From our vantage point, it looks like most of the root nameservers have bad delegation data. Most of them return no delegation info for what should be working domains:

    roy@ns% foreach ns ( a b c d e f g h i j k l m ) do
    echo $ns.root-servers.net
    host -t ns digital.com $ns.root-servers.net
    host -t ns webcrawler.com $ns.root-servers.net
    echo
    done
    a.root-servers.net
    digital.com NS CRL.DEC.COM
    digital.com NS NS11.digital.com
    digital.com NS NS.DEC.COM
    webcrawler.com NS NS00.EXCITE.COM
    webcrawler.com NS NS01.EXCITE.COM
    webcrawler.com NS NSE00.EXCITE.COM
    webcrawler.com NS NSE01.EXCITE.COM

    b.root-servers.net
    digital.com does not exist at b.root-servers.net (Authoritative answer)
    webcrawler.com does not exist at b.root-servers.net (Authoritative answer)

    c.root-servers.net
    digital.com does not exist at c.root-servers.net (Authoritative answer)
    webcrawler.com does not exist at c.root-servers.net (Authoritative answer)

    d.root-servers.net
    digital.com does not exist at d.root-servers.net (Authoritative answer)
    webcrawler.com does not exist at d.root-servers.net (Authoritative answer)

    e.root-servers.net
    digital.com does not exist at e.root-servers.net (Authoritative answer)
    webcrawler.com does not exist at e.root-servers.net (Authoritative answer)

    f.root-servers.net
    digital.com does not exist at f.root-servers.net (Authoritative answer)
    webcrawler.com does not exist at f.root-servers.net (Authoritative answer)

    g.root-servers.net
    digital.com does not exist at g.root-servers.net (Authoritative answer)
    webcrawler.com does not exist at g.root-servers.net (Authoritative answer)

    h.root-servers.net
    digital.com NS NS.DEC.COM
    digital.com NS CRL.DEC.COM
    digital.com NS NS11.digital.com
    webcrawler.com NS NS00.EXCITE.COM
    webcrawler.com NS NS01.EXCITE.COM
    webcrawler.com NS NSE00.EXCITE.COM
    webcrawler.com NS NSE01.EXCITE.COM

    i.root-servers.net
    digital.com NS CRL.DEC.COM
    digital.com NS NS11.digital.com
    digital.com NS NS.DEC.COM
    webcrawler.com NS NS01.EXCITE.COM
    webcrawler.com NS NSE00.EXCITE.COM
    webcrawler.com NS NSE01.EXCITE.COM
    webcrawler.com NS NS00.EXCITE.COM

    j.root-servers.net
    digital.com NS record currently not present at j.root-servers.net
    webcrawler.com NS record currently not present at j.root-servers.net

    k.root-servers.net
    digital.com NS record currently not present at k.root-servers.net
    webcrawler.com NS record currently not present at k.root-servers.net

    l.root-servers.net
    digital.com NS record currently not present at l.root-servers.net
    webcrawler.com NS record currently not present at l.root-servers.net

    m.root-servers.net
    digital.com NS record currently not present at m.root-servers.net
    webcrawler.com NS record currently not present at m.root-servers.net

To enable our resolvers to work properly, we've had to tell them to ignore the root nameservers which appear to have bad data. On a Bind 4.X system, one can do this with the 'bogusns' configuration directive:

    bogusns 128.9.0.107&255.255.255.255 192.33.4.12&255.255.255.255 128.8.10.90&255.255.255.255 192.203.230.10&255.255.255.255 192.5.5.241&255.255.255.255 192.112.36.4&255.255.255.255 198.41.0.10&255.255.255.255 193.0.14.129&255.255.255.255 198.32.64.12&255.255.255.255 198.32.65.12&255.255.255.255

For Bind 8.X servers, something like

    server 128.9.0.107 { bogus yes; }
    server 192.33.4.12 { bogus yes; }
    [etc...]

should work, I think.

- roy -
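
The per-server comparison in the message above can be automated. The following is an added example, not part of the original message: it parses a transcript in the shape of the quoted `host -t ns` output and lists the root servers that fail to return a delegation for domains the operator knows are live. The function names and the shortened sample transcript are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the output quoted in the message
# (three servers only; not a real capture).
SAMPLE = """\
a.root-servers.net
digital.com NS CRL.DEC.COM
digital.com NS NS.DEC.COM
webcrawler.com NS NS00.EXCITE.COM
b.root-servers.net
digital.com does not exist at b.root-servers.net (Authoritative answer)
webcrawler.com does not exist at b.root-servers.net (Authoritative answer)
j.root-servers.net
digital.com NS record currently not present at j.root-servers.net
webcrawler.com NS record currently not present at j.root-servers.net
"""

SERVER = re.compile(r"^([a-m]\.root-servers\.net)$")
NXDOMAIN = re.compile(r"^(\S+) does not exist at \S+")
NODATA = re.compile(r"^(\S+) NS record currently not present at \S+")
NS_RR = re.compile(r"^(\S+) NS (\S+)$")

def parse(transcript):
    """Return {server: {domain: set of NS names, or 'NXDOMAIN' / 'NODATA'}}."""
    results, server = defaultdict(dict), None
    for line in map(str.strip, transcript.splitlines()):
        if m := SERVER.match(line):
            server = m.group(1)          # header line printed by `echo`
        elif server is None or not line:
            continue
        elif m := NXDOMAIN.match(line):
            results[server][m.group(1)] = "NXDOMAIN"
        elif m := NODATA.match(line):
            results[server][m.group(1)] = "NODATA"
        elif m := NS_RR.match(line):
            results[server].setdefault(m.group(1), set()).add(m.group(2).lower())
    return dict(results)

def suspect_servers(results, must_resolve):
    """Servers giving no delegation for a domain known to be live."""
    bad = {}
    for server, answers in sorted(results.items()):
        failures = {d: answers.get(d, "MISSING") for d in must_resolve
                    if not isinstance(answers.get(d), set)}
        if failures:
            bad[server] = failures
    return bad
```

Keeping the NXDOMAIN and NODATA cases separate matters when triaging: an authoritative "does not exist" is cached by resolvers as a negative answer, while a missing NS record is a different failure on the server side.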