Delegation

The Delegation checker audits how a zone is delegated from its parent. It cross-examines the parent zone and the child name servers to confirm that the hand-off is coherent: that the parent and child agree on the NS set, that glue records are correct, that the DNSSEC DS/DNSKEY chain lines up, and that every delegated server is reachable and actually authoritative for the zone.

This checker is service-level: it targets a Delegation service (abstract.Delegation) published on a subdomain, and is configured from that service’s own Checks tab.

What it checks

Each rule emits a stable finding code so results can be matched deterministically.

Name-server count and parent discovery

Finding code	What it verifies
`delegation_too_few_ns`	The zone declares at least `minNameServers` `NS` records (RFC 1034 recommends ≥ 2).
`delegation_no_parent_ns`	The parent zone and its authoritative name servers can be discovered.
`delegation_parent_query_failed`	Each parent name server answers the `NS` query for the delegated zone.
`delegation_parent_tcp_failed`	Each parent name server is reachable over TCP (RFC 7766).

NS and glue at the parent

Finding code	What it verifies
`delegation_ns_mismatch`	The `NS` RRset at the parent matches the `NS` set declared by the service.
`delegation_missing_glue`	In-bailiwick name servers have glue (`A`/`AAAA`) at the parent.
`delegation_unnecessary_glue`	Out-of-bailiwick name servers do not carry unnecessary glue.

DNSSEC hand-off

Finding code	What it verifies
`delegation_ds_query_failed`	The `DS` RRset can be queried from the parent name servers.
`delegation_ds_mismatch`	The `DS` RRset at the parent matches the `DS` set declared by the service.
`delegation_ds_missing`	`DS` records are present at the parent when DNSSEC is expected (gated by `requireDS`).
`delegation_ds_rrsig_invalid`	The `DS` RRset is covered by a valid `RRSIG` at the parent.
`delegation_dnskey_query_failed`	The `DNSKEY` RRset can be queried from each child name server.
`delegation_dnskey_no_match`	At least one child `DNSKEY` matches a `DS` digest published at the parent.

Child reachability and authoritativeness

Finding code	What it verifies
`delegation_ns_unresolvable`	Each declared name server name resolves to at least one address.
`delegation_unreachable`	Each child name server answers DNS queries on its advertised addresses.
`delegation_lame`	Each child name server is authoritative for the zone (no lame delegation).
`delegation_no_authoritative_answer`	Each child name server sets the AA flag in its answers for the zone.
`delegation_tcp_failed`	Each child name server answers over TCP (gated by `requireTCP`).
`delegation_soa_serial_drift`	The `SOA` serial is consistent across all child name servers.
`delegation_ns_drift`	The `NS` RRset returned by each child matches the `NS` RRset at the parent.
`delegation_glue_mismatch`	Glue addresses at the child match those at the parent (gated by `allowGlueMismatch`).

Options

Option	Meaning	Default
`requireDS`	When enabled, missing `DS` records at the parent are treated as critical (otherwise informational).	`false`
`requireTCP`	When enabled, name servers that fail to answer over TCP are reported as critical (otherwise warning).	`true`
`minNameServers`	Below this count, the delegation is reported as a warning (RFC 1034 recommends at least 2).	`2`
`allowGlueMismatch`	When disabled, glue/address mismatches between parent and child are reported as critical.	`false`

In happyDomain

Enable the Delegation checker from the Checks tab of a Delegation service. See /en/pages/checks/ for the full workflow. For consistency between the authoritative servers of the apex itself (rather than the parent/child hand-off), see /en/reference/checkers/authoritative-consistency/; for the DNSSEC hygiene of the signed zone, see /en/reference/checkers/dnssec/.