
Introduction

I bought the domain earechnung.at with Hetzner and am using my webspace at All-Inkl. I want to use the nameservers of my webhost (All-Inkl).

Zonefiles and Nameservers

As I registered the domain with Hetzner, nic.at (the Austrian domain registry) lists the following nameservers (all of them Hetzner's):

Nameserver (Hostname) 1: ns.second-ns.com
Nameserver (Hostname) 2: ns1.your-server.de
Nameserver (Hostname) 3: ns3.second-ns.de

Zonefile at Hetzner

The zonefile at Hetzner now looks like the following:

$TTL 7200
@   IN SOA ns5.kasserver.com. office.earechnung.at. (
    2014030300   ; serial
    14400        ; refresh
    1800         ; retry
    604800       ; expire
    86400 )      ; minimum

@                        IN NS      ns6.kasserver.com.
@                        IN NS      ns5.kasserver.com.

@                        IN A       85.13.135.165
mail                     IN A       85.13.135.165
www                      IN A       85.13.135.165
w3                       IN A       85.13.135.165
ftp                      IN CNAME   www
imap                     IN CNAME   mail
pop                      IN CNAME   mail
relay                    IN CNAME   mail
smtp                     IN CNAME   mail
@                        IN MX 10   mail

So what I wanted was to delegate everything to the All-Inkl nameservers (ns5/6.kasserver.com). Therefore I listed them as SOA and NS. However, it seems like the Hetzner DNS responds directly to the requests.

All-Inkl Zonefile

The administration system of All-Inkl looks like the following for DNS: [screenshot: All-Inkl DNS Administration System]

DNS-Queries

nslookup from my windows client

>nslookup -type=A -debug w3.earechnung.at.
------------
...
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 2,  additional = 2

    QUESTIONS:
        w3.earechnung.at, type = A, class = IN
    ANSWERS:
    ->  w3.earechnung.at
        internet address = 85.13.135.165
        ttl = 4933 (1 hour 22 mins 13 secs)
    AUTHORITY RECORDS:
    ->  earechnung.at
        nameserver = ns5.kasserver.com
        ttl = 4608 (1 hour 16 mins 48 secs)
    ->  earechnung.at
        nameserver = ns6.kasserver.com
        ttl = 4608 (1 hour 16 mins 48 secs)
    ADDITIONAL RECORDS:
    ->  ns5.kasserver.com
        internet address = 85.13.128.3
        ttl = 3758 (1 hour 2 mins 38 secs)
    ->  ns6.kasserver.com
        internet address = 85.13.159.101
        ttl = 2220 (37 mins)

------------
Nicht autorisierende Antwort:
Name:    w3.earechnung.at
Address:  85.13.135.165

Online tracing

Tracing the DNS-file with simpledns.com outputs the following:

Tracing DNS delegation for "w3.earechnung.at":

Loading root server list (static data):
-> a.root-servers.net (198.41.0.4)
-> b.root-servers.net (192.228.79.201)
-> c.root-servers.net (192.33.4.12)
-> d.root-servers.net (128.8.10.90)
-> e.root-servers.net (192.203.230.10)
-> f.root-servers.net (192.5.5.241)
-> g.root-servers.net (192.112.36.4)
-> h.root-servers.net (128.63.2.53)
-> i.root-servers.net (192.36.148.17)
-> j.root-servers.net (192.58.128.30)
-> k.root-servers.net (193.0.14.129)
-> l.root-servers.net (199.7.83.42)
-> m.root-servers.net (202.12.27.33)
Sending request to "f.root-servers.net" (192.5.5.241)
Received referral response - DNS servers for "at":
-> r.ns.at (194.0.25.10)
-> d.ns.at (81.91.161.98)
-> ns9.univie.ac.at (194.0.10.100)
-> u.ns.at (195.66.241.82)
-> ns1.univie.ac.at (78.104.144.2)
-> n.ns.at (81.91.173.130)
-> j.ns.at (194.146.106.50)
-> ns2.univie.ac.at (192.92.125.2)
Sending request to "n.ns.at" (81.91.173.130)
Received referral response - DNS servers for "earechnung.at":
-> ns3.second-ns.de (no IP address)
-> ns.second-ns.com (no IP address)
-> ns1.your-server.de (no IP address)
Attempting to resolve DNS server name "ns1.your-server.de" (details not logged)
Resolved DNS server name "ns1.your-server.de" to IP address 213.133.106.251
Sending request to "ns1.your-server.de" (213.133.106.251)
Received authoritative (AA) response:
-> Answer: A-record for w3.earechnung.at = 85.13.135.165
-> Authority: NS-record for earechnung.at = ns5.kasserver.com
-> Authority: NS-record for earechnung.at = ns6.kasserver.com

Questions

My questions now are:

  1. Is there a best practice for this scenario (domain with Hoster A, webspace with Hoster B)?
    1. Should I give the SOA to the Hetzner DNS or to All-Inkl?
    2. Should I change the nameservers directly at nic.at?
    3. In my understanding I did not provide a glue record (A record) for ns5 and ns6.kasserver.com. Do I need one, or is this done automatically?
  2. What if I want to use something like CloudFlare? How does the delegation between Hetzner, All-Inkl and Cloudflare work best?
  3. Which server actually responds to the request?
    1. If I query w3.earechnung.at, which is entered on both DNS servers, it seems to me like Hetzner's ns1.your-server.de responds with an unauthoritative answer and states that ns5.kasserver.com is authoritative. Am I right?
    2. If I query ai.earechnung.at, which is only registered on All-Inkl's DNS server, I receive something like `ai.earechnung.at. wurde von UnKnown nicht gefunden: Non-existent domain` or `server can't find ai.earechnung.at: NXDOMAIN`.
  4. I think I delegated the whole site to the All-Inkl DNS server. Is this correct, or is there a better way? Do I have to set up every subdomain at the All-Inkl server?

Research

I also looked at the following questions, but could not find an answer (or at least did not understand it):



Firstly, may I congratulate you on what I think is a well-written, clear, and well-researched question, and for not redacting the domain name; that last is hugely helpful in answering.

Let me address the substantive issue, if I may: the whois points to a different set of nameservers than those which you have set up to be authoritative:

[me@risby ~]$ whois earechnung.at
[Querying whois.nic.at]
[...]
domain:         earechnung.at
registrant:     MAT8777331-NICAT
admin-c:        AT8777330-NICAT
tech-c:         MH536567-NICAT
nserver:        ns1.your-server.de
nserver:        ns3.second-ns.de
nserver:        ns.second-ns.com
changed:        20121004 15:29:23
source:         AT-DOM

Note the three listed servers. I freely concede that you have those servers set up to serve NS records that point the query elsewhere - but you also have them set up with data to respond to the authoritative request, and their server believes itself to be authoritative for the zone and can therefore lawfully return authoritative negative responses for RRs it doesn't know about. The right thing to do in this case is go back to the registrar, which I think is Hetzner in this case, and change the nameserver records not in their DNS server, but in their registration server - the device that populates the whois for .at. - to return your two new servers ns5.kasserver.com. and ns6.kasserver.com.

The business of serving a set of NS records to delegate a subzone works perfectly when it's used to do that: delegate a subzone of the one which was followed to the current set of nameservers. Using them more like an HTTP 301 redirect is unusual, and - as you have found - may not work perfectly.

As to best practice, it's completely normal to use one provider for registration and another for DNS provision. That said, the two tasks are often so closely welded that some registrars can't cope with having a registered zone on any DNS servers but their own. If Hetzner is one such, you will need to move the domain registration to a different registrar.

MadHatter
    To add further clarity: the NS records at the top of the zone cannot be used for delegation. Not *should not*, *cannot*. By design, DNS does not allow you to perform a blanket re-delegation. You can delegate subtrees of what has been delegated to you, but can't just say "nope, go to these other servers for everything". (stub zone black magic aside) – Andrew B Mar 26 '14 at 14:38
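The following is an added example, not code from the question or the answer, that simulates the behaviour described above on constructed data: the resolver follows the delegation published by the .at registry (the whois NS set from the answer), so Hetzner's server answers as authoritative and returns NXDOMAIN for `ai.earechnung.at`, no matter what NS records sit at the zone apex; once the parent-side delegation points at ns5/ns6.kasserver.com, All-Inkl's copy answers. The record sets, the `ai` host's address and the mapping of servers to zone copies are assumptions for the example; nothing here touches the network.

```python
"""Toy iterative resolution showing which server answers a query for a
delegated zone, and why apex NS records do not re-delegate it.

Added example on constructed data; names and addresses are taken from the
question and answer, the rest is assumed for illustration.
"""
from dataclasses import dataclass

ORIGIN = "earechnung.at."

# Zone copy as the Hetzner servers hold it (records from the zone file in
# the question, reduced to the hosts needed here).
HETZNER_ZONE = {
    (ORIGIN, "NS"): ["ns5.kasserver.com.", "ns6.kasserver.com."],
    (ORIGIN, "A"): ["85.13.135.165"],
    ("w3.earechnung.at.", "A"): ["85.13.135.165"],
    ("www.earechnung.at.", "A"): ["85.13.135.165"],
    ("mail.earechnung.at.", "A"): ["85.13.135.165"],
}

# Zone copy as assumed at All-Inkl: the same records plus the "ai" host the
# question says exists only there (its address is a constructed value).
ALLINKL_ZONE = dict(HETZNER_ZONE)
ALLINKL_ZONE[("ai.earechnung.at.", "A")] = ["85.13.135.165"]

# Which nameserver serves which copy (assumed mapping).
SERVERS = {
    "ns1.your-server.de.": HETZNER_ZONE,
    "ns3.second-ns.de.": HETZNER_ZONE,
    "ns.second-ns.com.": HETZNER_ZONE,
    "ns5.kasserver.com.": ALLINKL_ZONE,
    "ns6.kasserver.com.": ALLINKL_ZONE,
}

# Parent-side delegation as the registry currently publishes it (the
# "nserver" lines from the whois output in the answer).
REGISTRY_NS = ["ns1.your-server.de.", "ns3.second-ns.de.", "ns.second-ns.com."]

# Parent-side delegation after the registrar updates the registry record.
FIXED_REGISTRY_NS = ["ns5.kasserver.com.", "ns6.kasserver.com."]


@dataclass
class Response:
    server: str        # which server produced the answer
    rcode: str         # NOERROR or NXDOMAIN
    aa: bool           # authoritative-answer flag
    answer: list       # rdata in the answer section
    authority: list    # NS names in the authority section


def query_authoritative(server: str, name: str, rtype: str) -> Response:
    """Answer as a server that believes it is authoritative for ORIGIN.

    The apex NS set is returned in the authority section, exactly as in
    the nslookup and simpledns traces, but it is informational only: a
    server holding the zone answers from its own data and may return an
    authoritative NXDOMAIN for names it does not know.
    """
    zone = SERVERS[server]
    apex_ns = zone[(ORIGIN, "NS")]
    rdata = zone.get((name, rtype), [])
    if rdata:
        return Response(server, "NOERROR", True, list(rdata), list(apex_ns))
    name_exists = any(owner == name for owner, _ in zone)   # NODATA vs NXDOMAIN
    rcode = "NOERROR" if name_exists else "NXDOMAIN"
    return Response(server, rcode, True, [], list(apex_ns))


def resolve(name: str, rtype: str, registry_ns: list) -> Response:
    """Iterative lookup: the parent's referral decides which server is asked.

    A real resolver picks among the referred servers by round-trip time;
    the first one is used here for determinism.
    """
    delegated_server = registry_ns[0]
    return query_authoritative(delegated_server, name, rtype)


def delegation_mismatch(registry_ns: list, server: str) -> bool:
    """True when the parent delegation and the apex NS set published by
    `server` disagree, which is the misconfiguration the answer points out."""
    apex_ns = set(SERVERS[server][(ORIGIN, "NS")])
    return set(registry_ns) != apex_ns


if __name__ == "__main__":
    for ns_set in (REGISTRY_NS, FIXED_REGISTRY_NS):
        print(f"parent delegation: {ns_set}")
        for host in ("w3.earechnung.at.", "ai.earechnung.at."):
            r = resolve(host, "A", ns_set)
            print(f"  {host:22} -> {r.server} rcode={r.rcode} aa={r.aa} "
                  f"answer={r.answer} authority={r.authority}")
        print(f"  mismatch vs {ns_set[0]}: {delegation_mismatch(ns_set, ns_set[0])}")
```

With the registry still pointing at Hetzner, both queries are answered by ns1.your-server.de with the AA flag set, `w3` with the A record and `ai` with NXDOMAIN, while the authority section dutifully lists ns5/ns6.kasserver.com; `delegation_mismatch` flags the disagreement. With the parent delegation changed to All-Inkl's servers, `ai` resolves and the mismatch disappears, which is the fix the answer describes.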