[dns-operations] Multiple TLDs for NS (Was: mcr.microsoft.com / trafficmanager.net again)
Gavin McCullagh
gmccullagh at gmail.com
Wed Sep 24 22:16:42 UTC 2025
Hi,
On Wed, Sep 24, 2025 at 2:16 AM Jeroen Massar via dns-operations <dns-operations at dns-oarc.net> wrote:
> > On 24 Sep 2025, at 00:00, Ondřej Surý <ondrej at sury.org> wrote:
> > [..]
> > FTR distributing the DNS among multiple TLDs does not increase
> > resiliency. In fact, I believe
> > using direct in-domain nameservers is the best option instead of this
> > madness. I have an old
> > blogpost on this I might revive and put somewhere again.
>
> Yep, agree.
>
> (TLDR: Hierarchical DNS means spreading NS to other TLDs does not help
> resilience but makes it more fragile ;)
>
> The joke is that if a TLD of a domain breaks then there is no way to find
> the NS (even with the NS outside of the broken TLD) anyway, irrelevant in
> how many TLDs the NS are distributed. Hence it just makes things more
> fragile as that chance of a TLD breaking goes up.
Where we're talking about the nameservers for one single domain, say
example.com, I agree. If the domain is under COM, you already have that
TLD as an SPoF, so ideally you might as well use it for the nameserver too.

For a DNS provider who hosts customer domains across thousands of TLDs
though, it's more complicated. If the customer is using example.org, putting
all of that customer's nameservers on e.g. com would expose them to
failures of a second TLD. In principle, giving that customer four glued
nameservers on the TLD of their domain would be optimal, but that's very
practically difficult. Not sure about this one, but many providers (my
employer included) offer guaranteed static nameserver IPs, allowing
customers to set up "white label nameservers", in-zone. But the extra work
involved is such that most DNS customers wouldn't even understand it, let
alone attempt it. So, using multiple TLDs for a DNS provider is
recognition that one can't guess what TLD the customer domain may use, so
you don't want to commit them to any one single TLD for their nameservers.

Outages/impairments of the big TLDs are rare, but they do happen.
Gavin
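The dependency argument in the thread (the domain's own TLD is an unavoidable single point of failure; out-of-bailiwick nameservers can add further TLD dependencies) can be checked mechanically. The following is an added example written for this archive page, not code from any poster; it models a simplified resolution path where in-bailiwick nameservers are reached via glue in the parent TLD and out-of-bailiwick nameservers require their own TLD to be working, with constructed sample delegations.

```python
# Model of TLD dependencies for a delegation (added illustration, simplified:
# only TLD-level failures are considered, and a nameserver is treated as usable
# when its TLD works or when it is in-bailiwick and thus has glue in the parent).

def tld(name: str) -> str:
    """Return the top-level label of a DNS name, normalised."""
    return name.rstrip(".").lower().rsplit(".", 1)[-1]

def in_bailiwick(ns: str, domain: str) -> bool:
    """True when the nameserver name is at or below the delegated domain."""
    ns, domain = ns.rstrip(".").lower(), domain.rstrip(".").lower()
    return ns == domain or ns.endswith("." + domain)

def resolvable(domain: str, nameservers: list[str], failed_tlds: set[str]) -> bool:
    """Can the delegation still be found when the given TLDs are down?"""
    # The domain's own TLD must answer, or the NS set cannot be learned at all.
    if tld(domain) in failed_tlds:
        return False
    # Any single reachable nameserver keeps the zone resolvable.
    for ns in nameservers:
        if in_bailiwick(ns, domain):      # glue lives in the (working) parent TLD
            return True
        if tld(ns) not in failed_tlds:    # out-of-bailiwick: needs its own TLD
            return True
    return False

def dependency_tlds(domain: str, nameservers: list[str]) -> set[str]:
    """Every TLD that plays any part in resolving this delegation."""
    return {tld(domain)} | {tld(ns) for ns in nameservers}

def single_tld_spofs(domain: str, nameservers: list[str]) -> set[str]:
    """TLDs whose failure *alone* breaks resolution of the domain."""
    return {t for t in dependency_tlds(domain, nameservers)
            if not resolvable(domain, nameservers, {t})}

if __name__ == "__main__":
    # Constructed delegations for a customer zone under org.
    cases = {
        "in-domain NS":        ["ns1.example.org", "ns2.example.org"],
        "all NS under com":    ["ns1.provider.com", "ns2.provider.com"],
        "NS spread com + net": ["ns1.provider.com", "ns2.provider.net"],
    }
    for label, ns in cases.items():
        print(f"{label:22s} depends on {sorted(dependency_tlds('example.org', ns))},"
              f" single-TLD SPoFs {sorted(single_tld_spofs('example.org', ns))}")
```

The spread case keeps org as the only single-TLD SPoF but widens the set of TLDs involved, which is the trade-off both posters describe from different sides.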