Difference between multiple NS and NS having multiple A

Shane Kerr shane at isc.org
Tue Feb 19 10:13:17 UTC 2013


Mark & Alexander,

On Monday, 2013-02-18 08:43:32 +1100, 
Mark Andrews <marka at isc.org> wrote:
> 
> In message
> <CABUciRkAPvEyFr1s5ygu8=KfxDfLbJadauY4AsB4W_kWs5-tJQ at mail.gmail.com> ,
> Alexander Gurvitz writes:
> > Is there any practical difference between the following two:
> > 
> > 1.
> > example.com. NS ns1.example.com.
> > example.com. NS ns2.example.com.
> > ns1.example.com. A 1.1.1.1
> > ns2.example.com. A 1.1.1.2
> > 
> > 2.
> > example.com. NS ns.example.com.
> > ns.example.com. A 1.1.1.1
> > ns.example.com. A 1.1.1.2
> 
> Yes.  It makes fault isolation harder.

I don't see much difference in the examples that Alexander submitted,
except that resolvers track the TTL of each name server separately. So,
in the second case the TTL of ns.example.com may time out and both
1.1.1.1 and 1.1.1.2 become unusable for example.com at the same time.

I think this is better demonstrated by a setup something like this:

    ns1.example.com. A 1.1.1.1
    ns2.example.net. A 1.1.1.2

Versus:

    ns1.example.com. A 1.1.1.1
                     A 1.1.1.2

In the first case, since you're using different domains, you could get
some fault isolation.

> > Is there any possible difference in the resolvers' behavior?
> > How does bind9(10?) treat that?
> > 
> > If someone knows about not-bind DNS resolvers I'd be happy to know
> > that too.
> > 
> > Reason: We run a public DNS hosting service. I think it would be more
> > user-friendly if once we add more nameservers, we would just add
> > them as A records under the same ns1/ns2, instead of advising each
> > user to add ns3..nsX to their parent zones.

This actually makes sense. Having to work with the parent can indeed
be a pain. (I recently renumbered at home and had to change NS RRSET
and glue with 3 different registrars... it must be horrible in any real
production environment.)

My own take on it would be that any extra redundancy beyond the normal
2 domain names is unlikely to outweigh the administrative hassle. So, I
think Alexander's approach makes sense. :)

> Add some AAAA address as well.

Speaking of AAAA addresses, in the interests of fault isolation, it
would seem to make sense to use different names for IPv6 servers:

   ns1.example.com. A 1.1.1.1
   ns2.example.net. A 1.1.1.2
   ns3.example.org. AAAA 1:2:3:4::1
   ns4.example.nl.  AAAA 1:2:3:5::1

Cheers,

--
Shane
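The TTL point Shane raises, as an added toy model that is not from this thread and not BIND code: a resolver caches each RRset with one TTL, so in setup 2 both addresses of ns.example.com drop out of the cache together, while in setup 1 the A RRsets of ns1 and ns2 are tracked separately. The 1800 s offset between when the resolver learned the two addresses is an assumption made to show the effect.

```python
from dataclasses import dataclass

@dataclass
class RRset:
    """One cached RRset; all its records share a single TTL (constructed toy model)."""
    rdata: list
    ttl: int
    cached_at: int  # resolver clock (seconds) when this RRset was learned

    def alive(self, now: int) -> bool:
        # Known to the resolver and not yet expired.
        return self.cached_at <= now < self.cached_at + self.ttl

class ResolverCache:
    """Minimal per-RRset TTL cache; models the TTL point only, not BIND itself."""

    def __init__(self):
        self.rrsets = {}  # (owner, rtype) -> RRset

    def learn(self, owner, rtype, rdata, ttl, now):
        self.rrsets[(owner, rtype)] = RRset(list(rdata), ttl, now)

    def lookup(self, owner, rtype, now):
        rr = self.rrsets.get((owner, rtype))
        return rr.rdata if rr and rr.alive(now) else []

    def usable_addresses(self, zone, now):
        """Name server addresses for `zone` still in cache at time `now`."""
        addrs = []
        for ns in self.lookup(zone, "NS", now):
            for rtype in ("A", "AAAA"):
                addrs += self.lookup(ns, rtype, now)
        return addrs

def multiple_ns():
    """Setup 1: two NS names, one A each. Assumed: the resolver learned ns2's
    address 1800 s after ns1's, so the two A RRsets expire at different times."""
    c = ResolverCache()
    c.learn("example.com.", "NS", ["ns1.example.com.", "ns2.example.com."], 86400, 0)
    c.learn("ns1.example.com.", "A", ["1.1.1.1"], 3600, 0)
    c.learn("ns2.example.com.", "A", ["1.1.1.2"], 3600, 1800)
    return c

def single_ns_two_a():
    """Setup 2: one NS name whose single A RRset carries both addresses."""
    c = ResolverCache()
    c.learn("example.com.", "NS", ["ns.example.com."], 86400, 0)
    c.learn("ns.example.com.", "A", ["1.1.1.1", "1.1.1.2"], 3600, 0)
    return c
```

At t=3600 setup 1 still has 1.1.1.2 in cache while setup 2 has nothing left until the resolver re-queries.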