[dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

Colm MacCárthaigh colm at stdlib.net
Thu Sep 11 23:32:34 UTC 2014

On Thu, Sep 11, 2014 at 4:28 PM, Mark Andrews <marka at isc.org> wrote:
> Actually timeout is much, much, much worse.

When I experiment empirically there seem to be caches that will fail
the resolution if one of the auth servers returned REFUSED or
SERVFAIL. Different numbers for each, but both trigger it. Meanwhile
timeouts do cause delay, but a greater percentage of resolutions

> Delegation should never succeed unless you can get a SOA response
> for the zone being delegated from the nameservers being delegated
> to.

Of course, but that's not what .is do. They check for a completely
different name first, not in the zone being delegated, and expect to
see an error.
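
As an added illustration (not part of the original message, and not any registry's actual code): a minimal pre-delegation check that classifies one nameserver's reply to an SOA query for the zone, separating the REFUSED, SERVFAIL and timeout outcomes discussed above from a usable authoritative answer. The zone `zone.example`, the `SAMPLE_OK` bytes and all function names are constructed for this example.

```python
import struct

RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_SOA, FLAG_AA = 6, 0x0400
# Constructed sample: authoritative NOERROR reply with one SOA for zone.example.
SAMPLE_OK = bytes.fromhex("123484000001000100000000047a6f6e65076578616d706c650000060001"
                          "c00c0006000100000e100018c00cc00c0000000100001c2000000e100012750000000e10")

def read_name(buf, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                           # bounds pointer loops
        length = buf[off]
        if length == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | buf[off + 1]
        else:
            labels.append(buf[off + 1:off + 1 + length].decode("ascii").lower())
            off += 1 + length
    raise ValueError("name too long or compression loop")

def check_soa_response(wire, zone):
    """Classify one nameserver's reply (None = no reply) to an SOA query for zone."""
    if wire is None:
        return "TIMEOUT"
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", wire[:12])
        if flags & 0x000F:                         # non-zero RCODE
            return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
        if not flags & FLAG_AA:                    # answered, but not authoritative
            return "NOT_AUTHORITATIVE"
        off = 12
        for _ in range(qd):                        # skip question section
            off = read_name(wire, off)[1] + 4
        for _ in range(an):
            owner, off = read_name(wire, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_SOA and owner == zone.lower().rstrip(".") + ".":
                return "OK"
        return "NO_SOA"
    except (struct.error, IndexError, ValueError):
        return "MALFORMED"

def with_flags(wire, flags):
    """Return a copy of a constructed sample with its header flags replaced."""
    return wire[:2] + struct.pack("!H", flags) + wire[4:]
```

A delegation check along these lines would accept the nameserver set only if every listed server returns `OK` for the zone being delegated.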


