[dns-operations] Underscore suffix glue record?

Phillip Hallam-Baker phill at hallambaker.com
Mon Jan 6 19:23:04 UTC 2025


I have been working on a mechanism to fully automate provisioning of
devices that use ACME issued TLS certs.

By fully automate, I mean the user does nothing more than unpack the
device, scan a QR code and plug it in. I do not mean spend hours poring
through the certbot documentation, configuring DNS, etc. etc. I mean fully
automate.

The way to do this is to automate both the DNS provisioning and the cert
provisioning through some form of service that lives either locally or in
the cloud or both which receives requests from the device and performs all
the interactions with the DNS via dynamic DNS and the CA using ACME.

My model here is that there will be service providers offering service on a
freemium model. So Alice starts off with the free service from
provider.test, she is given the subdomain alice.provider.test as her
personal 'place'.

Alice uses the service to bind her coffee pot which she can now reach as
https://coffee.alice.provider.test/

After a while, Alice decides to get her own domain, so she upgrades to the
paid service and now she reaches her coffee pot at
https://coffee.the-real-alice.test/

And Alice also has an OAUTH online handle bound to @the-real-alice.test
using the extensions to OAUTH proposed by BlueSky and people can mail or
message her using the Mesh protocols on the same ID.


The whole thing seems fairly clean and straightforward. But as I am
implementing, being OCD, I can't help but notice how ugly glue records are.
I would like to hide that away rather than make the user make a choice or
risk a collision when they buy a NayStation1 and try to give it the name
ns1.

So solutions coming to mind for the glue record name for example.com

Prefix the address like we do suffixes:
@ IN SOA _primary.example.com. hostmaster.example.com. (
        1 3600 900 1209600 300 )    ; serial, refresh, retry, expire, minimum (placeholder timers)
    IN      NS       _primary.example.com.
_primary.example.com. IN A 192.168.1.22    ; in-bailiwick nameserver, so the zone must carry this glue

Use a non routed DNS address, does this work though?
@ IN SOA example.com.invalid. hostmaster.example.com. (
        1 3600 900 1209600 300 )    ; serial, refresh, retry, expire, minimum (placeholder timers)
    IN      NS        example.com.invalid.
example.com.invalid. IN A 192.168.1.22    ; owner name lies outside example.com, so this is out-of-zone data

Use a random address
@ IN SOA d0cfc2e5319b82cdc71a33873e826c93d7.example.com. hostmaster.example.com. (
        1 3600 900 1209600 300 )    ; serial, refresh, retry, expire, minimum (placeholder timers)
    IN      NS       d0cfc2e5319b82cdc71a33873e826c93d7.example.com.
d0cfc2e5319b82cdc71a33873e826c93d7.example.com. IN A 192.168.1.22    ; glue for the randomly named in-bailiwick nameserver

Yes, I get that all mean change. But the two are at least mnemonic and
could be reserved for the purpose.

The peculiar status of glue records has never sat easily with me TBH.
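The three sketches differ in whether the nameserver name is a legal hostname, whether it can ever resolve, and whether the zone has to carry glue for it. The checker below is an added illustration for this archive page, not code from the original post or from any DNS server; it assumes the zone has already been parsed into an apex, its NS RRset and a map of owner name to address records, and the 192.168.1.22 sample data is constructed to mirror the post.

```python
"""Delegation and glue consistency checks for a small zone.

Added illustration, not code from the original post or from any DNS
software. Input is an already-parsed zone: apex, NS RRset, and a map of
owner name -> list of (rrtype, rdata). It flags the conditions an operator
would want caught before publishing one of the layouts above.
"""
import re
from dataclasses import dataclass, field

# RFC 1123 hostname label: letters, digits and hyphen, 1-63 characters,
# no leading or trailing hyphen. NS RDATA must be a hostname, which is why
# a leading underscore such as _primary is rejected by BIND's check-names.
HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# RFC 2606 reserved TLDs: names under these never resolve on the public DNS.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}


def normalize(name: str) -> str:
    """Lower-case a domain name and make it fully qualified (one trailing dot)."""
    return name.rstrip(".").lower() + "."


def in_bailiwick(name: str, apex: str) -> bool:
    """True if name is the apex or below it, i.e. glue is required for it."""
    name, apex = normalize(name), normalize(apex)
    return name == apex or name.endswith("." + apex)


def is_hostname(name: str) -> bool:
    """Check every label of the name against the RFC 1123 hostname syntax."""
    return all(HOST_LABEL.match(label) for label in normalize(name)[:-1].split("."))


@dataclass
class NsReport:
    ns: str
    problems: list = field(default_factory=list)


def check_delegation(apex: str, ns_names, address_records) -> list:
    """Return one NsReport per NS target, listing the problems found."""
    apex = normalize(apex)
    addrs = {normalize(owner): rrs for owner, rrs in address_records.items()}
    reports = []
    for ns in ns_names:
        rep = NsReport(ns=normalize(ns))
        if rep.ns[:-1].split(".")[-1] in RESERVED_TLDS:
            rep.problems.append("nameserver name is under an RFC 2606 reserved TLD and cannot resolve")
        if not is_hostname(rep.ns):
            rep.problems.append("nameserver name is not an RFC 1123 hostname")
        if in_bailiwick(rep.ns, apex):
            glue = [rr for rr in addrs.get(rep.ns, []) if rr[0] in ("A", "AAAA")]
            if not glue:
                rep.problems.append("in-bailiwick nameserver has no A/AAAA glue in the zone")
        reports.append(rep)
    return reports


def out_of_zone_owners(apex: str, address_records) -> list:
    """Owner names outside the zone. An authoritative server does not serve
    such records, so an address placed there is not usable as glue."""
    return sorted(o for o in map(normalize, address_records) if not in_bailiwick(o, apex))


if __name__ == "__main__":
    # Constructed sample: the three layouts from the post plus a plain ns1
    # whose glue was forgotten.
    zone_addrs = {
        "_primary.example.com.": [("A", "192.168.1.22")],
        "example.com.invalid.": [("A", "192.168.1.22")],
        "d0cfc2e5319b82cdc71a33873e826c93d7.example.com.": [("A", "192.168.1.22")],
    }
    nss = ["_primary.example.com.", "example.com.invalid.",
           "d0cfc2e5319b82cdc71a33873e826c93d7.example.com.", "ns1.example.com."]
    for rep in check_delegation("example.com", nss, zone_addrs):
        print(rep.ns, "->", rep.problems or ["ok"])
    print("out of zone:", out_of_zone_owners("example.com", zone_addrs))
```

Run against the post's own sketches it flags `_primary` as not a hostname, flags `example.com.invalid` as under a reserved TLD with its A record sitting outside the zone, and passes the hex-label form, which satisfies hostname syntax and has its glue in place; the only thing the random name costs is readability.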