TLD Delegation and Nameserver Failures (2020-09)

We run a detailed analysis of many nameservers and domains including for thousands owned by Fortune 500 companies, S&P Global 100 (largest) Banks, and the US government. Our standard DNS test suite has over 80 checks for various IETF/RFC requirements and advice, government mandates, and registry guidelines, including for IPv6 and DNSSEC. This recent study looked at 1508 top-level domain names and found some interesting and significant errors, including DNSSEC failures.


The BJ authoritative nameserver(s) at and 2001:678:c::1 both returned REFUSED.


The CM NS record didn't have corresponding A and AAAA addresses:

CM.  86400 IN NS benoue.camnet.CM.


The following CX NS record had problems:

CX.      172800  IN     NS     ns.anycast.nic.CX.
due to DNSSEC failure (resulting in a SERVFAIL). Its signature was:    43 IN RRSIG A 8 4 3600 (
                     20200924012852 20200909142333 26133
                     loiD8MqYe7Bb+9L5uKEG2lOGoEjaXki+nA4DNDw= )
We didn't see any DNSKEY with key id "26133". (The same problem was seen with other records too.)


The DJ nameserver returned a SERVFAIL for DJ.

(Also we found it interesting that a third-party "vps" domain with a number is used for a NS. This could lead to a dangling DNS exploit if not managed well. See our dangling DNS research.)


One of the JM NS records didn't have corresponding A and AAAA addresses:

JM.  1800 IN NS


The KE authoritative nameserver (UDP) and (TCP) both returned REFUSED for KE. (Also see other TLDs in this report using these same nameservers.)


KM's authoritative nameserver(s) at 2001:43f8:120::46 and both returned a SERVFAIL. (Also see NE.)


The NS-delegated nameserver(s) at and both returned REFUSED for NA. (These same nameservers also failed for other domains in this report.)


NE's authoritative nameserver(s) at 2001:43f8:120::45 and both returned a SERVFAIL. (Also see KM.)


Several of the PROTECTION nameservers were not responsive (from different networks): UDP and TCP timeout UDP and TCP timeout UDP and TCP timeout 2a02:e180:3::10 UDP and TCP timeout 2a02:e180:4::10 UDP and TCP timeout
(We don't list all the time outs in this report, but this case was significant since many of their nameservers did have connectivity problems as seen from different networks.)


The SK authoritative nameserver 2001:67c:13cc::1:16 returned a SERVFAIL over TCP. (This was not seen for UDP and couldn't be repeated.)


The SS authoritative nameserver returned a SERVFAIL.

Also the SS authoritative nameservers at and returned REFUSED. (Also see other TLDs in this report using these same nameservers.)


The TL NS record's address failed due to a DNSSEC error (resulting in a SERVFAIL). The signature was missing its corresponding DNSKEY:   604800 IN RRSIG A 8 4 604800 (
                   20200925091803 20200911082333 55626
                   PbooOyzeXgdi1OaJR7TeyqGINBn9KQgRjOdsh0o= )
We didn't see a DNSKEY for that key id 55626. (The same problem was for some other records.)


The UNO NS record didn't have a corresponding address record:

UNO.      172800  IN      NS      e.nic.UNO.
(This could not be repeated.)

XN--D1ALF (North Macedonia)

The XN--D1ALF authoritative nameserver at and 2001:628:453:bb::4 both returned REFUSED for its domain.

XN--J1AMH (Ukraine)

The nameserver returned a SERVFAIL for XN--J1AMH.

The nameserver timed out (UDP and TCP).

The nameserver 2607:5300:60:2e43::5 timed out (UDP and TCP).

XN--MGBPL2FH (Sudan)

The XN--MGBPL2FH authoritative nameserver at 2001:67c:e0::109 and both returned a REFUSED for this domain.

Also the XN--MGBPL2FH nameserver(s) at and 2001:43f8:120::26 both returned a REFUSED for the domain.

XN--MGBTX2B (Iraq)

The NS authoritative nameserver(s) at and 2a03:dd40:3::93 both returned REFUSED for XN--MGBTX2B.

XN--MGBTX2B also had an authoritative server, a public-benefit secondary service, which no longer exists in DNS.

XN--YGBI2AMMX (Palestine)

The authoritative nameserver does not have a corresponding A or AAAA address record.

XN--YGBI2AMMX.      172800  IN      NS
It does have a glue (additional section) record at the parent root server:       172800  IN      A
which times out for UDP and TCP.


The ZM authoritative nameservers at and both returned REFUSED for it. (Also see other TLDs in this report using these same IPv4 nameservers.)

We also had nine TLDs with at least one TCP connection refused, 142 TLDs had at least one IPv4 UDP timeout, 124 TLDs had at least one IPv4 TCP timeout, 22 TLDs had at least one IPv6 UDP timeout, and 25 TLDs had at least one IPv6 TCP timeout.

The percentage of DNSSEC signed SOA records was 91% (1383) and 98% (1486) of the TLDs were available over IPv6 with one or more AAAA nameserver addresses. (Two of the TLDs had DNSSEC failures.)

Our analysis tool identified 109756 warnings and 60048 failures from its many TLD test combinations. For more information, see our DNS monitoring page.

For our DNS research updates, please follow us on Facebook and Twitter.