DNS 8 NXRRSET vs 9 NOTAUTH
Both DNS 8 (NXRRSET) and 9 (NOTAUTH) belong to the DNS Response Codes (RCODEs) category. 8 indicates that rR Set that should exist does not. A required resource record set is missing from the zone. Meanwhile, 9 means that server Not Authoritative for zone, or Not Authorized. The server is not authoritative for the zone named in the Zone section.
Description
RR Set that should exist does not. A required resource record set is missing from the zone.
When You See It
A DNS UPDATE prerequisite expected a certain RRset to exist (e.g., an MX record), but the zone does not contain it.
How to Fix
Create the missing RRset in the zone before retrying the update, or change the prerequisite to not require its existence.
Description
Server Not Authoritative for zone, or Not Authorized. The server is not authoritative for the zone named in the Zone section.
When You See It
You sent a dynamic update or zone operation to a server that is not the authoritative master for that zone, or the server rejected it due to TSIG authentication failure.
How to Fix
Send the update to the correct primary authoritative server for the zone. If using TSIG, verify the key name and secret match on both client and server.
Key Differences
DNS 8: RR Set that should exist does not. A required resource record set is missing from the zone.
DNS 9: Server Not Authoritative for zone, or Not Authorized. The server is not authoritative for the zone named in the Zone section.
You encounter 8 when a DNS UPDATE prerequisite expected a certain RRset to exist (e.g., an MX record), but the zone does not contain it.
You encounter 9 when you sent a dynamic update or zone operation to a server that is not the authoritative master for that zone, or the server rejected it due to TSIG authentication failure.
When to Use Which
For 8 (NXRRSET): Create the missing RRset in the zone before retrying the update, or change the prerequisite to not require its existence. For 9 (NOTAUTH): Send the update to the correct primary authoritative server for the zone. If using TSIG, verify the key name and secret match on both client and server.