[dns-operations] Upcoming DNS behavior changes to .com/.net/.edu name servers

Doug Barton dougb at dougbarton.us
Mon Mar 1 03:47:48 UTC 2010

Out of curiosity are these changes still on schedule for tomorrow? If
so, is there a UTC time that the switch is expected to be thrown?



On 01/08/10 15:52, Matt Larson wrote:
> (Apologies in advance that some of you will see multiple copies of
> this message on various lists.)
>
> On March 1, 2010, VeriSign will be making two changes that affect the
> behavior of the authoritative name servers for the .com, .net and .edu
> zones ([a-m].gtld-servers.net).  The changes are a prerequisite for
> deploying DNSSEC in these three zones beginning in 2010.
>
> Because of the widespread use of .com and .net, and because resolution
> of some domains might be affected, we'd like to notify the community
> in advance about these changes.
>
> The two changes are:
>
> 1. New referral behavior
> When queried for an existing A or AAAA record serving as glue (an
> address record at or below NS records at a delegation point), the
> authoritative name servers for .com and .net respond with the glue
> record in the answer section.  However, the answer is not marked
> authoritative, i.e., the AA bit is not set.  While this behavior
> conforms to the DNS standards, recent authoritative servers do not
> respond this way.  Instead, when queried for a name at or below a
> delegation point, recent authoritative servers respond with a referral
> to the delegated zone.  This behavior is also supported by the DNS
> standards.
>
> The [a-m].gtld-servers.net servers are changing to the latter referral
> behavior: queries for glue records will result in referrals rather
> than non-authoritative answers.


> 2. Glue no longer promoted to authoritative status
> In the .com/.net registry system, a domain can be placed on an
> administrative hold status.  A domain on hold is not published: the NS
> records delegating the domain are removed from the .com or .net zone.
> For example, registrars sometimes place a domain on hold if it is
> about to expire but the registrant has not responded to requests to
> renew it, or if it is being used for malicious activity.
>
> Currently, when a domain is placed on hold, its NS records are removed
> from the zone but not any of the A and AAAA records of name servers in
> that domain.  For example, consider if the domain "example.com"
> existed in the registry along with the name server "ns.example.com".
> (An important note: whether or not the "example.com" zone itself
> actually uses "ns.example.com" as one of its authoritative name
> servers is irrelevant to the behavior described here.  The important
> point is that "ns.example.com" is in the "example.com" domain, i.e.,
> below it in the DNS name space.)
>
> If the "example.com" domain were placed on hold today, the NS records
> delegating it would be removed from the .com zone.  The A and AAAA
> records for "ns.example.com" remain in the zone.  In fact, since these
> records are no longer below a delegation point, they are promoted to
> become authoritative data.
>
> As of March 1, 2010, when a domain goes on hold, the NS records
> delegating the domain will be removed from the zone, and the A and
> AAAA records for name servers below the domain will no longer be
> promoted to authoritative status.  These A and AAAA records will not
> actually be removed: although they will not be returned when queried
> for directly, they will appear in the additional section of referrals
> that reference them.
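
The following Python code is an added example, not part of either message above: it classifies a DNS response as a non-authoritative answer, a referral or an authoritative answer from the AA bit, the answer count and the authority-section record types, which is the distinction both announced changes turn on. The sample packets, the address 192.0.2.53, the TTL and all function names are constructed for illustration.

```python
import struct

AA, TYPE_A, TYPE_NS = 0x0400, 1, 2   # AA: Authoritative Answer bit in the flags word

def name(n):  # encode a domain name in uncompressed wire format
    return b"".join(bytes([len(label)]) + label.encode() for label in n.split(".")) + b"\0"

def rr(owner, rtype, rdata):  # one resource record, class IN, constructed TTL
    return name(owner) + struct.pack("!HHIH", rtype, 1, 172800, len(rdata)) + rdata

def message(flags, answer=(), authority=(), additional=()):
    # Response (QR bit set) to the constructed question "ns.example.com. IN A".
    hdr = struct.pack("!6H", 0x1234, 0x8000 | flags, 1,
                      len(answer), len(authority), len(additional))
    question = name("ns.example.com") + struct.pack("!HH", TYPE_A, 1)
    return hdr + question + b"".join([*answer, *authority, *additional])

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(msg):
    """Classify a response by AA bit, answer count and authority record types."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg)
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen                      # fixed RR fields plus RDATA
    if an:
        return "authoritative-answer" if flags & AA else "non-authoritative-answer"
    if ns and not flags & AA and all(t == TYPE_NS for t in types[an:]):
        return "referral"
    return "other"

# Constructed sample responses; 192.0.2.53 is a documentation address.
GLUE = rr("ns.example.com", TYPE_A, bytes([192, 0, 2, 53]))
NS = rr("example.com", TYPE_NS, name("ns.example.com"))
OLD_GLUE_QUERY = message(0, answer=[GLUE])                       # change 1, before
NEW_GLUE_QUERY = message(0, authority=[NS], additional=[GLUE])   # change 1, after
HOLD_PROMOTED = message(AA, answer=[GLUE])                       # change 2, before

if __name__ == "__main__":
    print([classify(m) for m in (OLD_GLUE_QUERY, NEW_GLUE_QUERY, HOLD_PROMOTED)])
```

Monitoring or resolver code that expected a glue address in the answer section sees the second shape after the change, with the address only in the additional section.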
