DNS Delegation Checker — NS & SOA Chain Validation
Validate nameserver delegation chain — NS and SOA at every zone cut from TLD to your domain
How to Use This Tool
- Enter the domain or subdomain whose delegation you want to validate.
- Hostname normalizes and splits into zone suffix chain.
- NS and SOA queries run in parallel at each zone cut.
- trace steps accumulate from TLD minimum through full input.
- authoritativeZone identifies deepest traced zone suffix.
- Compare nameservers across steps for unexpected changes.
About This Tool
Broken DNS delegation causes NXDOMAIN loops, stale answers, and mail routing failures long before application teams notice. VSPIC DNS delegation checker walks the public delegation hierarchy using action dns-trace: submit a domain, receive a trace array with zone label, nameserver hostnames, SOA record string, and status at each progressively longer suffix from TLD through your full hostname, plus delegationDepth and authoritativeZone summary fields.
Operators use results after registrar NS updates, subdomain zone cuts, and acquisition integrations to confirm each parent correctly delegates to intended child nameservers. Same backend as dns-trace-lookup and dns-zone-transfer-test — this page emphasizes delegation validation SEO rather than AXFR risk framing.
Common use cases
- •View all DNS records of a domain after migration
- •Confirm DNS records after domain changes
- •Test for DNS leaks when using a VPN
- •Debug email delivery with MX and TXT records
Why use VSPIC for ?
- Automated delegation walk in one click.
- NS and SOA together at every zone cut.
- authoritativeZone pinpoints which zone file should hold records.
- Per-step status aids debugging empty or broken zones.
- JSON structure for change-management tickets.
- Free — identical dns-trace path as sibling pages.
How DNS delegation chains work
Authority flows from root through TLD operators to your DNS host. Each delegation publishes NS records at the parent pointing to child nameservers. Resolvers iterate downward until reaching the authoritative zone for the QNAME.
A delegation checker surfaces each cut explicitly — seeing com NS at .com and example.com NS at example.com confirms expected handoff. Missing NS or unexpected hostnames reveal misconfiguration faster than single dig answers.
dns-trace action details
Action dns-trace with domain parameter returns trace array entries: zone, nameservers, soa, status. Queries use Google Public DNS for consistency with other VSPIC DNS diagnostics.
delegationDepth counts walked steps. authoritativeZone is the deepest suffix in the trace — the label whose zone file should contain records you edit for leaf names without child cuts.
Reading NS and SOA per step
NS lists who serves the zone. SOA names primary master, responsible mailbox, serial, refresh, retry, expire, and minimum TTL. Serial mismatches across NS sets often appear when secondaries lag replication.
Empty SOA with present NS may indicate delegation point without local zone on this resolver path — investigate further with DNS record lookup.
TLD to apex versus deep subdomains
Tracing mail.example.com includes com, example.com, and mail.example.com when mail is a separate zone cut. If mail is only a record inside example.com, mail.example.com step may show same NS as apex without child delegation.
Use authoritativeZone when opening tickets about which zone file needs MX or TXT edits.
Post-migration NS verification
After registrar NS changes, trace daily until TLD step lists only new provider nameservers. Stale TLD NS cause partial propagation — some resolvers ask old nameservers while others use the new pair.
Document before-and-after trace JSON in migration tickets for rollback evidence.
When NS and SOA disagree
Healthy zones usually return both at each step. Broken zones may show status errors or missing SOA. After acquisitions, trace every hostname in portfolio — legacy delegations sometimes still point at previous owner's DNS host.
Relationship to dns-trace-lookup
Same API and JSON. dns-trace-lookup uses trace lookup SEO; DNS delegation checker targets validation and checker terminology. Choose whichever page title fits your runbook.
Pair with dns-compare-tool when validating staging versus production delegation parity.
Glue and lame delegation limits
Trace does not resolve glue A/AAAA for in-bailiwick NS hostnames. Wrong glue requires A lookups on each NS hostname. Lame delegation needs direct queries to listed nameservers — status text may hint only.
API and automation
Call GET /ip-tools/api/extended?action=dns-trace&domain=example.com in CI after DNS module applies. Fail builds when apex NS differ from approved baseline JSON.
Recheck immediately after registrar updates — delegation is stable hour-to-hour but volatile during migrations.
Important notes & limitations
- Resolver-based trace — not interactive root hint walk.
- Glue records for in-bailiwick NS not resolved.
- Cannot fully detect lame delegations without NS follow-up.
- Split-horizon corporate DNS may differ from public trace.
- Wildcard-only zones may show sparse intermediate NS.
Frequently Asked Questions
Yes. VSPIC offers this DNS delegation checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
dns-trace with domain parameter — same JSON as dns-trace-lookup.
Same backend. Zone transfer test emphasizes AXFR security language; delegation checker emphasizes NS validation workflows.
The deepest zone suffix in the trace — last delegation step walked toward your input.
Subdomains without separate zone cuts inherit parent nameservers.
Not completely. Query each listed nameserver directly for confirmation.
Tracing begins at TLD suffix for speed and consistency, then walks down.
Next step for your check
Continue with dns trace lookup on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
DNS Trace Lookup
Walk delegation chain from TLD to domain with NS and SOA at each step
Use Free →DNS Zone Transfer Test
DNS Zone Transfer Test — free online tool
Use Free →Nameserver Lookup
Registration and DNS nameserver delegation for any domain
Use Free →DNS Lookup Tool — DNS Checker
Free DNS lookup tool and DNS checker — query A, AAAA, MX, TXT, NS, CNAME, and SOA records for any domain.
Use Free →Reverse DNS Lookup
Resolve IP addresses to hostnames via PTR records
Use Free →Hostname Lookup
Resolve a domain name to its hostname and IP addresses
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS