It's not the only reason. There are also delegations to inaccessible DNS servers for internal-only zones.
Currently, the BRs require fail close if the zone is DNSSEC-signed. This has been a huge fiasco, because no off-the-shelf DNS resolver makes it easy to tell if a zone is DNSSEC-signed. CAs came up with a variety of creative solutions.