External (not in the same domain) name server

Hello,

I searched to see if this issue has come up previously, but neither
google nor Nanog list search produced anything recent and
relevant. There has been some discussion on whois host entries etc.,
however.

The real issue, why this seems impossible with many registrars, is
explained at the end of this email.

Background:

(I use private IP addresses in this example, but in real life they
would be normal routable IP addresses)

I have in my mind a setup where:

- There is one main domain, which is used for "master" name servers:

  mxx1.net NS ns1.mxx1.net
  mxx1.net NS ns2.mxx1.net
  mxx1.net NS ns3.mxx1.net
  mxx1.net NS ns4.mxx1.net
  ns1.mxx1.net A 10.1.1.2
  ns1.mxx1.net A 10.1.2.2
  ns1.mxx1.net A 10.2.1.2
  ns1.mxx1.net A 10.2.2.2

  ns1, ns2, ns3 and ns4 are well connected and quite permanently in
  their IP addresses.

- There are a number of cooperating organizations each having one
  dedicated name server (which can also handle other tasks, like
  act as a secondary SMTP server etc.)

- Organizations are (there may be tens or hundreds of them):

  cxx-1.com
  cxx-2.com
  .
  .

- Each cxx-n.com has its domain registered like this:

  cxx-1.com NS ns1.cxx-1.com.e.mxx1.net.
  cxx-1.com NS ns2.cxx-1.com.e.mxx1.net.
  cxx-1.com NS ns3.cxx-1.com.e.mxx1.net.
  cxx-1.com NS ns4.cxx-1.com.e.mxx1.net.
  cxx-1.com NS ns5.cxx-1.com.e.mxx1.net.

And now the problem with some registrars (or is it the same with all
of them):

godaddy.com:

Only allows "registered hosts" to be used as name servers in .com and
.net domains. If the name server host is in the com or net domain and it
is not in the same domain, it needs to be a registered host, which
basically means that it has to be (or have been) an NS of its SLD with
a glue record (an A record). But for example, any .fi ending (Finland)
host name can be entered as a name server and it gets automatically
"registered" without an A record.

joker.com:

Same as godaddy.com but doesn't allow foreign (like .fi) host names as
name servers if they have too many dots in the host name.

I didn't dare to try Network Solutions because it was very slow last
time I tried the WWW interface.

To summarize:

I have read this <URL:http://cr.yp.to/djbdns/notes.html#gluelessness>
and understand that point of view.

Am I trying to accomplish something which is not really needed, or would
such an approach be useful in some situations?
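To make the resolver's view of the layout above concrete, here is an added example (my own code, not part of the original post, and not any registrar's or registry's software): a toy iterative resolver in Python over constructed zone data that mirrors the post, with cxx-1.com delegated to names under e.mxx1.net that carry no glue in the com zone. All names and (private) addresses are assumptions for illustration; a.gtld-servers.net is used only as a placeholder for the com/net server, and two of the five ns*.cxx-1.com.e.mxx1.net names stand in for the set. It counts the queries a resolver has to send, and shows the failure the djbdns gluelessness note describes when the ns*.mxx1.net servers themselves have no glue in net.

```python
"""Toy iterative resolver over the delegation layout from the post.

Constructed example data: every name and (private) address below is made up
for illustration, following the post's mxx1.net / e.mxx1.net / cxx-1.com layout.
"""


class GluelessLoop(Exception):
    """Resolving a name server's address required that very same lookup."""


def in_zone(name, apex):
    return apex == "" or name == apex or name.endswith("." + apex)


class AuthServer:
    """An authoritative server: the zone apexes it serves plus its records."""

    def __init__(self, apexes, records):
        self.apexes = apexes          # e.g. {"com", "net"}; "" is the root zone
        self.records = records        # (owner, rtype) -> [rdata, ...]

    def query(self, qname, qtype):
        """Return ("answer", rdata list) or ("referral", (ns names, glue dict))."""
        apex = max((a for a in self.apexes if in_zone(qname, a)), key=len, default=None)
        if apex is None:
            return "answer", []       # not authoritative at all: a lame, empty answer
        labels = qname.split(".")
        # Walk from qname up towards the apex looking for a zone cut (an NS set).
        for i in range(len(labels) + 1):
            candidate = ".".join(labels[i:])
            if candidate == apex:
                break
            ns_names = self.records.get((candidate, "NS"))
            if ns_names:
                # Glue is only whatever A records this server itself holds for the NS names.
                glue = {n: self.records[(n, "A")] for n in ns_names if (n, "A") in self.records}
                return "referral", (ns_names, glue)
        return "answer", self.records.get((qname, qtype), [])


ROOT_ADDRESSES = ["10.0.0.1"]


def resolve(qname, qtype, servers, in_progress=frozenset()):
    """Resolve qname/qtype starting at the root. Returns (rdata list, queries sent)."""
    if (qname, qtype) in in_progress:
        raise GluelessLoop(f"{qname}/{qtype} is needed to resolve itself")
    in_progress = in_progress | {(qname, qtype)}
    queries = 0
    addresses = list(ROOT_ADDRESSES)
    while True:
        queries += 1
        kind, payload = servers[addresses[0]].query(qname, qtype)
        if kind == "answer":
            return payload, queries
        ns_names, glue = payload
        addresses = []
        for ns in ns_names:
            if ns in glue:
                addresses = list(glue[ns])
            else:
                # Glueless referral: the NS name must itself be resolved, again from the root.
                addresses, extra = resolve(ns, "A", servers, in_progress)
                queries += extra
            if addresses:
                break                 # a real resolver picks one reachable server; take the first
        if not addresses:
            return [], queries


def build_servers(glue_for_mxx1=True):
    """Servers keyed by address. glue_for_mxx1=False drops the ns*.mxx1.net glue from net."""
    root = AuthServer({""}, {
        ("com", "NS"): ["a.gtld-servers.net"],
        ("net", "NS"): ["a.gtld-servers.net"],
        ("a.gtld-servers.net", "A"): ["10.0.0.2"],
    })
    gtld_records = {
        ("mxx1.net", "NS"): ["ns1.mxx1.net", "ns2.mxx1.net"],
        # Host names under e.mxx1.net are out of bailiwick for com: no addresses here.
        ("cxx-1.com", "NS"): ["ns1.cxx-1.com.e.mxx1.net", "ns5.cxx-1.com.e.mxx1.net"],
    }
    if glue_for_mxx1:
        gtld_records[("ns1.mxx1.net", "A")] = ["10.1.1.2"]
        gtld_records[("ns2.mxx1.net", "A")] = ["10.1.2.2"]
    gtld = AuthServer({"com", "net"}, gtld_records)
    # The "master" servers serve mxx1.net (e.mxx1.net included) and secondary cxx-1.com.
    mxx1 = AuthServer({"mxx1.net", "cxx-1.com"}, {
        ("ns1.mxx1.net", "A"): ["10.1.1.2"],
        ("ns2.mxx1.net", "A"): ["10.1.2.2"],
        ("ns1.cxx-1.com.e.mxx1.net", "A"): ["10.1.1.2"],
        ("ns5.cxx-1.com.e.mxx1.net", "A"): ["10.3.1.2"],
        ("www.cxx-1.com", "A"): ["10.3.1.10"],
    })
    org = AuthServer({"cxx-1.com"}, {("www.cxx-1.com", "A"): ["10.3.1.10"]})
    return {"10.0.0.1": root, "10.0.0.2": gtld, "10.1.1.2": mxx1, "10.1.2.2": mxx1, "10.3.1.2": org}


if __name__ == "__main__":
    servers = build_servers()
    print("glued:   ", resolve("ns1.mxx1.net", "A", servers))    # (['10.1.1.2'], 3)
    print("glueless:", resolve("www.cxx-1.com", "A", servers))   # (['10.3.1.10'], 6)
    try:
        resolve("www.cxx-1.com", "A", build_servers(glue_for_mxx1=False))
    except GluelessLoop as err:
        print("no glue for mxx1.net:", err)
```

Run as a script it shows the cost of the layout: a name whose delegation has glue takes three queries, while www.cxx-1.com takes six because the resolver must first walk root, net and mxx1.net to learn where ns1.cxx-1.com.e.mxx1.net lives. That is the extra dependency the registries guard against by demanding addresses for com/net host names, and with the glue for ns*.mxx1.net removed from net the chase becomes circular and nothing under mxx1.net, and hence nothing under cxx-1.com, resolves at all.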

Hmm let me see, our .net domain has glue records set up for the nameservers...
all domains we register use those nameservers. No problem.

Your variation, if I understand it, is you don't wish to use those addresses; you
want to use a subdomain, to which your point is perfectly okay that one
references the other and the other has glue in place.

So you are saying that these registrars only allow you to register against
nameservers which have glue records?

Seems kind of a silly restriction as this would appear to be how ccTLDs resolve
(which require recursion to find the cc nameservers and the glue there etc.). I
guess the obvious answer is as these are your domains don't use registrars who
impose such restrictions on you?

Just looking through what you're doing though, I don't follow that the ns*.mxx1.net
nameservers have a reduced load, also it's not clear what the gain is in this
setup when DNS loads are so small anyway?

Steve

This is a requirement of Verisign registry, and should be true for all net/com registrars.

Does only allow to use "registered hosts" as name servers
in .com and .net domains.

This is a requirement of Verisign registry, and should be
true for all net/com registrars.

s;net/com;;

presuming you mean that there should be registered host rr
for all known servers. otherwise, i suspect the servfails
will get even worse.

sadly, forcing an A RR does not ensure that the server is
in fact serving the zone. i would not be unhappy if the
registrar or registry would test this occasionally.

randy
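As an added example of the occasional check Randy would like to see (my own code, not anything the registry, a registrar, or the original poster runs): a stdlib-only Python probe that asks a listed name server for the zone's SOA with recursion desired off and classifies the reply from the AA bit and rcode. It keeps "no reply" and SERVFAIL separate from "lame", since a timeout to the checker is not evidence that the zone is unserved. The zone name and the address in the usage line are placeholders from the post, and simulated_reply is a constructed stand-in for a server so the classifier can be exercised offline.

```python
"""Lame-delegation probe: is a listed name server actually serving the zone?

Stdlib only. simulated_reply() is a constructed stand-in for a server so the
classifier can be exercised offline; check_server() does the real UDP probe.
"""
import socket
import struct

SOA = 6           # every zone apex must have a SOA, so it is the natural probe
TXID = 0x1234     # fixed transaction id for the example; use a random one in practice


def build_query(zone, qtype=SOA, txid=TXID):
    """Build a query with RD=0 so a recursive server cannot answer on the zone's behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


def classify_response(resp, txid=TXID):
    """Return "authoritative", "lame" or "inconclusive" for a reply from a listed NS."""
    if len(resp) < 12:
        return "inconclusive"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:          # wrong id, or QR bit not set
        return "inconclusive"
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    if rcode == 0 and aa and ancount > 0:
        return "authoritative"
    if rcode == 2:                                 # SERVFAIL: maybe an expired secondary; retest later
        return "inconclusive"
    # REFUSED, NXDOMAIN, or NOERROR without AA (a referral): not serving this zone.
    return "lame"


def check_server(zone, address, timeout=2.0):
    """Send the SOA probe to one listed server and classify what comes back (uses the network)."""
    query = build_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (address, 53))
            resp, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return "inconclusive"                  # no reply to us is not proof the zone is unserved
    return classify_response(resp)


def simulated_reply(query, aa, rcode, answer_count=0):
    """Constructed reply: echo the question section under the given flags (no real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0x000F)
    return struct.pack("!HHHHHH", txid, flags, 1, answer_count, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("cxx-1.com")                   # zone name is the post's placeholder
    print(classify_response(simulated_reply(q, aa=True, rcode=0, answer_count=1)))   # authoritative
    print(classify_response(simulated_reply(q, aa=False, rcode=5)))                  # lame (REFUSED)
    # print(check_server("cxx-1.com", "10.1.1.2"))  # real probe; address is a placeholder
```

The classifier only looks at the header, which is enough for this purpose: a server that holds the zone answers the apex SOA with AA set, while a server that merely has an address record but no copy of the zone answers REFUSED, NXDOMAIN, or a non-authoritative referral. Anything that can be a transient condition (no reply, SERVFAIL) is reported as inconclusive rather than lame, so a checker built on this would re-test those rather than act on them.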

Actually, no. Verisign registry requires host records with addresses for nameservers named under com and net, and requires host records without addresses for nameservers named within other domains.

Most other registries do not follow the verisign schema of inter-relational host and domain objects; typically nameservers are stored as fields in the records for their dependent domains. In those registries no "registration of hosts" is required.

Joe

<quote who="Randy Bush">

i would not be unhappy if the
registrar or registry would test this occasionally.

For what values of occasionally?

And for what operational benefit? Removal of the record(s) certainly
wouldn't be appropriate so what would you like to see happen?

A CIDR Report style email to nanog-l? *yawn*

-davidu

i would not be unhappy if the registrar or registry would test
this occasionally.

For what values of occasionally?

i can think of a lot of values more interesting than zero

And for what operational benefit? Removal of the record(s)
certainly wouldn't be appropriate

why not? what is the use of a zone that is not being served?

randy

You mean http://www.cymru.com/DNS/lame.html ? Team Cymru have been doing
that for ages. Doesn't actually force the issue anywhere, but it does get
checked and published, using contributed resolver logs.

<quote who="Randy Bush">

And for what operational benefit? Removal of the record(s)
certainly wouldn't be appropriate

why not? what is the use of a zone that is not being served?

  A query not being answered to you or the verifier is not the same thing
as a zone not being served. (I would also assume that a failed check
would result in the zone being perhaps "queued" for more re-testing or
asking the netop to autoack something.)

I still don't see the operational benefit in removing these records.
(Checking them could be worthwhile (see below), but removing them...why?)

<quote who="Tim Wilde">

You mean http://www.cymru.com/DNS/lame.html ?
Team Cymru have been doing
that for ages. Doesn't actually force the issue anywhere, but it does get
checked and published, using contributed resolver logs.

Three comments:
1) I think there is some operational value in tracking this data for the
in-addr.arpa tree but less benefit to getting this data for general
forward nameservice (except maybe to people like you and me).

2) For Cymru's page to be of much benefit it needs a lot more resolver
contributions. If some large, end-user ISPs submitted data it would
become much more useful. The problem (in getting data) with this project
is that the people who submit are not necessarily the people who benefit
which provides less incentive for sysops to participate.

3) With this data published someone could check the list for lame
delegations and come to our site and setup those domains and begin using
them. This could be used by spammers and other sludge to "borrow"
domains. A solvable problem but one which would become substantially
easier if there was a comprehensive list of lame delegations that could be
correlated with third-party dns services.

-davidu