[dns-operations] Dumb question: why is it that some registries limit the nameservers that can be delegated to?

Mark Andrews marka at isc.org
Fri Sep 12 00:03:03 UTC 2014

In message <CAAF6GDeBO-4Xmwe_xZZu2b4fefj5qWftiC3gRZxA1gbXDQFpxA at mail.gmail.com>, Colm MacCárthaigh writes:
> On Thu, Sep 11, 2014 at 4:28 PM, Mark Andrews <marka at isc.org> wrote:
> > Actually timeout is much, much, much worse.
> When I experiment empirically there seem to be caches that will fail
> the resolution if one of the auth servers returned REFUSED or
> SERVFAIL. Different numbers for each, but both trigger it. Meanwhile
> timeouts do cause delay, but a greater percentage of resolutions
> succeed.

Which indicates broken recursive servers.  Recursive servers should
be expecting misconfigured authoritative servers.  You don't stuff
up authoritative behaviour because you have broken recursive servers.

> > Delegation should never succeed unless you can get a SOA response
> > for the zone being delegated from the nameservers being delegated
> > to.
> Of course, but that's not what .is do. They check for a completely
> different name first, not in the zone being delegated, and expect to
> see an error.

So they are doing an additional test to the ones I listed.  I have
no problem with them checking this; however, this should be cached
and only rechecked periodically along with delegation checks and
EDNS compliance checks.

The basic "are you serving this zone" check should be done for every
delegation.  EDNS compliance and basic response checks I would make

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
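As an added illustration of the "are you serving this zone" check discussed in this thread (this is example code, not something from the thread, from ISC or from any registry), the script below sends a SOA query for the zone to each proposed nameserver and classifies the reply: an authoritative SOA answer means the server is serving the zone, while REFUSED, SERVFAIL, a non-authoritative answer or a timeout each mean the delegation should not go ahead. The packet builder and parser are minimal and hand-written here (no third-party DNS library assumed); `build_test_response` constructs sample replies so the classifier can be exercised offline, and the zone and server names in the usage are placeholders.

```python
import random
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
SOA_TYPE = 6
IN_CLASS = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone, qid):
    """SOA/IN query for the zone; RD is left clear because we want an
    authoritative answer from this server, not a recursive lookup."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def classify_response(zone, qid, msg):
    """Classify a reply to build_soa_query(): 'serving' only if the server
    answered authoritatively with an SOA record; otherwise the RCODE name,
    'not-serving' (NOERROR but no authoritative SOA, i.e. lame), or a
    transport-level verdict ('short', 'bad-id', 'malformed')."""
    if len(msg) < 12:
        return "short"
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        return "bad-id"
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    try:
        off = 12
        for _ in range(qd):                    # step over the question section
            off = _skip_name(msg, off) + 4
        for _ in range(an):                    # look for an SOA in the answer section
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == SOA_TYPE and rclass == IN_CLASS and aa:
                return "serving"
    except (IndexError, struct.error):
        return "malformed"
    return "not-serving"


def build_test_response(zone, qid, rcode, aa, with_soa):
    """Constructed sample reply (test data, not captured traffic) so the
    classifier can be exercised without touching the network."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1 if with_soa else 0, 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    if with_soa:
        rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
                 + struct.pack("!IIIII", 2014091201, 7200, 3600, 1209600, 3600))
        # owner name is a compression pointer to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return msg


def check_delegation(zone, servers, timeout=2.0):
    """Query each proposed nameserver (IPv4 address, UDP/53 assumed) and
    return {server: verdict}."""
    verdicts = {}
    for server in servers:
        qid = random.randrange(0, 0x10000)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_soa_query(zone, qid), (server, 53))
            msg, _ = sock.recvfrom(4096)
            verdicts[server] = classify_response(zone, qid, msg)
        except socket.timeout:
            verdicts[server] = "timeout"      # the outcome resolvers suffer most from
        except OSError as exc:
            verdicts[server] = "error:%s" % exc
        finally:
            sock.close()
    return verdicts


def delegation_ok(verdicts):
    """Accept the delegation only if every listed server is serving the zone."""
    return bool(verdicts) and all(v == "serving" for v in verdicts.values())


if __name__ == "__main__":
    # usage: python delegation_check.py example.test. 192.0.2.1 192.0.2.2   (placeholders)
    zone, servers = sys.argv[1], sys.argv[2:]
    results = check_delegation(zone, servers)
    for server, verdict in results.items():
        print(server, verdict)
    print("delegation ok" if delegation_ok(results) else "delegation rejected")
```

The policy encoded in `delegation_ok` is deliberately strict: one lame, refusing or unreachable server is enough to reject, because, as the thread notes, some recursive servers fail the whole resolution on a REFUSED or SERVFAIL from any listed server. The outside-the-zone probe that .is performs is a separate check and is not part of this script.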
