[dns-operations] Registrar for .net and .com fails to accept an NS in .edu
John W.O'Brien
obrienjw at upenn.edu
Tue Dec 4 15:31:08 UTC 2018
Mariano,
Thank you for the time you took to explain glue records.
On 2018/12/04 09:27, Mariano Absatz - gmail wrote:
>
> --
> Mariano Absatz - El Baby
> www.clueless.com.ar <http://www.clueless.com.ar>
>
>
>
> On Tue, 4 Dec 2018 at 09:50, John W.O'Brien <obrienjw at upenn.edu
> <mailto:obrienjw at upenn.edu>> wrote:
>
> Hi Duane,
>
> Thank you for chiming in on this. This information is convergent with
> what I've been learning via off-list responses and from tech support
> contacts at various organizations.
>
> A thing that is still causing me some grinding of gears---and this feels
> like I may be wandering into unknowing-n00b territory---is the use of
> the term "glue records" in this context. This is a Verisign business
> logic-based process step, not a DNS protocol-based one. Right?
>
>
> Hi John,
>
> "glue record" /is/ a DNS protocol-based term (and an old one indeed).
>
> You need a glue record when you do in-zone delegations, for example, if
> you want to delegate the domain example.com <http://example.com> to
> ns1.example.com <http://ns1.example.com> and
> ns2.example.com <http://ns2.example.com> if it weren't for the glue
> records you get yourself into
> a chicken-and-egg problem.
>
> If you just put the delegation (NS) records in the .com authoritative
> servers, a resolver querying any of those about www.example.com
> <http://www.example.com> would
> get a response with AUTHORITY set to ns1.example.com
> <http://ns1.example.com> and ns2.example.com <http://ns2.example.com>.
>
> Then the resolver tries to resolve ns1.example.com
> <http://ns1.example.com> and, querying the
> .com name servers it gets a response with AUTHORITY set to
> ns1.example.com <http://ns1.example.com> and ns2.example.com
> <http://ns2.example.com>.
>
> To find out the IP address of ns1.example.com <http://ns1.example.com>
> you first need to know the
> IP address of ns1.example.com <http://ns1.example.com>. Not good.
>
>
> Glue records are "A" or "AAAA" records for a child (delegated) zone that
> you put in the parent zone regardles that the parent has no longer
> authority on the now delegated zone. Even when these records are not
> authoritative in the parent server, they allow you to break the circle.
>
> In this case, in the .com zone you'd put the "A" and "AAAA" records for
> ns1.example.com <http://ns1.example.com> and ns2.example.com
> <http://ns2.example.com>. For this to happen, you must inform
> your registrar about the IP addresses of your in-zone name servers. It's
> not a Verisign specific issue. Any registry or registrar should allow
> for glue records.
>
>
> Given your specific case, my guess is that Verisign may be overzealous
> requiring anyone to register any authoritative name server within their
> TLDs that serves any domain within their TLDs.
>
> If uphs{1,2,3}.uphs.upenn.edu <http://uphs.upenn.edu> are *not* used to
> serve anything under
> upenn.edu <http://upenn.edu> glue records are not needed.
>
> What's more, if uphs{1,2,3}.uphs.upenn.edu <http://uphs.upenn.edu> were
> to serve uphs.upenn.edu <http://uphs.upenn.edu>,
> you could place glue records for these servers in the upen.edu
> <http://upen.edu> name
> servers (assuming the name servers for upenn.edu <http://upenn.edu> are
> not within
> uphs.upenn.edu <http://uphs.upenn.edu>), but my guess is that Verisign
> is overzealous just to
> prevent you from shooting your own foot (that is you, me or any DNS
> administrator).
>
>
>
> I have succeeded in delegating a .org name to a name server in each of
> the .edu and .net domains, and a .net name to a .org NS, and a .com name
> to a .us NS, and none of the receiving servers are registered. What then
> is the purpose of the consistency checks among COM, NET, and EDU from
> Verisign's perspective? Is there any possibility of relaxing or removing
> them? What harm is prevented that names and name servers in other TLDs
> remain susceptible to?
>
> On 2018/12/03 16:55, Wessels, Duane wrote:
> > John,
> >
> > .com, .net, and .edu share the same backend registry database.
> The message that you're getting when attempting to register the .net
> and .com domains is saying that there should be glue records for
> uphs{1,2,3}.uphs.upenn.edu <http://uphs.upenn.edu> in that shared
> database.
> >
> > So you would have to go to your .edu registrar and add these hosts
> under the upenn.edu <http://upenn.edu> account in order to make it work.
> >
> > DW
> >
> >
> > On 12/3/18, 10:35 AM, "dns-operations on behalf of John
> W.O'Brien" <dns-operations-bounces at dns-oarc.net
> <mailto:dns-operations-bounces at dns-oarc.net> on behalf of
> obrienjw at upenn.edu <mailto:obrienjw at upenn.edu>> wrote:
> >
> > Good day DNS Operators,
> >
> > I am having some trouble making uphs{1,2,3}.uphs.upenn.edu
> <http://uphs.upenn.edu> authoritative
> > for a number of domains in net and com. The registrar claims
> that the
> > name servers have to be "registered" but doesn't appear to
> provide a
> > mechanism for doing so. There is already appropriate glue in
> edu for the
> > upenn.edu <http://upenn.edu> NS, and in upenn.edu
> <http://upenn.edu> for the uphs.upenn.edu <http://uphs.upenn.edu>
> NS, and they are
> > all happily answering queries for those domains. I'm struggling to
> > understand what it means to be registered and how to do it.
> >
> > Could someone wiser than I in the ways of registrars and TLD
> operators
> > shed some light on my predicament?
>
--
John W. O'Brien
University of Pennsylvania
OpenPGP key ID:
0xD97D135B02EC753B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20181204/8fae041c/attachment.sig>
More information about the dns-operations
mailing list