MXToolBox Reports Problems with SOA with Netlify DNS

Hi there,

First of all, thanks for the awesome service that Netlify provides! It’s great, for both companies and also new learners eg. our bootcamp students at :raised_hands:

We’re using Netlify DNS (because we want to use Netlify for the apex domain) and it’s worked out well so far.

However, MXToolBox has detected a few problems with the DNS configuration (which I assume is not a fault of how we have configured it, but more Netlify’s global DNS config):

  1. A “Primary Name Server Not Listed At Parent” error on a Domain Health Report: Domain Health Check - Online Domain Tools - Blacklist, Email, Website, DNS - MxToolBox

This is described by MXToolBox as follows:

Your Primary Name Server was not in the list of name servers given to us by the root.

If your name server is not listed at the root this could cause impaired/incorrect lookups for your domain.

The Primary Name Server is the name server declared in your SOA file and is usually the name server that reads your records from zone files and is responsible for distributing that data to your secondary name servers. This problem is present when this primary name server is not included in the parent referrals and is almost always accompanied by a Local Parent Mismatch problem.

RFC 1035: Here a primary name server acquires information about one or more
zones by reading master files from its local file system, and
answers queries about those zones that arrive from foreign

If your Primary Name Server is not listed at your Parent or is not responding, then our DNS Propagation test tool will not operate properly. You will most likely also be experiencing other real world problems with DNS queries for your domain. Users with Basic or Pro accounts can contact our Support Team for assistance with understanding any DNS warnings or errors with specific information about your domain. If you are still a free user, upgrading your account will give you access to support as well as many other benefits.

  2. A “There is a problem. We were not able to find a Start of Authority (SOA) record which may indicate a DNS problem.” error when using the SuperTool: Network Tools: DNS,IP,Email

I must admit, my knowledge on DNS and various problems is still fledgling, so I’m not entirely sure what I should be checking for. But I did try running a dig command, where I was unable to see any issues:

$ dig SOA

; <<>> DiG 9.10.6 <<>> SOA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;			IN	SOA

;; ANSWER SECTION:		3600	IN	SOA 1638894161 43200 7200 1209600 3600

;; Query time: 65 msec
;; SERVER: 2a02:8383:d:c::1000#53(2a02:8383:d:c::1000)
;; WHEN: Wed Dec 08 17:06:32 CET 2021
;; MSG SIZE  rcvd: 122

I did read about a potential issue caused by the part above, but I’m unsure if this is really a problem.

Hi, @karlhorky. I do think this is safe to ignore because the name server is listed in the SOA record.

Note, even if you don’t include the name server in the SOA record, things will still work correctly. I know the warning says they won’t work correctly but my personal experience proves otherwise. Again, even if the name server missing in the SOA record did cause problems (and it doesn’t) your SOA record does have the name server in it.

Want some proof? (Personally, I like proof so here we go!)

Let’s look at the NS record for

$ dig +noall +answer NS		21600	IN	NS		21600	IN	NS		21600	IN	NS		21600	IN	NS

Now, let’s see the SOA record:

$ dig +noall +answer SOA		3	IN	SOA 415235059 900 900 1800 60

We see appears as a name server and in the SOA record.

The same is true for your domain:

$ dig +noall +answer NS		3600	IN	NS		3600	IN	NS		3600	IN	NS		3600	IN	NS
$ dig +noall +answer SOA		3600	IN	SOA 1638894161 43200 7200 1209600 3600

We can see included both places. My best guess is that MXToolBox’s parsing of the DNS record is broken and not the SOA record itself.
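
The by-eye comparison in the reply above (is the SOA record's primary name server, the MNAME field, one of the NS targets?) can be scripted. This is an added example, not part of the original posts and not Netlify or MXToolBox tooling; the function names are hypothetical and the `example.com` records are constructed sample data in `dig +noall +answer` layout. It compares against whatever NS answer it is given, whereas the MXToolBox warning refers to the NS list returned by the parent zone.

```shell
#!/bin/sh
# Lower-case a host name and drop the trailing root dot, so that
# "NS1.Example.NET." and "ns1.example.net" compare equal.
normalize() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Answer line layout: owner TTL class type rdata...
# For SOA the first rdata field ($5) is the MNAME (primary name server).
soa_mname() {
    printf '%s\n' "$1" | awk '$4 == "SOA" { print $5; exit }'
}

# Print one NS target per line; comment lines and other types are skipped.
ns_targets() {
    printf '%s\n' "$1" | awk '$4 == "NS" { print $5 }'
}

# mname_in_ns <SOA answer text> <NS answer text>
# returns 0 = MNAME listed, 1 = not listed, 2 = no SOA record in the answer
mname_in_ns() {
    mname=$(soa_mname "$1")
    [ -n "$mname" ] || return 2
    mname=$(normalize "$mname")
    for ns in $(ns_targets "$2"); do
        if [ "$(normalize "$ns")" = "$mname" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample answers (not the domain from this thread).
SAMPLE_NS='example.com. 3600 IN NS ns1.dns.example.net.
example.com. 3600 IN NS ns2.dns.example.net.'
SAMPLE_SOA='example.com. 3600 IN SOA NS1.dns.example.net. hostmaster.example.com. 1638894161 43200 7200 1209600 3600'
SAMPLE_SOA_BAD='example.com. 3600 IN SOA hidden.example.org. hostmaster.example.com. 1 43200 7200 1209600 3600'

# Live use (needs network access and dig):
#   mname_in_ns "$(dig +noall +answer SOA example.com)" \
#               "$(dig +noall +answer NS example.com)"
if mname_in_ns "$SAMPLE_SOA" "$SAMPLE_NS"; then
    echo "SOA MNAME is in the NS set"
else
    echo "SOA MNAME is not in the NS set"
fi
```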


Thanks for the reply Luke!

Interesting facts there. I’m glad that it’s not causing a problem in practice, but I’d be interested as to the source of the failure. I’ve checked some other non-Netlify domains and MXToolBox doesn’t report an error. My guess is that MXToolBox isn’t broken, but there is something unusually configured on Netlify’s side (that others don’t do - eg. Cloudflare).

Wonder if the failure we’re seeing has anything to do with the fact that there is this in the answer, that doesn’t have anything to do with the name server or the domain…

Anyway, I can understand that my lack of knowledge and information here can’t be easy to work with, so if you can’t spend any more time on this, I totally understand!

Thanks for your help anyway!

In case we don’t get any further with investigation, maybe a next step could be to experiment with moving the domain over to Cloudflare Pages, to see if there is still this error over there.

Curiously @karlhorky, I checked a couple of my domains configured in Netlify DNS using the you shared, and none of them return the message about SOA that occurs with your domain.

@coelmay Very interesting! Are you using apex / root domains? (eg. without the www)

One domain configured with www, others without.

Also worth noting I believe, the SOA Lookup returns no issues.

@coelmay For sure, very interesting! Wonder why our domain has this problem. Anyway, thanks for the info!