[dns-operations] Surprising ds.fedex.com NS RRset.

Scott Morizot tmorizot at gmail.com
Fri Mar 5 10:26:15 UTC 2021


On Fri, Mar 5, 2021 at 1:23 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> The below was just brought to my attention, a domain with 81(!) records
> in its NS RRSet (3201 bytes over TCP):
>

I can tell from the naming convention that's a DNS zone supporting an
Active Directory domain and those are the domain controllers. For a large
organization, that's not a particularly unusual number of
domain controllers. We have an AD domain in one of our forests with
probably a similar number. It's not as common for the DNS supporting an
Active Directory forest to be resolvable from the Internet, but in today's
network world that doesn't strike me as terribly odd. I can think of a
number of reasons an organization might make that decision.

I believe if you run Microsoft DNS Server in integrated Active Directory
mode every domain controller has to be an authoritative nameserver for the
zone. We haven't used Microsoft DNS Server in any significant capacity
supporting the DNS zones for our large forests in so many years, though, I
can't say with certainty.

Scott