Multiple TLDs for NS (Was: [dns-operations] mcr.microsoft.com / trafficmanager.net again)
Jeroen Massar
jeroen at massar.ch
Wed Sep 24 09:05:38 UTC 2025
> On 24 Sep 2025, at 00:00, Ondřej Surý <ondrej at sury.org> wrote:
> [..]
> FTR distributing the DNS among multiple TLDs does not increase resiliency. In fact, I believe
> using direct in-domain nameservers is the best option instead of this madness. I have an old
> blogpost on this I might revive and put somewhere again.
Yep, agree.
(TLDR: Hierarchical DNS means spreading NS to other TLDs does not help resilience but makes it more fragile ;)
The joke is that if the TLD of a domain breaks then there is no way to find the NS (even with the NS outside of the broken TLD) anyway, irrespective of how many TLDs the NS are distributed across. Hence it just makes things more fragile, as the chance of a TLD breaking goes up.
One could argue that if you have hundreds/thousands of domains, migrating all of the NS from a broken TLD that hosts an NS would be cumbersome, but then again, if the TLD that an NS is under is broken then one already has resolver issues and delays. In this case Afilias is behind both .info and .org.
Using well-managed TLDs is a better approach; or, if you had the cash to get a TLD yourself, using your own TLD if you really want to reduce risk. Hey, they got one: dnsX.nic.microsoft; wonder why it is not being used...
Of course, as a disaster recovery method, being able to mass-migrate/change NS automatically could partially address TLD-for-NS loss, but one will still have had a partial delay/outage. Anyway, more TLDs => more risk.
For us normal people who cannot afford/get a TLD (which also makes sense due to global scaling, which is why there are TLDs in the first place), it would be awesome if there was some kind of way to indicate TLD equivalence; though that would mean a registry akin to a TLD where that lookup would have to be made as a side-lookup, and trust in that. Caching well-known TLDs (some allow AXFR or offer a way to get a copy) would be a better path then.
And that is kinda what "public DNS" suggests it offers as an advantage over smaller DNS recursive instances.
Greets,
Jeroen
PS: as for CNAMEs, outside of aliasing _acme-challenge labels to keep those in a dynamic, one should IMHO almost never use them; it just causes so much complexity and fragility...
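The hierarchical-dependency argument in the post above can be checked mechanically. The following is an added example, not part of the mailing-list post or of any real DNS data: it models a small constructed set of zones (all names under `example.*` and `in-domain.org` are made up) and answers two questions for a name, which single TLD failures break resolution entirely, and which TLDs participate in resolving it at all. A name under zone Z needs Z's own TLD to hand out the delegation; an NS hostname inside Z is covered by glue from that same TLD, while an out-of-zone NS hostname must itself be resolved, pulling in its own TLD.

```python
"""Constructed model of how DNS resolution depends on TLDs (added example, not from the post)."""
from typing import Dict, List, Optional, Set

# Constructed zone data: zone name -> its NS hostnames. Not real DNS records.
ZONES: Dict[str, List[str]] = {
    "example.org": ["a.ns.example.info", "b.ns.example.net"],  # NS spread over other TLDs
    "example.info": ["ns1.example.info", "ns2.example.info"],  # in-zone NS (glue)
    "example.net": ["ns1.example.net", "ns2.example.net"],     # in-zone NS (glue)
    "in-domain.org": ["ns1.in-domain.org", "ns2.in-domain.org"],  # in-zone NS (glue)
}


def tld_of(name: str) -> str:
    """Rightmost label of a name, e.g. 'org' for 'www.example.org'."""
    return name.rstrip(".").rsplit(".", 1)[-1]


def parent_zone(name: str) -> Optional[str]:
    """Longest suffix of `name` that is a zone we know about, or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def in_zone(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)


def reachable_ns(name: str, broken_tlds: Set[str], _seen: Optional[Set[str]] = None) -> List[str]:
    """NS hostnames of `name`'s zone that a resolver can still use when `broken_tlds` are down.

    Empty list means `name` cannot be resolved at all.  Fewer entries than the zone has
    nameservers means resolution still works, but with retries/delays on the dead ones.
    """
    seen = (_seen or set()) | {name}
    if tld_of(name) in broken_tlds:
        return []  # the delegation for this name lives in a broken TLD: nothing helps
    zone = parent_zone(name)
    if zone is None:
        return []
    usable = []
    for ns in ZONES[zone]:
        if in_zone(ns, zone):
            usable.append(ns)  # glue comes from the zone's own TLD, which we know works
        elif ns not in seen and reachable_ns(ns, broken_tlds, seen):
            usable.append(ns)  # out-of-zone NS: must itself resolve through its own TLD
    return usable


def resolvable(name: str, broken_tlds: Set[str]) -> bool:
    return bool(reachable_ns(name, broken_tlds))


def tld_footprint(name: str, _seen: Optional[Set[str]] = None) -> Set[str]:
    """Every TLD that takes part in resolving `name`: each one is a place things can break."""
    seen = (_seen or set()) | {name}
    tlds = {tld_of(name)}
    zone = parent_zone(name)
    if zone is None:
        return tlds
    for ns in ZONES[zone]:
        if not in_zone(ns, zone) and ns not in seen:
            tlds |= tld_footprint(ns, seen)
    return tlds


def single_tld_failures(name: str) -> Set[str]:
    """TLDs whose failure, on its own, makes `name` completely unresolvable."""
    return {t for t in tld_footprint(name) if not resolvable(name, {t})}


if __name__ == "__main__":
    for n in ("www.example.org", "www.in-domain.org"):
        print(n, "footprint:", sorted(tld_footprint(n)),
              "single-TLD outages:", sorted(single_tld_failures(n)))
    print("example.org with .info and .net both down:", resolvable("www.example.org", {"info", "net"}))
    print("in-domain.org with .info and .net both down:", resolvable("www.in-domain.org", {"info", "net"}))
```

Running it shows the point of the thread: both names have exactly one single-TLD outage (their own TLD, `org`), so spreading the NS over `.info` and `.net` bought no protection against the failure that matters, while it widened the footprint from one TLD to three and added a new failure combination (`.info` and `.net` both down) that the in-domain setup simply does not have.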