[dns-operations] NS strangeness for TLD "nc"

Chris Thompson cet1 at cam.ac.uk
Wed Jun 22 19:08:37 UTC 2011

[Cc'd to the SOA.rname for NC]

I noticed that I was getting strangely inconsistent results when checking
whether the TLD "nc" was signed or not, which I tracked down to this:

Delegation in the root zone is to

    ns-nc.ripe.net.  (only its IPv4 address appears in the glue)

while in the zone itself the NS records are for


This isn't a matter of aliasing: all seven names have different IP
addresses. The zone appears to have the same SOA serial (and NS RRset)
at each of them, but the latter 4 have signed versions, while the other
3 have unsigned ones.

One result is that if you don't have the NS RRset in cache, you have
only a 25% chance of seeing DNSKEY records, but once it is, you have
a 100% chance.

Can this really be an intended configuration? Cock-up or conspiracy?

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list