
Some time ago (months), I updated the nameservers for a number of domains I control; both the old and new nameservers are run by the same hosting company.

The NS records are correct with the registrar, and the correct records are shown by a whois request and by a dig +trace.

However, a dig NS and an nslookup for soa both show the old records.

Recently the old nameserver was retired (it no longer responds to dig requests), and I'm concerned that this might impact the websites.

Please forgive a slight scattershot of related questions – I'm trying to work out what's happening, but I'm not entirely sure what I should be asking:

  • Why are these tools returning the old nameserver? How is the old nameserver still held by any systems, months after the change?

  • How do I find the canonical answer? Is that a valid question? What does 'canonical' mean in this sense – I'm assuming it should mean the setting at the registrar?

  • What tool gives me the pragmatically correct answer (i.e. the answer that most of the internet is using to resolve my domains)? I'm assuming that the internet at large isn't actually using the info provided by dig's source.

Here's an example:

Dig shows the old nameserver ns1.OLDNAMESERVER.net

$ dig ns EXAMPLE.co.uk
; ANSWER SECTION:
EXAMPLE.co.uk.  600 IN  NS  ns2.OLDNAMESERVER.net.
EXAMPLE.co.uk.  600 IN  NS  ns1.OLDNAMESERVER.net.

as does nslookup:

$ nslookup
> set querytype=soa
> EXAMPLE.co.uk
Server:     1.2.3.4
Address:    1.2.3.4#53

Non-authoritative answer:
EXAMPLE.co.uk
    origin = ns1.OLDNAMESERVER.net

whereas whois shows the correct nameserver ns1.NEWNAMESERVER.co.uk as set in the registrar:

$ whois EXAMPLE.co.uk
Name servers:
    ns1.NEWNAMESERVER.co.uk         5.6.7.8
    ns2.NEWNAMESERVER.co.uk         1.6.7.9

as does dig +trace:

$ dig +trace EXAMPLE.co.uk
EXAMPLE.co.uk.  172800  IN  NS  ns1.NEWNAMESERVER.co.uk.
EXAMPLE.co.uk.  172800  IN  NS  ns2.NEWNAMESERVER.co.uk.
Dan W

1 Answer


You have NS records at your new name servers, pointed to the old ones. Go to the DNS settings of the domain (the DNS zone) and change the NS records, not the name servers. Dig +trace should be showing you that:

EXAMPLE.co.uk.    172800  IN  NS  ns2.NEWNAMESERVER.co.uk.
EXAMPLE.co.uk.    172800  IN  NS  ns1.NEWNAMESERVER.co.uk.
;; Received 643 bytes from 156.154.103.3#53(nsd.nic.uk) in 26 ms

EXAMPLE.co.uk.    86400   IN  NS  ns1.OLDNAMESERVER.net.
EXAMPLE.co.uk.    86400   IN  NS  ns2.OLDNAMESERVER.net.
;; Received 124 bytes from 5.6.7.8#53(ns2.NEWNAMESERVER.co.uk) in 43 ms
Lanexbg
  • Just to check – These are NS records within the zone file, like the A, MX, and TXT records? So `dig NS` returns these records from the nameserver itself? That would explain things. I'm using cPanel's zone editor, and I can't see any NS records listed, or the option to create them. Would they have another name? – Dan W Dec 12 '18 at 17:54
  • 1
    "These are NS records within the zone file, like the A, MX, and TXT records? " Yes. Do `dig @ns1.tsohost.co.uk. NS caffiniti.co.uk` and see the wrong NS records being returned. The nameservers are not configured correctly for your domain but still reply authoritatively for it ("aa" flag). They should be modified, that is the content of the zone. Or you should use other nameservers (and if so, change the delegation at parent). – Patrick Mevzek Dec 12 '18 at 19:18
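The answer and the last comment turn on one fact: a delegated zone carries two NS sets, the referral the parent (nsd.nic.uk) hands out and the apex NS records inside the zone itself, and a recursive resolver trusts the child's authoritative (aa) answer over the parent's referral data (RFC 2181 section 5.4.1), which is exactly why `dig NS` through a resolver keeps returning the old servers long after the registrar was updated. The dig +trace output in the answer contains both sets, one hop apart. Below is an added example, not code from the original post or either commenter, that parses dig +trace output and flags a delegation whose apex NS set disagrees with the parent. The two trace samples are constructed from the page's placeholder names (EXAMPLE.co.uk, ns1.NEWNAMESERVER.co.uk, ns1.OLDNAMESERVER.net); the root and uk hops and their addresses are made up for shape only, and `parse_trace`, `ns_sets` and `delegation_consistent` are names chosen here.

```python
"""Compare the parent delegation NS set with the NS set the child zone publishes.

Feed it the output of:  dig +trace EXAMPLE.co.uk NS
"""
import re
from collections import namedtuple

RR = namedtuple("RR", "owner ttl rtype rdata")

# Constructed sample modelled on the dig +trace output in the answer above.
# Root and uk hops (and their addresses) are placeholders, not real servers.
SAMPLE_TRACE_BROKEN = """\
.                       518400  IN  NS  a.root-servers.net.
;; Received 525 bytes from 1.2.3.4#53(1.2.3.4) in 10 ms

uk.                     172800  IN  NS  nsd.nic.uk.
;; Received 700 bytes from 198.41.0.4#53(a.root-servers.net) in 20 ms

EXAMPLE.co.uk.    172800  IN  NS  ns2.NEWNAMESERVER.co.uk.
EXAMPLE.co.uk.    172800  IN  NS  ns1.NEWNAMESERVER.co.uk.
;; Received 643 bytes from 156.154.103.3#53(nsd.nic.uk) in 26 ms

EXAMPLE.co.uk.    86400   IN  NS  ns1.OLDNAMESERVER.net.
EXAMPLE.co.uk.    86400   IN  NS  ns2.OLDNAMESERVER.net.
;; Received 124 bytes from 5.6.7.8#53(ns2.NEWNAMESERVER.co.uk) in 43 ms
"""

# Constructed: the same trace after the NS records inside the zone were fixed.
SAMPLE_TRACE_FIXED = SAMPLE_TRACE_BROKEN.replace(
    "ns1.OLDNAMESERVER.net.", "ns1.NEWNAMESERVER.co.uk."
).replace("ns2.OLDNAMESERVER.net.", "ns2.NEWNAMESERVER.co.uk.")

# ";; Received 643 bytes from 156.154.103.3#53(nsd.nic.uk) in 26 ms"
RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\)")


def parse_trace(text):
    """Split dig +trace output into (responder, [RR]) hops.

    A hop is a run of resource-record lines closed by the ';; Received ...'
    line that names the server which answered them.
    """
    hops, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((m.group(2).lower(), pending))
            pending = []
            continue
        if line.startswith(";"):
            continue  # other dig commentary
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype = fields[:4]
        pending.append(RR(owner.lower(), int(ttl), rtype, " ".join(fields[4:]).lower()))
    return hops


def ns_sets(zone, hops):
    """Return (parent_referral, child_apex) sets of NS names for `zone`.

    The parent's referral is the first hop carrying NS records owned by the
    zone; the child's apex set is the last such hop, which dig obtained from
    one of the servers named in that referral.
    """
    zone = zone.lower().rstrip(".") + "."
    carrying = []
    for responder, rrs in hops:
        names = {rr.rdata for rr in rrs if rr.owner == zone and rr.rtype == "NS"}
        if names:
            carrying.append((responder, names))
    if not carrying:
        raise ValueError("no NS records for %s in trace" % zone)
    parent = carrying[0][1]
    child = carrying[-1][1] if len(carrying) > 1 else set()
    return parent, child


def delegation_consistent(zone, text):
    """True when the apex NS set the child serves matches the parent's referral."""
    parent, child = ns_sets(zone, parse_trace(text))
    return parent == child


def explain(zone, text):
    parent, child = ns_sets(zone, parse_trace(text))
    if parent == child:
        return "OK: parent referral and zone apex agree on %s" % sorted(parent)
    return ("MISMATCH: parent delegates to %s but the zone itself lists %s; "
            "fix the NS records inside the zone (or re-delegate at the parent)"
            % (sorted(parent), sorted(child)))


if __name__ == "__main__":
    print(explain("EXAMPLE.co.uk", SAMPLE_TRACE_BROKEN))
    print(explain("EXAMPLE.co.uk", SAMPLE_TRACE_FIXED))
```

On a live zone, run `dig +trace EXAMPLE.co.uk NS` and pipe the output into `explain`; then confirm the fix with `dig +norecurse @ns1.NEWNAMESERVER.co.uk NS EXAMPLE.co.uk` and check that the answer carries the aa flag and lists the new servers. Until the apex records match, every resolver that fetched the zone's own NS set will keep caching the old names for their TTL (86400 here), and with the old servers retired those resolvers may fail to reach the zone at all.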