[dns-operations] auth servers in different TLDs
Klaus Darilion
klaus.mailinglists at pernau.at
Fri May 4 21:23:25 UTC 2018
As mentioned by others, there are various pros and cons. Here is my view.
On 17.04.2018 at 06:23, Yonghua Peng wrote:
> I saw some domains that have auth name servers in different TLDs.
> such as,
>
> ;; ANSWER SECTION:
> gmx.net. 84558 IN NS ns-gmx.ui-dns.de.
> gmx.net. 84558 IN NS ns-gmx.ui-dns.biz.
> gmx.net. 84558 IN NS ns-gmx.ui-dns.com.
> gmx.net. 84558 IN NS ns-gmx.ui-dns.org.
This makes sense. There is a "DNS provider" "ui-dns" which probably
hosts many domains from various TLDs. In this concrete example, the
domain is a .net domain, but all nameservers are within other domains.
Hence, no glue records are used at all. Here it is an advantage, because
if, for example, all nameservers were within a single TLD, you would have a
second single point of failure (the first, non-avoidable, single point
of failure is the .net TLD).
> easydns.com. 600 IN NS dns4.easydns.info.
> easydns.com. 600 IN NS dns1.easydns.com.
> easydns.com. 600 IN NS dns2.easydns.net.
> easydns.com. 600 IN NS dns3.easydns.org.
In this case, it is not clearly an advantage. The "DNS provider" hosts
its own domain. If it used dns[1234].easydns.com, it would benefit
from glue records for all nameservers. Glue records improve the
performance (on first lookups) and there is no need to rely on other
domains, because if .com is down, it would not work anyway, and if .com
is not down, everything works perfectly.
It may even worsen resolving, as it introduces resolver loops. E.g., the
resolver asks for easydns.com and gets redirected to one of the above
nameservers. If the resolver's algorithm is bad, it may choose the first
nameserver, i.e. dns4.easydns.info. Hence, the resolver will ask for this
nameserver and will receive as answer:
easydns.info. 86400 IN NS dns2.easydns.net.
easydns.info. 86400 IN NS dns3.easydns.org.
easydns.info. 86400 IN NS dns1.easydns.com.
easydns.info. 86400 IN NS dns4.easydns.info.
Choosing again the first nameserver, it will ask for dns2.easydns.net and
again receive an answer like this:
easydns.net. 172800 IN NS dns3.easydns.org.
easydns.net. 172800 IN NS dns1.easydns.com.
easydns.net. 172800 IN NS dns2.easydns.net.
easydns.net. 172800 IN NS dns4.easydns.info.
Hence, they rely on resolvers to be smart enough to ignore the loops.
Smart means: using the nameserver with a glue record provided. Hence, the
other nameservers in other domains, referring again to the other domains,
may be useless.
I guess the reason why they are nevertheless using nameservers in
different domains is: they just want to use the same setup as for all
their customer domains.
And in the end, both versions may work.
regards
Klaus
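
Added example, not part of the original message: a small offline model of the referral walk described above, comparing a resolver that always takes the first NS with one that prefers a glue-eligible name. Assumptions: glue is modelled as available only for NS names inside the delegated zone itself, and the easydns.org NS set is constructed, since the message does not show it.

```python
# NS sets copied from the message above; easydns.org is CONSTRUCTED (not shown
# in the message) and assumed to follow the same four-name pattern.
NS = {
    "gmx.net": ["ns-gmx.ui-dns.de", "ns-gmx.ui-dns.biz",
                "ns-gmx.ui-dns.com", "ns-gmx.ui-dns.org"],
    "easydns.com": ["dns4.easydns.info", "dns1.easydns.com",
                    "dns2.easydns.net", "dns3.easydns.org"],
    "easydns.info": ["dns2.easydns.net", "dns3.easydns.org",
                     "dns1.easydns.com", "dns4.easydns.info"],
    "easydns.net": ["dns3.easydns.org", "dns1.easydns.com",
                    "dns2.easydns.net", "dns4.easydns.info"],
    "easydns.org": ["dns1.easydns.com", "dns2.easydns.net",   # constructed
                    "dns3.easydns.org", "dns4.easydns.info"],
}

def in_bailiwick(host, zone):
    """True if host lies at or below zone (simplified glue eligibility)."""
    return host == zone or host.endswith("." + zone)

def glue_split(zone, ns=NS):
    """Split a zone's NS names into (glue-eligible, needs-other-zone)."""
    inside = [h for h in ns[zone] if in_bailiwick(h, zone)]
    return inside, [h for h in ns[zone] if h not in inside]

def zone_of(host, ns=NS):
    """Longest zone in the table that contains host, or None if unknown."""
    hits = [z for z in ns if in_bailiwick(host, z)]
    return max(hits, key=len) if hits else None

def walk(zone, prefer_glue, ns=NS):
    """Follow one NS per zone; return (status, zones visited)."""
    seen = []
    while True:
        if zone in seen:
            return "loop", seen + [zone]
        seen.append(zone)
        inside, _ = glue_split(zone, ns)
        pick = inside[0] if (prefer_glue and inside) else ns[zone][0]
        if in_bailiwick(pick, zone):
            return "glue", seen          # address arrives with the referral
        zone = zone_of(pick, ns)
        if zone is None:
            return "external", seen      # needs a zone that is not in the table

if __name__ == "__main__":
    for z in ("gmx.net", "easydns.com"):
        print(z, glue_split(z)[0], walk(z, True), walk(z, False))
```

The same functions can be pointed at an operator's own delegation data by passing a different `ns` table; a "loop" or "external" status for every NS of a zone marks a dependency worth reviewing.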