Nameservers setup problems


I’m trying to setup Mail-in-a-Box, but when following the tutorial to setup the glue records and nameservers I ran into problems.

In the tutorial you must specify the same ip address for the glue records and for the nameservers , but both in Gandi and my own registrar I get the same error:

•2308 : Data management policy violation (504 Missing required attribute; IP-addresses of subordinate name servers cannot be identical.)

Can some one please help me with this.

Some top level domains (TLDs) require two IP addresses. You can’t use those TLDs with Mail-in-a-Box following the normal instructions, so you’re on your own if you try — you would need to use an external DNS provider.

What TLD did you use? See the TLD quirks list at

The TLD is .nl and the guide mentions this:
Probably good TLDs:

But then I must assume that .nl also require two IP addresses.
I will try to setup the external DNS

Would Mail-in-a-Box support TLDs that require two IP addresses in the future?

The issue is just that Mail-in-a-Box sets up one machine, and if you need two IP addresses you need two machines. That’s too complicated for me to try to support. (Although I guess you could try to get your ISP to assign two IP addresses to the same machine.)

I have a VPS (from with 2 public IP’s, and if I create the glue records and nameservers 2 use these IP’s, would MiaB DNS works.

I don’t think so. Due to the complex setup of running both bind and nsd, the DNS server nsd will only listen on one IP address, not both. It probably can be made to work, but it’s not something I have time to support.

Josh, I’ve had success with multiple .TLDs with annoying name server requirements via LightSail ( or Route 43 ) + Mail-in-a-Box. I wrote a small post under “Setup Help” with the title ‘Workaround for .CA’ - it will also work for many other new gTLDs. Thanks for Mail-in-a-box, it’s great.

Hi @nessuno

The nuance that is missing here is that MiaB is designed to be an all in one solution – in meeting that goal, some things are not really possible - this includes the dozen or so TLD’s that have special requirements. If DNS is being served by an external DNS server (as you have done in your workaround post) then it is not really an ‘all in one’ solution any more.

1 Like

Hi Alento,
It would be beneficial if we differentiate ccTLDs and gTLDs. Most NS problems can be narrowed to these 2 groups. By “gluing” or using the Registrar’s authority ( given by the Registry or the country entity ) one would be ensuring that the text generated in the section ‘External DNS’ is still consistent and I still feel my Mail-in-a-box worked neatly out of the box. But I respect the author’s intention of keeping it simple.

I think that you are possibly missing the point, and why glue records exist …

The TLD’s that are problematic are problematic for a variety of reasons. Most on the list (such as .ca) require 2 name servers per the appropriate RFC. Most TLD’s have chosen to ignore this requirement unofficially - so they do not enforce is as .ca & .de do (amongst others). Others only allow the subdomains for the name servers to be in the format of which does not allow the MiaB standard of putting the name servers on a subdomain i.e. ( this is the case with .gg .je and .as.

Now the reason that we have glue records is so that there is an official place for the DNS system to check what the locations are for the name servers on a specific domain. IF you run name servers on a domain then there must be Glue records listed by the domain registrar. That is the only reliable way to identify the location of a name server as how can you find a name server if you do not know its address? So the glue record provides the official database of name server addresses.

Now a little about how name servers work. There are what is called ‘primary’ and ‘secondary’ name servers. This does NOT specifically refer to ns1 and ns2. It refers to the name server(s) that have the absolute OFFICIAL dns zone for a domain (the primary) and the other name servers who receive their information from the official dns zone, which are the secondaries yet still speak authoritatively for the domain. So to quickly summarize, the secondaries serve official records but they receive those official records from the primary name server.

Ok, so what happens here is called a zone transfer which is when the primary gives all of the secondaries the information needed to serve the records to DNS inquiries. The primaries always transfer to the secondaries - it is a one way transfer. They do not transfer elsewhere, such as to the glue records - because that is not the purpose of a glue record.

Now, in MiaB parlance, ‘External DNS’ refers to the fact that the name servers handled for the domain(s) served by our box are handled elsewhere - by a different provider … be that Cloudflare, the registrar, our VPS provider, whoever … and by definition since it is EXTERNAL, there is no glue record on our domain for it (it is not on our domain, so why would there be) AND by definition our domain DOES NOT need a Glue record because our domain does not have any name servers.

So … if we tie all this together, we will see that there is no correlation at all between using External DNS and having Glue records for our domain.

Which leads me to this question …


The answer is that it doesn’t. Having glue records on a domain which has no name servers does not ensure consistency. How could it?

So, in conclusion, I will state again - there is no reason to create glue records when DNS will be hosted Externally. And in some cases, due to rare malfunction (which would usually be caused by human error), it would be best NOT to have them pointing to an IP when they do not exist.

With all due respect… if you really want to talk SLD.TLD message me privately, you seem to be extremely confused by how TLDs actually work. Look up SOA and different requirements from ICANN towards ccTLDs versus gTLDs and then perhaps you will understand.

delete my post if you find it so offensive. I was trying to give it back as I noticed people really query this up ( re dot CA ) -but arrogance predominates the open source.


The minimal set of requisite glue records is considered to be:

One A record, if all authoritative name servers are in-bailiwick of the parent zone; and,

As clearly the external name servers are not in-baliwick of the parent zone, then there is NO requirement for a glue record. As I have stated.