by wahern 1463 days ago
> I'm afraid that it would be difficult to maintain configuration across multiple DNS providers

A secondary host should be able to pull zones from the primary using standard AXFR, optionally using TSIG authentication. The primary can also notify a secondary using DNS NOTIFY for near instantaneous synchronization.

For some of my domains I prefer hosting primary myself, along with e-mail, web, etc. I just find it easier managing NSD configs and zone files the old fashioned way (version controlled, of course), rather than mucking about with GUIs or proprietary APIs. But in those cases I'll often use EasyDNS for secondary or tertiary. Whenever I edit and reload a zone file for one of these domains, NSD automatically pings EasyDNS, which then AXFR's the new zone. Easy peasy, at least once you wrap your head around AXFR, TSIG, and NOTIFY.

Your domain registrar is the gatekeeper for glue NS records, so if your primary DNS host[1] ever had a sustained down period, it's still relatively simple and fast to update your nameservers as needed.

[1] Yourself or another service--hopefully not the same as your registrar as that would defeat the purpose.
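An added illustration of the primary/secondary setup the comment describes (TSIG-authenticated AXFR plus NOTIFY), written for NSD. This is not the commenter's own configuration: the zone name, key name, file paths, addresses (documentation ranges) and secret are placeholders.

```conf
# Added example, not the commenter's actual nsd.conf. Hostnames, IP addresses
# and the key secret are placeholders; replace them with your own.

# --- primary (nsd.conf) ---
key:
    name: "xfer-example.com"
    algorithm: hmac-sha256
    # generate a fresh secret with: openssl rand -base64 32
    secret: "REPLACE_WITH_BASE64_SECRET"

zone:
    name: "example.com"
    zonefile: "/etc/nsd/zones/example.com.zone"
    # send DNS NOTIFY to the secondary after a reload, signed with the key
    notify: 192.0.2.53 xfer-example.com
    # allow that secondary to AXFR the zone, but only with a valid TSIG
    provide-xfr: 192.0.2.53 xfer-example.com

# --- secondary (nsd.conf) ---
key:
    name: "xfer-example.com"
    algorithm: hmac-sha256
    # must be byte-for-byte identical to the primary's secret
    secret: "REPLACE_WITH_BASE64_SECRET"

zone:
    name: "example.com"
    zonefile: "/var/lib/nsd/secondary/example.com.zone"
    # accept NOTIFY from the primary only when it is TSIG-signed
    allow-notify: 198.51.100.53 xfer-example.com
    # pull the zone from the primary with AXFR, signed with the key
    request-xfr: AXFR 198.51.100.53 xfer-example.com
```

Workflow: edit the zone file on the primary, bump the SOA serial (a secondary only transfers when the serial increases), then `nsd-control reload example.com`; NSD sends the NOTIFY and the secondary answers with an AXFR. `nsd-control zonestatus example.com` on the secondary shows the serial it currently serves. Keep `provide-xfr` restricted to known addresses with a key: `provide-xfr: 0.0.0.0/0 NOKEY` hands the whole zone to anyone who asks.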

1 comment

> Your domain registrar is the gatekeeper for glue NS records, so if your primary DNS host[1] ever had a sustained down period, it's still relatively simple and fast to update your nameservers as needed.

It's simple, but not exactly fast. .com and .net glue records have a TTL of 2 days, so expect significant delay. Different TLDs have different times, though; .org is only 1 hour, and I'm not looking up anything else ;)
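An added example (not from the thread) of how to check the figure the comment refers to: the TTL the parent zone attaches to a delegation's NS records, which is the longest a resolver honouring that TTL will keep using the old nameservers after a change at the registrar. The `dig` output below is constructed to resemble a referral from a .com server so the script runs offline; the nameserver names and addresses are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Against a real parent zone the input would come from a non-recursive
# query to one of its servers, e.g. for a .com name:
#   dig +norecurse NS example.com @a.gtld-servers.net | delegation_ns_ttl
# The sample below is constructed to look like that referral.

SAMPLE_DIG_OUTPUT='; <<>> DiG 9.18.0 <<>> +norecurse NS example.com @a.gtld-servers.net
;; QUESTION SECTION:
;example.com.            IN      NS

;; AUTHORITY SECTION:
example.com.     172800  IN      NS      ns1.example.com.
example.com.     172800  IN      NS      ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com. 172800  IN      A       192.0.2.1
ns2.example.com. 172800  IN      A       192.0.2.2'

# Largest TTL on the NS records in dig output read from stdin (0 if none).
# Question-section and glue A/AAAA lines are skipped by the field test.
delegation_ns_ttl() {
    awk '$3 == "IN" && $4 == "NS" { if ($2 + 0 > max) max = $2 + 0 }
         END { print max + 0 }'
}

# Render a TTL in seconds as days, hours and minutes.
seconds_to_human() {
    s=$1
    printf '%dd %dh %dm\n' "$((s / 86400))" "$((s % 86400 / 3600))" "$((s % 3600 / 60))"
}

ttl=$(printf '%s\n' "$SAMPLE_DIG_OUTPUT" | delegation_ns_ttl)
echo "Parent delegation TTL: ${ttl}s ($(seconds_to_human "$ttl"))"
```

Run it against the real parent before an emergency nameserver change so the delay is known in advance; the number only bounds resolvers that respect the published TTL, which, as the thread goes on to note, not all of them do.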

Good point, I forgot about TTLs in the recursive chain.

How common is it for recursive resolvers to cache glue records? Is it more common for in-bailiwick NS domains?

(This issue exists regardless of setup, so I hope the OP and others aren't dissuaded from exploring their options.)

I'd expect all caching recursive resolvers to cache glue records as well as the requested records. It's part of the deal; if they didn't, the root servers would have an insane load. (After all, you need to get glue records for .com, etc., too.)

Of course, there are probably exceptions, and cache size is limited. I can say that some resolvers seem to cache glue records for a long time, more than the published TTL; when I switched NS records for a popular domain, we continued to get requests on the old domain for more than 4 weeks (at which point we needed to end the previous service).