First, let's address the question in the title.
Is it possible to have a secondary managed DNS provider to quickly delegate to
"Quick" and "delegation" do not belong in the same sentence together when we're talking about the delegation for the top of the domain. The nameservers operated by the top level domain (TLD) registries typically serve up referrals that have TTLs measured in days. The authoritative NS records that live on your servers may have lower TTLs that end up replacing the TLD referrals, but you have no control over how often companies on the internet choose to drop their entire cache or restart their servers.
Simplifying this, it's best to assume that it's going to take at least 24 hours for the internet to pick up a nameserver change for the top of your domain. With the top of your domain being the weakest link, that's what you have to plan around the most.
What are some options in terms of reducing dependency on a SINGLE external managed DNS provider?
This question is much more solvable, and contrary to popular opinion the answer isn't always "find a better provider". Even if you use a company with a very good track record, recent years have demonstrated that no one is infallible, not even Neustar.
- Large, well-established DNS hosting companies with good reputations are harder to crush, but bigger targets. They are less likely to go dark because someone is trying to take your domain offline, but more likely to be taken offline because they host domains that are more appealing targets. It may not happen frequently, but it still happens.
- On the opposite extreme, running your own nameservers means that you're less likely to be sharing nameservers with a target that is more appealing than you, but it also means that you're much easier to take down if someone decides to target you specifically.
For most people, option #1 is the safest option. An outage may only happen once every few years, and if an attack does happen, it will be dealt with by people who have more experience and resources to deal with the problem.
That brings us to the final, most reliable option: a mixed approach using two companies. This provides resiliency against the problems that come with having all of your eggs in one basket.
For the sake of the argument, let's assume that your current DNS hosting company has two nameservers. If you add two nameservers managed by another company into the mix, then it takes a DDoS against two different companies to bring you offline. This will protect you against even the rare event of a giant like Neustar taking a dirt nap. The challenge instead becomes finding a way to reliably and consistently deliver updates for your DNS zones to more than one company. Typically this means having an internet facing hidden master that allows a remote partner to perform key based zone transfers. Other solutions are certainly possible, but I'm personally not a fan of using DDNS to fulfill this requirement.
The cost of the most reliable form of DNS server availability is, unfortunately, more complexity. Your problems are now much more likely to be the result of problems which cause these servers to become out of sync. Firewall and routing changes that break the zone transfers are the most common problems. Worse, if a zone transfer problem goes unnoticed for a long period of time, the expiry timer defined by your SOA record may be reached and the remote servers will drop the zone entirely. Extensive monitoring is your friend here.
To wrap all of this up, there are a number of options, and each have their drawbacks. It's up to you to balance reliability against the respective tradeoffs.
- For most, it's enough to have your DNS hosted with a company who has a great reputation for dealing with DDoS attacks...the risk of going down once every few years is good enough for the simplicity.
- A company with a less iron-clad reputation for dealing with DDoS attacks is the second most common option, especially when one is looking for free solutions. Just remember that free typically means no SLA guarantee, and if a problem does happen you'll have no way to drive urgency with that company (or a person to sue, if your legal department requires that sort of thing).
- The least common option is, ironically enough, the most robust option of using multiple DNS hosting companies. This is due to cost, operational complexity, and perceived long term benefits.
- The worst, at least in my opinion, is deciding to host your own. Few companies have experienced DNS admins (who are less likely to create accidental outages), experience and resources for dealing with DDoS attacks, willingness to invest in a design meeting the criteria outlined by BCP 16, and in most scenarios a combination of all three. If you want to play around with authoritative servers that only face the inside of your company, that's one thing, but internet facing DNS is an entirely different ballgame.
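A sync check for the multi-provider setup described in this answer, added here as an example (not code from the original answer): it takes `dig +short SOA` output for the hidden master and each published nameserver, compares serials with RFC 1982 serial arithmetic, flags a server that returns no SOA (what you see once the expire timer has dropped the zone), and warns when the SOA expire value is short. The server names, serials and the 14-day threshold are constructed assumptions.

```python
import subprocess
from collections import namedtuple

MIN_EXPIRE = 14 * 86400  # policy threshold assumed here, not from the answer
Soa = namedtuple("Soa", "mname rname serial refresh retry expire minimum")

def parse_soa(rdata: str) -> Soa:
    # `dig +short SOA zone @server` prints: mname rname serial refresh retry expire minimum
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA rdata: {rdata!r}")
    return Soa(fields[0], fields[1], *map(int, fields[2:]))

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: a is newer than b if it leads by less than 2^31 mod 2^32."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def query_soa(zone: str, server: str) -> str:
    """Live lookup (needs network and dig); returns the raw RDATA line, '' if no answer."""
    proc = subprocess.run(["dig", "+short", "SOA", zone, f"@{server}"], capture_output=True, text=True, timeout=10)
    return proc.stdout.strip()

def check_sync(master_rdata: str, secondaries: dict) -> dict:
    """Compare every secondary's SOA with the hidden master's and collect problems per server."""
    master = parse_soa(master_rdata)
    problems = {}
    for ns, rdata in secondaries.items():
        if not rdata:  # a secondary that has expired the zone no longer answers for it
            problems[ns] = "no SOA answer: not authoritative, or zone already expired"
            continue
        s = parse_soa(rdata)
        if serial_newer(master.serial, s.serial):
            problems[ns] = f"serial {s.serial} behind master {master.serial}"
        elif serial_newer(s.serial, master.serial):
            problems[ns] = f"serial {s.serial} ahead of master {master.serial} (edited out of band?)"
    if master.expire < MIN_EXPIRE:  # short expire = little time to notice a broken transfer
        problems["SOA"] = f"expire {master.expire}s is below {MIN_EXPIRE}s"
    return {"master_serial": master.serial, "expire_hours": master.expire // 3600, "problems": problems}

# Constructed sample data: what dig would print for each server.
SAMPLE_MASTER = "ns-hidden.example.net. hostmaster.example.net. 2024031502 7200 900 1209600 3600"
SAMPLE_SECONDARIES = {
    "ns1.provider-a.example": "ns-hidden.example.net. hostmaster.example.net. 2024031502 7200 900 1209600 3600",
    "ns1.provider-b.example": "ns-hidden.example.net. hostmaster.example.net. 2024031499 7200 900 1209600 3600",
    "ns2.provider-b.example": "",  # transfers have failed long enough for the zone to expire
}

if __name__ == "__main__":
    for ns, problem in check_sync(SAMPLE_MASTER, SAMPLE_SECONDARIES)["problems"].items():
        print(f"{ns}: {problem}")
```

For a live run, replace the sample strings with `query_soa(zone, server)` results for the hidden master and every NS record published for the zone.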