Reverse DNS troubleshooting

Some aspects of this procedure can cause problems; the more common errors are listed below.


Likely cause

My domain object is in the database, but it isn’t visible to the Internet The authoritative nameserver, is reloaded every two hours. Updates should become visible at the next nameserver reload.
If your domain is still not visible more than 2 hours after you have successfully created a domain object, please contact the APNIC Helpdesk.
I don’t have a maintainer object. How can I request a reverse delegation domain object? Maintainer objects are used to protect a given object in the APNIC database from ad-hoc changes. As such, they can be created in MyAPNIC.
What does “hierarchical authorisation failed, request forwarded to maintainer” mean? Another use of maintainer objects is to protect the space that is logically beneath an object with the ‘mnt-lower’ attribute set. There exists a domain object named ‘’ which has the ‘mnt-lower’ set, which ensures that no unauthorised creations occur beneath the zone.
If you request the creation of a new domain, it will usually fail the hierarchical authorisation, producing an automatic email reply. This reply will also be automatically forwarded to the APNIC helpdesk staff, who will create the new domain for you. An email notification will be sent out when the new domain has been created.
This only occurs on initial creation, and should not occur when you wish to update the delegation (as it will be maintained by your own maintainer object).
Please do not confuse this error message with the standard “authorisation failed” message (which indicates that you have supplied the wrong password for the specified maintainer object).
*ERROR*: No SOA RR were found. No Start of Authority records were found. This tends to indicate that the nominated nameservers are not replying correctly for the zone in question. Usually, the fix for this involves reloading all of the nameservers.
*WARNING*: some of the specified name servers appear to be in the same subnet, according to RFC2182, they should be geographically separated. If you supply two (or more) nameservers which appear to be in the same physical location, the above is a reminder that the zone may not be visible if your connection to the internet fails. Having off-site secondary nameservers can be considered a form of insurance for system failure (eg, fire in your machine room).
APNIC highly recommends that you have multiple secondary nameservers located outside your network to cover system or network failures.
*ERROR*: NS RR for abc.b.c.d found on xyz.b.c.d but not in template. The machine abc.b.c.d is reported to be a nameserver for this domain by the machine xyz.b.c.d, but you did not list abc.b.c.d when submitting the form.
*ERROR*: nserver: a.b.c.d
*ERROR*: The specified name server is not responding
The nameserver a.b.c.d has failed to respond because:

  • a nameserver process is not running on port 53; or
  • the nameserver does not accept both UDP and TCP port 53 queries; or
  • the nameserver process is running on the given host but has not been loaded with information about itself

Correct your nameserver or firewall/router configuration and resubmit the request.

*ERROR*: cross-check of listed NS RR failed. The nameservers on both zones should be the same.
*ERROR*: SOA on “machine1.b.c.d” does not match SOA on “machine2.b.c.d” Some of the nameservers supplied could not be contacted, or some of them failed to respond appropriately (ie, is a nameserver running on these hosts, and do they know about the zone in question?)
This message is also generated when the list of nameservers that you supply to the form, does not match the list of nameservers that you set up (on the nameservers in question). The comparisions is done on a textual basis (ie, supplying IP addresses won’t work).
Help, I’m sure my zone is set up correctly, but your form just won’t accept it You can always email the APNIC Helpdesk for help. However we suggest that you first read RFC1912 – Common DNS Operational and Configuration Errors.