Last updated May 26, 2021.
This zone file contains 1,426+ records for 935 FQDNs.
Download CSV or TXT format.
Vatican City is the smallest independent nation-state in the world. As a nation it was given the .va ccTLD. This country code top-level domain is restricted for usage by Vatican City (also known as the Holy See) and represents the religion of Catholicism at large. One would suspect that there would be a relatively small network behind such a small nation, but the reality is quite surprising. The Vatican .va (Holy See) ccTLD operates around two hundred apex domains, encompassing over seven hundred subdomains, which connect the various aspects of Vatican City's internal operations and publicly facing websites. As it stands there is no official way to request the zone file from Vatican City. Furthermore, it has been over a decade since the 2007 VA ccTLD zone file was published (originally by Robert Baskerville). This led me to develop my own zone file as part of a research initiative, which I am making available for interested researchers.
The va-zone.txt file is tab delimited and contains a running list of each record identified, whereas the va-zone.csv file contains separate columns for record name, record type, and record value for easy sorting and filtering.
Unlike many nameservers, apex domains in the VA zone may forward traffic directly with a CNAME, as opposed to using an A record. For example, www.va only has a CNAME pointing to www.vatican.va.
Typically when navigating to a domain, if the website resides at www.example.com then navigating to example.com will redirect you to the former. This is not the case within the VA zone. For example, vatican.va contains no A or CNAME records and will never resolve to a website directly, whereas www.vatican.va contains a CNAME record and will resolve to the main Vatican City website.
While most of the internet now redirects all http traffic to https, this is not the case with most domains within the VA zone. For example, you can access either https://www.vatican.va or http://www.vatican.va without being redirected.
Quite a few domains registered in the zone appear to be used exclusively for email addresses (neither the apex domain nor the www equivalent contained A or CNAME records) and no subdomain records appear to exist.
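The patterns described above can be checked mechanically against the CSV. This is an added example, not the author's code: it assumes three columns per row in the order the page gives (record name, record type, record value) and that every apex is a single label directly under va; the sample rows and the category names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout described above (name, type, value);
# they are illustrative and not copied from the real va-zone.csv.
SAMPLE_CSV = """\
vatican.va,MX,10 mx.example.net
www.vatican.va,CNAME,cdn.example.net
news.vatican.va,A,192.0.2.10
www.va,CNAME,www.vatican.va
mailonly.va,MX,10 mx.example.net
mailonly.va,TXT,v=spf1 -all
plain.va,A,192.0.2.20
www.plain.va,CNAME,plain.va
"""

WEB = {"A", "AAAA", "CNAME"}  # record types that can lead to a website

def classify(csv_text):
    """Return {apex: category} for every apex domain found in the CSV text."""
    types = defaultdict(set)  # FQDN -> set of record types seen for it
    for row in csv.reader(io.StringIO(csv_text)):
        name = row[0].strip().lower().rstrip(".") if len(row) == 3 else ""
        if not name.endswith(".va"):  # skips headers, blanks and the bare "va" SOA
            continue
        types[name].add(row[1].strip().upper())

    names_by_apex = defaultdict(set)  # apex -> every FQDN at or below it
    for name in types:
        names_by_apex[".".join(name.split(".")[-2:])].add(name)

    result = {}
    for apex, names in names_by_apex.items():
        www = "www." + apex
        apex_t, www_t = types.get(apex, set()), types.get(www, set())
        subs = names - {apex, www}  # subdomains other than www
        if "CNAME" in apex_t:
            result[apex] = "apex-cname"    # e.g. www.va forwarding by CNAME
        elif apex_t & WEB:
            result[apex] = "apex-address"  # conventional apex with an address
        elif www_t & WEB:
            result[apex] = "www-only"      # the vatican.va pattern
        elif "MX" in apex_t and not subs:
            result[apex] = "mail-only"     # no web records, no subdomains
        else:
            result[apex] = "other"
    return result
```

Calling `classify(open("va-zone.csv").read())` applies the same grouping to the downloaded file.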
Research began with the Vatican City's two autonomous systems (AS8978 and AS202865). Almost all Vatican City networks and servers operate within these two IP address blocks (with very few exceptions). With research on the scope of the ccTLD over the past twenty years obtained from the Internet Archive, I was able to construct a fairly robust map of the primary domains in the zone. This project would have been impossible without Caffix's amass project, which allowed me to perform subdomain enumeration on each valid apex domain, automating what would have taken dozens of hours to complete by hand. Finally, DNS records for each valid domain and subdomain were collected into the final zone data presented above.
This zone file was not obtained via a zone transfer, but instead created by compiling data collected through various methods. Consequently, this zone data does not necessarily contain every record that exists within the real .va ccTLD zone file operated by Vatican City. Additionally, most of the domains use the same nameservers as the SOA for va. I did not include additional NS records unless they differed from the SOA.