Why is Denic not accepting my nameservers?

I'm currently in the process of moving all of our domains to our own nameservers, which wasn't an issue until I hit our own .de domain. I (think I) understand the implications of having the NS inside its own domain, hence the need for glue records.

Until yesterday, I would have assumed I have a pretty good understanding of BIND and DNS zones, until I was presented with this error from the Denic nameserver predelegation check:

Inconsistent set of nameserver IP addresses (NS, provided glues, determined glues)

  • ns2.hartwig-at.de
  • [88.198.242.190/88.198.242.190]
  • Default resolver determined: [], other resolvers determined: {88.198.242.190/88.198.242.190=[/2a01:4f8:d13:3c85:0:0:0:2, /88.198.242.190]}

Inconsistent set of nameserver IP addresses (NS, provided glues, determined glues)

  • ns1.hartwig-at.de
  • [cloud.hartwig-at.de/176.221.46.23]
  • Default resolver determined: [], other resolvers determined: {cloud.hartwig-at.de/176.221.46.23=[/2a00:1158:3:0:0:0:0:b6, /176.221.46.23]}

Screenshot of the result

The support of my registrar is either far better educated than me or doesn't have a clue. Either way, they're avoiding my questions with regard to what this error means. They just tell me

Your nameserver has to return your own nameservers as the default resolver.

But that doesn't make any sense to me and they refuse to try to explain it any other way.

This is the head of my current zone file:

@               86400   IN SOA          ns1.hartwig-at.de. hostmaster.hartwig-at.de. (
                                        2012070505 ; serial
                                        1d         ; refresh
                                        3h         ; retry
                                        4w         ; expiry
                                        1h )       ; minimum

                3600    IN NS           ns1.hartwig-at.de.
                3600    IN NS           ns2.hartwig-at.de.

                3600    IN MX 10        remote.hartwig-at.de.
                3600    IN MX 20        mx1.hartwig-at.de.
                3600    IN MX 30        mx2.hartwig-at.de.

localhost       3600    IN A            127.0.0.1
localhost       3600    IN AAAA         ::1
@               3600    IN A            176.221.46.23
                3600    IN AAAA         2a00:1158:3::b6
*               3600    IN A            176.221.46.23
                3600    IN AAAA         2a00:1158:3::b6

hetzner         3600    IN A            88.198.242.190
hetzner         3600    IN AAAA         2a01:4f8:d13:3c85::2
cloud           3600    IN A            176.221.46.23
cloud           3600    IN AAAA         2a00:1158:3::b6

; List all NS as A/AAAA record
ns              3600    IN A            176.221.46.23
ns              3600    IN AAAA         2a00:1158:3::b6
ns1             3600    IN A            176.221.46.23
ns1             3600    IN AAAA         2a00:1158:3::b6
ns2             3600    IN A            88.198.242.190
ns2             3600    IN AAAA         2a01:4f8:d13:3c85::2

So, what is the problem with my zone? And what is the "default resolver"?


Solution 1:

Your nameservers have AAAA records, but you didn't include the IPv6 addresses as glue records (hence the glue records are not consistent with the addresses returned by your nameserver). Running the check with both IPv4 and IPv6 addresses listed returns the following:

DEnic nameserver check
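The comparison behind that error can be reproduced offline. The following is an added example, not part of the original answer and not DENIC's own code: it parses the NS and address records from the question's zone file and reports, per nameserver, which addresses the zone serves that the glue lacks. The function names and the `GLUE_V4_ONLY` dictionary are assumptions made for illustration, with the glue values taken from the IPv4-only addresses shown in the check output.

```python
import ipaddress

ORIGIN = "hartwig-at.de."
# NS and nameserver address records copied from the zone file in the question.
ZONE = """\
@    3600 IN NS   ns1.hartwig-at.de.
     3600 IN NS   ns2.hartwig-at.de.
ns1  3600 IN A    176.221.46.23
ns1  3600 IN AAAA 2a00:1158:3::b6
ns2  3600 IN A    88.198.242.190
ns2  3600 IN AAAA 2a01:4f8:d13:3c85::2
"""
# Glue as it appears in the failing check output: IPv4 only (assumed submission).
GLUE_V4_ONLY = {"ns1.hartwig-at.de.": ["176.221.46.23"],
                "ns2.hartwig-at.de.": ["88.198.242.190"]}

def fqdn(name, origin=ORIGIN):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, origin=ORIGIN):
    """Return (NS names, {owner: set of addresses}) for one-line records."""
    ns, addrs, owner = set(), {}, origin
    for line in text.splitlines():
        line = line.split(";", 1)[0]           # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():              # blank owner column inherits the previous owner
            owner = fqdn(fields.pop(0), origin)
        rtype, rdata = fields[2], fields[3]    # fields: TTL, class, type, rdata
        if rtype == "NS":
            ns.add(fqdn(rdata, origin))
        elif rtype in ("A", "AAAA"):
            # ip_address() normalises, so ::2 and 0:0:0:2 compare equal
            addrs.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return ns, addrs

def glue_mismatches(zone_text, glue, origin=ORIGIN):
    """Per in-zone NS: addresses the zone serves but glue lacks, and the reverse."""
    ns, addrs = parse_zone(zone_text, origin)
    report = {}
    for name in sorted(n for n in ns if n.endswith("." + origin)):
        served = addrs.get(name, set())
        given = {ipaddress.ip_address(a) for a in glue.get(name, [])}
        if served != given:
            report[name] = {"missing_glue": sorted(map(str, served - given)),
                            "extra_glue": sorted(map(str, given - served))}
    return report
```

Calling `glue_mismatches(ZONE, GLUE_V4_ONLY)` lists the two AAAA addresses as missing glue; an empty result means the glue set and the zone's nameserver addresses agree.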