[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Paul Vixie paul at vix.com
Wed Jan 9 15:29:46 UTC 2008

> ...
> But, back to what I have found the harder question during the years,  
> and that is what should happen if the tests fail? Should the  
> delegation be withdrawn?
>     Patrik

ideally the name would continue to be reserved, and held by the registrant,
but the NS RRs would no longer be published, or would be changed to point
to a nameserver inside the registry which always returned SERVFAIL.  this
would prevent queries from having to time out, it would give the registry
a chance to measure the traffic, and it would prevent someone from pirating
the original nameserver's IP address and thus taking over someone's zone.

More information about the dns-operations mailing list