
We have a situation where sometimes we need to get our clients to set up the NS records to point to our service.

I'd like to make this as easy as possible and was wondering if I can create NS records that resolve to the real NS records.

For example the client adds:

joebloggs.com NS joebloggs.com.ns1.mydomain.com
joebloggs.com NS joebloggs.com.ns2.mydomain.com

And I add to mydomain.com:

joebloggs.com.ns1.mydomain.com NS the.real.ns1.server.com
joebloggs.com.ns2.mydomain.com NS the.real.ns2.server.com

Would this work? Is it good practice? Should I make each of the fake NS records point to both real NS records? (like this)

joebloggs.com.ns1.mydomain.com NS the.real.ns1.server.com
joebloggs.com.ns1.mydomain.com NS the.real.ns2.server.com

joebloggs.com.ns2.mydomain.com NS the.real.ns1.server.com
joebloggs.com.ns2.mydomain.com NS the.real.ns2.server.com

It looks like using CNAME is not appropriate. In DNS can an IN NS point to a CNAME?

Would the above be ok? Is there a better solution?

DomE
  • I have no idea if it will work, but if it does it will greatly increase DNS traffic (and thus slow down every access to that domain's resources requiring a DNS lookup) for no good reason. Just give them nameservers that actually exist. – Michael Hampton Feb 23 '18 at 05:56
  • What kind of service are you providing? Why do clients need to modify their Name Server records? – joeqwerty Feb 23 '18 at 14:43
  • @joeqwerty It is a PaaS where they control the domain. We don't need to change the NS records, I just thought it would be nicer for them. – DomE Feb 25 '18 at 02:07

1 Answer


This will not work like that.

You would need to publish A/AAAA records for joebloggs.com.ns1.mydomain.com and joebloggs.com.ns2.mydomain.com, since the RDATA part of an NS record is a hostname that needs to be contacted and hence it must have A/AAAA records. The second set of NS records would never be queried, as those labels are not zones with a SOA.

The NS RDATA could be a CNAME but this is not recommended.

I do not see exactly what you try to do/hide by doing things like that. You can instead do one of the following:

  1. give your clients the true NS records; this is the recommended solution, far above all the others
  2. give them any other kind of NS records while making sure they resolve to the same A/AAAA records as the true nameservers (this will make changing their IP addresses very complicated); as long as you provision them with their A/AAAA records, it can be joebloggs.com.ns1.mydomain.com etc. or even ns1.joebloggs.com etc., also called vanity nameservers; this last case however involves creating glue records at the registry through the sponsoring registrar, which would create far more work for you than desired for almost no benefit.

In short, why do you want to (try to) hide the real nameservers from your clients anyway?

Patrick Mevzek
  • Thanks that makes sense. I think solution 1 is what I was going to do before I came up with this crazy idea. – DomE Feb 25 '18 at 02:08
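The following is an added example, not code from the question or the answer. It models the answer's reasoning with a small in-memory record set: for each hostname proposed as NS RDATA it checks whether the name owns A/AAAA records directly, flags a CNAME there (RFC 2181 section 10.3 forbids an alias as NS RDATA), and flags a name that carries only an NS record (which is never consulted, since it is not a zone cut). It also implements the "vanity nameserver" condition from option 2: the vanity name is only safe if its address set equals that of the real server. All records, names and addresses below are constructed for illustration (the hostnames are the hypothetical ones from the question, the addresses are from documentation ranges); a real check would fetch these with a resolver library instead.

```python
"""Offline check of proposed NS targets, mirroring a resolver's needs.

Constructed sample data stands in for what a resolver would look up.
"""
from collections import defaultdict

# Constructed records: (owner, type, rdata). Nothing here is real.
RECORDS = [
    # what the question proposes publishing under mydomain.com
    ("joebloggs.com.ns1.mydomain.com", "NS", "the.real.ns1.server.com"),
    ("joebloggs.com.ns2.mydomain.com", "NS", "the.real.ns2.server.com"),
    # an alias used as an NS target (forbidden by RFC 2181 s10.3)
    ("ns-alias.mydomain.com", "CNAME", "the.real.ns1.server.com"),
    # the real nameservers, with address records
    ("the.real.ns1.server.com", "A", "192.0.2.1"),
    ("the.real.ns1.server.com", "AAAA", "2001:db8::1"),
    ("the.real.ns2.server.com", "A", "192.0.2.2"),
    # a vanity name provisioned correctly (option 2 in the answer)
    ("ns1.joebloggs.com", "A", "192.0.2.1"),
    ("ns1.joebloggs.com", "AAAA", "2001:db8::1"),
    # a vanity name whose address has drifted from the real server's
    ("ns2.joebloggs.com", "A", "192.0.2.99"),
]


def _key(name):
    """Normalise an owner name: case-insensitive, no trailing dot."""
    return name.lower().rstrip(".")


def build_index(records):
    """Index records as owner -> type -> set of RDATA strings."""
    idx = defaultdict(lambda: defaultdict(set))
    for owner, rtype, rdata in records:
        idx[_key(owner)][rtype].add(rdata)
    return idx


def check_ns_target(idx, name):
    """Return (usable, reason, addresses) for one NS RDATA hostname.

    A resolver that receives "zone NS name" must obtain A/AAAA records
    for "name" itself. It will not follow an NS record at that name
    (that name is not a zone cut), and an alias there is a violation.
    """
    rrsets = idx.get(_key(name), {})
    addrs = set(rrsets.get("A", ())) | set(rrsets.get("AAAA", ()))
    if "CNAME" in rrsets:
        return False, "NS target is a CNAME, forbidden by RFC 2181 s10.3", addrs
    if addrs:
        return True, "has A/AAAA records", addrs
    if "NS" in rrsets:
        return False, "only an NS record here; it is never queried and gives no address", addrs
    return False, "no A/AAAA records", addrs


def check_delegation(idx, ns_targets):
    """Check every NS target of a delegation; all must be usable."""
    return {t: check_ns_target(idx, t) for t in ns_targets}


def vanity_matches_real(idx, vanity, real):
    """Option 2 from the answer: a vanity NS name is only safe while its
    A/AAAA set is identical to that of the real server it fronts."""
    v_addrs = check_ns_target(idx, vanity)[2]
    r_addrs = check_ns_target(idx, real)[2]
    return bool(v_addrs) and v_addrs == r_addrs


if __name__ == "__main__":
    idx = build_index(RECORDS)
    proposed = ["joebloggs.com.ns1.mydomain.com", "joebloggs.com.ns2.mydomain.com"]
    for target, (ok, why, addrs) in check_delegation(idx, proposed).items():
        print(f"{target}: {'OK' if ok else 'BROKEN'} ({why}) {sorted(addrs)}")
    for vanity, real in [("ns1.joebloggs.com", "the.real.ns1.server.com"),
                         ("ns2.joebloggs.com", "the.real.ns2.server.com")]:
        print(f"{vanity} fronts {real}: {vanity_matches_real(idx, vanity, real)}")
```

Run against the constructed data, both names from the question come back as broken (only an NS record, no address), the alias is rejected outright, the correctly provisioned vanity name passes, and the drifted one fails the equality check, which is exactly the maintenance burden the answer warns about in option 2.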