TLD Delegation and Nameserver Failures (2020-09)

We run a detailed analysis of many nameservers and domains, including thousands owned by Fortune 500 companies, the S&P Global 100 (largest) banks, and the US government. Our standard DNS test suite has over 80 checks for various IETF/RFC requirements and advice, government mandates, and registry guidelines, including for IPv6 and DNSSEC. This recent study looked at 1508 top-level domain names and found some interesting and significant errors, including DNSSEC failures.

BJ

The BJ authoritative nameserver ns-bj.nic.fr. returned REFUSED at both 194.0.9.1 and 2001:678:c::1.

CM

The CM NS record didn't have corresponding A and AAAA addresses:

CM.  86400 IN NS benoue.camnet.CM.

CX

The following CX NS record had problems due to a DNSSEC failure (resulting in a SERVFAIL):

CX.      172800  IN     NS     ns.anycast.nic.CX.

Its signature was:
ns.anycast.nic.cx.    43 IN RRSIG A 8 4 3600 (
                     20200924012852 20200909142333 26133 nic.cx.
                     C2L8BFWjby2I+2FjPNr3QLRW6pS/2n691GEEZ7498IX/
                     LWaRj007A+xpAVrsGPYduAhhMk5XLebsEVTD186yyvdb
                     sgiLS0pW3TWx44w9+yyjXMHWJt0zLLDzntPf6xF3YvDH
                     loiD8MqYe7Bb+9L5uKEG2lOGoEjaXki+nA4DNDw= )
We didn't see any DNSKEY with key id "26133". (The same problem was seen with other nic.cx records too.)

DJ

The DJ nameserver bow5.intnet.dj. 196.201.196.41 returned a SERVFAIL for DJ.

(We also found it interesting that a third-party "vps" domain with a number is used for an NS. This could lead to a dangling DNS exploit if not managed well. See our dangling DNS research.)

JM

One of the JM NS records didn't have corresponding A and AAAA addresses:

JM.  1800 IN NS ns-jm.ripe.net.

KE

The KE authoritative nameserver kenic.anycastdns.cz. 185.28.194.194 (UDP) and 185.38.108.108 (TCP) both returned REFUSED for KE. (Also see other TLDs in this report using these same nameservers.)

KM

KM's authoritative nameserver ns-km.afrinic.net. returned a SERVFAIL at both 2001:43f8:120::46 and 196.216.168.46. (Also see NE.)

NA

The NS-delegated nameserver na.anycastdns.cz. returned REFUSED for NA at both 185.28.194.194 and 185.38.108.108. (These same nameservers also failed for other domains in this report.)

NE

NE's authoritative nameserver ns-ne.afrinic.net. returned a SERVFAIL at both 2001:43f8:120::45 and 196.216.168.45. (Also see KM.)

PROTECTION

Several of the PROTECTION nameservers were not responsive (from different networks):

b.nic.protection. 185.24.64.67 UDP and TCP timeout
c.nic.protection. 185.38.99.10 UDP and TCP timeout
d.nic.protection. 108.59.161.10 UDP and TCP timeout
c.nic.protection. 2a02:e180:3::10 UDP and TCP timeout
d.nic.protection. 2a02:e180:4::10 UDP and TCP timeout

(We don't list all the timeouts in this report, but this case was significant since many of their nameservers had connectivity problems as seen from different networks.)

SK

The SK authoritative nameserver e.tld.sk. 2001:67c:13cc::1:16 returned a SERVFAIL over TCP. (This was not seen for UDP and couldn't be repeated.)

SS

The SS authoritative nameserver root.nic.ss. 196.1.4.230 returned a SERVFAIL.

Also the SS authoritative nameserver ssnic.anycastdns.cz. returned REFUSED at both 185.28.194.194 and 185.38.108.108. (Also see other TLDs in this report using these same nameservers.)

TL

The TL NS record's address failed due to a DNSSEC error (resulting in a SERVFAIL). The signature was missing its corresponding DNSKEY:

ns.anycast.nic.tl.   604800 IN RRSIG A 8 4 604800 (
                   20200925091803 20200911082333 55626 nic.tl.
                   Rr5fDGoYhideTGGNcTlTs7fUd+BfzJpNtAqZFQF4ln5u
                   2T08hR0p6KEqfokzdEAcN+zXk0+OA4HehvPkafkou6s+
                   qvb5/JcIfhiH5RMXMENrkQ8iOv9699JQqrvxRPF01ugw
                   PbooOyzeXgdi1OaJR7TeyqGINBn9KQgRjOdsh0o= )
We didn't see a DNSKEY for that key id 55626. (The same problem was seen for some other nic.tl records.)
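The CX and TL findings above share one failure mode: an RRSIG whose key tag matches no DNSKEY published at the signer name, which a validating resolver rejects (SERVFAIL) before it can even attempt the signature. The following added example, which is not part of the report or its test suite, reproduces that check offline: it parses the CX RRSIG quoted above, computes RFC 4034 key tags for a constructed nic.cx DNSKEY RRset (tiny placeholder keys, not real ones), and reports the mismatch and any validity-window problem; the same functions apply unchanged to the TL record.

```python
import base64
# RRSIG for ns.anycast.nic.cx. exactly as quoted in the report (key tag 26133).
RRSIG_CX = """ns.anycast.nic.cx.    43 IN RRSIG A 8 4 3600 (
    20200924012852 20200909142333 26133 nic.cx.
    C2L8BFWjby2I+2FjPNr3QLRW6pS/2n691GEEZ7498IX/
    LWaRj007A+xpAVrsGPYduAhhMk5XLebsEVTD186yyvdb
    sgiLS0pW3TWx44w9+yyjXMHWJt0zLLDzntPf6xF3YvDH
    loiD8MqYe7Bb+9L5uKEG2lOGoEjaXki+nA4DNDw= )"""
# Constructed nic.cx DNSKEY RRset. The public keys are tiny placeholders, not real
# RSA keys, so only their key tags (not the signature itself) can be checked.
DNSKEYS_CX = [
    "nic.cx. 3600 IN DNSKEY 257 3 8 AQIDBA==",  # constructed, key tag 2063
    "nic.cx. 3600 IN DNSKEY 256 3 8 ECAw",      # constructed, key tag 17448
]

def tokens(rr):
    """Tokenise a presentation-format RR, flattening ( ... ) continuation lines."""
    return rr.replace("(", " ").replace(")", " ").split()

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA wire format."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_tag(rr):
    t = tokens(rr)  # owner ttl class DNSKEY flags protocol algorithm base64...
    return key_tag(int(t[4]), int(t[5]), int(t[6]), base64.b64decode("".join(t[7:])))

def parse_rrsig(rr):
    t = tokens(rr)  # owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig
    return {"algorithm": int(t[5]), "expiration": t[8], "inception": t[9],
            "key_tag": int(t[10]), "signer": t[11]}

def check_rrsig(rrsig, dnskeys, now="20200915000000"):
    """Problems a validator hits before it can even try the signature; [] means none."""
    sig = parse_rrsig(rrsig)
    problems = []
    # Fixed-width YYYYMMDDHHMMSS timestamps compare correctly as plain strings.
    if not sig["inception"] <= now <= sig["expiration"]:
        problems.append("signature outside its validity window")
    # Only keys with the RRSIG's signer name and algorithm are candidates.
    tags = sorted(dnskey_tag(k) for k in dnskeys
                  if tokens(k)[0] == sig["signer"] and int(tokens(k)[6]) == sig["algorithm"])
    if sig["key_tag"] not in tags:
        problems.append(f"no DNSKEY with key tag {sig['key_tag']} at {sig['signer']} (tags seen: {tags})")
    return problems
```

check_rrsig(RRSIG_CX, DNSKEYS_CX) reports the missing key tag 26133 seen in the report; against a live zone the DNSKEY RRset would be fetched from the signer's nameservers instead of the constructed list.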

UNO

The UNO NS record didn't have a corresponding address record:

UNO.      172800  IN      NS      e.nic.UNO.
(This could not be repeated.)

XN--D1ALF (North Macedonia)

The XN--D1ALF authoritative nameserver dns-mk.univie.ac.at. returned REFUSED for its domain at both 78.104.145.4 and 2001:628:453:bb::4.

XN--J1AMH (Ukraine)

The nameserver nsi.uanic.net. 212.1.66.247 returned a SERVFAIL for XN--J1AMH.

The nameserver dns2.u-registry.net. 195.123.1.7 timed out (UDP and TCP).

The nameserver dns1.u-registry.com. 2607:5300:60:2e43::5 timed out (UDP and TCP).

XN--MGBPL2FH (Sudan)

The XN--MGBPL2FH authoritative nameserver sd.cctld.authdns.ripe.net. returned REFUSED for this domain at both 2001:67c:e0::109 and 193.0.9.109.

Also the XN--MGBPL2FH nameserver ns-sd.afrinic.net. returned REFUSED for the domain at both 196.216.168.26 and 2001:43f8:120::26.

XN--MGBTX2B (Iraq)

The authoritative nameserver ns.cocca.fr. returned REFUSED for XN--MGBTX2B at both 185.17.236.93 and 2a03:dd40:3::93.

XN--MGBTX2B also had an authoritative server sns-pb.isc.org, a public-benefit secondary service, which no longer exists in DNS.

XN--YGBI2AMMX (Palestine)

The authoritative nameserver does not have a corresponding A or AAAA address record.

XN--YGBI2AMMX.      172800  IN      NS      idn.pnina.ps.
It does have a glue (additional section) record at the parent root server:
idn.pnina.ps.       172800  IN      A       208.64.68.4
which times out for UDP and TCP.

ZM

The ZM authoritative nameserver gransy.nic.zm. returned REFUSED for ZM at both 185.28.194.194 and 185.38.108.108. (Also see other TLDs in this report using these same IPv4 nameservers.)


We also had nine TLDs with at least one TCP connection refused, 142 TLDs had at least one IPv4 UDP timeout, 124 TLDs had at least one IPv4 TCP timeout, 22 TLDs had at least one IPv6 UDP timeout, and 25 TLDs had at least one IPv6 TCP timeout.

91% (1383) of the TLDs had DNSSEC-signed SOA records, and 98% (1486) were available over IPv6 with one or more AAAA nameserver addresses. (Two of the TLDs had DNSSEC failures.)

Our analysis tool identified 109756 warnings and 60048 failures from its many TLD test combinations. For more information, see our DNS monitoring page.

For our DNS research updates, please follow us on Facebook and Twitter.