[dns-operations] NS strangeness for TLD "nc"

Chris Thompson cet1 at cam.ac.uk
Wed Jun 22 19:08:37 UTC 2011


[Cc'd to the SOA.rname for NC]

I noticed that I was getting strangely inconsistent results when checking
whether the TLD "nc" was signed or not, which I tracked down to this:

Delegation in the root zone is to

    python.opt.nc.
    triton.opt.nc.
    ns1.ird.fr.
    ns-nc.ripe.net.  (only its IPv4 address appears in the glue)

while in the zone itself the NS records are for

    ns1.nc.
    ns2.nc.
    any-ns1.nc.
    ns-nc.ripe.net.

This isn't a matter of aliasing: all seven names have different IP
addresses. The zone appears to have the same SOA serial (and NS RRset)
at each of them, but the latter 4 have signed versions, while the other
3 have unsigned ones.

One result is that if you don't have the NS RRset in cache, you have
only a 25% chance of seeing DNSKEY records, but once it is, you have
a 100% chance.

Can this really be an intended configuration? Cock-up or conspiracy?

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
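
[Added example, not part of the original message or of any tool its author used: a small Python check that compares a delegation's NS set with the zone's own NS RRset and computes the chance of seeing DNSKEY records from each, using the server names and signed/unsigned observations reported in the post. The function names are hypothetical, and it assumes a resolver picks each listed server with equal probability.]

```python
from fractions import Fraction

def norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()

def audit_delegation(parent_ns, child_ns, serves_dnskey):
    """Compare the parent's delegation NS set with the zone's own NS RRset.

    serves_dnskey maps server name -> True if that server returned DNSKEY
    records for the zone. Assumption: each server is equally likely to be used.
    """
    parent = {norm(n) for n in parent_ns}
    child = {norm(n) for n in child_ns}
    if not parent or not child:
        raise ValueError("both NS sets must be non-empty")
    observed = {norm(n): bool(ok) for n, ok in serves_dnskey.items()}
    unknown = (parent | child) - set(observed)
    if unknown:
        raise ValueError(f"no DNSKEY observation for: {sorted(unknown)}")
    signed = {n for n in parent | child if observed[n]}

    def chance(servers):
        return Fraction(len(servers & signed), len(servers))

    findings = []
    if parent != child:
        findings.append("parent and child NS sets differ")
    if 0 < len(signed) < len(parent | child):
        findings.append("mix of signed and unsigned copies of the zone")
    return {
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
        "cold_cache_dnskey": chance(parent),  # resolver follows the delegation
        "warm_cache_dnskey": chance(child),   # resolver uses the zone's NS RRset
        "findings": findings,
    }

# Observations as reported in the post above for the TLD "nc".
PARENT = ["python.opt.nc.", "triton.opt.nc.", "ns1.ird.fr.", "ns-nc.ripe.net."]
CHILD = ["ns1.nc.", "ns2.nc.", "any-ns1.nc.", "ns-nc.ripe.net."]
SIGNED = {**{n: False for n in PARENT[:3]}, **{n: True for n in CHILD}}

if __name__ == "__main__":
    for key, value in audit_delegation(PARENT, CHILD, SIGNED).items():
        print(f"{key}: {value}")
```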


