedure found a syntax error in the zone data.

Correction:

Check and correct the syntax.


M-GLUE -W- [domain] glue record in zone

Reason:

There is an extraneous glure record in the zone which is most probably superfluous and might cause trouble.

Correction:

Delete the extra glue from the zone.


M-SOAR -E- [domain] SOA error at [address] over [prot]

Reason:

There was a failure when querying SOA at [address] over [prot]. There could be some firewall rules which cause this. Possibly there is no SOA record at [address]. One possible cause of this is a CNAME at the autoritative server.

Correction:

Modify the firewall configuration, or define an approriate SOA record as necessery.


M-PARI -W- [domain] NS records inconsistent with parent !!!

Reason:

This message may appear if the domain is already registered and the parent (e.g. .hu or co.hu) zone serves different NS records from the authoritative servers. Most probably the name servers changed, and the registrar has not changed the name servers in the registration system yet.

Correction:

Have the registrar change the delegation or revert to the old servers.


M-GLUD -W- [domain] NS glues differ on parent [parent_ip : ip] !!! ,

Reason:

This message may appear if the domain is already registered and the parent (e.g. .hu or co.hu) zone serves different glue records from the authoritative servers. Most probably the name server address changed, and the registrar has not changed it in the registration system yet.

Correction:

Have the registrar change the delegation or revert to the old address.


M-VRRT -W- [domain] retrying verify

Reason:

The procedure tried to verify an email address (SOA RNAME or postmaster@domain) but failed. However this is just a warning: the procedure does not give up, retries.

Correction:

If the check fails at the end make sure that the email address works.


M-NODS -E- [domain] No dnskey found at [ip cím]

Reason:

This message appears if we requested DNSSEC validation also. The procedure did not found DNSKEY record for the domain at name server ip cím. Most probably the zone is not configured with DNSSEC yet.

Correction:

Either retry the check without DNSSEC or correct the DNSSEC configuration.


M-DIFDS -E- [domain] DNSKEY RRset differs on servers

Reason:

This message appears if we requested DNSSEC validation also. The checking procedure finds different DNSKEY rrsets at different authoritative name servers.

Correction:

Make sure that the same DNSKEY rrset is served at all the authoritative name servers.


M-DSD -W- [domain] DS keys differ at parent

Reason:

This message appears if the domain has been already registered with DNSSEC. The procedure found different KSK records than those indicated by the DS records in the parent (usually .hu). Most probably a KSK rollover occured at the zone which is not reflected in the parent: the registrar has not updated the domain data in the registration system (yet).

Correction:

Have the registrar update the domain data in the registration system with DNSSEC so that the new DS record in the parent reflect the actual KSK records.


M-KERR -E- [domain] Key error [keyerr]

Reason:

The procedure found an error with the DNSKEY RRset or with the signature(s) of the DNSKEY RRset. [keyerr] gives further explanation. Possibly there are no RRSIG records, or there are no RRSIG records from some of the authoritative name servers.

Correction:

Make sure that the DNSKEY RRset and the corresponding RRsig(s) are correct on all authoritative name servers.


M-MDS -E- [domain] More than 6 KSKs found

Reason:

This DNSSEC related message means that there were more than six DNSKEY records with SEP (Secure Entry Point) bit set.

Correction:

Make sure that there are no more than six KSK records in the DNSKEY rrset.


M-MULP -E- [domain] Not just one NS at one IP address [IP]: [name1] / [name2]

Reason

Two autoritativ name servers have the very same IP address.

Correction:

Delete one of the NS records or give an NS server another IP address


M-SOMN -W- [domain] no NS record for SOA MNAME [ns]

Reason:

The MNAME value in the SOA record - which used to point to the primary name server of the zone - does not have an NS record. This might be intentional (e.g. hidden primary) but often is not.

Correction:

Not really needed. This is just a warning. Possibly define an NS record with the given MNAME.


M-UNSDS -E- Unsupported DNSKEY algorithm [algo]

Reason:

The given DNSKEY alorithm is unsupported. The supported algorithms are listed here

Correction:

Modify the DNSKEY algorithm in the zone.


Main page | List of Registrars | Delegation rules | Domain announcement | Domain search | Technical check
Consulting body | Alternative dispute resolution | Arbitration court | Archive | Others | Statistics