TLD Delegation and Nameserver Failures (2020-09)
We run detailed analyses of many nameservers and domains, including thousands owned by Fortune 500 companies, S&P Global 100 (largest) Banks, and the US government. Our standard DNS test suite has over 80 checks covering various IETF/RFC requirements and advice, government mandates, and registry guidelines, including for IPv6 and DNSSEC. This recent study looked at 1508 top-level domain names and found some interesting and significant errors, including DNSSEC failures.
The BJ authoritative nameserver(s) ns-bj.nic.fr. at 220.127.116.11 and 2001:678:c::1 both returned REFUSED.
The CM NS record didn't have corresponding A and AAAA addresses:
CM. 86400 IN NS benoue.camnet.CM.
The following CX NS record had problems due to a DNSSEC failure (resulting in a SERVFAIL):
CX. 172800 IN NS ns.anycast.nic.CX.
Its signature was:
ns.anycast.nic.cx. 43 IN RRSIG A 8 4 3600 ( 20200924012852 20200909142333 26133 nic.cx. C2L8BFWjby2I+2FjPNr3QLRW6pS/2n691GEEZ7498IX/ LWaRj007A+xpAVrsGPYduAhhMk5XLebsEVTD186yyvdb sgiLS0pW3TWx44w9+yyjXMHWJt0zLLDzntPf6xF3YvDH loiD8MqYe7Bb+9L5uKEG2lOGoEjaXki+nA4DNDw= )
We didn't see any DNSKEY with key id "26133". (The same problem was seen with other nic.cx records too.)
The DJ nameserver bow5.intnet.dj. 18.104.22.168 returned a SERVFAIL for DJ.
(Also, we found it interesting that a third-party "vps" domain with a number is used for an NS. This could lead to a dangling DNS exploit if not managed well. See our dangling DNS research.)
One of the JM NS records didn't have corresponding A and AAAA addresses:
JM. 1800 IN NS ns-jm.ripe.net.
The KE authoritative nameserver kenic.anycastdns.cz. 22.214.171.124 (UDP) and 126.96.36.199 (TCP) both returned REFUSED for KE. (Also see other TLDs in this report using these same nameservers.)
KM's authoritative nameserver(s) ns-km.afrinic.net. at 2001:43f8:120::46 and 188.8.131.52 both returned a SERVFAIL. (Also see NE.)
The NS-delegated nameserver(s) na.anycastdns.cz. at 184.108.40.206 and 220.127.116.11 both returned REFUSED for NA. (These same nameservers also failed for other domains in this report.)
NE's authoritative nameserver(s) ns-ne.afrinic.net. at 2001:43f8:120::45 and 18.104.22.168 both returned a SERVFAIL. (Also see KM.)
Several of the PROTECTION nameservers were not responsive (from different networks):
b.nic.protection. 22.214.171.124 UDP and TCP timeout
c.nic.protection. 126.96.36.199 UDP and TCP timeout
d.nic.protection. 188.8.131.52 UDP and TCP timeout
c.nic.protection. 2a02:e180:3::10 UDP and TCP timeout
d.nic.protection. 2a02:e180:4::10 UDP and TCP timeout
(We don't list all the timeouts in this report, but this case was significant since many of their nameservers did have connectivity problems as seen from different networks.)
The SK authoritative nameserver e.tld.sk. 2001:67c:13cc::1:16 returned a SERVFAIL over TCP. (This was not seen for UDP and couldn't be repeated.)
The SS authoritative nameserver root.nic.ss. 184.108.40.206 returned a SERVFAIL.
Also the SS authoritative nameservers ssnic.anycastdns.cz. at 220.127.116.11 and 18.104.22.168 returned REFUSED. (Also see other TLDs in this report using these same nameservers.)
The TL NS record's address failed due to a DNSSEC error (resulting in a SERVFAIL). The signature was missing its corresponding DNSKEY:
ns.anycast.nic.tl. 604800 IN RRSIG A 8 4 604800 ( 20200925091803 20200911082333 55626 nic.tl. Rr5fDGoYhideTGGNcTlTs7fUd+BfzJpNtAqZFQF4ln5u 2T08hR0p6KEqfokzdEAcN+zXk0+OA4HehvPkafkou6s+ qvb5/JcIfhiH5RMXMENrkQ8iOv9699JQqrvxRPF01ugw PbooOyzeXgdi1OaJR7TeyqGINBn9KQgRjOdsh0o= )
We didn't see a DNSKEY for that key id 55626. (The same problem was seen for some other nic.tl records.)
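The CX and TL failures above both come down to an RRSIG whose key tag has no DNSKEY behind it. As an added example (not the report's own tooling), this Python code computes DNSKEY key tags per RFC 4034 Appendix B and lists signatures with no matching key. The DNSKEY set is constructed toy data, not the zone's real keys, and all function and variable names are hypothetical.

```python
import base64
import re

def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (any algorithm except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# owner TTL IN RRSIG covered alg labels orig-ttl ( expiration inception key-tag signer sig )
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"\(?\s*\d{14}\s+\d{14}\s+(?P<tag>\d+)\s+(?P<signer>\S+)"
)

def parse_rrsig(line: str) -> dict:
    m = RRSIG_RE.match(line.strip())
    if m is None:
        raise ValueError("not an RRSIG in presentation format: %r" % line[:40])
    return {"owner": m["owner"].lower(), "covered": m["covered"], "alg": int(m["alg"]),
            "tag": int(m["tag"]), "signer": m["signer"].lower()}

def orphaned_rrsigs(rrsig_lines, dnskeys):
    """Return RRSIGs whose (signer, algorithm, key tag) matches no DNSKEY.

    dnskeys: iterable of (zone, flags, protocol, algorithm, pubkey_b64)."""
    known = {(zone.lower(), alg, key_tag(flags, proto, alg, key))
             for zone, flags, proto, alg, key in dnskeys}
    sigs = [parse_rrsig(line) for line in rrsig_lines]
    return [s for s in sigs if (s["signer"], s["alg"], s["tag"]) not in known]

# Constructed stand-in DNSKEY RRset (toy 3-byte keys); the report lists no real keys.
SAMPLE_DNSKEYS = [
    ("nic.cx.", 257, 3, 8, "AQAB"),  # key tag 1545
    ("nic.cx.", 256, 3, 8, "AQAC"),  # key tag 1800
]
SAMPLE_RRSIGS = [
    # Header fields of the CX RRSIG quoted in the report; signature elided.
    "ns.anycast.nic.cx. 43 IN RRSIG A 8 4 3600 ( 20200924012852 20200909142333 26133 nic.cx. ... )",
    # Constructed RRSIG that does match a key in the stand-in set.
    "ns.anycast.nic.cx. 43 IN RRSIG AAAA 8 4 3600 ( 20200924012852 20200909142333 1545 nic.cx. ... )",
]

if __name__ == "__main__":
    for sig in orphaned_rrsigs(SAMPLE_RRSIGS, SAMPLE_DNSKEYS):
        print("no DNSKEY for key tag %(tag)d (signer %(signer)s, owner %(owner)s)" % sig)
```

Key tags are not unique, so a tag match only selects candidate keys; a validator still has to verify the signature against each candidate.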
The UNO NS record didn't have a corresponding address record:
UNO. 172800 IN NS e.nic.UNO.
(This could not be repeated.)
XN--D1ALF (North Macedonia)
The XN--D1ALF authoritative nameserver dns-mk.univie.ac.at. at 22.214.171.124 and 2001:628:453:bb::4 both returned REFUSED for its domain.
The nameserver nsi.uanic.net. 126.96.36.199 returned a SERVFAIL for XN--J1AMH.
The nameserver dns2.u-registry.net. 188.8.131.52 timed out (UDP and TCP).
The nameserver dns1.u-registry.com. 2607:5300:60:2e43::5 timed out (UDP and TCP).
The XN--MGBPL2FH authoritative nameserver sd.cctld.authdns.ripe.net. at 2001:67c:e0::109 and 184.108.40.206 both returned a REFUSED for this domain.
Also the XN--MGBPL2FH nameserver(s) ns-sd.afrinic.net. at 220.127.116.11 and 2001:43f8:120::26 both returned a REFUSED for the domain.
The NS authoritative nameserver(s) ns.cocca.fr. at 18.104.22.168 and 2a03:dd40:3::93 both returned REFUSED for XN--MGBTX2B.
XN--MGBTX2B also had an authoritative server sns-pb.isc.org, a public-benefit secondary service, which no longer exists in DNS.
The authoritative nameserver does not have a corresponding A or AAAA address record.
XN--YGBI2AMMX. 172800 IN NS idn.pnina.ps.
It does have a glue (additional section) record at the parent root server:
idn.pnina.ps. 172800 IN A 22.214.171.124
which times out for UDP and TCP.
The ZM authoritative nameservers gransy.nic.zm. at 126.96.36.199 and 188.8.131.52 both returned REFUSED for it. (Also see other TLDs in this report using these same IPv4 nameservers.)
We also had nine TLDs with at least one TCP connection refused, 142 TLDs had at least one IPv4 UDP timeout, 124 TLDs had at least one IPv4 TCP timeout, 22 TLDs had at least one IPv6 UDP timeout, and 25 TLDs had at least one IPv6 TCP timeout.
The percentage of DNSSEC signed SOA records was 91% (1383) and 98% (1486) of the TLDs were available over IPv6 with one or more AAAA nameserver addresses. (Two of the TLDs had DNSSEC failures.)
Our analysis tool identified 109756 warnings and 60048 failures from its many TLD test combinations. For more information, see our DNS monitoring page.