DNS Delegation Health: Verifying Nameserver Configuration

Check DNS delegation chain integrity, nameserver consistency, SOA records, and DNSSEC configuration. Diagnose why DNS changes might not be propagating.

4 min read | guides | Thomas Johnson

What DNS Delegation Means

DNS delegation is the mechanism that makes the domain name system work, defined in RFC 1034 Section 4.2. When you register a domain, you tell the registrar which nameservers are authoritative for your zone. The registrar publishes NS (nameserver) records in the parent zone — the TLD registry for .com, .net, .org, and so on. When a resolver needs to look up a record in your zone, it follows this delegation chain: root servers point to the TLD, the TLD points to your nameservers, and your nameservers answer the query.

If the delegation chain is broken or inconsistent, DNS resolution fails — and with it, email delivery, website access, and every service that depends on your domain's DNS records.

The mxio Delegation Health tool verifies the integrity of this chain from top to bottom.

What the Delegation Health Tool Checks

NS Consistency Between Parent and Child

The parent zone (at the TLD registry) and your authoritative nameservers must agree on who is responsible for your zone. The tool queries the parent zone for the NS records it holds and then queries each of your nameservers for the NS records they publish. These two sets must match. A mismatch — called a lame delegation — means some resolvers will be directed to servers that do not know about your zone or return different answers.

SOA Record Agreement

The SOA (Start of Authority) record, defined in RFC 1035 Section 3.3.13, contains the serial number that indicates when the zone was last updated. The tool queries the SOA from each of your nameservers and compares the serial numbers. Disagreement between nameservers means zone transfers have failed or one server is serving stale data. This causes intermittent resolution failures — some queries return current records, others return outdated or missing records.

DNSSEC Chain Validation

If your domain uses DNSSEC, the tool verifies the chain of trust from the parent zone's DS (Delegation Signer) record through to your zone's DNSKEY and RRSIG records. The DNSSEC standard is defined across RFC 4033, RFC 4034, and RFC 4035. A broken DNSSEC chain causes SERVFAIL responses for resolvers that validate signatures, which effectively makes your domain unreachable for a growing portion of the internet.

Nameserver Reachability

Each listed nameserver is queried directly to confirm it responds to DNS queries for your zone. Unreachable nameservers add latency (resolvers must time out before trying the next server) and reduce redundancy.
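The NS consistency, SOA agreement and reachability checks above, as an added Python example that is not the mxio tool's own code. It goes slightly beyond the text by comparing serials with RFC 1982 wraparound arithmetic and by reporting a server that is listed at the parent but not authoritative separately from a parent/child NS mismatch. Assumptions: the answers were already collected into the constructed `OBSERVATIONS` structure, `aa` stands for the authoritative-answer flag, and all function and field names are hypothetical.

```python
# Added example: delegation checks over constructed observations.
# Names under example.com / example.net and all serials are constructed sample data.
# Real inputs: non-recursive queries to the parent's servers and each listed NS.
def norm(name):
    """DNS names are case-insensitive; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def serial_newer(a, b):
    """True if SOA serial a is newer than b under RFC 1982 wraparound."""
    return a != b and (a - b) % 2**32 < 2**31

def check_delegation(parent_ns, observations):
    """parent_ns: NS names held by the parent zone.
    observations: server -> None (no reply) or {"aa", "ns", "serial"}.
    Returns a list of (problem, detail) findings."""
    parent = {norm(n) for n in parent_ns}
    obs = {norm(s): o for s, o in observations.items()}
    findings, serials, child = [], {}, set()
    for server in sorted(parent):
        o = obs.get(server)
        if o is None:
            findings.append(("unreachable", server))
        elif not o["aa"]:  # listed at the parent, not authoritative here
            findings.append(("lame", server))
        else:
            serials[server] = o["serial"]
            child |= {norm(n) for n in o["ns"]}
    # Compare NS sets only if at least one server answered authoritatively.
    for name in (sorted(parent ^ child) if child else []):
        side = "parent-only" if name in parent else "child-only"
        findings.append(("ns-mismatch", f"{name} ({side})"))
    distinct = set(serials.values())
    newest = [s for s in distinct if not any(serial_newer(t, s) for t in distinct)]
    for server, s in sorted(serials.items()):
        if len(distinct) > 1 and s not in newest:
            findings.append(("stale-serial", server))
    return findings

PARENT_NS = ["ns1.example.com.", "ns2.example.com.", "ns-old.example.net."]
CHILD_NS = ["ns1.example.com.", "ns2.example.com."]
OBSERVATIONS = {
    "NS1.example.com": {"aa": True, "ns": CHILD_NS, "serial": 5},
    "ns2.example.com.": {"aa": True, "ns": CHILD_NS, "serial": 4294967290},
    "ns-old.example.net": {"aa": False, "ns": [], "serial": None},
}

if __name__ == "__main__":
    for finding in check_delegation(PARENT_NS, OBSERVATIONS):
        print(finding)
```

In the sample data the serial 5 is newer than 4294967290 because the 32-bit counter has wrapped, so a plain numeric comparison would flag the wrong server as stale.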

Common Delegation Problems

Lame delegation (as defined in RFC 8499) — The parent zone points to a nameserver that does not serve your zone. This typically happens after a hosting migration when the old nameservers are removed but the registrar records are not updated. Use the NS Lookup tool to see what NS records are currently published.

Stale NS records after migration — You moved to a new DNS provider and updated the registrar, but the old NS records still appear at the parent or child zone. Allow 24-48 hours for TTL expiration, and verify both parent and child agree after propagation.

Split delegation — Some nameservers return one set of records while others return a different set. This usually indicates a failed zone transfer or a nameserver that was manually configured and never synchronized.

Expired DNSSEC signatures — RRSIG records have expiration dates. If your signing process stops (common after a DNS migration where DNSSEC was enabled at the old provider but not the new one), signatures expire and validation fails. The fix is either to configure DNSSEC properly at the new provider or to remove the DS record from the parent zone.

When to Use Delegation Health vs. NS Lookup

The NS Lookup tool answers a simple question: what NS records are published for this domain? The Delegation Health tool goes deeper — it compares parent and child NS records, checks SOA consistency, validates DNSSEC, and tests reachability. Use NS Lookup for a quick check. Use Delegation Health when DNS changes are not propagating, when you have migrated providers, or when you need to verify the full chain before making changes.

For a complete picture of your domain's email and DNS posture, the Domain Health Check includes delegation as one of its five sub-checks alongside SPF, DKIM, DMARC, and MX records.
