Lame DNS Reverse Delegation

DNS reverse delegations are considered lame if some or all of the registered DNS nameservers are unreachable or badly configured. Lame DNS reverse delegations can cause several problems across the Internet, such as:

  • Delays in service for clients using affected address ranges
    These delays come from timeouts in reverse-address lookup when the receiving party tries to resolve the calling source address
  • Refusal of service due to failures during DNS processing
  • Increased DNS traffic between caching DNS nameservers and the listed authoritative servers, from the root down, as they process requests that can only fail after a timeout
    This represents a measurable load on critical infrastructure, which the RIRs have been requested to investigate and reduce.

Lame DNS reverse delegations can affect both the users of the network in question and unrelated third parties. The hierarchical nature of authoritative delegation means that end users cannot resolve the problem themselves. If the network administrators do not correct errors in their DNS configurations, the only other way to reduce the impact of those errors is for the RIR to resume control of the delegated domain and disable the listing of the misconfigured servers so that a valid NXDOMAIN DNS response can be sent.
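The definition above (some or all listed nameservers unreachable or badly configured) can be turned into a per-server check. The following is an added example, not APNIC's own test: it assumes a server counts as healthy only if it answers an SOA query for the reverse zone with NOERROR, the AA (authoritative) bit set and at least one answer record. The nameserver names, zone and reply bytes are constructed sample data.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def classify_response(wire):
    """Classify one server's reply to an SOA query for the reverse zone.

    wire: raw DNS message bytes, or None if the query timed out.
    """
    if wire is None:
        return "lame: unreachable (timeout)"
    if len(wire) < 12:
        return "lame: malformed reply"
    # DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    qr, aa, rcode = flags >> 15, (flags >> 10) & 1, flags & 0xF
    if not qr:
        return "lame: malformed reply"
    if rcode != 0:
        return "lame: rcode " + RCODES.get(rcode, str(rcode))
    if not aa or ancount == 0:
        return "lame: not authoritative for zone"
    return "ok"

def check_delegation(replies):
    """Return (status, per-server results) for one delegated zone."""
    results = {ns: classify_response(w) for ns, w in replies.items()}
    lame = [ns for ns, r in results.items() if r != "ok"]
    if not lame:
        status = "ok"
    elif len(lame) == len(results):
        status = "fully lame"
    else:
        status = "partially lame"
    return status, results

def hdr(flags, ancount):
    """Build a constructed 12-byte DNS header (sample data only)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed replies for 113.0.203.in-addr.arpa (documentation prefix).
SAMPLE = {
    "ns1.example.net": hdr(0x8400, 1),  # QR+AA, SOA in answer
    "ns2.example.net": hdr(0x8005, 0),  # REFUSED
    "ns3.example.net": None,            # timed out
}

if __name__ == "__main__":
    status, results = check_delegation(SAMPLE)
    print(status, results)
```

Both "partially lame" and "fully lame" fall under the definition given above, since it covers some or all of the registered nameservers.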

Reverse delegations currently identified as lame

The APNIC Secretariat identifies lame DNS name servers for delegations associated with address blocks allocated, assigned, or administered by APNIC. Upon identification of a lame delegation, APNIC will attempt to contact the people responsible for that resource. The contact process will at least follow this sequence until the lame delegation is repaired:

  • Email the admin-c and tech-c contacts associated with the delegation in the APNIC Whois Database.
  • Telephone the admin-c and tech-c associated with the whois records.

After attempting to contact the domain holder and confirming that the lame delegation persists for a minimum of 45 days after first being declared lame, APNIC will update the resource record with a text marker including:

  • This marker will identify the DNS delegation as ‘administratively blocked’ and will cause the delegation to be withdrawn.
  • The marker may be removed by the domain holders at any time, using normal APNIC Whois Database procedures.

While the delegation remains blocked, APNIC will send monthly email reminders to each admin-c and tech-c.