Home / Blogs

TLD Operators: Cleaning Up Lame Delegations

ICANN’s Security and Stability Advisory Committee (SECSAC) recently released some recommendations regarding the DNS infrastructure, specifying among other things, that sub-zone delegation be kept up-to-date.

“A zone and its parent must work together to ensure the parent always has the correct referral information and the parent must update the referral information upon request in a timely fashion.”

Translation: TLD operators need to work with ICANN to clean up their lame delegations.

The SECSAC report doesn’t mention, but I believe is trying to address, is the alarming fact that nearly 10% of the name servers listed in the root zone are lame, either they aren’t authoritative for the zones they are supposed to be, or they are unreachable much of the time.

Discussions of the matter on the DNSOP mailing list seem to indicate that this problem cannot be fixed by ICANN alone, but that the TLD registry operators must be more proactive in ensuring their root-listed name servers are kept in order.

Another potential problem that appears is the root-listed name server records not agreeing with the in-zone name server records. The TLD operators should be conscious of any variance and impact.

The problem of recursion, which is not mentioned in the SECSAC recommendations, also looms large. Many of the root-listed name servers have recursion enabled, which makes them more vulnerable to cache-poisoning attacks.

The complete report is available here. The detection of delegation problem with TLDs has been made easier, as daily reports for ccTLDs and gTLDs are being made available to diagnosis such matters.

By Mark Foster, System Administrator

Filed Under


Karl Auerbach  –  Jan 15, 2004 7:00 PM

It isn’t all that hard to do a lame check - Go to http://dnscheck.se and run it.

The code is in perl and easily downloaded.

It would take ICANN only a couple of minutes to create a script that would do this check on every TLD every day and post the results onto a set of web pages.

Jothan  –  Jan 23, 2004 6:34 PM

Recursion can be present with some of the earlier experimental IDN solutions that sent binary on the wire (circa 1998-2000), yet it largely is present as a legacy issue, where servers require updates to their software and / or configuration.

I ran root-listed nameservers for more than 8 years on 4 ccTLDs, and can say that there was little value to allowing recursion.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC