External (not in the same domain) name server
Hello,

I searched if this issue has been around previously, but neither Google nor the NANOG list search produced anything recent and relevant. There has been some discussion on whois host entries etc, however. The real issue, why this seems impossible with many registrars, is explained at the end of this email.

Background:

(I use private IP addresses in this example, but in real life they would be normal routable IP addresses.)

I have in mind a setup where:

- There is one main domain, which is used for "master" name servers:

      mxx1.net        NS  ns1.mxx1.net
      mxx1.net        NS  ns2.mxx1.net
      mxx1.net        NS  ns3.mxx1.net
      mxx1.net        NS  ns4.mxx1.net
      ns1.mxx1.net    A   10.1.1.2
      ns1.mxx1.net    A   10.1.2.2
      ns1.mxx1.net    A   10.2.1.2
      ns1.mxx1.net    A   10.2.2.2

  ns1, ns2, ns3 and ns4 are well connected and quite permanently at their IP addresses.

- There are a number of cooperating organizations, each having one dedicated name server (which can also handle other tasks, like acting as a secondary SMTP server etc.)

- The organizations are (there may be tens or hundreds of them):

      cxx-1.com
      cxx-2.com
      .
      .

- Each cxx-n.com has its domain registered like this:

      cxx-1.com  NS  ns1.cxx-1.com.e.mxx1.net.
      cxx-1.com  NS  ns2.cxx-1.com.e.mxx1.net.
      cxx-1.com  NS  ns3.cxx-1.com.e.mxx1.net.
      cxx-1.com  NS  ns4.cxx-1.com.e.mxx1.net.
      cxx-1.com  NS  ns5.cxx-1.com.e.mxx1.net.

      cxx-2.com  NS  ns1.cxx-2.com.e.mxx1.net.
      cxx-2.com  NS  ns2.cxx-2.com.e.mxx1.net.
      cxx-2.com  NS  ns3.cxx-2.com.e.mxx1.net.
      cxx-2.com  NS  ns4.cxx-2.com.e.mxx1.net.
      cxx-2.com  NS  ns5.cxx-2.com.e.mxx1.net.

  etc.

- Each cxx-n.com.e.mxx1.net zone name server offers records like this:

      ns1.cxx-1.com.e.mxx1.net  600  A  10.20.1.2  ; server at cxx-1's location
      ns2.cxx-1.com.e.mxx1.net  600  A  10.20.2.2  ; server at cxx-2's location
      ns3.cxx-1.com.e.mxx1.net  600  A  10.20.3.2  ; server at cxx-3's location
      ns4.cxx-1.com.e.mxx1.net  600  A  10.20.4.2  ; server at cxx-4's location
      ns5.cxx-1.com.e.mxx1.net  600  A  10.20.5.2  ; server at cxx-5's location

      ns1.cxx-4.com.e.mxx1.net  600  A  10.20.4.2  ; server at cxx-4's location
      ns2.cxx-4.com.e.mxx1.net  600  A  10.20.5.2  ; server at cxx-5's location
      ns3.cxx-4.com.e.mxx1.net  600  A  10.20.6.2  ; server at cxx-6's location
      ns4.cxx-4.com.e.mxx1.net  600  A  10.20.7.2  ; server at cxx-7's location
      ns5.cxx-4.com.e.mxx1.net  600  A  10.20.8.2  ; server at cxx-8's location

Pro:

- {ns1,ns2,ns3,ns4}.mxx1.net don't have to handle all NS requests to the different cxx-n.com domains.
- Each cxx-n.com.e.mxx1.net name server can monitor whether each of its name servers is alive and change the A record to a more suitable address when necessary.

Con:

- Needs careful configuration.
- Requires more DNS requests than the simpler setup:

  + To resolve e.g. www.cxx-1.com A (traditional setup):

        www.cxx-1.com:A --> A.GTLD-SERVERS.NET
            cxx-1.com       NS  ns-1.cxx-1.com
            ns-1.cxx-1.com  A   10.20.1.2
        www.cxx-1.com:A --> 10.20.1.2
            www.cxx-1.com   A   10.20.1.3

    is 2 transactions.

  + New setup:

        www.cxx-1.com:A --> A.GTLD-SERVERS.NET
            cxx-1.com                 NS  ns1.cxx-1.com.e.mxx1.net
        ns1.cxx-1.com.e.mxx1.net:A --> A.GTLD-SERVERS.NET
            mxx1.net                  NS  ns1.mxx1.net
            ns1.mxx1.net              A   10.1.1.2
        ns1.cxx-1.com.e.mxx1.net:A --> 10.1.1.2
            ns1.cxx-1.com.e.mxx1.net  A   10.20.1.2
        www.cxx-1.com:A --> 10.20.1.2
            www.cxx-1.com             A   10.20.1.3

    is 4 transactions, and if we separate each cxx-1.com.e.mxx1.net zone onto a different name server, we get 5 transactions.

  The difference is that we can adjust with TTL values which parts of the name resolution are short lived and which are long lived.

And now the problem with some registrars (or is it the same with all of them):

godaddy.com:

Only allows "registered hosts" to be used as name servers in .com and .net domains. If the name server host is in the com or net domain and it is not in the same domain, it needs to be a registered host, which basically means that it has to be (or have been) an NS of its SLD with a glue record (an A record). But for example, any .fi ending (Finland) host name can be entered as a name server and it gets automatically "registered" without an A record.

joker.com:

Same as godaddy.com, but doesn't allow foreign (like .fi) host names as name servers if they have too many dots in the host name.

I didn't dare to try Network Solutions because it was very slow the last time I tried the WWW interface.

To summarize:

I have read this <URL:http://cr.yp.to/djbdns/notes.html#gluelessness> and understand that point of view.

Am I trying to accomplish something which is not really needed, or would such an approach be useful in some situations?
Hmm, let me see. Our .net domain has glue records set up for the nameservers; all domains we register use those nameservers. No problem.

Your variation, if I understand it, is that you don't wish to use those addresses; you want to use a subdomain, to which your point is perfectly okay that one references the other and the other has glue in place.

So you are saying that these registrars only allow you to register against nameservers which have glue records? Seems kind of a silly restriction, as this would appear to be how ccTLDs resolve (which require recursion to find the cc nameservers and the glue there etc.).

I guess the obvious answer is, as these are your domains, don't use registrars who impose such restrictions on you?

Just looking through what you're doing though, I don't follow that the ns*.mxx1.net nameservers have a reduced load; also it's not clear what the gain is in this setup when DNS loads are so small anyway?

Steve
On 2 Mar 2004, at 19:06, Antti Louko wrote:
And now the problem with some registrars (or is it the same with all of them):
godaddy.com:
Does only allow to use "registered hosts" as name servers in .com and .net domains.
This is a requirement of Verisign registry, and should be true for all net/com registrars.
Does only allow to use "registered hosts" as name servers in .com and .net domains.

This is a requirement of Verisign registry, and should be true for all net/com registrars.

s;net/com;;

presuming you mean that there should be registered host rr for all known servers. otherwise, i suspect the servfails will get even worse.

sadly, forcing an A RR does not ensure that the server is in fact serving the zone. i would not be unhappy if the registrar or registry would test this occasionally.

randy
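Two points in this thread lend themselves to a small simulation: Antti Louko's transaction counts for the traditional delegation versus the "external name server" scheme (and the gluelessness note he links), and Randy Bush's remark that a registered host with an A record is no proof that the host actually serves the zone. The block below is an added example written for this page, not code from either poster. It builds a toy iterative resolver over constructed zone data, counting from the gTLD server as the original post does (the root referral is treated as cached). Names and addresses follow the post; the gTLD server address, the loop-a.com/loop-b.com cycle, the lame.com delegation and the SOA rdata are made up for the example.

```python
# Toy iterative resolver over constructed zone data (added example, not the
# thread's code). RFC 1918 addresses stand in for routable ones as in the post;
# the gTLD address, loop-a/loop-b, lame.com and the SOA rdata are made up here.

GTLD = "192.5.6.30"  # stands in for A.GTLD-SERVERS.NET, where the post starts counting

# server address -> {zone apex -> {(owner, rrtype): [rdata, ...]}}
ZONES = {
    GTLD: {
        "com.": {
            ("cxx-1.com.", "NS"): ["ns-1.cxx-1.com."],            # traditional, with glue
            ("ns-1.cxx-1.com.", "A"): ["10.20.1.2"],
            ("cxx-2.com.", "NS"): ["ns1.cxx-2.com.e.mxx1.net."],  # proposed scheme: no glue possible
            ("loop-a.com.", "NS"): ["ns.loop-b.com."],            # constructed glueless cycle
            ("loop-b.com.", "NS"): ["ns.loop-a.com."],
            ("lame.com.", "NS"): ["ns-1.cxx-1.com."],             # constructed: registered, not serving
        },
        "net.": {
            ("mxx1.net.", "NS"): ["ns1.mxx1.net."],
            ("ns1.mxx1.net.", "A"): ["10.1.1.2"],
        },
    },
    "10.1.1.2": {"mxx1.net.": {  # ns1.mxx1.net, serving the whole mxx1.net tree
        ("mxx1.net.", "SOA"): ["ns1.mxx1.net. hostmaster.mxx1.net. 1"],
        ("ns1.cxx-2.com.e.mxx1.net.", "A"): ["10.20.2.2"],
    }},
    "10.20.1.2": {"cxx-1.com.": {  # ns-1.cxx-1.com
        ("cxx-1.com.", "SOA"): ["ns-1.cxx-1.com. hostmaster.cxx-1.com. 1"],
        ("www.cxx-1.com.", "A"): ["10.20.1.3"],
    }},
    "10.20.2.2": {"cxx-2.com.": {  # the server at cxx-2's location
        ("cxx-2.com.", "SOA"): ["ns1.cxx-2.com.e.mxx1.net. hostmaster.cxx-2.com. 1"],
        ("www.cxx-2.com.", "A"): ["10.20.2.3"],
    }},
}


class ResolutionError(Exception):
    pass


def serve(server_zones, name, rtype):
    """What one authoritative server says to one query."""
    hits = [z for z in server_zones if name == z or name.endswith("." + z)]
    if not hits:
        return ("refused",)  # not a zone it serves: lame for this name
    zone = max(hits, key=len)
    rrs = server_zones[zone]
    node = name
    while node != zone:  # a delegation below the apex wins over any data
        if (node, "NS") in rrs:
            ns_names = rrs[(node, "NS")]
            glue = {ns: rrs[(ns, "A")] for ns in ns_names if (ns, "A") in rrs}
            return ("referral", node, ns_names, glue)
        node = node.split(".", 1)[1]
    if (name, rtype) in rrs:
        return ("answer", rrs[(name, rtype)])
    return ("nodata",)


class Resolver:
    MAX_DEPTH = 8  # bounds glueless loops instead of recursing forever

    def __init__(self, zones, start):
        self.zones, self.start, self.transactions = zones, start, 0

    def query(self, server, name, rtype):
        """One exchange with one server: the unit the post counts."""
        self.transactions += 1
        return serve(self.zones[server], name, rtype)

    def resolve(self, name, rtype, servers=None, depth=0):
        if depth > self.MAX_DEPTH:
            raise ResolutionError(f"{name}: too many indirections (glueless loop?)")
        for server in servers or [self.start]:
            kind, *payload = self.query(server, name, rtype)
            if kind == "answer":
                return payload[0]
            if kind == "referral":
                _zone, ns_names, glue = payload
                addrs = []
                for ns in ns_names:  # no glue: the NS name costs its own lookups
                    addrs.extend(glue.get(ns) or self.resolve(ns, "A", depth=depth + 1))
                return self.resolve(name, rtype, addrs, depth + 1)
            # refused / nodata: fall through to the next listed server
        raise ResolutionError(f"{name} {rtype}: no listed server answered")


def count_transactions(name, rtype="A"):
    """(answer, number of queries) for a cold-cache lookup starting at GTLD."""
    r = Resolver(ZONES, GTLD)
    return r.resolve(name, rtype), r.transactions


def check_delegation(zone):
    """Randy Bush's check: does each NS the parent lists answer the zone's SOA?"""
    r = Resolver(ZONES, GTLD)
    kind, *payload = r.query(GTLD, zone, "NS")
    if kind != "referral":
        raise ResolutionError(f"{zone}: parent holds no delegation")
    _zone, ns_names, glue = payload
    return {ns: all(r.query(a, zone, "SOA")[0] == "answer"
                    for a in (glue.get(ns) or r.resolve(ns, "A")))
            for ns in ns_names}
```

count_transactions("www.cxx-1.com.") takes 2 queries and count_transactions("www.cxx-2.com.") takes 4, matching the post's two tallies; www.loop-a.com. never resolves because each NS name needs the other zone's NS name first, which is the failure mode the linked gluelessness note warns about. check_delegation("lame.com.") reports ns-1.cxx-1.com. as not serving even though the parent holds a perfectly good A record for it.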
<quote who="Randy Bush">
i would not be unhappy if the registrar or registry would test this occasionally.
For what values of occasionally? And for what operational benefit? Removal of the record(s) certainly wouldn't be appropriate so what would you like to see happen? A CIDR Report style email to nanog-l? *yawn* -davidu ---------------------------------------------------- David A. Ulevitch - Founder, EveryDNS.Net Washington University in St. Louis http://david.ulevitch.com -- http://everydns.net ----------------------------------------------------
i would not be unhappy if the registrar or registry would test this occasionally. For what values of occasionally?
i can think of a lot of values more interesting than zero
And for what operational benefit? Removal of the record(s) certainly wouldn't be appropriate
why not? what is the use of a zone that is not being served? randy
<quote who="Randy Bush">
And for what operational benefit? Removal of the record(s) certainly wouldn't be appropriate
why not? what is the use of a zone that is not being served?
A query not being answered to you or the verifier is not the same thing as a zone not being served. (I would also assume that a failed check would result in the zone being perhaps "queued" for more re-testing or asking the netop to autoack something.) I still don't see the operational benefit in removing these records. (Checking them could be worthwhile (see below), but removing them...why?) <quote who="Tim Wilde">
You mean http://www.cymru.com/DNS/lame.html ? Team Cymru have been doing that for ages. Doesn't actually force the issue anywhere, but it does get checked and published, using contributed resolver logs.
Three comments:

1) I think there is some operational value in tracking this data for the in-addr.arpa tree but less benefit to getting this data for general forward nameservice (except maybe to people like you and me).

2) For Cymru's page to be of much benefit it needs a lot more resolver contributions. If some large, end-user ISPs submitted data it would become much more useful. The problem (in getting data) with this project is that the people who submit are not necessarily the people who benefit, which provides less incentive for sysops to participate.

3) With this data published someone could check the list for lame delegations and come to our site and set up those domains and begin using them. This could be used by spammers and other sludge to "borrow" domains. A solvable problem but one which would become substantially easier if there was a comprehensive list of lame delegations that could be correlated with third-party DNS services.

-davidu
----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
On Tue, 2 Mar 2004, David A. Ulevitch wrote:
A CIDR Report style email to nanog-l? *yawn*
You mean http://www.cymru.com/DNS/lame.html ? Team Cymru have been doing that for ages. Doesn't actually force the issue anywhere, but it does get checked and published, using contributed resolver logs. -- Tim Wilde twilde@dyndns.org Systems Administrator Dynamic Network Services, Inc. http://www.dyndns.org/
presuming you mean that there should be registered host rr for all known servers. otherwise, i suspect the servfails will get even worse.
sadly, forcing an A RR does not ensure that the server is in fact serving the zone. i would not be unhappy if the registrar or registry would test this occasionally.
randy
ah... the good ol days. when this was checked. :) --bill
participants (7)
- Antti Louko
- bill
- David A. Ulevitch
- Joe Abley
- Randy Bush
- Stephen J. Wilcox
- Tim Wilde