Saturday, September 9, 2017

Making sub-domains into nameservers and using them as nameservers for another domain



I own a domain (let's call it example.com) that is served by my own DNS server. (I asked my registrar to create glue records for ns1.example.com and ns2.example.com pointing to my server's IP address.)




Now imagine that one of my friends gets a new domain called new-domain.com and I want to help him manage his domain with my DNS server.



So in my DNS server, I created two A records:

my1.ns.example.com -> some.ip.addr
my2.ns.example.com -> some.ip.addr

(some.ip.addr is the IP address of my DNS server)



and asked him to change his nameservers to

my1.ns.example.com
my2.ns.example.com


But he cannot set them, because he gets an "invalid nameserver" error in his domain panel!



We asked the support team of my friend's domain registrar and they replied that those nameservers are not valid!



I contacted my own domain's support and they said they had registered those names for me (I guess they created glue records!) and it started working.




It's my understanding that because example.com is working properly in the DNS system, and thus my1.ns.example.com and my2.ns.example.com are resolved to the IP address properly, nothing can prevent them from being used as nameservers for new-domain.com.



I searched around and found that some people say the nameservers should be registered. I understand registering when we have to ask for glue records to be set, but in this case I have no idea why we would need to register those names.



Can someone explain what is happening in this scenario?



Update:



Here is the output of dig +trace for a domain that is served by Cloudflare's DNS system.




dig +trace +additional davat.info @8.8.8.8

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> +trace +additional davat.info @8.8.8.8
;; global options: +cmd
. 67120 IN NS a.root-servers.net.
. 67120 IN NS b.root-servers.net.
. 67120 IN NS c.root-servers.net.
. 67120 IN NS d.root-servers.net.
. 67120 IN NS e.root-servers.net.
. 67120 IN NS f.root-servers.net.
. 67120 IN NS g.root-servers.net.
. 67120 IN NS h.root-servers.net.
. 67120 IN NS i.root-servers.net.
. 67120 IN NS j.root-servers.net.
. 67120 IN NS k.root-servers.net.
. 67120 IN NS l.root-servers.net.
. 67120 IN NS m.root-servers.net.
. 67120 IN RRSIG NS 8 0 518400 20170724170000 20170711160000 15768 . hOOzt9mqEniQLhLc+jNqChne/uMaCy0COI/3JObhMhpZWilJxm7g71q2 H4OIfgpxAdG77B/dsQbgPfScW7jemvKyZ+Jr72+Fuv0zQB5BoY0PQ9i/ JOoQQ9T6yqoxyMCV5+elx5KA8q95cFO1kQ0U7GwXnM5nGOE2M1Xs7cWh kdz05pErCoZ1I2V2+/DEHNrjOtpGtO/ysX0UBeKeWpGB88k2BLN/yLBN 2g8AkGlv6+S/cC+WuMHAAg25DxtrDm06jt5cwiQ+MNj6wOihZX+vRx41 AJU9SQg5vYY8P8KRtXn2sbzBrrqR/eJPWeWeouDUYQAomp6PUG3dsEjz /0iZZg==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 9070 ms


info. 172800 IN NS a0.info.afilias-nst.info.
info. 172800 IN NS a2.info.afilias-nst.info.
info. 172800 IN NS b0.info.afilias-nst.org.
info. 172800 IN NS b2.info.afilias-nst.org.
info. 172800 IN NS c0.info.afilias-nst.info.
info. 172800 IN NS d0.info.afilias-nst.org.
info. 86400 IN DS 8674 7 1 197789A2CBABA6FECD0B5AC88C5BC414CE1FC309
info. 86400 IN DS 8674 7 2 EC9B6082B96B5F87143696F2B483ACC9B2C433DCE0C94E70F1FF5648 CA18008B
info. 86400 IN RRSIG DS 8 1 86400 20170727050000 20170714040000 15768 . RAOIKJ8CIq3gwj+WNN8pOdsNR+2KevOjFU22joZZORzuc3h30cIpi8jJ zFFRNVd0bXAzi9xPEZBhzy3o5MuDjPfeOtrROT8/SBTV64eoMoxJn31F myy0Aq5h1NLiw3LYJMGhQ/9JKXQc9PN/d0ifYer57rxtKvsS3PAtXwLu vP166UgoovFP7u37R6+Lr8vKpaRJu7P6RTP42Gzams6xnLkupsnnuFYt 6YcCJ4G2f9tDQLP4aaV2WtbKoNz79G9gyWdkwS5N1jGHDZRTVv+VlKER Mive01mOp+DfsqHLtanB7kLT2EOCOpO6ApREjVHcM6bM8bRK6pQn3FdM lh0Hdw==
a0.info.afilias-nst.info. 172800 IN A 199.254.31.1
a2.info.afilias-nst.info. 172800 IN A 199.249.113.1
b0.info.afilias-nst.org. 172800 IN A 199.254.48.1
b2.info.afilias-nst.org. 172800 IN A 199.249.121.1
c0.info.afilias-nst.info. 172800 IN A 199.254.49.1
d0.info.afilias-nst.org. 172800 IN A 199.254.50.1
a0.info.afilias-nst.info. 172800 IN AAAA 2001:500:19::1
a2.info.afilias-nst.info. 172800 IN AAAA 2001:500:41::1
b0.info.afilias-nst.org. 172800 IN AAAA 2001:500:1a::1
b2.info.afilias-nst.org. 172800 IN AAAA 2001:500:49::1
c0.info.afilias-nst.info. 172800 IN AAAA 2001:500:1b::1
d0.info.afilias-nst.org. 172800 IN AAAA 2001:500:1c::1
;; Received 813 bytes from 198.41.0.4#53(a.root-servers.net) in 2475 ms

davat.info. 86400 IN NS jobs.ns.cloudflare.com.
davat.info. 86400 IN NS nicole.ns.cloudflare.com.
adnsd9nk7nk82he8h21rj0jjhj11o5gb.info. 3600 IN NSEC3 1 1 1 D399EAAB ADOJ3MLQ5868PVF3LE0F5DCDGAVUTU55 NS SOA RRSIG DNSKEY NSEC3PARAM
adnsd9nk7nk82he8h21rj0jjhj11o5gb.info. 3600 IN RRSIG NSEC3 7 2 3600 20170804103358 20170714093358 30893 info. FB7zcjFKGziJ457Vh/pIPkWqLguFe+rabdfJTa9McavqzOBGJIZTyhx/ icNVIyE4qBIJQ9xe7f1OmN5UHVe41nxBCWpH+JNQYHshWYKOIYCgdYE8 gHepP1ZR5AQ2Ev5lE0f/9+GBPlwxF47IKRQOYdFT51C2icm/SUvtdCG/ 4Ak=
2jefac1stko456rdlfe7g88kmtsvu2qs.info. 3600 IN NSEC3 1 1 1 D399EAAB 2JFPEQI6J2CMI8JU5V4Q0UTP6UDK9RQD NS DS RRSIG
2jefac1stko456rdlfe7g88kmtsvu2qs.info. 3600 IN RRSIG NSEC3 7 2 3600 20170730151955 20170709141955 30893 info. RQ4jTb4j7Dkp+M53zGqEiq3cyP6aCLqqIYyX9R9N4TXHHuBdw5XY78ma 9EDQt8I5NAiABKpImwy0HHudP8yVvaMhL/30ffHbt+naPWYTx9XVP/z9 xXkNtWAvATjf8Z9ntQOU/FBIOQHdfwg2HIv42PX+xvmsIMlx7HPmsyOW J4o=
;; Received 591 bytes from 199.249.113.1#53(a2.info.afilias-nst.info) in 983 ms


davat.info. 300 IN A 82.102.11.201
;; Received 55 bytes from 173.245.58.211#53(nicole.ns.cloudflare.com) in 181 ms


For the domain davat.info, two Cloudflare nameservers have been set:



jobs.ns.cloudflare.com.
nicole.ns.cloudflare.com.



I think that if there were any glue records for those two nameservers, there would be additional records after the nameserver response.



davat.info. 86400 IN NS jobs.ns.cloudflare.com.
davat.info. 86400 IN NS nicole.ns.cloudflare.com.


But there are none!



If I enter these two Cloudflare nameservers in the domain control panel of the aforementioned new-domain.com domain, there is no error!




So if it is true that no glue records are set for jobs.ns.cloudflare.com and nicole.ns.cloudflare.com, why does it work for those names but not for my names in the domain control panel?



I need to know this because I need to be able to create nameservers dynamically and programmatically, and ask my users to enter their specific nameservers for their domains at their registrars.


Answer




"It's my understanding that because example.com is working properly in the DNS system, and thus my1.ns.example.com and my2.ns.example.com are resolved to the IP address properly, nothing can prevent them from being used as nameservers for new-domain.com.

I searched around and found that some people say the nameservers should be registered. I understand registering when we have to ask for glue records to be set, but in this case I have no idea why we would need to register those names."




The difference is where the glue lives. When you see an error about an invalid nameserver in a registrar control panel for an otherwise resolvable DNS entity, typically it is complaining about a missing glue record at the registry level. com cannot provide the glue for your friend's domain because the records are defined within example.com.




From a pure DNS perspective, an authoritative nameserver (such as those for com) should not perform any kind of recursion to learn the IP address of the nameservers that are defined in your example.com zone. Instead, the registry permits registrars to add glue records to the com domain, and those registrars can provide a user interface so that the owners of the domains that these custom nameservers live in can do so. (example: Namecheap - How do I register personal nameservers for my domain?)



(To address the elephant in the room...no, these glue records are not strictly required. But policies are policies, and if the registrar interface requires the registry level glue to be present, you have little choice in the matter.)
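To make the distinction concrete, here is an added example (not code from the original question or answer) that takes a referral in dig's presentation format, as in the +trace output above, and reports for each listed nameserver whether its name lies inside the delegated zone (in-bailiwick, so the parent zone must carry glue for it) or outside it (a resolver can look the name up on its own, which is why the .info servers sent no addresses for the Cloudflare names). It also flags the case where every nameserver is in-bailiwick and none has glue, which is a delegation nobody can resolve. The three referrals are constructed: the davat.info one copies the NS records from the trace above, and the example.com and new-domain.com ones model the scenario in the question, with the RFC 5737 documentation address 192.0.2.53 standing in for some.ip.addr.

```python
"""Which nameservers in a referral need glue, and which actually have it.

Added example for this page, not code from the original question or answer.
The sample referrals are constructed: the davat.info one copies the NS
records from the dig +trace output above (the .info server sent no
additional A/AAAA records for them); the example.com and new-domain.com
ones model the scenario in the question, with the RFC 5737 documentation
address 192.0.2.53 standing in for some.ip.addr.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One resource record in dig's presentation format: owner TTL IN TYPE RDATA
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")

# Constructed from the trace above: NS records only, nothing in the additional section.
REFERRAL_DAVAT = """\
davat.info. 86400 IN NS jobs.ns.cloudflare.com.
davat.info. 86400 IN NS nicole.ns.cloudflare.com.
"""

# Constructed: what the com servers hand out once the registrar has created
# host objects (glue) for ns1/ns2.example.com.
REFERRAL_EXAMPLE = """\
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
ns1.example.com. 172800 IN A 192.0.2.53
ns2.example.com. 172800 IN A 192.0.2.53
"""

# Constructed: the friend's domain delegated to names that live inside example.com.
REFERRAL_NEWDOMAIN = """\
new-domain.com. 172800 IN NS my1.ns.example.com.
new-domain.com. 172800 IN NS my2.ns.example.com.
"""

IN_BAILIWICK_GLUED = "in-bailiwick, glue present"
IN_BAILIWICK_NO_GLUE = "in-bailiwick, glue MISSING (resolver has no way to reach it)"
OUT_OF_BAILIWICK = "out-of-bailiwick, no glue needed"
OUT_OF_BAILIWICK_GLUED = "out-of-bailiwick, glue present but not required"


def canon(name: str) -> str:
    """Lower-case a domain name and give it the trailing root dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


@dataclass
class Referral:
    zone: str                                   # delegated zone, e.g. "davat.info."
    nameservers: List[str] = field(default_factory=list)
    glue: Dict[str, List[str]] = field(default_factory=dict)  # ns name -> addresses


def parse_referral(text: str) -> Referral:
    """Collect the NS records and any A/AAAA glue from one referral in dig format."""
    zone = None
    nameservers: List[str] = []
    addresses: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue                      # blank lines and ';;' comment lines
        owner, _ttl, rtype, rdata = m.groups()
        owner = canon(owner)
        if rtype == "NS":
            zone = zone or owner          # the first NS owner names the delegated zone
            nameservers.append(canon(rdata))
        elif rtype in ("A", "AAAA"):
            addresses.setdefault(owner, []).append(rdata)
        # DS, RRSIG, NSEC3 and other types play no part in glue
    if zone is None:
        raise ValueError("no NS records in referral")
    glue = {ns: addresses[ns] for ns in nameservers if ns in addresses}
    return Referral(zone, nameservers, glue)


def in_bailiwick(ns: str, zone: str) -> bool:
    """True when the nameserver's name is the zone itself or lies under it."""
    ns, zone = canon(ns), canon(zone)
    if zone == ".":
        return True                       # everything is under the root
    return ns == zone or ns.endswith("." + zone)


def classify(ref: Referral) -> Dict[str, str]:
    """Per nameserver: must the parent supply glue, and did it?"""
    result = {}
    for ns in ref.nameservers:
        glued = ns in ref.glue
        if in_bailiwick(ns, ref.zone):
            result[ns] = IN_BAILIWICK_GLUED if glued else IN_BAILIWICK_NO_GLUE
        else:
            result[ns] = OUT_OF_BAILIWICK_GLUED if glued else OUT_OF_BAILIWICK
    return result


def delegation_is_resolvable(ref: Referral) -> bool:
    """A resolver can proceed if at least one nameserver is reachable: its name
    is outside the zone (look it up elsewhere) or the parent sent glue for it.
    All in-bailiwick and no glue at all is a circular dependency."""
    return any(not in_bailiwick(ns, ref.zone) or ns in ref.glue
               for ns in ref.nameservers)


if __name__ == "__main__":
    for text in (REFERRAL_DAVAT, REFERRAL_EXAMPLE, REFERRAL_NEWDOMAIN):
        ref = parse_referral(text)
        print(ref.zone, "resolvable" if delegation_is_resolvable(ref) else "BROKEN")
        for ns, status in classify(ref).items():
            print("   ", ns, "->", status)
```

Run against the davat.info referral it reports both Cloudflare names as out-of-bailiwick with no glue needed, which is exactly what the empty additional section in the trace shows; against the new-domain.com referral it says the same for my1.ns.example.com and my2.ns.example.com, since they live under example.com, not under new-domain.com. That is the DNS-level view the answer calls "not strictly required". The script deliberately does not model the registrar-side check the answer describes: whether a host object for those names exists at the registry is a policy question that no amount of parsing referrals will settle.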

