Lame Delegations
12,113,737 domains with lame delegations (4.49% of dataset)
Analysis by Ishan Karunaratne · Data from 2026-05-25
Domains affected: 12,113,737 | % of dataset: 4.49% | Categories: 6
| Category | Domains |
|---|---|
| Parked NS | 17,879,999 |
| Expired domain | 4,864,915 |
| Suspended NS | 668,481 |
| Other | 413,434 |
| For sale | 354,164 |
| Lame delegation | 40,212 |
What Is a Lame Delegation?
A lame delegation is a DNS misconfiguration where a domain’s NS (Name Server) records point to nameservers that do not actually serve authoritative DNS data for that domain. The term "lame" comes from RFC 1912 Section 2.8, which defines it as a nameserver that is listed as authoritative for a zone but does not actually serve that zone. When a resolver queries a lame nameserver, it receives a referral or SERVFAIL instead of an authoritative answer.
Lame delegations typically occur when a domain expires, a hosting account is deleted, nameserver infrastructure is decommissioned, or DNS configuration is migrated without updating all NS records. The result is that the domain becomes partially or completely unreachable — DNS queries fail, websites go offline, and email delivery stops.
Beyond availability issues, lame delegations create a security vulnerability: if the nameserver hostname’s domain becomes available for registration, an attacker can register it and set up a nameserver that responds authoritatively for every domain still pointing to it. This is known as a nameserver takeover or orphaned delegation attack.
How DNS Checker Detects Lame Delegations
DNS Checker analyzes NS records from gTLD zone files and cross-references nameserver hostnames against known indicators of expired, deleted, suspended, or non-functional delegations. Detection categories include: nameservers resolving to parking/expired pages, NS domains that no longer exist in DNS, nameservers returning REFUSED or SERVFAIL for the delegated zone, and NS hostnames matching known domain-expired or hosting-deleted patterns.
The analysis pipeline processes zone data daily, tracking changes in delegation health over time. Each lame delegation is categorized by type (expired domain, deleted hosting, suspended nameserver, unresponsive server) and severity based on the number of domains affected and the likelihood of nameserver takeover.
How to Fix Lame Delegations
- Use the DNS Checker DNS Inspector to query your domain’s NS records and verify that each nameserver responds authoritatively for your zone.
- If your domain points to nameservers from a previous hosting provider, update the NS records at your domain registrar to point to your current DNS provider’s nameservers.
- Remove stale NS records that point to decommissioned infrastructure. Most registrars allow you to edit nameserver records through their control panel.
- Set up monitoring to alert you when your domain’s DNS resolution fails or nameserver records change unexpectedly.
- If you operate DNS infrastructure, ensure that removing a customer’s zone from your nameservers is coordinated with NS record updates at the registrar to avoid creating orphaned delegations.
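The check in the first step above, which also covers the REFUSED/SERVFAIL detection category, as an added Python example that is not DNS Checker's own code: it sends a non-recursive SOA query to one listed nameserver and classifies the reply by its RCODE and AA flag. The function names and the constructed sample replies are assumptions made for illustration.

```python
import secrets
import socket
import struct

RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, txid):
    """Encode a non-recursive (RD=0) SOA query for the zone apex."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response, txid):
    """Classify one nameserver's raw reply from its header flags and counts."""
    if len(response) < 12:
        return "lame: malformed response"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit clear
        return "invalid: not a reply to this query"
    rcode = flags & 0x000F
    if rcode:
        return "lame: " + RCODES.get(rcode, "RCODE %d" % rcode)
    if not flags & 0x0400:                     # AA bit clear
        return "lame: referral or non-authoritative answer"
    if ancount == 0:                           # AA set but no SOA at this name
        return "lame: no SOA at zone apex"
    return "authoritative"

def check_nameserver(zone, ns_ip, timeout=3.0):
    """Query one listed nameserver over UDP/IPv4 (needs network access)."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_soa_query(zone, txid), (ns_ip, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:                        # timeout, unreachable, etc.
            return "lame: unresponsive"
    return classify(data, txid)

# Constructed header-only replies (not captured traffic) for offline checks.
def sample_reply(flags, ancount, txid=0x1234):
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for name, flags, an in [("authoritative", 0x8400, 1), ("referral", 0x8000, 0),
                            ("servfail", 0x8002, 0), ("refused", 0x8005, 0)]:
        print(name, "->", classify(sample_reply(flags, an), 0x1234))
```

Run `check_nameserver` once per IP address of every NS record in the delegation; a zone is healthy only when every listed server returns `authoritative`.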
Frequently Asked Questions
What is the difference between a lame delegation and an expired domain?
An expired domain has lapsed at the registrar and may be in a redemption grace period or pending delete. A lame delegation is a DNS-level issue where the domain’s NS records point to non-functional nameservers — the domain itself may still be registered and active, but its DNS is broken. A domain can have a lame delegation without being expired, and an expired domain doesn’t necessarily have a lame delegation.
Can a lame delegation be exploited by attackers?
Yes. If a nameserver hostname’s domain becomes available for registration (because the hosting provider’s domain expired or was deleted), an attacker can register that domain, set up a nameserver, and gain control over DNS resolution for every domain still pointing to it. This is known as a nameserver takeover attack.
How does a lame delegation affect email?
When a domain has a lame delegation, MX record lookups fail because the authoritative nameserver cannot be reached. This causes email delivery failures — sending servers receive SERVFAIL responses and bounce the email. Even if the mail server itself is operational, email cannot be delivered if DNS resolution is broken.
What RFC defines lame delegations?
RFC 1912 ("Common DNS Operational and Configuration Errors") Section 2.8 defines lame delegations as a configuration error where NS records point to nameservers that are not authoritative for the zone. RFC 8906 ("A Common Operational Problem in DNS Servers: Failure to Communicate") also discusses delegation issues.