When configuring test.example.com with both an A record and NS record, we create a fundamental DNS resolution conflict. The scenario presents two competing configurations:
<!-- Original zone file at example.com --> test.example.com. IN A 1.1.1.1 test.example.com. IN NS ns1.anotherdnshost.com
The actual resolution depends on several factors in the DNS lookup chain:
- Resolver caching behavior
- TTL values of the records
- DNS server implementation specifics
Here's what happens during resolution:
dig test.example.com +trace ; <<>> DiG 9.16.1 <<>> test.example.com +trace ;; global options: +cmd . 3600 IN NS a.root-servers.net. ;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 4 ms com. 172800 IN NS a.gtld-servers.net. ;; Received 1172 bytes from 198.41.0.4#53(a.root-servers.net) in 28 ms example.com. 172800 IN NS ns1.example.com. ;; Received 840 bytes from 192.5.6.30#53(a.gtld-servers.net) in 32 ms test.example.com. 3600 IN A 1.1.1.1 test.example.com. 3600 IN NS ns1.anotherdnshost.com. ;; Received 120 bytes from 203.0.113.1#53(ns1.example.com) in 16 ms
Most DNS implementations will prioritize the NS record over the A record when both exist for the same name:
- The resolver first sees the NS record delegation
- It then queries the authoritative servers listed in the NS record
- The final A record (2.2.2.2) from the delegated zone is returned
To avoid unpredictable behavior:
<!-- Recommended configuration --> ; Option 1: Full delegation test.example.com. IN NS ns1.anotherdnshost.com. test.example.com. IN NS ns2.anotherdnshost.com. ; Option 2: Non-delegated with glue records test.example.com. IN A 1.1.1.1 www.test.example.com. IN A 1.1.1.1
To verify your specific configuration:
# Clear local DNS cache sudo dscacheutil -flushcache # macOS sudo systemd-resolve --flush-caches # Linux # Perform clean query dig @8.8.8.8 test.example.com +norecurse dig test.example.com +trace
In DNS configurations, having both A and NS records for the same subdomain creates an ambiguous situation that DNS resolvers must handle. Let's analyze the technical behavior when test.example.com has:
; Zone file for example.com
test.example.com. IN A 1.1.1.1
test.example.com. IN NS ns1.anotherdnshost.com.
Meanwhile, at anotherdnshost.com:
; Zone file for delegated test.example.com
@ IN A 2.2.2.2
The resolution depends on the resolver's implementation, but generally follows these steps:
- Recursive resolver checks cache for
test.example.com - If not cached, starts from root servers down to
example.comauthoritative servers - Finds both A and NS records at the parent zone
Different DNS servers handle this differently:
| DNS Server | Behavior |
|---|---|
| BIND 9 | Follows NS delegation, ignores local A record |
| Windows DNS | May return both records with round-robin |
| Unbound | Follows NS records by default |
Let's examine real-world behavior using the dig tool:
dig test.example.com A +trace
; Expected output shows delegation chain
; Final answer typically comes from the NS-delegated servers
In standard DNS implementations:
- The NS record takes precedence over the A record
- Resolution continues with the delegated nameservers
- The A record at the parent zone is effectively ignored
To avoid ambiguity:
; Recommended zone file
; Either delegate completely:
test.example.com. IN NS ns1.anotherdnshost.com.
test.example.com. IN NS ns2.anotherdnshost.com.
; Or handle locally:
test.example.com. IN A 1.1.1.1
www.test.example.com. IN A 1.1.1.1