DNS Tech Support Training Courses DNSSEC Consulting DNS Analysis System Audit Customer Portal
The DNS Institute
Documentation Implementations Research DNS History Free DNS Tools

Finding out-of-sync TLD nameservers (2024-05)

With recent news about c.root-servers.net not getting updated for near ten days, we realized our own existing tests which check for this didn't adequately check the . (dot) root zone.

This weekend, we did an analysis of 1448 TLDs and it reported thousands of anomalies and real DNS failures. Out of the DNS Institute DNS Analyzer's 160+ test cases, 67 unique test types reported problems. These are based on IETF/RFC standards, registry best practices, and government mandates, including for DNSSEC and IPv6. See the following examples of possible TLD zones that are out-of-date for some nameservers:

If the SOA serial numbers are counters, it detected 75 others that had a difference of at least 30. For example:

The following examples are Unix epoch times:

In addition to SOA SERIAL comparisons, we also did experiments looking at DNSSEC signature expiration and inception times using same key tags. We saw 73 TLDs that had over 30 second differences in the SOA EXPIRATION times or for SOA INCEPTION times. While we saw anomalies, we did not yet decide if some nameservers are really behind or if there is any significance. Here are examples:

What techniques are you using to identify zones that are not getting updated?

Our DNS Institute DNS Analyzer also identified many other errors with TLDs, such as ns1.teleinfo.cn. (2402:7d80::1) for ANQUAN., SHOUJI., XIHUAN., XN--3DS443G., XN--KPUT3I., XN--RHQV96G., XN--VUQ861B.. and YUN. and b.dns-servers.vn. ( for VN. nameservers responding with a source address that was different from the queried destination address. We also saw expired DNSSEC signatures for XN--FZC2C9E2C., XN--MGBAYH7GPA., and XN--XKC2AL3HYE2A. Again we saw 67 unique failure types.

Contact Us | About | Site Map |  Gab |  Twitter