Lame delegation test

How APNIC tests for lame delegations

APNIC has developed a system to test for lame DNS delegations within the in-addr.arpa and ip6.arpa domains. A DNS delegation is the assignment of a zone to a nameserver. The system queries each nameserver for the zones that are delegated to it according to registration information in the APNIC Whois Database.

A nameserver is tested by asking for data that has to be present in a zone. If the nameserver responds with a positive answer and claims to be authoritative, the nameserver is okay for that zone. Any other answer indicates that the nameserver is lame for the tested zone. If there is no correct answer, the test is repeated over a 15-day period; if there is persistently no correct answer, the nameserver is considered lame.

Example of a valid IN-ADDR.ARPA delegation:

; <<>> DiG 9.2.1 <<>> 28.12.202.in-addr.arpa @cumin.apnic.net soa +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17968
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;28.12.202.in-addr.arpa. IN SOA

;; ANSWER SECTION:
28.12.202.in-addr.arpa. 3600 IN SOA cumin.apnic.net. dns-admin.apnic.net. 2004010901 3600 1800 604800 3600

;; Query time: 1 msec
;; SERVER: 202.12.29.59#53(cumin.apnic.net)
;; WHEN: Wed Sep 29 11:26:23 2004
;; MSG SIZE rcvd: 101

Note:

  1. status: NOERROR
  2. flags: qr aa
  3. ANSWER: 1

Together, these indicate that the delegation of 28.12.202.in-addr.arpa to cumin.apnic.net is healthy and not lame.

Common lame responses include ‘status: REFUSED’ or ‘status: SERVFAIL’. The flags in a lame response may include ‘rd ra’, which indicates that the server is performing recursion to find the answer and is not authoritative.
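The three checks above (status, aa flag, answer count) can be applied directly to the DNS wire header. The following is an added example, not APNIC's own test code: the function names, the sample headers and the choice to treat a timeout as a failed attempt are assumptions, and it inspects only the 12-byte header of one response over IPv4 UDP rather than repeating the test over a 15-day period.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, qid=0x1234):
    """SOA query with RD clear, the wire form of dig's `soa +norec`."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response):
    """Return (lame, reason) from the header of one DNS response."""
    if len(response) < 12:
        return True, "short or empty response"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    rcode, aa, ra = flags & 0x000F, bool(flags & 0x0400), bool(flags & 0x0080)
    if rcode != 0:
        return True, "status: " + RCODES.get(rcode, str(rcode))
    if not aa:
        return True, "not authoritative" + (" (ra set)" if ra else "")
    if ancount < 1:
        return True, "authoritative but ANSWER: 0"
    return False, "status: NOERROR, aa set, ANSWER: %d" % ancount

def probe_nameserver(zone, server_ip, timeout=3.0):
    """One attempt over UDP. Assumption: a timeout counts as a failed attempt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_soa_query(zone), (server_ip, 53))
            return classify(sock.recvfrom(4096)[0])
        except OSError as exc:
            return True, "no response (%s)" % exc

def make_header(flags, ancount):
    """Constructed 12-byte response header for the offline samples below."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {  # constructed, not captured traffic
    "qr aa, NOERROR, ANSWER: 1": make_header(0x8400, 1),
    "REFUSED": make_header(0x8005, 0),
    "SERVFAIL": make_header(0x8002, 0),
    "qr rd ra, no aa": make_header(0x8180, 1),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, "->", classify(packet))
```

Only the first constructed sample is classified as healthy; the REFUSED, SERVFAIL and non-authoritative recursive samples are all reported as lame for that attempt.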