.. _Zone Scan Errors: Full list of Zone Scan Errors ============================= ======== ========= ================================= ========== ======================= ID Error_id Code Severity Description ======== ========= ================================= ========== ======================= 561 46 ZONE:FATAL_DELEGATION critical No name servers found at child or at parent. No further testing can be performed. 577 47 ADDRESS:PRIVATE_IPV4 error A private IP address should normally not be exposed in the public DNS, since it's not reachable from the Internet. 581 48 ADDRESS:RESERVED_IPV4 error Reserved IPv4 addresses should not be used on the public Internet. 548 49 ADDRESS:RESERVED_IPV6 error Reserved IPv6 addresses should not be used on the public Internet. 583 2 CONSISTENCY:SOA_DIGEST_DIFFERENT error The other fields in the SOA record are not the same among all name servers. This is usually due to misconfiguration. 551 4 DELEGATION:BROKEN_BUT_FUNCTIONAL error Not enough nameserver information was found to test the zone, but an IP address lookup succeeded 543 6 DELEGATION:EXTRA_NS_PARENT error A name server listed at the parent, but not at the child, was found. This is most likely an administrative error. You should update the parent to match the name servers at the child as soon as possible. 572 7 DELEGATION:GLUE_MISSING_AT_CHILD error The IP address of the name server was not found at the child. This is a configuration error and should be corrected as soon as possible. 539 8 DELEGATION:INCONSISTENT_GLUE error The address of a name server differed between the child and the parent. This is a configuration error and should be corrected as soon as possible. 532 9 DELEGATION:INZONE_NS_WITHOUT_GLUE error Nameserver is listed for zone without address information. 537 11 DELEGATION:NO_COMMON_NS_NAMES error The parent lists name servers that the child doesn't know about; see details in advanced. This configuration could actually work but breaks very easily if one of these zones changes slightly. 559 10 DELEGATION:NOT_FOUND_AT_CHILD error No name servers could be found at the child. This usually means that the child is not configured to answer queries about the zone. 534 12 DELEGATION:NS_IS_CNAME error Nameserver has a CNAME record, which is forbidden 550 13 DNS\:NO_CHILD_NS error Failed to find name server records 562 14 DNS\:NO_EDNS error EDNS is an extension to the DNS protocol. The major change is that the 512-byte size limit of the query/answer packet has been removed, which allows more information to be provided. EDNS is essential for newer protocols and technologies (such as DNSSEC and IPv6) that requires larger packet sizes. 552 50 DNS\:SOA_SERVFAIL error DNS SERVFAIL when querying for SOA 542 15 DNSSEC:DNSKEY_NO_VALID_SIGNATURES error No valid signatures for the DNSKEY RRset for the zone was found - make sure the zone is signed with a valid and published key. 533 18 DNSSEC:INCONSISTENT_SECURITY error The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY records. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation. 560 20 DNSSEC:NO_SIGNATURES error No DNSSEC signatures were found when querying the zone. Perhaps the zone isn't signed? 576 21 DNSSEC:NO_VALID_DS error The zone has published DS records, but none of them work. 541 24 DNSSEC:SOA_NO_VALID_SIGNATURES error No valid signatures for the SOA RRset for the zone was found - make sure the zone is signed with a valid and published key. 578 52 HOST:CNAME_FOUND error The host name is an alias (CNAME), which is not allowed. Host names must be published with an A or AAAA record. 567 53 HOST:ILLEGAL_NAME error The hostname is not syntactially correct according to RFC 952. A common error is to begin the hostname with a non-letter (a-z) or use invalid characters (only a-z, 0-9 and - are allowed). 546 51 HOST:NOT_FOUND error No IPv4 or IPv6 address was found for the host name. 570 25 MAIL:ADDRESS_SYNTAX error Zone contains an invalid email address. 574 26 MAIL:DOMAIN_NOT_FOUND error No mail exchanger was found for the domain. This makes it impossible to deliver email to any recipient within the domain. 544 31 NAMESERVER:HOST_ERROR error The specified host name is not a valid host name or the host name points to an invalid IP address, e.g. a private or reserved IP address. 553 35 NAMESERVER:NO_TCP error The name server failed to answer queries sent over TCP. This is probably due to the name server not correctly set up or due to misconfgured filtering in a firewall. It is a rather common misconception that DNS does not need TCP unless they provide zone transfers - perhaps the name server administrator is not aware that TCP usually is a requirement. 580 36 NAMESERVER:NO_UDP error The name server failed to answer queries sent over UDP. This is probably due to the name server not correctly set up or due to misconfigured filtering in a firewall. 569 32 NAMESERVER:NOT_AUTH error The name server does not answer authoritatively to queries for the tested domain. This is probably due to misconfiguration where the name server is not set up to serve the tested domain. 563 41 SOA:MULTIPLE_SOA error Multiple SOA records found when querying the name servers. This is a serious error and definitely due to misconfiguration. 556 42 SOA:NOT_FOUND error No SOA record was found when querying the name server. This is most probably due to misconfiguration at the name server - a zone must have a SOA record. 575 43 SOA:RNAME_SYNTAX error The email address specified in SOA RNAME is specified incorrectly. A common error is to use @ in the address field - an address like hostmaster@example.com must be specified as hostmaster.example.com. 535 16 DNSSEC:DS_KEYREF_INVALID info The DS RRset must refer to a valid DNSKEY at the child, or the chain of trust between the parent and the child will be broken and validating resolver will not be able to validate answers from the child. 579 5 DELEGATION:EXTRA_NS_CHILD notice A name server listed at the child, but not at the parent, was found. This is most likely a configuration error, but there are sometimes reasons for setting up a zone this way. 573 17 DNSSEC:DS_TO_NONSEP notice The DS RRset refers to a DNSKEY at the child, but the key is not marked as a secure entry point. 565 27 MAIL:HOST_ERROR notice The hostname for the mail exchanger is invalid. A common error is to point the mail exchanger to an alias (CNAME) or directly to an IP address. 566 29 MX:RECORDS_NOT_FOUND notice No MX records found for zone 568 30 NAMESERVER:AXFR_OPEN notice This name server accepts zone transfer requests from any party. 547 40 SOA:MNAME_STEALTH notice The name server listed as the SOA MNAME is not listed as a name server. 555 1 CONSISTENCY:MULTIPLE_NS_SETS warning The listed nameservers for the domain don't all report the same set of nameservers 531 3 CONSISTENCY:SOA_SERIAL_DIFFERENT warning The SOA serial is not the same on all name servers. This is usually due to misconfiguration, but can sometimes be the result of slow zone propagation to secondary name servers. 536 19 DNSSEC:MISSING_DS warning The child seems to use DNSSEC, but the parent has no secure delegation. The chain of trust between the parent and the child is broken and validating resolvers will not be able to validate answers from the child. 571 22 DNSSEC:RRSIG_EXPIRED warning Expired signatures will be ignored by validating resolvers. 538 23 DNSSEC:RRSIG_FAILS_VERIFY warning DNSSEC signature fails to validate the RR set. 549 28 MX:HOST_ERROR warning Hostname is invalid 545 33 NAMESERVER:NOT_AUTH_TCP warning Nameserver is not authoritative over TCP. 554 34 NAMESERVER:NOT_AUTH_UDP warning Nameserver is not authoritative over UDP. 557 37 NAMESERVER:RECURSIVE warning The name server answers recursive queries for 3rd parties (such as DNSCheck). By making a recursive query to a name server that provides recursion, an attacker can cause a name server to look up and cache information contained in zones under their control. Thus the victim name server is made to query the attacker's malicious name servers, resulting in the victim caching and serving bogus data. 558 38 SOA:MNAME_ERROR warning The SOA MNAME is not a valid host name. 564 39 SOA:MNAME_NOT_AUTH warning The name server listed as the original or primary source of data for this zone does not answer authoriatively. This is probably due to misconfiguration; perhaps the SOA MNAME is not set up as a name server for the zone. 582 44 SOA:RNAME_UNDELIVERABLE warning DNSCheck failed to deliver email to the email address listed as the one responsible for the zone. 540 45 SOA:SERIAL_IS_ZERO warning The serial number in the SOA record should not be zero. ======== ========= ================================= ========== =======================