[dns-operations] DNS trust dependencies for TLDs

Florian Weimer fw at deneb.enyo.de
Mon Jun 15 12:39:44 UTC 2009

* Antoin Verschuren:

> What would happen if we accidentally deleted all *.nic.nl A records
> from our nic.nl zone?

Nothing at once, if there's still glue.  But if a client queries for
one of those names, some resolvers will issue a fresh upstream query,
cache the resulting NXDOMAIN and not use this particular server any

> I would say no authoritative answer for .nl would exist anymore on
> the *.nic.nl nameservers, but the out of bailiwick nameservers would
> still produce valid answers for the .nl zone, and there is no way we
> could cause their glue to change, either in their zones, or at the
> root.

It's very brittle.  If those were the only servers for .nl, client
queries can make the zone unavailable from the point of view of the
resolver they use.
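
An added example, not part of the original message: a static audit of which zones a TLD's nameserver names depend on for their address records, and whether losing one zone's records would leave no usable server. The NS names and zone apexes are constructed for illustration, and the model assumes the worst case discussed above, where a name stops being usable once its address records are gone.

```python
# Constructed sample data: illustrative names, not the real .nl nameserver set.
NL_NS = ["ns1.nic.nl", "ns2.nic.nl", "ns3.nic.nl",
         "ns-nl.example.net", "nl1.example.org"]
ZONE_CUTS = ["nl", "nic.nl", "example.net", "example.org"]  # assumed zone apexes


def labels(name):
    """Lower-cased labels of a DNS name, root-most first, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def in_zone(name, zone):
    """True if name is at or below zone, compared label by label, not by string suffix."""
    n, z = labels(name), labels(zone)
    return n[:len(z)] == z


def hosting_zone(name, zone_cuts):
    """Deepest known zone apex containing name (where its A records live), or None."""
    matches = [z for z in zone_cuts if in_zone(name, z)]
    return max(matches, key=lambda z: len(labels(z)), default=None)


def dependency_report(ns_names, zone_cuts):
    """Map each hosting zone to the NS names whose address records it holds."""
    report = {}
    for ns in ns_names:
        report.setdefault(hosting_zone(ns, zone_cuts), []).append(ns)
    return report


def survivors_if_lost(ns_names, zone_cuts, lost_zone):
    """NS names that keep their address records if lost_zone's records vanish."""
    return [ns for ns in ns_names if hosting_zone(ns, zone_cuts) != lost_zone]


def single_points_of_failure(ns_names, zone_cuts):
    """Zones whose loss leaves no nameserver with address records."""
    return [z for z in dependency_report(ns_names, zone_cuts)
            if not survivors_if_lost(ns_names, zone_cuts, z)]


if __name__ == "__main__":
    for zone, names in dependency_report(NL_NS, ZONE_CUTS).items():
        print(f"{zone}: {len(names)} of {len(NL_NS)} servers -> {names}")
    print("single points of failure:", single_points_of_failure(NL_NS, ZONE_CUTS))
```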

