NS Record Consistency

What This Check Does

The NS Record Consistency check compares the NS records published in your DNS zone with the nameservers actually registered at your domain's parent zone (the registrar delegation). If there is a mismatch — for example, your zone lists a nameserver that is not in the parent delegation, or vice versa — this check fails.

DNS Spy queries both your zone's NS records and the parent zone's delegation records, then compares them for consistency.

Why It Matters

NS record inconsistency is a common source of DNS problems. When the nameservers listed in your zone do not match the delegation at the registrar, resolvers may receive conflicting information about which nameservers are authoritative for your domain. This can cause intermittent resolution failures, increased latency, and unpredictable behavior.

NIST SP 800-81, Section 3.3, addresses nameserver architecture and emphasizes the importance of consistent delegation. Mismatched NS records can also complicate DNSSEC validation and zone transfer processes.

NIST SP 800-81 Compliance

Section 3.3 of the NIST Secure DNS Deployment Guide recommends maintaining consistent nameserver delegation across all levels. NS record mismatches represent a deviation from NIST best practices. DNS Spy's automated monitoring ensures your NS records remain consistent, supporting compliance with NIST recommendations.

Good vs. Bad Configuration

Bad Configuration

Your zone file lists ns1.example.com, ns2.example.com, and ns3.example.com as nameservers, but the registrar delegation only includes ns1.example.com and ns2.example.com. The third nameserver is not authoritative according to the parent zone.

Good Configuration

Your zone NS records exactly match the registrar delegation. Both list ns1.example.com and ns2.example.com as the authoritative nameservers for your domain.

How DNS Spy Monitors This

DNS Spy queries both your zone's NS records and the parent zone delegation during each monitoring cycle. Any mismatch triggers an alert with details showing which nameservers differ. Historical tracking helps you identify when inconsistencies were introduced, making it easier to resolve the root cause.