How to trace DNS delegation with dig

DNS delegation decides which authoritative nameservers control a domain at each point in the lookup path. Tracing that path helps separate a missing record from a parent-zone referral problem, a stale nameserver set, or a nameserver that answers only after the resolver reaches the right zone.

The dig +trace option makes iterative queries from the root zone toward the requested name. The output shows the root referral, the top-level domain referral, the delegated zone's nameservers, and the final answer or failure returned by an authoritative server.

Use the exact name and record type that is failing, such as A for a web host, MX for mail routing, or TXT for a verification token. The +nodnssec option keeps the transcript focused on delegation records; remove it when DS, DNSKEY, or validation evidence is part of the incident.

Steps to trace DNS delegation with dig:

  1. Run a delegation trace for the target name and record type.
    $ dig +trace +nodnssec iana.org A
    
    ; <<>> DiG 9.18.39-0ubuntu0.24.04.5-Ubuntu <<>> +trace +nodnssec iana.org A
    ;; global options: +cmd
    .			4502	IN	NS	a.root-servers.net.
    .			4502	IN	NS	b.root-servers.net.
    ##### snipped #####
    org.			172800	IN	NS	a2.org.afilias-nst.info.
    org.			172800	IN	NS	a0.org.afilias-nst.info.
    ##### snipped #####
    iana.org.		3600	IN	NS	ns.icann.org.
    iana.org.		3600	IN	NS	b.iana-servers.net.
    iana.org.		3600	IN	NS	a.iana-servers.net.
    iana.org.		3600	IN	NS	c.iana-servers.net.
    ;; Received 168 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 100 ms
    
    iana.org.		3600	IN	A	192.0.43.8
    iana.org.		86400	IN	NS	a.iana-servers.net.
    iana.org.		86400	IN	NS	b.iana-servers.net.
    iana.org.		86400	IN	NS	c.iana-servers.net.
    iana.org.		86400	IN	NS	ns.icann.org.
    ;; Received 140 bytes from 199.43.133.53#53(b.iana-servers.net) in 203 ms

    +trace follows the referral chain itself instead of sending one recursive query to the resolver listed in /etc/resolv.conf (the resolver is still used once, to obtain the root NS list at the top of the output). +nodnssec removes DS, DNSKEY, and RRSIG records from the display so the NS handoff at each zone cut is easier to read.

  2. Check the top-level domain referral from the root zone.
    org.			172800	IN	NS	a2.org.afilias-nst.info.
    org.			172800	IN	NS	a0.org.afilias-nst.info.
    org.			172800	IN	NS	d0.org.afilias-nst.org.
    org.			172800	IN	NS	c0.org.afilias-nst.info.
    org.			172800	IN	NS	b0.org.afilias-nst.org.
    org.			172800	IN	NS	b2.org.afilias-nst.org.
    ;; Received 470 bytes from 192.112.36.4#53(g.root-servers.net) in 85 ms

    The Received line names the server that supplied the referral. A stop before this point usually means local network filtering, resolver bootstrap trouble, or blocked access to the root servers.

  3. Check the delegated zone referral from the parent zone.
    iana.org.		3600	IN	NS	ns.icann.org.
    iana.org.		3600	IN	NS	b.iana-servers.net.
    iana.org.		3600	IN	NS	a.iana-servers.net.
    iana.org.		3600	IN	NS	c.iana-servers.net.
    ;; Received 168 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 100 ms

    If the nameserver list does not match the registrar or DNS provider setting, fix the parent-side delegation before changing host records in the child zone.

  4. Check the final authoritative answer.
    iana.org.		3600	IN	A	192.0.43.8
    iana.org.		86400	IN	NS	a.iana-servers.net.
    iana.org.		86400	IN	NS	b.iana-servers.net.
    iana.org.		86400	IN	NS	c.iana-servers.net.
    iana.org.		86400	IN	NS	ns.icann.org.
    ;; Received 140 bytes from 199.43.133.53#53(b.iana-servers.net) in 203 ms

    A final A, AAAA, MX, TXT, or other requested record means the delegation path reached an authoritative server. If the trace stops at a referral, the last Received line is the handoff point to investigate next.

  5. Query one listed authoritative nameserver directly.
    $ dig @a.iana-servers.net iana.org A +norecurse +noall +comments +answer
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44525
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; ANSWER SECTION:
    iana.org.		3600	IN	A	192.0.43.8

    The aa flag means the server answered authoritatively, and the A value matches the trace.
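Steps 1 to 5 above are a manual reading of the +trace transcript. The following script is an added example, not part of the original page, that does the same reading mechanically: it parses a dig +trace transcript into hops (the records delivered before each ";; Received" line), lists the delegation chain, reports the final answer, and compares the NS set the parent zone handed out against the NS set the child's authoritative server returns for its own apex, which is the check step 3 and step 4 ask for. The SAMPLE_TRACE text is constructed from the page's own excerpt; the root-priming Received line, the name ns-stale.example.net., and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample: the page's dig +trace +nodnssec excerpt for iana.org A.
# The first Received line (root NS list obtained from the local resolver) is a
# placeholder added here; it is snipped on the original page.
SAMPLE_TRACE = """\
.            4502    IN  NS  a.root-servers.net.
.            4502    IN  NS  b.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 0 ms

org.         172800  IN  NS  a2.org.afilias-nst.info.
org.         172800  IN  NS  a0.org.afilias-nst.info.
;; Received 470 bytes from 192.112.36.4#53(g.root-servers.net) in 85 ms

iana.org.    3600    IN  NS  ns.icann.org.
iana.org.    3600    IN  NS  b.iana-servers.net.
iana.org.    3600    IN  NS  a.iana-servers.net.
iana.org.    3600    IN  NS  c.iana-servers.net.
;; Received 168 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 100 ms

iana.org.    3600    IN  A   192.0.43.8
iana.org.    86400   IN  NS  a.iana-servers.net.
iana.org.    86400   IN  NS  b.iana-servers.net.
iana.org.    86400   IN  NS  c.iana-servers.net.
iana.org.    86400   IN  NS  ns.icann.org.
;; Received 140 bytes from 199.43.133.53#53(b.iana-servers.net) in 203 ms
"""

# One resource record line: owner, TTL, class IN, type, rdata (rdata may contain spaces).
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
# The ";; Received ... from IP#port(server)" line that closes each hop.
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\)")

Record = Tuple[str, int, str, str]  # (owner, ttl, rtype, rdata)


class Hop(NamedTuple):
    server: str            # nameserver named in the Received line
    records: List[Record]  # records it returned (referral NS set or final answer)


def parse_trace(text: str) -> List[Hop]:
    """Split a dig +trace transcript into hops, one per Received line."""
    hops: List[Hop] = []
    pending: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith(";") and not line.startswith(";; Received")):
            continue  # banner, global options, blank lines, snip markers fall through below
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            pending.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip().lower()))
            continue
        m = RECV_RE.match(line)
        if m:
            hops.append(Hop(server=m.group(2), records=pending))
            pending = []
    return hops


def ns_set(hop: Hop, zone: str) -> Set[str]:
    """NS rdata this hop returned for the given zone apex."""
    return {rdata for owner, _, rtype, rdata in hop.records if rtype == "NS" and owner == zone}


def delegation_chain(hops: List[Hop]) -> List[Tuple[str, str]]:
    """(zone, answering server) for every hop that handed out an NS set."""
    chain = []
    for hop in hops:
        zones = sorted({owner for owner, _, rtype, _ in hop.records if rtype == "NS"}, key=len)
        if zones:
            chain.append((zones[-1], hop.server))  # longest owner = the zone being delegated
    return chain


def final_answer(hops: List[Hop], name: str, rtype: str) -> List[str]:
    """Rdata of the requested type in the last hop; empty if the trace ended on a referral."""
    name = name.lower().rstrip(".") + "."
    if not hops:
        return []
    return [rdata for owner, _, t, rdata in hops[-1].records if owner == name and t == rtype.upper()]


def check_delegation(hops: List[Hop], zone: str) -> Dict[str, object]:
    """Compare the parent's referral NS set for zone with the child's own apex NS set."""
    zone = zone.lower().rstrip(".") + "."
    with_ns = [h for h in hops if ns_set(h, zone)]
    if len(with_ns) < 2:  # trace stopped at the referral or never reached the zone
        return {"status": "incomplete",
                "parent_ns": sorted(ns_set(with_ns[0], zone)) if with_ns else [],
                "stopped_at": hops[-1].server if hops else None}
    parent, child = with_ns[0], with_ns[-1]
    p, c = ns_set(parent, zone), ns_set(child, zone)
    return {"status": "consistent" if p == c else "mismatch",
            "parent_server": parent.server, "child_server": child.server,
            "only_in_parent": sorted(p - c), "only_in_child": sorted(c - p)}


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print(delegation_chain(hops))
    print(final_answer(hops, "iana.org", "A"))
    print(check_delegation(hops, "iana.org"))
```

Feed it a real transcript with `dig +trace +nodnssec NAME TYPE | python3 trace_check.py` after replacing SAMPLE_TRACE with `sys.stdin.read()`. A "mismatch" result points at the parent-side delegation (step 3); an "incomplete" result reports the last Received server as the handoff to investigate next (step 4).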