MXToolBox Reports Problems with SOA with Netlify DNS

Hi there,

First of all, thanks for the awesome service that Netlify provides! It’s great, for both companies and also new learners, e.g. our bootcamp students at upleveled.io :raised_hands:

We’re using Netlify DNS (because we want to use Netlify for the apex domain upleveled.io) and it’s worked out well so far.

However, MXToolBox has detected a few problems with the DNS configuration (which I assume is not a fault of how we have configured it, but more Netlify’s global DNS config):

  1. A “Primary Name Server Not Listed At Parent” error on a Domain Health Report: upleveled.io Domain Health

This is described by MXToolBox as follows:

Your Primary Name Server was not in the list of name servers given to us by the root.

If your name server is not listed at the root this could cause impaired/incorrect lookups for your domain.

The Primary Name Server is the name server declared in your SOA file and is usually the name server that reads your records from zone files and is responsible for distributing that data to your secondary name servers. This problem is present when this primary name server is not included in the parent referrals and is almost always accompanied by a Local Parent Mismatch problem.

RFC 1035: Here a primary name server acquires information about one or more
zones by reading master files from its local file system, and
answers queries about those zones that arrive from foreign
resolvers.

If your Primary Name Server is not listed at your Parent or is not responding, then our DNS Propagation test tool will not operate properly. You will most likely also be experiencing other real world problems with DNS queries for your domain. Users with Basic or Pro accounts can contact our Support Team for assistance with understanding any DNS warnings or errors with specific information about your domain. If you are still a free user, upgrading your account will give you access to support as well as many other benefits.

  2. A “There is a problem. We were not able to find a Start of Authority (SOA) record which may indicate a DNS problem.” error when using the SuperTool: Network Tools: DNS,IP,Email

I must admit, my knowledge on DNS and various problems is still fledgling, so I’m not entirely sure what I should be checking for. But I did try running a dig command, where I was unable to see any issues:

$ dig SOA upleveled.io

; <<>> DiG 9.10.6 <<>> SOA upleveled.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;upleveled.io.			IN	SOA

;; ANSWER SECTION:
upleveled.io.		3600	IN	SOA	dns1.p01.nsone.net. domains+netlify.netlify.com. 1638894161 43200 7200 1209600 3600

;; Query time: 65 msec
;; SERVER: 2a02:8383:d:c::1000#53(2a02:8383:d:c::1000)
;; WHEN: Wed Dec 08 17:06:32 CET 2021
;; MSG SIZE  rcvd: 122

I did read https://answers.netlify.com/t/modification-to-soa-record/32899 about a potential issue caused by the domains+netlify.netlify.com part above, but I’m unsure if this is really a problem.

Hi, @karlhorky. I do think this is safe to ignore because the name server is listed in the SOA record.

Note, even if you don’t include the name server in the SOA record, things will still work correctly. I know the warning says they won’t work correctly but my personal experience proves otherwise. Again, even if the name server missing in the SOA record did cause problems (and it doesn’t) your SOA record does have the name server in it.

Want some proof? (Personally, I like proof so here we go!)

Let’s look at the NS record for google.com.:

$ dig +noall +answer google.com. NS
google.com.		21600	IN	NS	ns4.google.com.
google.com.		21600	IN	NS	ns1.google.com.
google.com.		21600	IN	NS	ns2.google.com.
google.com.		21600	IN	NS	ns3.google.com.

Now, let’s see the SOA record:

$ dig +noall +answer google.com. SOA
google.com.		3	IN	SOA	ns1.google.com. dns-admin.google.com. 415235059 900 900 1800 60

We see ns1.google.com. appears as a name server and in the SOA record.

The same is true for your domain:

$ dig +noall +answer upleveled.io. NS
upleveled.io.		3600	IN	NS	dns1.p01.nsone.net.
upleveled.io.		3600	IN	NS	dns2.p01.nsone.net.
upleveled.io.		3600	IN	NS	dns3.p01.nsone.net.
upleveled.io.		3600	IN	NS	dns4.p01.nsone.net.
$ dig +noall +answer upleveled.io. SOA
upleveled.io.		3600	IN	SOA	dns1.p01.nsone.net. domains+netlify.netlify.com. 1638894161 43200 7200 1209600 3600

We can see dns1.p01.nsone.net. included in both places. My best guess is that MXToolBox’s parsing of the DNS record is broken and not the SOA record itself.

2 Likes
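The comparison made in the reply above, as an added example that is not part of the original thread: it parses `dig +noall +answer` output, checks that the SOA primary name server (MNAME) is in the NS set, and decodes the SOA RNAME field, which RFC 1035 defines as the zone administrator's mailbox written as a domain name. The function names are hypothetical; the sample records are the ones quoted in this thread.

```python
import re

# Answer lines copied from the dig output quoted in this thread.
DIG_ANSWERS = """\
upleveled.io. 3600 IN NS dns1.p01.nsone.net.
upleveled.io. 3600 IN NS dns2.p01.nsone.net.
upleveled.io. 3600 IN NS dns3.p01.nsone.net.
upleveled.io. 3600 IN NS dns4.p01.nsone.net.
upleveled.io. 3600 IN SOA dns1.p01.nsone.net. domains+netlify.netlify.com. 1638894161 43200 7200 1209600 3600
"""

SOA_TIMERS = ("serial", "refresh", "retry", "expire", "minimum")


def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_answers(text):
    """Return (set of NS names, SOA dict or None) from dig answer lines."""
    ns, soa = set(), None
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks, ';' comment lines and anything that is not "name ttl IN type rdata".
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], parts[4:]
        if rtype == "NS":
            ns.add(normalize(rdata[0]))
        elif rtype == "SOA" and len(rdata) == 7:
            soa = {"mname": normalize(rdata[0]), "rname": normalize(rdata[1])}
            soa.update(zip(SOA_TIMERS, map(int, rdata[2:])))
    return ns, soa


def rname_to_mailbox(rname):
    """First unescaped dot in RNAME stands for '@'; '\\.' is a literal dot."""
    pieces = re.split(r"(?<!\\)\.", rname, maxsplit=1)
    if len(pieces) != 2:
        return rname
    return pieces[0].replace("\\.", ".") + "@" + pieces[1]


def mname_listed(ns, soa):
    """True when the SOA primary name server is one of the listed NS names."""
    return soa is not None and soa["mname"] in ns


if __name__ == "__main__":
    ns, soa = parse_answers(DIG_ANSWERS)
    print("MNAME in NS set:", mname_listed(ns, soa))
    print("Zone contact:", rname_to_mailbox(soa["rname"]))
```

The MXToolBox message refers to the name servers listed at the parent zone, so the same check applies when the NS lines come from the parent's referral instead of a recursive resolver.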

Thanks for the reply Luke!

Interesting facts there. I’m glad that it’s not causing a problem in practice, but I’d be interested as to the source of the failure. I’ve checked some other non-Netlify domains and MXToolBox doesn’t report an error. My guess is that MXToolBox isn’t broken, but there is something unusually configured on Netlify’s side (that others don’t do, e.g. Cloudflare).

Wonder if the failure we’re seeing has anything to do with the fact that there is this domains+netlify.netlify.com in the answer, that doesn’t have anything to do with the name server or the upleveled.io domain…

Anyway, I can understand that my lack of knowledge and information here can’t be easy to work with, so if you can’t spend any more time on this, I totally understand!

Thanks for your help anyway!

In case we don’t get any further with investigation, maybe a next step could be to experiment with moving the domain over to Cloudflare Pages, to see if there is still this error over there.

Curiously @karlhorky, I checked a couple of my domains configured in Netlify DNS using the https://mxtoolbox.com/Supertool.aspx?action=a:DOMAIN_NAME:all you shared, and none of them return the message about SOA that occurs with your domain.

@coelmay Very interesting! Are you using apex / root domains? (e.g. without the www)

One domain configured with www, others without.

Also worth noting I believe, the SOA Lookup returns no issues.

@coelmay For sure, very interesting! Wonder why our domain has this problem. Anyway, thanks for the info!