Issues with NAST Predelegation Check of Denic (alias-domain)

OS type and version Ubuntu Linux 20.04.6
Webmin version 2.111
Usermin version 2.010
Virtualmin version 7.10.0
Theme version 21.10
Package updates All installed packages are up to date

If you enter following value in the domain-field: and keep the NS-entries empty.
If you send this request, NAST find this NS-Servers itself:

But throw errors like:

Error 901 Unexpected RCODE
Error 133 Answer must be authoritative

The Domain is an Alias-Domain (with activated DNS) in Virtualmin, the Config look like this:

Any hints and helping hands are very appreciated

just who or what are they? never heard of it/them!

What is that? Googled it, and nothing comes up.

Ok. So sounds like your missing registering nameservers.

It’s a domain I have at my server and which might not be setup in the right way.
Therefor I ask here for help.

It’s a DNS-Check-Tool of denic ( TLD= DE Registrar):

Ok, I’ve checked the same page you checked, and want to start to fix the first error that was found:

I read the detail-info which note:

The Primary Name Server is the name server declared in your SOA file and is usually the name server that reads your records from zone files and is responsible for distributing that data to your secondary name servers. This problem is present when this primary name server is not included in the parent referrals and is almost always accompanied by a Local Parent Mismatch problem.

I do wonder, why my is the last NS-Server in the List, and not the parent one!!
Actually xst01 should be the parent one, and all other the secondaries.

But I wonder what’s wrong at my config, as I see the right NS-Server in the SOA Entry:

And doing a dig on my NS also seems to work as expected:


; <<>> DiG 9.18.26 <<>>
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41203
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4459aa237a2563f101000000665457723c20c4aadc3e64e8 (good)
;             IN      A

;; ANSWER SECTION:      3600    IN      A

;; Query time: 20 msec
;; WHEN: Mon May 27 11:50:42 CEST 2024
;; MSG SIZE  rcvd: 90

3 things to check on each NS.

  1. is it registered at a registrar like namecheap
  2. Does it have a A record. (using same IP as what you used at registrar)
  3. Does it have a NS record.

I usually have the standard etc.
Do all there names have that?
The SOA I usually use just use

I follow those steps I never normally have a issue.

If I was setting up this domain with nameserver.
At the registrar for I would create 4 namervers with IP <–primary (nameserver whatever that is) with IP with IP with IP

add A records for all those names with those Ips
create 4 NS records to those 4 names
change SOA to

is this the primary your editing, why is a different domain not

@stefan1959 @Stegan I’ve got some news (and a new question :slight_smile: )

So first of all, I solved the issue for
I’ve looked into /etc/bind/named.conf.local and found that the allow-transfer don’t contained all the NS-IP’s in the block:

zone "" {
       type master;
       file "/var/lib/bind/";
       allow-transfer {
zone "" {
       type master;
       file "/var/lib/bind/";
       allow-transfer {

Thats part of the new Question. WHY?
Setup in Virtualmin and Webmin is set for this NS to be in the allowed-transfer-List:

I’ve also tried to edit those Domains and deactivate and re-activate the DNS-Settings for this Domain.

I wonder if that issue appear because the domains where added “before” the NS-Setting for the allow-transfer was made?!?

And if so… is there a way to re-configure all existing domains automatically so that the working allow-transfer-Entry is set in named.conf.local?