Pierre-Olivier Mercier
5ccdd8892f
Add individual reference pages for all domain health checkers (EN/FR), update the homepage feature descriptions in both languages to highlight monitoring, notifications, and domain availability checks.
4.5 KiB
| date | author | title | description | weight |
|---|---|---|---|---|
| 2026-06-11T09:00:00+02:00 | nemunaire | Authoritative consistency | Probes every authoritative name server of a zone and verifies they agree with each other and with the parent on NS, SOA, reachability, EDNS0 and authoritativeness. | 80 |
The Authoritative consistency checker probes every authoritative name server of a zone and verifies that they agree — with one another and with the parent delegation. Where the {{< relref "/reference/checkers/delegation" >}} checker focuses on the parent/child hand-off, this checker concentrates on the apex itself: do all the servers serve the same NS and SOA, are they all reachable over UDP and TCP, do they support EDNS0, do they answer authoritatively, and how fast do they respond?
This checker is service-level: it targets an Origin or NS-only Origin service (abstract.Origin, abstract.NSOnlyOrigin) and is configured from that service's Checks tab.
What it checks
Each rule emits a finding code. Several severities depend on the options below.
| Finding code | Default severity | Condition |
|---|---|---|
authoritative_consistency_no_ns |
Critical | No name servers could be discovered (declared list empty and parent query returned nothing). |
authoritative_consistency_too_few_ns |
Warning | Fewer name servers declared than minNameServers (RFC 1034 recommends at least 2). |
authoritative_consistency_parent_query_failed |
Warning | The parent delegation query failed (network error, REFUSED…). |
authoritative_consistency_parent_drift |
Warning | The parent's NS RRset does not match the NS declared in the service. |
authoritative_consistency_ns_unresolvable |
Critical | A declared name server has no A or AAAA record. |
authoritative_consistency_ns_udp_failed |
Critical | A name server did not answer any SOA query over UDP/53. |
authoritative_consistency_ns_tcp_failed |
Critical with requireTCP, else Warning |
A name server did not answer over TCP/53 (required by RFC 7766 and DNSSEC). |
authoritative_consistency_lame |
Critical | A name server answered without the AA bit for the zone (lame delegation). |
authoritative_consistency_no_soa |
Critical | A name server is authoritative but returned no SOA. |
authoritative_consistency_edns_unsupported |
Warning | A name server drops or mishandles EDNS0 queries (RFC 6891). |
authoritative_consistency_slow_ns |
Info | A name server's response time exceeded latencyThresholdMs. |
authoritative_consistency_serial_drift |
Warning | Authoritative servers disagree on the SOA serial (zone not fully propagated). |
authoritative_consistency_serial_stale_vs_saved |
Warning | The serial saved in happyDomain is newer than what the servers publish (likely un-pushed change). |
authoritative_consistency_serial_ahead_of_saved |
Info | The servers publish a serial newer than the saved one (out-of-band change). |
authoritative_consistency_soa_fields_drift |
Warning | Servers disagree on SOA fields (MNAME, RNAME, refresh, retry, expire, minimum). |
authoritative_consistency_ns_rrset_drift |
Warning | Servers disagree on the NS RRset they publish at the apex. |
authoritative_consistency_ns_rrset_mismatch_config |
Warning | The published NS RRset does not match the NS declared in the service. |
Options
| Option | Meaning | Default |
|---|---|---|
requireTCP |
When enabled, a server that fails over TCP is critical (otherwise warning). TCP/53 is required by RFC 7766 and DNSSEC. | true |
checkEDNS |
Probe each name server for EDNS0 (RFC 6891). Servers that mishandle EDNS0 break DNSSEC and large answers. | true |
checkLatency |
Measure response time of every name server and warn on slow responders. | true |
latencyThresholdMs |
Response times above this value trigger a slow-server warning. | 500 |
useParentNS |
Query the parent for the delegation NS RRset and compare it to the service's declared name servers. |
true |
warnOnStaleSaved |
Warn when the saved SOA serial is newer than what authoritative servers publish. |
true |
minNameServers |
Below this count, a warning is emitted (RFC 1034 recommends at least 2). | 2 |
In happyDomain
Enable the Authoritative consistency checker from the Checks tab of an Origin service. See {{< relref "/pages/checks" >}} for the full workflow. To compare what recursive resolvers around the world see against the authoritative answer, pair it with {{< relref "/reference/checkers/resolver-propagation" >}}.