
Question

As a general practice, is it a good idea to use multiple TLDs for the name servers?

How should I choose between which TLD would be a good candidate for being the root server for my NS name?

More Info

I am switching over 800 DNS zones to an outsourced DNS provider. I originally planned on setting the zone names to nsX.company.com, but think it would be best to have multiple TLDs such as .net, .org and .info.

Since I plan on supporting DNSSEC at company.com, I think all the first-tier name servers must support it as well.

Part of the inspiration for this question came from our provider UltraDNS. In their configuration screen for our domains, they actively verify and alert us if our name servers aren't exactly:

  • pdns1.ultradns.net
  • pdns2.ultradns.net
  • pdns3.ultradns.org
  • pdns4.ultradns.org
  • pdns5.ultradna.info
  • pdns6.ultradns.co.uk
makerofthings7

1 Answer


If you are worried about an outage caused by an entire gTLD disappearing, I wouldn't worry about it. The risk is very low and doesn't justify your extra effort.

If you are worried about a performance difference between resolvers having to follow referrals for multiple second-level domains (finding the IP addresses of ns1.example.net, ns2.example.org and ns3.example.info requires first finding the nameservers for example.net, example.org, and example.info, which means 3 queries instead of 1), don't. I think that you will measure exactly zero difference here, and besides, most resolvers will cache this information pretty quickly AND glue records will almost always be given out by gTLD servers as additional records anyway, so resolvers don't even usually have to do these queries.

The only thing you could potentially reasonably worry about is protecting yourself against a mistake that causes your domain example.com to disappear. It could be anything from forgetting to pay to renew that domain to a syntax error in the zone file for that domain that goes unnoticed. Even then things will probably "mostly" still work due to glue records. But to protect against this it's not unreasonable to use nameservers in multiple different domains. But they need not be under different TLDs, really. My advice is: find a good registrar that supports DNSSEC in some chosen gTLD, test it very well, and stick with it!

Celada
  • Perhaps one reason to use multiple TLDs is a DNSSEC failure with that TLD? (e.g. one day .COM fails, at least .ORG can resolve the site securely) – makerofthings7 Oct 19 '12 at 21:36
  • If an entire TLD such as .com fails, then I think you'd have bigger things to worry about. – David W Oct 19 '12 at 21:44
  • Depends on the kind of failure: if the TLD becomes suddenly unsigned then a DNSSEC failure of a TLD would probably have few consequences for nameservers in that TLD because (1) resolvers will get glue records and never even query the TLD anyway, and (2) the address of your nameserver doesn't have to be certified by DNSSEC just because it certifies answers for the zones it serves itself. If, rather than the TLD becoming unsigned, the TLD starts issuing bad/missing/wrong signatures, that might be a more significant issue, but it's the type of thing that happens rarely and gets fixed real fast. – Celada Oct 19 '12 at 21:45
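To make the answer's two points concrete (how many extra referral walks a resolver pays for nameservers under other TLDs, and which nameservers survive if one registration lapses), here is an added Python example. It is not code from the question, the answer or UltraDNS. It classifies each nameserver relative to the delegated zone as in-bailiwick (parent must carry glue), sibling-TLD (same public suffix, so the TLD server can hand out the address as additional data) or external (a separate delegation chain the resolver must walk first). The public-suffix table is a tiny stand-in for the real Public Suffix List, and the zone and nsX.company.* names are constructed following the naming pattern in the question.

```python
"""Bailiwick analysis of a zone's NS set (added example, not from the original page).

Assumptions: PUBLIC_SUFFIXES is a toy stand-in for the real Public Suffix List,
and the zone/nameserver names used in the demo are constructed, modelled on the
nsX.company.com pattern from the question.
"""

# Toy public-suffix table: just enough to resolve the names used in the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk"}


def labels(name):
    """Lower-cased label list without the trailing dot."""
    return name.rstrip(".").lower().split(".")


def registrable_domain(name):
    """The domain registered at a registry, e.g. 'company.co.uk' for 'ns4.company.co.uk'."""
    parts = labels(name)
    for i in range(len(parts)):  # longest candidate suffix first
        suffix = ".".join(parts[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{name} is itself a public suffix")
            return ".".join(parts[i - 1:])
    raise ValueError(f"no known public suffix for {name}")


def public_suffix(name):
    """The TLD / public suffix part of a name, e.g. 'co.uk'."""
    return registrable_domain(name).split(".", 1)[1]


def is_subdomain(name, zone):
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[-len(z):] == z


def classify(zone, ns):
    """Classify nameserver `ns` relative to the delegated `zone`.

    in-bailiwick: ns lies inside the zone; the parent must carry glue A/AAAA
        records or the delegation cannot be resolved at all.
    sibling-tld:  ns is another zone under the same public suffix; the TLD
        server can return its address as additional data.
    external:     ns is under a different public suffix; the resolver must walk
        that delegation chain separately before it can query the server.
    """
    if is_subdomain(ns, zone):
        return "in-bailiwick"
    if public_suffix(ns) == public_suffix(zone):
        return "sibling-tld"
    return "external"


def analyze(zone, nameservers):
    """Summarise referral cost and single points of failure for an NS set."""
    classes = {ns: classify(zone, ns) for ns in nameservers}
    domains = {registrable_domain(ns) for ns in nameservers}
    external_suffixes = {public_suffix(ns) for ns in nameservers
                         if classes[ns] == "external"}
    return {
        "classes": classes,
        "registrable_domains": domains,
        "public_suffixes": {public_suffix(ns) for ns in nameservers},
        # each distinct external suffix costs at least one more referral walk
        "extra_referral_walks": len(external_suffixes),
        # one lapsed registration would take out every nameserver at once
        "single_domain_failure": len(domains) == 1,
    }


def survivors(nameservers, lost_domain):
    """Nameservers still reachable if the registration for lost_domain lapses
    (the 'forgot to renew' failure mode discussed in the answer)."""
    lost = lost_domain.rstrip(".").lower()
    return [ns for ns in nameservers if registrable_domain(ns) != lost]


if __name__ == "__main__":
    # Constructed demo: a customer zone delegated to nameservers spread over
    # four registrations under four different public suffixes.
    zone = "customer.com"
    spread = ["ns1.company.com", "ns2.company.net",
              "ns3.company.org", "ns4.company.co.uk"]
    single = ["ns1.company.com", "ns2.company.com"]
    for name, nsset in (("spread", spread), ("single", single)):
        r = analyze(zone, nsset)
        print(name, r["classes"], "extra walks:", r["extra_referral_walks"],
              "single point of failure:", r["single_domain_failure"])
        print("  if company.com lapses:", survivors(nsset, "company.com"))
```

Running it shows the trade-off the answer describes: the spread set costs three extra referral walks (.net, .org, .co.uk) on a cold cache but keeps three of four servers if company.com lapses, whereas the single-domain set costs nothing extra and loses everything. Multiple registrations under one TLD score the same on the survivor check, which is the answer's point that TLD diversity is not what buys the resilience.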