[dns-operations] Upcoming DNS behavior changes to .com/.net/.edu name servers

Mark Andrews marka at isc.org
Mon Mar 1 05:19:23 UTC 2010


In message <20100301044844.GA4316 at vacation.karoshi.com.>, bmanning at vacation.karoshi.com writes:
>  I think it already happened - since it's been 01mar2010 for almost 13hrs now.
> 
> --bill

While it is March 1 in some parts of the world the servers have not
yet changed behaviour so asking for when the change will happen is
still reasonable.

Mark

; <<>> DiG 9.3.6-P1 <<>> ns1.google.com @a.gtld-servers.net +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64906
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;ns1.google.com.			IN	A

;; ANSWER SECTION:
ns1.google.com.		172800	IN	A	216.239.32.10

;; AUTHORITY SECTION:
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.		172800	IN	A	216.239.32.10
ns2.google.com.		172800	IN	A	216.239.34.10
ns3.google.com.		172800	IN	A	216.239.36.10
ns4.google.com.		172800	IN	A	216.239.38.10

;; Query time: 178 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Mon Mar  1 16:16:40 2010
;; MSG SIZE  rcvd: 180

> On Sun, Feb 28, 2010 at 07:47:48PM -0800, Doug Barton wrote:
> > Out of curiosity are these changes still on schedule for tomorrow? If
> > so, is there a UTC time that the switch is expected to be thrown?
> > 
> > 
> > Thanks,
> > 
> > Doug
> > 
> > 
> > On 01/08/10 15:52, Matt Larson wrote:
> > > (Apologies in advance that some of you will see multiple copies of
> > > this message on various lists.)
> > > 
> > > On March 1, 2010, VeriSign will be making two changes that affect the
> > > behavior of the authoritative name servers for the .com, .net and .edu
> > > zones ([a-m].gtld-servers.net).  The changes are a prerequisite for
> > > deploying DNSSEC in these three zones beginning in 2010.
> > >  
> > > Because of the widespread use of .com and .net, and because resolution
> > > of some domains might be affected, we'd like to notify the community
> > > in advance about these changes.
> > > 
> > > The two changes are:
> > >  
> > > 1. New referral behavior
> > >  
> > > When queried for an existing A or AAAA record serving as glue (an
> > > address record at or below NS records at a delegation point), the
> > > authoritative name servers for .com and .net respond with the glue
> > > record in the answer section.  However, the answer is not marked
> > > authoritative, i.e., the AA bit is not set.  While this behavior
> > > conforms to the DNS standards, recent authoritative servers do not
> > > respond this way.  Instead, when queried for a name at or below a
> > > delegation point, recent authoritative servers respond with a referral
> > > to the delegated zone.  This behavior is also supported by the DNS
> > > standards.
> > >  
> > > The [a-m].gtld-servers.net servers are changing to the latter referral
> > > behavior: queries for glue records will result in referrals rather
> > > than non-authoritative answers.
> > 
> > [...]
> > 
> > > 2. Glue no longer promoted to authoritative status
> > >  
> > > In the .com/.net registry system, a domain can be placed on an
> > > administrative hold status.  A domain on hold is not published: the NS
> > > records delegating the domain are removed from the .com or .net zone.
> > > For example, registrars sometimes place a domain on hold if it is
> > > about to expire but the registrant has not responded to requests to
> > > renew it, or if it is being used for malicious activity.
> > >  
> > > Currently, when a domain is placed on hold, its NS records are removed
> > > from the zone but not any of the A and AAAA records of name servers in
> > > that domain.  For example, consider if the domain "example.com"
> > > existed in the registry along with the name server "ns.example.com".
> > > (An important note: whether or not the "example.com" zone itself
> > > actually uses "ns.example.com" as one of its authoritative name
> > > servers is irrelevant to the behavior described here.  The important
> > > point is that "ns.example.com" is in the "example.com" domain, i.e.,
> > > below it in the DNS name space.)
> > >  
> > > If the "example.com" domain were placed on hold today, the NS records
> > > delegating it would be removed from the .com zone.  The A and AAAA
> > > records for "ns.example.com" remain in the zone.  In fact, since these
> > > records are no longer below a delegation point, they are promoted to
> > > become authoritative data.
> > >  
> > > As of March 1, 2010, when a domain goes on hold, the NS records
> > > delegating the domain will be removed from the zone, and the A and
> > > AAAA records for name servers below the domain will no longer be
> > > promoted to authoritative status.  These A and AAAA records will not
> > > actually be removed: although they will not be returned when queried
> > > for directly, they will appear in the additional section of referrals
> > > that reference them.
> > >  
> > 
> > 
> > 
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
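
Added example, not part of the original message or of any VeriSign or ISC code: a small classifier that reads `dig +norec` output and tells the pre-change reply (glue in the answer section, AA clear) from the referral the announcement describes. The function names, the labels it returns, and the second sample reply are assumptions made for illustration.

```python
import re

# Trimmed from the dig output in the message above (pre-change behaviour).
OLD_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64906
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; ANSWER SECTION:
ns1.google.com. 172800 IN A 216.239.32.10
;; AUTHORITY SECTION:
google.com. 172800 IN NS ns1.google.com.
google.com. 172800 IN NS ns2.google.com.
google.com. 172800 IN NS ns3.google.com.
google.com. 172800 IN NS ns4.google.com.
"""

# Constructed sample (not captured from a real server): a referral reply.
REFERRAL_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.com. 172800 IN NS ns.example.com.
;; ADDITIONAL SECTION:
ns.example.com. 172800 IN A 192.0.2.53
"""

HEADER_RE = re.compile(r"status: (\w+).*?flags: ([a-z ]*);.*?ANSWER: (\d+)", re.S)

def parse_dig(text):
    """Return (status, flag set, answer count, authority-section RR types)."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no dig header found")
    auth_types, section = [], None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            auth_types.append(line.split()[3])  # name ttl class TYPE rdata
    return m.group(1), set(m.group(2).split()), int(m.group(3)), auth_types

def classify(text):
    status, flags, answers, auth_types = parse_dig(text)
    if status != "NOERROR":
        return "other"
    if "aa" in flags:
        return "authoritative"
    if answers:
        return "non-authoritative-answer"  # glue in the answer section, AA clear
    if auth_types and all(t == "NS" for t in auth_types):
        return "referral"                  # no answer, NS set for the child zone
    return "other"
```

Running `classify` on saved output from each of the [a-m].gtld-servers.net servers shows which ones still give the old style of reply.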
