0

Is it 'legal' and possible in DNS to chain NS records like this:

com. NS:

example.com NS ns1.example.com.
ns1.example.com A a.b.c.d

example.com. NS:

example.com NS azuredns.com.
azuredns.com. A x.y.v.z

The reason why I'm attempting such a configuration is that one of our non-technical departments wants us to have all domains configured on our DNS system, but some of them utilize features of "cloud" DNS providers. I'm not looking forward to doing such abominations, but I owe due diligence to my company :-)

StanTastic
  • Not sure why I'm getting downvoted - I know it's a stupid idea, but it's worth asking why _exactly_ it's a stupid idea. – StanTastic Apr 18 '18 at 07:20

2 Answers

3

The payload of an NS record is, as specified in RFC 1035, a domain name that specifies a host. A resolver will use that name to look up A and AAAA records, nothing else. The kind of pointer chasing you envision in your question will not happen.

Calle Dybedahl
3

The NS records and their glue A & AAAA records on the parent must match the NS records on the name servers, as specified in IANA Technical requirements for authoritative name servers.

Consistency between glue and authoritative data

For name servers that have IP addresses listed as glue, the IP addresses must match the authoritative A and AAAA records for that host.

Consistency between delegation and zone

The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.

This tells that if the .com nameservers (*.m.root-servers.net.) have example.com. NS ns1.example.com., the NS records on ns1.example.com. must match.

However, you can delegate further sub-zones just like your example.com. is actually a sub-zone delegated by .com, which is a sub-zone delegated by root .. E.g. you could delegate control over all *.azure.example.com. to Azure by azure.example.com. NS azuredns.com. which doesn't need to match the NS records for example.com..

For the non-technical people in your company: a company policy can't override global policies, in this case the requirements regarding domain names and name servers. Actually, the IANA requirements are mostly based on technological limitations and best practices. They are unlikely to change as it would require the widely supported technical specifications to be changed accordingly.

Esa Jokinen
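The two IANA consistency checks quoted in the answer above, applied to the configuration from the question, as an added example that is not part of the original question or answers. The record sets, the 192.0.2.53 address and the function names are constructed for illustration, and the glue check assumes the name server host lives inside the delegated zone.

```python
from collections import defaultdict

# Constructed sample records; 192.0.2.53 is a documentation address.
PARENT = """\
example.com.      NS  ns1.example.com.
ns1.example.com.  A   192.0.2.53
"""
# What the question proposes: the zone itself answers with a different NS set.
CHILD_CHAINED = """\
example.com.      NS  azuredns.com.
ns1.example.com.  A   192.0.2.53
"""
# What the answer suggests: same apex NS set, plus a delegated sub-zone.
CHILD_OK = """\
example.com.        NS  ns1.example.com.
ns1.example.com.    A   192.0.2.53
azure.example.com.  NS  azuredns.com.
"""

def fqdn(name):
    """Normalise a domain name: lower case, exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def parse(text):
    """Return {(owner, type): {rdata, ...}} from 'owner TYPE rdata' lines."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        owner, rtype, rdata = fields
        rtype = rtype.upper()
        rrsets[(fqdn(owner), rtype)].add(fqdn(rdata) if rtype == "NS" else rdata)
    return rrsets

def check_delegation(zone, parent_text, child_text):
    """Return a list of findings; an empty list means both checks pass."""
    zone = fqdn(zone)
    parent, child = parse(parent_text), parse(child_text)
    findings = []
    p_ns, c_ns = parent[(zone, "NS")], child[(zone, "NS")]
    if p_ns != c_ns:  # consistency between delegation and zone
        findings.append(f"NS mismatch: parent={sorted(p_ns)} child={sorted(c_ns)}")
    for host in sorted(p_ns):  # consistency between glue and authoritative data
        for rtype in ("A", "AAAA"):
            glue, auth = parent[(host, rtype)], child[(host, rtype)]
            if glue and glue != auth:
                findings.append(f"glue mismatch for {host} {rtype}: "
                                f"parent={sorted(glue)} child={sorted(auth)}")
    return findings
```

The sub-zone delegation `azure.example.com. NS azuredns.com.` in `CHILD_OK` is not compared against the parent, because only the apex NS set of `example.com.` is covered by the delegation in `com.`.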