.TLD minimum number of nameservers rule

Timothe Litt litt at acm.org
Tue Dec 13 11:08:35 UTC 2011


Actually, there's a simpler solution to meeting the rule for 2 NS.

Use any of the secondary nameserver services.  They come in a range of
prices/service levels.  (Price and delivered service don't always
correlate.)  Generally they act as slaves off your master; some are BIND
based and use IXFR; others poll.  Besides the required redundancy, they will
meet the requirement for geographic separation.  There is at least one free
service that supports DNSSEC (though that's rare.)

Google "secondary DNS" or "backup DNS" for a starting point.



---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed. 
 
-----Original Message-----
From: nudgemac at fastmail.fm [mailto:nudgemac at fastmail.fm] 
Sent: Tuesday, December 13, 2011 03:54
To: Fajar A. Nugraha
Cc: bind-users at isc.org
Subject: Re: Re: .TLD minimum number of nameservers rule

> 
> What IS the problem, exactly? You're describing two things that 
> don't seem to be related: number of NS for a zone, and PTR/DNAME 
> records.

My apologies if, in an attempt to be succinct, I failed to be clear.

> 
> If you don't "own" an IP address, then usually you don't need to 
> bother about PTR records at all. If you need to change PTR record for 
> an IP address that you use (e.g. VPS, colo, home connection, etc) you 
> usually need to ask your ISP to update/change it.

The company in question has a single public IP address connecting its
internal LAN with the internet. A classic NAT configuration.

> DNAME creates an alias for one or more subdomains of a domain. Chances 
> are you won't need it for common uses.

I'm not so sure I'd make that assumption.

> > For instance, would this be a problem when implementing a wide area 
> > bonjour subdomain using my own local dns server for clients that are 
> > mobile (internal/external) ?
> 
> Bonjour should work even without a DNS server.

Reminds me of Cool Hand Luke  <: what we have here is a failure to
communicate :>

> You could always create your own DNS server if you REALLY need those 
> record types :) The cheapest VPS is about $15/year, which should be 
> more than enough for a secondary DNS server.

I'm running BIND 9.6 and dnsextd (LLQ and TSIG handling). I have split DNS
views based on source IP address and possession of a TSIG key:
internal-trusted/external-trusted/internal-visitor/external-visitor.
The DNS server and clients are all Mac OS X 10.6+, so I'm taking advantage of
mDNSResponder features such as looking in the system keychain for the TSIG
keys. I have a WAB subdomain for dns-sd, etc. I've had to replace dnsextd
with an older version, since current Mac OS X versions are dead.

I wondered if the limited access to DNS records at the top level of my
domain would be a problem.
My first thought was to take over the DNS for this domain, but RFC 882 saying
a domain must have at least 2 nameservers rules that out. Frankly, I probably
don't understand enough about how glue records function...

Thanks for your help
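
As an added example (not from this thread or from ISC), the primary/secondary arrangement described in the reply above, written as BIND named.conf fragments: the primary only hands the zone to transfer requests signed with a TSIG key shared with the secondary service and notifies it on changes; the secondary slaves the zone from the primary. The key name, secret and addresses are constructed placeholders.

```conf
// ---- On the primary (master) server ----
// TSIG key shared with the secondary service. The secret is a constructed
// placeholder; generate a real one with tsig-keygen (dnssec-keygen on
// older BIND releases) and keep it out of world-readable files.
key "xfer-secondary.example.com." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen==";
};

// The secondary service (placeholder address). Binding the key to the
// server means transfers and notifies to it are always signed.
server 192.0.2.53 {
    keys { "xfer-secondary.example.com."; };
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    // Only key-signed requests may transfer the zone; an IP-only ACL
    // would let a spoofed or shared-network source pull the whole zone.
    allow-transfer { key "xfer-secondary.example.com."; };
    // NOTIFY the secondary so it refreshes (IXFR where supported)
    // immediately rather than waiting for the SOA refresh interval.
    also-notify { 192.0.2.53; };
    notify explicit;
};

// ---- On the secondary (slave) server ----
key "xfer-secondary.example.com." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen==";
};

// The primary (placeholder address); sign everything sent to it.
server 198.51.100.10 {
    keys { "xfer-secondary.example.com."; };
};

zone "example.com" {
    type slave;
    file "/var/named/secondary/example.com.zone";
    masters { 198.51.100.10; };
    // Accept NOTIFY only from the primary, and do not re-serve transfers.
    allow-notify { 198.51.100.10; };
    allow-transfer { none; };
};
```

Both servers must also appear in the zone's NS RRset (with matching delegation and glue at the parent), and the secondary should sit on a different network from the primary for the redundancy to mean anything. After a change, `dig @<each NS> example.com SOA +norecurse` should return the same serial from both.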
