[dns-operations] Cloudflare Rose and Rick in .com authoritative Nameserver

Raffaele Sommese raffysommy at gmail.com
Mon Apr 20 13:40:56 UTC 2020

On Mon, 20 Apr 2020 at 13:50, Tony Finch <dot at dotat.at> wrote:
> Different registries have different rules about glue records. Some require
> glue addresses for any nameserver that is a subdomain of the registry
> (.com in this case), not just for in-bailiwick delegations.
> I call this "sibling glue". There was a fairly informative discussion
> when I asked about it a few years ago: see the thread starting at
> https://lists.dns-oarc.net/pipermail/dns-operations/2015-June/013402.html

So, from what I understand here, to create an NS record in .com a
registrant must point it (for in-bailiwick) to an existing glue record
(or create one for the owned domain).
This automatically excludes pointing the NS record to NX domains or
subdelegations for which he does not have control of the parent SLD
(e.g. an AWS EC2 hostname).

On Mon, 20 Apr 2020 at 14:51, Vladimír Čunát <vladimir.cunat+ietf at nic.cz> wrote:
> Let me add the resolver point of view.
> As noted, these records are not required but are in bailiwick of .com,
> so it's reasonable to trust their value and speed up resolution that
> way.  I believe there's nothing CloudFlare-specific in there.  (For
> example, Knot Resolver trusts these by default.)

This raises another question: registries do not enforce
consistency between glue records and the same records served by the
authoritative nameservers, right?
In this case, what could happen is that, in the case of inconsistency,
out-of-bailiwick and in-bailiwick domains are resolved through
different nameserver IPs.

Thanks a lot for the answers.
Best Regards,

Raffaele Sommese
Mail:raffysommy at gmail.com
About me:https://about.me/r4ffy
Gpg Key:http://www.r4ffy.info/Openpgp.asc
GPG key ID: 0x830b1428cf91db2a on http://pgp.mit.edu:11371/
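
Added example (not part of the original message or of any registry's tooling): a Python check for the glue inconsistency raised above. It compares the glue in a parent-zone referral with the addresses the authoritative servers publish and labels each nameserver as in-bailiwick, sibling or out-of-zone. All records, names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed data: a .com referral for example.com (NS set plus glue),
# using RFC 5737 documentation addresses.
PARENT_REFERRAL = """
example.com.     172800 IN NS ns1.example.com.
example.com.     172800 IN NS ns2.example.com.
example.com.     172800 IN NS ns.other.com.
example.com.     172800 IN NS ns.example.net.
ns1.example.com. 172800 IN A  192.0.2.1
ns.other.com.    172800 IN A  192.0.2.53
"""
# Constructed data: address records as served by the authoritative servers.
AUTH_ANSWERS = """
ns1.example.com. 3600 IN A 192.0.2.1
ns2.example.com. 3600 IN A 192.0.2.2
ns.other.com.    3600 IN A 198.51.100.53
"""

def parse_rrs(text):
    """Parse 'name ttl IN type rdata' lines into {(name, type): {rdata}}."""
    rrs = defaultdict(set)
    for line in text.strip().splitlines():
        name, _ttl, _cls, rtype, rdata = line.split(None, 4)
        key = (name.lower().rstrip("."), rtype.upper())
        rrs[key].add(rdata.strip().lower().rstrip("."))
    return rrs

def classify_ns(ns, delegated, registry):
    """Label an NS host relative to the delegation, using the thread's terms."""
    if ns == delegated or ns.endswith("." + delegated):
        return "in-bailiwick"
    if ns.endswith("." + registry):
        return "sibling"      # under the registry's zone, but another domain
    return "out-of-zone"      # outside the registry's zone

def audit(delegated, registry, parent_text, auth_text):
    """Return (ns, kind, problem) tuples; addresses are compared as text."""
    parent, auth = parse_rrs(parent_text), parse_rrs(auth_text)
    findings = []
    for ns in sorted(parent[(delegated, "NS")]):
        kind = classify_ns(ns, delegated, registry)
        glue = {t: parent.get((ns, t), set()) for t in ("A", "AAAA")}
        if kind == "in-bailiwick" and not any(glue.values()):
            findings.append((ns, kind, "missing-glue"))
        for t, addrs in glue.items():
            served = auth.get((ns, t), set())
            if addrs and served and addrs != served:
                findings.append((ns, kind, f"{t}-mismatch"))
    return findings
```

Calling `audit("example.com", "com", PARENT_REFERRAL, AUTH_ANSWERS)` on the constructed data flags the sibling glue for ns.other.com, whose parent-side address differs from the one its own zone serves, and the in-bailiwick ns2.example.com, which has no glue at all.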
