[dns-operations] IANA testbed problem

George Barwood george.barwood at blueyonder.co.uk
Thu Apr 8 15:40:32 UTC 2010


The IANA testbed ( https://ns.iana.org/dnssec/status.html ) seems to respond incorrectly to queries for DS iana.org.

It should act as a (test) signed root, with one of the root servers being

ns.iana.org.            3600    IN      A       208.77.188.32

The response to 

>dig ds iana.org @208.77.188.32

should (I think) be a referral to the org servers, since the DS RRset is served by the parent zone.
However, the actual response is an authoritative NoData response,

iana.org.               3600    IN      SOA     dns1.icann.org. hostmaster.icann

i.e. it is coming from the iana.org zone rather than the root zone.

Am I being stupid, or is this a bug?

It can lead to authentication errors if the org zone has not yet been discovered
by the resolver, e.g. if the first query is for ns.iana.org.

George
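
Added example, not part of the original post: a check a resolver operator or tester could run over dig output to tell a referral from an authoritative NoData for a DS query, and to flag a NoData whose SOA owner equals the query name (answered from the child side of the cut, as described above). The function names, both sample outputs, the SOA rdata after the mname and the NS target are constructed for illustration.

```python
import re

def parse_dig(text):
    """Extract status, header flags and (owner, type) pairs per section from dig output."""
    msg = {"status": None, "flags": set(), "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(";;"):
            if m := re.search(r"status: (\w+)", line):
                msg["status"] = m.group(1)
            if m := re.search(r"flags: ([a-z ]*);", line):
                msg["flags"] = set(m.group(1).split())
            if m := re.match(r";; (\w+) SECTION:", line):
                section = m.group(1) if m.group(1) in msg else None
        elif line and not line.startswith(";") and section:
            owner, _ttl, _cls, rtype = line.split()[:4]
            msg[section].append((owner.lower(), rtype.upper()))
    return msg

def is_strict_ancestor(zone, name):
    return name != zone and (zone == "." or name.endswith("." + zone))

def classify_ds_response(qname, msg):
    qname, auth = qname.lower(), msg["AUTHORITY"]
    if msg["status"] != "NOERROR" or msg["ANSWER"]:
        return "answer-or-error"
    soa = [o for o, t in auth if t == "SOA"]
    ns = [o for o, t in auth if t == "NS"]
    if "aa" in msg["flags"] and soa:
        # DS lives in the parent zone, so an SOA owned by qname itself means the child answered.
        return "nodata-from-child" if soa[0] == qname else "nodata-from-parent"
    if "aa" not in msg["flags"] and ns and is_strict_ancestor(ns[0], qname):
        return "referral"
    return "unclassified"

# Constructed samples (not captured traffic): the reported response and the expected referral.
OBSERVED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
iana.org. 3600 IN SOA dns1.icann.org. hostmaster.example. 1 7200 3600 1209600 3600
"""
EXPECTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
org. 172800 IN NS ns.example.
"""
for label, sample in (("observed", OBSERVED), ("expected", EXPECTED)):
    print(label, classify_ds_response("iana.org.", parse_dig(sample)))
```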

