This page describes common error messages that you might receivewhen using Cloud DNS, what the messages mean, and recommended actionsfor resolving the errors.

General errors

This section describes general errors.

alreadyExists

The specified resource already exists; you cannot create a duplicate.

Recommended action: When creating a resource, use the appropriateget/listAPI to discover what resources already exist.

If you get this error when adding records, it is because an individual record istreated as a record set, which means each entry (if you have multiple entries)acts as a different record. You can add two values or strings to the record setfor the same Domain Name System (DNS) name by adding a space between the firstvalue and the second value.

accessNotConfigured

Access not configured

To resolve this error, you mustenable the Cloud DNS API for your project.

inactiveBillingState

Projectexample_project cannot accept requests while in an inactivebilling state. Billing state might take several minutes to update.

Recommended action: Enable billing for your project. To enable billing for anew project, or to re-enable billing for an existing project, follow theappropriate steps inEnable billing for a project.

preconditionFailed

This is a generic error that means that something about the request is notcompatible with the current state of the server resource. The client must dosomething to fix it and then try again. This can happen if you send acreatechange request that tries to delete a resource record set that doesn't match theone that already exists (same name and type).

Read the current state of the zone and decide what you want to delete. Itmight have changed since you last looked at it.

The error message includes the path to the problematic part of your request. Forexample,entity.change.deletions[6] refers to the seventh element in thedeletions array of the change object in the POST body of your request.

Recommended action: Fix the part of the request that is flagged asproblematic.

required

This is a generic error that means that some required part of the request is missing.For example, the request to create a managed zone requires a name, a DNS name,and a description. If any of these fields is missing, the request fails withthis error.

Recommended action: Fill in the required parameter and try again.

notFound

The specified resource does not exist.

Recommended action: Make sure that you are using the name of an existingresource.

quotaExceeded

You get this error when an impending change would exceed your current quota.The quota is associated with the project. For example, you are only allowed acertain number of resource record sets in each zone. If you need a quota increase,contact your Google Cloud sales team. New projects have a defaultquota as specified inCloud DNS resource quotas and limits.For all the different dimensions that DNS limits, see theProjects.get operation.

Recommended action: Check your project to understand why you are alreadyusing so much of that resource. You can request increased quota for a project ontheQuotas page of the Google Cloud console for the project. You can also refer toRequest a quota adjustment.

Errors relating to managed zones

This section lists errors relating to managed zones.

invalidFieldValue

Invalid value forentity.managedZone.name.

The operation to create a managed zone can fail with this error if the managedzone name does not begin with a letter, end with a letter or digit, andcontain only lowercase letters, digits, or dashes.

managedZoneDnsNameNotAvailable

The specified managed zone is not available and thus, cannot be created.

The operation to create a managed zone can fail with this error for thefollowing reasons:

• The DNS name of the proposed zone is reserved, for example, dot (.),.com, or.co.uk.
• There are no more name servers available to host the DNS name of the zone.Cloud DNS uses a pool of name servers, and that pool is finite.A DNS query to any name server must map unambiguously to one managed zone.For more details, seenameserver limits.

Recommended action: If you are the registered owner of the DNS name inquestion, check for overlapping zones. To set up DNS for a domain andits subdomains, we recommend creating a single parent zone first and addingrecords for each subdomain in that zone.

verifyManagedZoneDnsNameOwnership

Verify ownership of theexample.com domain (or a parent), and then try again.

Recommended action: When you receive this error, you mustverify domain ownership,and then try again.

Errors relating to managed records

The errors in this section relate to records.

containerNotEmpty

The specified resource cannot be deleted because it is not empty.

Recommended action: If you want to delete the resource, you must empty itfirst.

invalidZoneApex

The specified resource record set is invalid because a zone must containexactly one resource record set of a certain type at the apex.

Apex in the DNS context means the DNS name with the fewest number oflabels that are allowed in the zone. It is also the top of the zone hierarchy.The apex of a zone is the DNS name equal toManagedZone.dnsName.

This error means that you tried to make a change that would violate the DNS rulethat a zone must contain exactly one resource record set of a certain type atthe apex. The following actions can cause this error:

• You tried to delete the requiredNS resource record set at the apex.
• You tried to delete the requiredSOA resource record set at the apex.
• You tried to create a resource record set of typeSOAnot at the apex.

Recommended action: If you get this error, you are trying to do somethingthat isn't allowed under the rules of DNS. Check your request for mistakes.There is no need to delete the required resource record sets.

invalidRecordCount

The resource record setentity.change.additions[XX] is onlypermitted to have one record because it is of type<SOA_OR_CNAME>.

The rules of DNS say thatSOA andCNAME resource record sets can only haveone resource record. You get this error if you try to create a change that wouldbreak those rules. For example:

  {    kind: "dns#rrset"    name: "blog.example.com.",    type: "CNAME",    rrdata: [ "www.example.com.", "www2.example.com." ],    ...  }

Recommended action: If you get this error, check your request. You aretrying to do something that isn't allowed.

cnameResourceRecordSetConflict

The resource record setentity.change.additions[XX] is invalidbecause the DNS nameexample.com might have either one CNAME resourcerecord set or resource record sets of other types, but not both.

This error occurs when you create two types of resource record sets, such asboth an A record and a CNAME record for the same DNS name. A common cause ofthis error is trying to create a CNAME record at the zone apex. This is notpossible because it would conflict with the requiredSOA andNS records ofthe same name.

Recommended action: Pick one or the other.

wildcardNotAllowed

The specified resource record set has the wrong type to be a wildcard.

In DNS, awildcard is a special type of resource record set that matchesrequests for non-existent domain names. One limitation ofCloud DNS is that you cannot create a wildcard resourcerecord set of typeNS.

Recommended action: WildcardNS resource record sets are not supported atthis time. ContactCloud DNS Support or joincloud-dns-discussand share what you are trying to accomplish.

recordTypeDisallowedAtZoneApex

The specified resource record cannot exist alongside any other record type,including theSOA record that is required at the zone apex.

You cannot place aCNAME resource record at the apex because it cannotexist alongside any other resource record type, including theSOA resourcerecord that is required at the zone apex.

Recommended action: Use anALIAS resource record. AnALIAS resourcerecord is a Cloud DNS custom record type that behaves like aCNAMEresource record but can only be used at the zone apex and only responds toaddress record (A or AAAA) queries. For more information,seeAlias records.

invalidValue

This is a generic error that means something about your request was invalid,independent of the server's state. The error message includes the path to theproblematic part of the request, as well as the invalid value. This error couldbe triggered by many different things, such as:

• You specified a resource record set with an invalid name. For example,cymbal...group is not a valid DNS name (empty middle label).
• You specified a resource record set with an invalid type. For example Aand CNAME are valid types, butgroup is not a valid type.
• You specified a resource record set with no records in it.
• You specified resource record data that is invalid. For example1.1.1.1 isvalid resource record data for type A.X.X.X.X is invalid resource recorddata for type A.
• You specified a resource record set with an invalid TTL. The TTL must be anon-negative integer.
• You specified a resource name that is too long.

Recommended action: Fix your request.

Errors related to threat detection

This section describes common errors when enabling threat detection.

Privileged access only allowed from ThreatDetectorAdmin

You must have theThreat Detector Admin role to enable DNS threat detection.

Recommended action: You must be granted theroles/networksecurity.dnsThreatDetectorAdmin role.

FAILED_PRECONDITION

Another DNS threat detector already exists under the supplied parent.

Recommended action Inspect your current configuration state, and either use the existing DNS threat detector or remove it and create a new one.

gcloud network-security dns-threat-detectors describe --location=globalRESOURCE_REPORTED_IN_ERROR_MESSAGE

What's next

• To learn more about features, seeCloud DNS overview.
• To find solutions for common issues that you might encounter when usingCloud DNS, seeTroubleshooting.
• To get additional help, seeSupport.