Using same authoritative NSes multiple times in delegation

Andrey G. Sergeev (AKA Andris) andris at aernet.ru
Thu Nov 19 00:36:57 UTC 2009


Greetings Kevin,


Wed, 18 Nov 2009 18:16:37 -0500 Kevin Darcy wrote:

> Andrey G. Sergeev (AKA Andris) wrote:
>> Greetings,
>>
>>
>> does the following setup violate any DNS RFCs or is it in the conflict 
>> with any best practices?
>>
>> ----------------------------------------------------------------------
>> [andris at strigidae ~]$ dig +nocmd +nocom +noque +nosta domain1.tld1. ns
>> domain1.tld1. 86400 IN NS ns1.domain1.tld1.
>> domain1.tld1. 86400 IN NS ns2.domain1.tld1.
>> domain1.tld1. 86400 IN NS ns1.domain2.tld2.
>> domain1.tld1. 86400 IN NS ns2.domain2.tld2.
>> domain1.tld1. 86400 IN NS ns1.domain3.tld3.
>> domain1.tld1. 86400 IN NS ns2.domain3.tld3.
>> ns1.domain1.tld1. 86400 IN A IP.Add.ress.1
>> ns2.domain1.tld1. 86400 IN A IP.Add.ress.2
>> ^^^^^^^^^^^^^
>> ns1.domain2.tld2. 86400 IN A IP.Add.ress.3
>> ^^^^^^^^^^^^^
>> ns2.domain2.tld2. 86400 IN A IP.Add.ress.4
>> ns1.domain3.tld3. 86400 IN A IP.Add.ress.2
>> ^^^^^^^^^^^^^
>> ns2.domain3.tld3. 86400 IN A IP.Add.ress.3
>> ^^^^^^^^^^^^^
>> ----------------------------------------------------------------------
>>
>> As we can see above, the ns2.domain1.tld1 / ns1.domain3.tld3 are 
>> actually the same physical host with the IP.Add.ress.2 and the 
>> ns1.domain2.tld2 / ns2.domain3.tld3 are actually the same machine
>> with the IP.Add.ress.3.
> The DNS standards only say that every zone must have at least 2 
> nameservers. That doesn't appear to be violated here. The fact that
> some of the nameservers have multiple names doesn't reduce the 
> availability/robustness of the delegations (which is apparently the 
> whole point of the rule), the only minor negative effect is that
> there is some confusion over where the PTR records should point. But
> even that is pretty much irrelevant, since doing a reverse lookup of
> an authoritative nameserver is not required by any standard, nor
> something that is done in the normal course of operation.
>> What are the benefits of this setup?
> 4 nameservers are cheaper than 6 (??)

Hmm, maybe. I suppose that this setup creates added redundancy and
seems to be more reliable. If all of these 6 nameservers were in the
same TLD, then simply cutting off this TLD from the DNS namespace would
be sufficient to cut off the delegated domain too:

domain1.tld1 delegated to:
   ns1.domain1.tld1
   ns2.domain1.tld1
   ns1.domain2.tld1
   ns2.domain2.tld1
   ns1.domain3.tld1
   ns2.domain3.tld1

In this scenario, tld1 is the single POF.

But if we have something like this:

domain1.tld1 delegated to:
   ns1.domain1.tld1
   ns2.domain1.tld1
   ns1.domain2.tld2
   ns2.domain2.tld2
   ns1.domain3.tld3
   ns2.domain3.tld3

then we have an additional level of redundancy. The idea is that we
should distribute our authoritative nameservers not only across
different IP networks, ASes and ISPs, but also among different TLDs and
SLDs. It can be expensive to set up 6 completely different nameservers, so
we can emulate the redundancy by creating aliases for our existing
nameservers.

We're still vulnerable, because if we have tld1 completely unavailable,
then it would be rather difficult to determine the full list of
authoritative nameservers for any domains in tld1 - but don't forget
about the cached data.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris)     http://www.andris.name/
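As an added illustration of the redundancy argument in the thread above (example code written for this page, not from either poster), the script below scores a delegation two ways: by how many distinct addresses sit behind the NS names, and by which ancestor zone (TLD or SLD) would, if it vanished from the namespace, leave no nameserver name resolvable from the delegation alone. The sample data is constructed from the post's two layouts, with its IP.Add.ress.N placeholders kept as labels; cached data, which the post notes would still help, is deliberately ignored.

```python
def parent_zones(name):
    """Ancestor zones of a hostname, shortest first:
    'ns1.domain1.tld1' -> ['tld1', 'domain1.tld1']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, 0, -1)]


def analyse_delegation(ns_names, glue):
    """ns_names: NS hostnames of the delegation; glue: hostname -> address.
    Returns (number of distinct addresses, {zone: addresses still reachable
    if every NS name under that zone becomes unresolvable})."""
    distinct = {glue[n] for n in ns_names}
    zones = {z for n in ns_names for z in parent_zones(n)}
    survivors = {
        zone: {glue[n] for n in ns_names if zone not in parent_zones(n)}
        for zone in zones
    }
    return len(distinct), survivors


def single_points_of_failure(ns_names, glue):
    """Zones whose loss leaves the delegation with no usable NS name."""
    _, survivors = analyse_delegation(ns_names, glue)
    return sorted(z for z, left in survivors.items() if not left)


# Constructed from the post: six names spread over three TLDs but only
# four physical hosts (addresses 2 and 3 are each aliased twice).
NS_MULTI_TLD = [
    "ns1.domain1.tld1", "ns2.domain1.tld1",
    "ns1.domain2.tld2", "ns2.domain2.tld2",
    "ns1.domain3.tld3", "ns2.domain3.tld3",
]
GLUE_MULTI_TLD = {
    "ns1.domain1.tld1": "IP.Add.ress.1", "ns2.domain1.tld1": "IP.Add.ress.2",
    "ns1.domain2.tld2": "IP.Add.ress.3", "ns2.domain2.tld2": "IP.Add.ress.4",
    "ns1.domain3.tld3": "IP.Add.ress.2", "ns2.domain3.tld3": "IP.Add.ress.3",
}

# The post's counter-example: same hosts, every name under tld1.
_to_tld1 = lambda n: n.replace("tld2", "tld1").replace("tld3", "tld1")
NS_SINGLE_TLD = [_to_tld1(n) for n in NS_MULTI_TLD]
GLUE_SINGLE_TLD = {_to_tld1(n): a for n, a in GLUE_MULTI_TLD.items()}

if __name__ == "__main__":
    for label, names, glue in (("multi-TLD", NS_MULTI_TLD, GLUE_MULTI_TLD),
                               ("single-TLD", NS_SINGLE_TLD, GLUE_SINGLE_TLD)):
        hosts, survivors = analyse_delegation(names, glue)
        print(label, "distinct hosts:", hosts,
              "SPOF zones:", single_points_of_failure(names, glue))
        print("  addresses left if tld1 disappears:", sorted(survivors["tld1"]))
```

Six names still mean only four hosts in both layouts; what the multi-TLD spread buys is that no single TLD or SLD is a point of failure for the delegation itself.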