--- Begin Message ---
> On 24 Sep 2025, at 00:00, Ondřej Surý <[email protected]> wrote:
> [..]
> FTR distributing the DNS among multiple TLDs does not increase resiliency. In fact, I believe using direct in-domain nameservers is the best option instead of this madness. I have an old blogpost on this I might revive and put somewhere again.
Yep, agree.
(TLDR: Hierarchical DNS means spreading NS to other TLDs does not help
resilience but makes it more fragile ;)
The joke is that if the TLD of a domain breaks then there is no way to find the
NS (even with the NS outside of the broken TLD) anyway, irrespective of how many
TLDs the NS are distributed over. Hence it just makes things more fragile, as the
chance of a TLD breaking goes up.
One could argue that if you have hundreds/thousands of domains, migrating
all of the NS away from a broken TLD that hosts an NS would be cumbersome, but then
again, if the TLD that an NS is under is broken, one already has resolver
issues and delays. In this case Afilias is behind both .info and .org.
Using well-managed TLDs is a better approach; or, if you had the cash to get
a TLD yourself, using your own TLD if you really want to reduce risk. Hey, they
got one: dnsX.nic.microsoft; wonder why it is not being used...
Of course, as a disaster recovery method, being able to mass-migrate/change NS
automatically could partially address TLD-for-NS loss, but one will still have had
a partial delay/outage. Anyway, more TLDs => more risk.
For us normal people who cannot afford/get a TLD (which also makes sense due to
global scaling, which is why there are TLDs in the first place), it would be
awesome if there was some kind of way to indicate TLD equivalence, though
that would mean a registry akin to a TLD where that lookup would have
to be made as a side-lookup, and trust in that. Caching well-known TLDs (some
allow AXFR or offer a way to get a copy) would be a better path then.
And that is kinda what "public DNS" suggests to offer as an advantage over
smaller DNS recursive instances.
Greets,
Jeroen
PS: as for CNAMEs, outside of aliasing _acme-challenge labels to keep those in
a dynamic, one should IMHO as good as never use them; it just causes so much
complexity and fragility...
--- End Message ---
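As an added illustration of the hierarchy argument in the message above (my own toy model, not code from the thread or from any participant): constructed delegations are checked for which TLD outages break resolution of an in-domain zone, a zone whose NS all live under other TLDs, and a zone caught in a circular out-of-bailiwick dependency. Zone names, NS hostnames, the three-TLD universe and the failure probability are all assumptions made up for the example.

```python
from itertools import combinations

# Constructed delegations (not real zone data): zone -> NS hostnames.
ZONES = {
    "example.org": ["ns1.example.org", "ns2.example.org"],   # in-domain NS
    "spread.org":  ["ns1.spread.info", "ns1.spread.net"],    # NS under other TLDs
    "spread.info": ["ns1.spread.info"],
    "spread.net":  ["ns1.spread.net"],
    "loop.org":    ["ns1.loop.info"],                        # circular dependency
    "loop.info":   ["ns1.loop.org"],
}
TLDS = ("org", "info", "net")   # assumed universe of TLDs for the model

def tld(name):
    return name.rsplit(".", 1)[-1]

def zone_of(host):
    # Assumption of the toy model: every host sits directly under a 2-label zone.
    return ".".join(host.split(".")[-2:])

def resolvable(zone, broken, visiting=frozenset()):
    """A zone resolves if its TLD works and at least one NS can be reached.
    In-bailiwick NS come with glue; out-of-bailiwick NS need their own zone
    resolved first, and a cycle of such dependencies never terminates."""
    if tld(zone) in broken or zone in visiting or zone not in ZONES:
        return False
    for ns in ZONES[zone]:
        if zone_of(ns) == zone or resolvable(zone_of(ns), broken, visiting | {zone}):
            return True
    return False

def minimal_cuts(zone, tlds=TLDS):
    """Smallest sets of broken TLDs that make `zone` unresolvable."""
    cuts = []
    for r in range(len(tlds) + 1):
        for combo in map(frozenset, combinations(tlds, r)):
            if not any(c <= combo for c in cuts) and not resolvable(zone, combo):
                cuts.append(combo)
    return cuts

def failure_probability(zone, p, tlds=TLDS):
    """P(zone unresolvable) if each TLD fails independently with probability p."""
    n, total = len(tlds), 0.0
    for r in range(n + 1):
        for combo in map(frozenset, combinations(tlds, r)):
            if not resolvable(zone, combo):
                total += p ** r * (1 - p) ** (n - r)
    return total

if __name__ == "__main__":
    for z in ("example.org", "spread.org", "loop.org"):
        print(z, [sorted(c) for c in minimal_cuts(z)], round(failure_probability(z, 0.01), 6))
```

The in-domain zone only dies with its own TLD, the spread zone dies with its own TLD or with both foreign TLDs together, so its failure probability can only be equal or higher; the loop zone is unresolvable even with every TLD healthy.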
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations