[dns-operations] using different DNS providers together

Mike Jones mike at mikejones.in
Tue Nov 6 16:34:59 UTC 2012


On 6 November 2012 13:52, Mark Jeftovic <markjr at easydns.com> wrote:
>
>
> On 12-11-06 7:33 AM, Danny McPherson wrote:
>>
>> On Nov 6, 2012, at 4:40 AM, Feng He wrote:
>>
>>> On 2012-11-6 17:08, Steven Carr wrote:
>>>> They all expect you to use their own custom DNS management tools for
>>>> managing the domain and expect that you only have it hosted with them,
>>>> I'm not even sure some of the providers would allow you to create
>>>> additional NS records so yes there could be problems in that the glue
>>>> would not match the NS returned by one of the providers, so it would
>>>> appear that some of the NS are stealth.
>>>
>>> That's great point. I totally agree with it.
>>
>> Or, if they're not in-bailiwick it may require additional queries to prime things on recursive servers.
>>
>> DNSSEC of course addresses object-level security issues with authoritative servers.
>>
>
> What kind of problems would occur from the glue not matching the NS records?

Nothing compared to what I assume would happen if these providers
started supporting DNSSEC as primary-only in the same way they are
doing here. Different sets of servers each doing their own DNSSEC
signing with different keys and not publishing each other's keys
alongside them - I don't see that working too well.

NS mismatches just mean that a resolver might not "see" all the
possible servers and how queries get load balanced between them might
be non-obvious, but as long as the rest of the data is consistent
(this is the main problem!) it shouldn't cause any issues during
normal operation. If a resolver has a smaller cached NS set (for
example only the 2 cloudflare ones) and all of those servers are down
it might go back to the parent and find the other servers that are
still up. The "might" is the issue with this setup.

Will it automatically break stuff? No, but when something does break
it'll make it a lot harder to find out what.

- Mike
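As an added illustration of the failure modes Mike describes (example code, not from the thread): an offline check in which constructed NS and A data stand in for real query results, flagging which delegated servers each provider's NS RRset hides from resolvers, whether a one-provider outage forces a resolver back to the parent, and whether the data actually served agrees across servers.

```python
"""Offline check for the multi-provider NS mismatch discussed in this thread.
Constructed data stands in for real non-recursive NS and A query results."""
from collections import Counter
from typing import Dict, FrozenSet, List, Set

# Constructed: the registrar lists all four servers at the parent, but each
# provider's copy of the zone names only its own two servers.
A_SET = frozenset({"ns1.provider-a.example", "ns2.provider-a.example"})
B_SET = frozenset({"ns1.provider-b.example", "ns2.provider-b.example"})
PARENT_NS: FrozenSet[str] = A_SET | B_SET
CHILD_NS: Dict[str, FrozenSet[str]] = {
    "ns1.provider-a.example": A_SET, "ns2.provider-a.example": A_SET,
    "ns1.provider-b.example": B_SET, "ns2.provider-b.example": B_SET,
}
# Constructed: the A RRset each server returns for www; one copy is stale.
CHILD_DATA: Dict[str, FrozenSet[str]] = {
    "ns1.provider-a.example": frozenset({"192.0.2.10"}),
    "ns2.provider-a.example": frozenset({"192.0.2.10"}),
    "ns1.provider-b.example": frozenset({"192.0.2.10"}),
    "ns2.provider-b.example": frozenset({"192.0.2.99"}),
}


def stealth_servers(parent_ns: FrozenSet[str],
                    child_ns: Dict[str, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Per server: delegated servers its own NS RRset omits. A resolver that
    cached that RRset (child data overrides the parent's) never sees them."""
    return {srv: set(parent_ns - rrset) for srv, rrset in child_ns.items()}


def must_requery_parent(first_server: str, child_ns: Dict[str, FrozenSet[str]],
                        down: Set[str]) -> bool:
    """True when every server in the cached NS set is down, so the resolver
    only recovers if it goes back to the parent: the "might" in the post."""
    return child_ns[first_server] <= down


def inconsistent_servers(child_data: Dict[str, FrozenSet[str]]) -> List[str]:
    """Servers whose answer differs from the majority: the real hazard, since
    which server a resolver asks is not under the operator's control."""
    majority, _ = Counter(child_data.values()).most_common(1)[0]
    return sorted(srv for srv, rrset in child_data.items() if rrset != majority)


if __name__ == "__main__":
    for srv, hidden in stealth_servers(PARENT_NS, CHILD_NS).items():
        print(f"{srv} does not advertise {sorted(hidden)}")
    print("provider A outage forces parent re-query:",
          must_requery_parent("ns1.provider-a.example", CHILD_NS, set(A_SET)))
    print("servers with divergent data:", inconsistent_servers(CHILD_DATA))
```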
