How to trace DNS delegation with dig

DNS delegation decides which authoritative nameservers control a domain at each point in the lookup path. Tracing that path helps separate a missing record from a parent-zone referral problem, a stale nameserver set, or a nameserver that answers only after the resolver reaches the right zone.

The dig +trace option makes iterative queries from the root zone toward the requested name. The output shows the root referral, the top-level domain referral, the delegated zone's nameservers, and the final answer or failure returned by an authoritative server.

Use the exact name and record type that is failing, such as A for a web host, MX for mail routing, or TXT for a verification token. The +nodnssec option keeps the transcript focused on delegation records; remove it when DS, DNSKEY, or validation evidence is part of the incident.

Steps to trace DNS delegation with dig:

Run a delegation trace for the target name and record type.

$ dig +trace +nodnssec iana.org A

; <<>> DiG 9.18.39-0ubuntu0.24.04.5-Ubuntu <<>> +trace +nodnssec iana.org A
;; global options: +cmd
.			4502	IN	NS	a.root-servers.net.
.			4502	IN	NS	b.root-servers.net.
##### snipped #####
org.			172800	IN	NS	a2.org.afilias-nst.info.
org.			172800	IN	NS	a0.org.afilias-nst.info.
##### snipped #####
iana.org.		3600	IN	NS	ns.icann.org.
iana.org.		3600	IN	NS	b.iana-servers.net.
iana.org.		3600	IN	NS	a.iana-servers.net.
iana.org.		3600	IN	NS	c.iana-servers.net.
;; Received 168 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 100 ms

iana.org.		3600	IN	A	192.0.43.8
iana.org.		86400	IN	NS	a.iana-servers.net.
iana.org.		86400	IN	NS	b.iana-servers.net.
iana.org.		86400	IN	NS	c.iana-servers.net.
iana.org.		86400	IN	NS	ns.icann.org.
;; Received 140 bytes from 199.43.133.53#53(b.iana-servers.net) in 203 ms

+trace follows referrals instead of asking only the resolver from /etc/resolv.conf. +nodnssec removes DNSSEC records from the display so the NS handoff is easier to read.

Check the top-level domain referral from the root zone.

org.			172800	IN	NS	a2.org.afilias-nst.info.
org.			172800	IN	NS	a0.org.afilias-nst.info.
org.			172800	IN	NS	d0.org.afilias-nst.org.
org.			172800	IN	NS	c0.org.afilias-nst.info.
org.			172800	IN	NS	b0.org.afilias-nst.org.
org.			172800	IN	NS	b2.org.afilias-nst.org.
;; Received 470 bytes from 192.112.36.4#53(g.root-servers.net) in 85 ms

The Received line names the server that supplied the referral. A stop before this point usually means local network filtering, resolver bootstrap trouble, or blocked access to the root servers.

Check the delegated zone referral from the parent zone.

iana.org.		3600	IN	NS	ns.icann.org.
iana.org.		3600	IN	NS	b.iana-servers.net.
iana.org.		3600	IN	NS	a.iana-servers.net.
iana.org.		3600	IN	NS	c.iana-servers.net.
;; Received 168 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 100 ms

If the nameserver list does not match the registrar or DNS provider setting, fix the parent-side delegation before changing host records in the child zone.

Check the final authoritative answer.

iana.org.		3600	IN	A	192.0.43.8
iana.org.		86400	IN	NS	a.iana-servers.net.
iana.org.		86400	IN	NS	b.iana-servers.net.
iana.org.		86400	IN	NS	c.iana-servers.net.
iana.org.		86400	IN	NS	ns.icann.org.
;; Received 140 bytes from 199.43.133.53#53(b.iana-servers.net) in 203 ms

A final A, AAAA, MX, TXT, or other requested record means the delegation path reached an authoritative server. If the trace stops at a referral, the last Received line is the handoff point to investigate next.

Query one listed authoritative nameserver directly.

$ dig @a.iana-servers.net iana.org A +norecurse +noall +comments +answer
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44525
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
iana.org.		3600	IN	A	192.0.43.8

The aa flag means the server answered authoritatively, and the A value matches the trace.
Related: How to query a specific DNS server with dig

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.