Lame Delegation — DNS Panopticon

Short Description

Lame delegation occurs when parent NS records point at servers that are not authoritative for the child zone.

Users experience random timeouts and inconsistent answers, making incidents harder to diagnose quickly.

Registrar NS records drift from actual zone authorities or legacy name servers are decommissioned but still delegated.

Run dig NS domain.com @tld-server, then query SOA at each delegated NS to verify authority behavior.

Align parent and child NS sets, remove dead servers, verify TCP/UDP reachability, and revalidate after TTL expiry.

One stale NS host remained at registrar after migration and introduced intermittent lookup failure.

Parent-child NS parity checks, lame-server probing, and delegation drift evidence.

Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.

Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
Document the root cause and the final fix in your runbook to shorten future incidents.