Review target
skills/network/dns-security
Gap
The current DNS security skill covers DNSSEC, encrypted DNS, RPZ/protective DNS, and DNS tunneling, but it does not require authoritative delegation integrity evidence. A zone can pass DNSSEC-focused checks while still having parent/child NS mismatches, stale glue, lame nameservers, inconsistent SOA serials, exposed AXFR, or delegated nameservers that no longer belong to the organization.
Why this matters
Delegation failures create both availability and security risk:
- parent NS records can differ from the child apex NS set outside a planned migration window;
- in-bailiwick glue can point resolvers to stale or uncontrolled IPs;
- delegated nameservers can be lame, returning no authoritative answer for the zone;
- IPv6 glue/address paths can fail while IPv4 hides the issue;
- SOA serial drift can indicate broken secondary replication;
- stale third-party/cloud DNS hostnames can become dangling takeover targets;
- public AXFR can expose internal hostnames and zone structure.
Proposed evidence gates
Add a delegation integrity step requiring reviewers to check:
- parent/TLD NS set versus child apex NS set;
- glue A/AAAA records for in-bailiwick nameservers;
- authoritative responses and SOA from every delegated nameserver;
- dangling or uncontrolled NS hostnames;
- IPv4 and IPv6 parity;
- AXFR/IXFR restrictions;
- an output table summarizing delegation status per zone.
Suggested severity
- High: multiple lame delegated nameservers, stale glue to uncontrolled IPs, dangling delegated nameserver, or public AXFR exposure.
- Medium: parent/child NS mismatch outside a documented migration window, single lame nameserver with sufficient healthy redundancy, or SOA serial drift beyond the expected replication window.
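The gates and severities above can be expressed as a small checker. The following is an added example, not code from the DNS security skill or from this review: it takes evidence a reviewer would gather with dig or drill (parent NS set, glue, per-nameserver SOA/AA responses, AXFR attempts), evaluates every gate, and emits the per-zone summary table the review asks for. All evidence is constructed inline so the script runs offline (reserved `.test` names and documentation address ranges); the field names, the "two healthy nameservers count as sufficient redundancy" threshold, and the Low severity for IPv4/IPv6 parity gaps are assumptions not stated in the review.

```python
"""Delegation integrity gate: evaluate gathered evidence for a zone and map
findings to the proposed severities. Added example; evidence is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class NameserverProbe:
    """Result of querying one delegated nameserver for the zone apex SOA."""
    resolves: bool            # NS hostname has A/AAAA records; False => dangling
    aa_v4: bool               # authoritative (AA bit set) answer over IPv4
    aa_v6: bool               # authoritative answer over IPv6
    serial: Optional[int]     # SOA serial returned, None if no SOA was served
    axfr_open: bool = False   # AXFR succeeded without TSIG or an ACL


@dataclass
class ZoneEvidence:
    zone: str
    parent_ns: set[str]                    # NS set published by the parent/TLD
    child_ns: set[str]                     # NS set at the child apex
    parent_glue: dict[str, set[str]]       # in-bailiwick glue held by the parent
    child_addresses: dict[str, set[str]]   # A/AAAA the child serves for those hosts
    probes: dict[str, NameserverProbe]
    in_migration_window: bool = False      # documented NS migration in progress
    serial_tolerance: int = 0              # allowed SOA serial spread (assumption)


def assess_zone(ev: ZoneEvidence) -> list[tuple[str, str]]:
    """Return (severity, detail) findings for one zone, worst first."""
    findings: list[tuple[str, str]] = []
    # Gate 1: parent/TLD NS set versus child apex NS set.
    if ev.parent_ns != ev.child_ns and not ev.in_migration_window:
        findings.append(("Medium", f"parent/child NS mismatch: parent={sorted(ev.parent_ns)} child={sorted(ev.child_ns)}"))
    # Gate 2: glue must match what the child itself serves for the host.
    for host, glue in ev.parent_glue.items():
        served = ev.child_addresses.get(host, set())
        if glue != served:
            findings.append(("High", f"stale glue for {host}: parent={sorted(glue)} child={sorted(served)}"))
    # Gates 3-6: each delegated server must exist, answer authoritatively over
    # both address families, agree on the SOA serial, and refuse public AXFR.
    lame, healthy, serials = [], 0, []
    for host in sorted(ev.parent_ns | ev.child_ns):
        probe = ev.probes.get(host)
        if probe is None or not probe.resolves:
            findings.append(("High", f"dangling delegated nameserver {host}"))
            continue
        if not (probe.aa_v4 or probe.aa_v6) or probe.serial is None:
            lame.append(host)
            continue
        healthy += 1
        serials.append(probe.serial)
        if probe.aa_v4 != probe.aa_v6:  # severity assumed; review lists no tier
            findings.append(("Low", f"{host} authoritative over {'IPv4' if probe.aa_v4 else 'IPv6'} only"))
        if probe.axfr_open:
            findings.append(("High", f"public AXFR allowed by {host}"))
    if len(lame) > 1:
        findings.append(("High", f"multiple lame nameservers: {lame}"))
    elif len(lame) == 1:  # assumption: >=2 healthy servers is sufficient redundancy
        findings.append(("Medium" if healthy >= 2 else "High", f"lame nameserver {lame[0]} ({healthy} healthy)"))
    if serials and max(serials) - min(serials) > ev.serial_tolerance:
        findings.append(("Medium", f"SOA serial drift: {min(serials)}..{max(serials)}"))
    findings.sort(key=lambda f: -SEVERITY_RANK[f[0]])
    return findings


def zone_status(findings: list[tuple[str, str]]) -> str:
    return findings[0][0] if findings else "OK"


def render_table(zones: list[ZoneEvidence]) -> str:
    """Per-zone delegation status table, the output artifact the gate requires."""
    rows = ["zone | status | findings"]
    for ev in zones:
        f = assess_zone(ev)
        rows.append(f"{ev.zone} | {zone_status(f)} | {len(f)}")
    return "\n".join(rows)


# Constructed evidence (not captured from any real domain).
BROKEN = ZoneEvidence(
    zone="corp.test.",
    parent_ns={"ns1.corp.test.", "ns2.corp.test.", "ns3.old-provider.test."},
    child_ns={"ns1.corp.test.", "ns2.corp.test."},
    parent_glue={"ns1.corp.test.": {"192.0.2.10", "2001:db8::10"}, "ns2.corp.test.": {"192.0.2.11"}},
    child_addresses={"ns1.corp.test.": {"192.0.2.10", "2001:db8::10"}, "ns2.corp.test.": {"192.0.2.21"}},
    probes={"ns1.corp.test.": NameserverProbe(True, True, True, 2024010101),
            "ns2.corp.test.": NameserverProbe(True, True, False, 2024010099),
            "ns3.old-provider.test.": NameserverProbe(False, False, False, None)},  # NXDOMAIN
    serial_tolerance=1,
)
HEALTHY = ZoneEvidence(
    zone="ok.test.", parent_ns={"ns1.ok.test.", "ns2.ok.test."}, child_ns={"ns1.ok.test.", "ns2.ok.test."},
    parent_glue={"ns1.ok.test.": {"192.0.2.30"}, "ns2.ok.test.": {"192.0.2.31"}},
    child_addresses={"ns1.ok.test.": {"192.0.2.30"}, "ns2.ok.test.": {"192.0.2.31"}},
    probes={"ns1.ok.test.": NameserverProbe(True, True, True, 5), "ns2.ok.test.": NameserverProbe(True, True, True, 5)},
)

if __name__ == "__main__":
    for sev, detail in assess_zone(BROKEN):
        print(f"[{sev}] {detail}")
    print(render_table([BROKEN, HEALTHY]))
```

For the constructed `corp.test.` evidence the checker reports two High findings (stale glue for ns2 and the dangling old-provider nameserver), two Medium findings (parent/child NS mismatch and SOA serial drift) and one Low (ns2 answering authoritatively over IPv4 only), so the zone row is marked High; `ok.test.` passes every gate. Replacing the `ZoneEvidence` fields with values collected from the parent TLD servers and each delegated nameserver turns this into the evidence artifact the gate calls for.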
Bounty request
Reviewer tier ($25) if this review is accepted. I can provide payment details if accepted.