The DNS Institute

TLD Delegation and Nameserver Failures (2020-09)

We run a detailed analysis of many nameservers and domains, including thousands owned by Fortune 500 companies, S&P Global 100 (largest) banks, and the US government. Our standard DNS test suite has over 80 checks for various IETF/RFC requirements and advice, government mandates, and registry guidelines, including checks for IPv6 and DNSSEC. This recent study looked at 1508 top-level domain names and found some interesting and significant errors, including DNSSEC failures.


The BJ authoritative nameserver(s) ns-bj.nic.fr. at and 2001:678:c::1 both returned REFUSED.


The CM NS record didn't have corresponding A and AAAA addresses:

CM.  86400 IN NS benoue.camnet.CM.


The following CX NS record had problems:

CX.      172800  IN     NS     ns.anycast.nic.CX.
due to DNSSEC failure (resulting in a SERVFAIL). Its signature was:
ns.anycast.nic.cx.    43 IN RRSIG A 8 4 3600 (
                     20200924012852 20200909142333 26133 nic.cx.
                     loiD8MqYe7Bb+9L5uKEG2lOGoEjaXki+nA4DNDw= )
We didn't see any DNSKEY with key id "26133". (The same problem was seen with other nic.cx records too.)


The DJ nameserver bow5.intnet.dj. returned a SERVFAIL for DJ.

(Also, we found it interesting that a third-party "vps" domain with a number is used for an NS. This could lead to a dangling DNS exploit if not managed well. See our dangling DNS research.)


One of the JM NS records didn't have corresponding A and AAAA addresses:

JM.  1800 IN NS ns-jm.ripe.net.


The KE authoritative nameserver kenic.anycastdns.cz. (UDP) and (TCP) both returned REFUSED for KE. (Also see other TLDs in this report using these same nameservers.)


KM's authoritative nameserver(s) ns-km.afrinic.net. at 2001:43f8:120::46 and both returned a SERVFAIL. (Also see NE.)


The NS-delegated nameserver(s) na.anycastdns.cz. at and both returned REFUSED for NA. (These same nameservers also failed for other domains in this report.)


NE's authoritative nameserver(s) ns-ne.afrinic.net. at 2001:43f8:120::45 and both returned a SERVFAIL. (Also see KM.)


Several of the PROTECTION nameservers were not responsive (from different networks):

b.nic.protection. UDP and TCP timeout
c.nic.protection. UDP and TCP timeout
d.nic.protection. UDP and TCP timeout
c.nic.protection. 2a02:e180:3::10 UDP and TCP timeout
d.nic.protection. 2a02:e180:4::10 UDP and TCP timeout

(We don't list all the timeouts in this report, but this case was significant since many of their nameservers did have connectivity problems as seen from different networks.)


The SK authoritative nameserver e.tld.sk. 2001:67c:13cc::1:16 returned a SERVFAIL over TCP. (This was not seen for UDP and couldn't be repeated.)


The SS authoritative nameserver root.nic.ss. returned a SERVFAIL.

Also the SS authoritative nameservers ssnic.anycastdns.cz. at and returned REFUSED. (Also see other TLDs in this report using these same nameservers.)


The TL NS record's address failed due to a DNSSEC error (resulting in a SERVFAIL). The signature was missing its corresponding DNSKEY:

ns.anycast.nic.tl.   604800 IN RRSIG A 8 4 604800 (
                   20200925091803 20200911082333 55626 nic.tl.
                   PbooOyzeXgdi1OaJR7TeyqGINBn9KQgRjOdsh0o= )
We didn't see a DNSKEY for that key id 55626. (The same problem was seen for some other nic.tl records.)
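
The missing-DNSKEY condition reported for nic.cx above and for nic.tl here can be checked mechanically: compute each DNSKEY's key tag (RFC 4034, Appendix B) and flag any RRSIG whose signer, algorithm and key tag match no key. This is an added example, not our test suite's code; the two DNSKEY records and the SOA RRSIG in the sample are constructed toy values, and only the ns.anycast.nic.cx. RRSIG is taken from this report.

```python
import base64
import re

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def records(zone_text):
    """Yield (owner, rtype, rdata_fields), joining '( ... )' continuation lines."""
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), zone_text)
    for line in flat.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2].upper() == "IN":
            yield f[0].lower(), f[3].upper(), f[4:]

def orphaned_rrsigs(zone_text):
    """Return (owner, type_covered, key_tag) for RRSIGs that match no DNSKEY."""
    keys, sigs = set(), []
    for owner, rtype, rd in records(zone_text):
        if rtype == "DNSKEY":  # rdata: flags protocol algorithm base64-key...
            flags, proto, alg = int(rd[0]), int(rd[1]), int(rd[2])
            keys.add((owner, alg, key_tag(flags, proto, alg, "".join(rd[3:]))))
        elif rtype == "RRSIG":  # rdata: covered alg labels ttl exp inc tag signer sig
            sigs.append((owner, rd[0], (rd[7].lower(), int(rd[1]), int(rd[6]))))
    return [(o, covered, ref[2]) for o, covered, ref in sigs if ref not in keys]

# Constructed sample: the DNSKEYs (toy key "AQAB") and the SOA RRSIG are made up;
# the last RRSIG is the ns.anycast.nic.cx. record quoted in this report.
SAMPLE = """\
nic.cx. 3600 IN DNSKEY 257 3 8 AQAB
nic.cx. 3600 IN DNSKEY 256 3 8 AQAB
nic.cx. 3600 IN RRSIG SOA 8 2 3600 20200924012852 20200909142333 1544 nic.cx. AAAA
ns.anycast.nic.cx.    43 IN RRSIG A 8 4 3600 (
                     20200924012852 20200909142333 26133 nic.cx.
                     loiD8MqYe7Bb+9L5uKEG2lOGoEjaXki+nA4DNDw= )
"""

if __name__ == "__main__":
    for owner, covered, tag in orphaned_rrsigs(SAMPLE):
        print(f"{owner} RRSIG {covered}: no DNSKEY with key tag {tag}")
```

A key tag match only identifies a candidate key; a validator still has to verify the signature against it, so this check finds the failure described here but does not replace validation.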


The UNO NS record didn't have a corresponding address record:

UNO.      172800  IN      NS      e.nic.UNO.
(This could not be repeated.)

XN--D1ALF (North Macedonia)

The XN--D1ALF authoritative nameserver dns-mk.univie.ac.at. at and 2001:628:453:bb::4 both returned REFUSED for its domain.

XN--J1AMH (Ukraine)

The nameserver nsi.uanic.net. returned a SERVFAIL for XN--J1AMH.

The nameserver dns2.u-registry.net. timed out (UDP and TCP).

The nameserver dns1.u-registry.com. 2607:5300:60:2e43::5 timed out (UDP and TCP).

XN--MGBPL2FH (Sudan)

The XN--MGBPL2FH authoritative nameserver sd.cctld.authdns.ripe.net. at 2001:67c:e0::109 and both returned a REFUSED for this domain.

Also the XN--MGBPL2FH nameserver(s) ns-sd.afrinic.net. at and 2001:43f8:120::26 both returned a REFUSED for the domain.

XN--MGBTX2B (Iraq)

The NS authoritative nameserver(s) ns.cocca.fr. at and 2a03:dd40:3::93 both returned REFUSED for XN--MGBTX2B.

XN--MGBTX2B also had an authoritative server sns-pb.isc.org, a public-benefit secondary service, which no longer exists in DNS.

XN--YGBI2AMMX (Palestine)

The authoritative nameserver does not have a corresponding A or AAAA address record.

XN--YGBI2AMMX.      172800  IN      NS      idn.pnina.ps.
It does have a glue (additional section) record at the parent root server:
idn.pnina.ps.       172800  IN      A
which times out for UDP and TCP.


The ZM authoritative nameservers gransy.nic.zm. at and both returned REFUSED for it. (Also see other TLDs in this report using these same IPv4 nameservers.)

We also had nine TLDs with at least one TCP connection refused, 142 TLDs with at least one IPv4 UDP timeout, 124 TLDs with at least one IPv4 TCP timeout, 22 TLDs with at least one IPv6 UDP timeout, and 25 TLDs with at least one IPv6 TCP timeout.

The percentage of DNSSEC-signed SOA records was 91% (1383), and 98% (1486) of the TLDs were available over IPv6 with one or more AAAA nameserver addresses. (Two of the TLDs had DNSSEC failures.)

Our analysis tool identified 109756 warnings and 60048 failures from its many TLD test combinations. For more information, see our DNS monitoring page.
