Skip to main content

domain name system - DNS referral / delegation: which DNS is responsible; How to delegate the right way?





I bought the domain earechnung.at with Hetzner and am using my webspace at All-Inkl. I want to use the nameservers of my webhost (All-Inkl).





As I registered the domain with Hetzner, nic.at (the austrian domain registry) lists the following nameservers (all the ones of Hetzner):





Nameserver (Hostname) 1: ns.second-ns.com
Nameserver (Hostname) 2: ns1.your-server.de
Nameserver (Hostname) 3: ns3.second-ns.de




Zonefile at Hetzner



The zonefile at Hetzner now looks like the following:



$TTL 7200

@   IN SOA ns5.kasserver.com. office.earechnung.at. (
    2014030300   ; serial
    14400        ; refresh
    1800         ; retry
    604800       ; expire
    86400 )      ; minimum

@                        IN NS      ns6.kasserver.com.
@                        IN NS      ns5.kasserver.com.


@                        IN A       85.13.135.165
mail                     IN A       85.13.135.165
www                      IN A       85.13.135.165
w3                       IN A       85.13.135.165
ftp                      IN CNAME   www
imap                     IN CNAME   mail
pop                      IN CNAME   mail
relay                    IN CNAME   mail
smtp                     IN CNAME   mail
@                        IN MX 10   mail



So what I wanted was to delegate everything to the All-Inkl nameservers (ns5/6.kasserver.com). Therefore I mentioned them as SOA and NS. However it seems like the Hetzner DNS directly responds to the requests.



All-Inkl Zonefile



The administration system of All-Inkl looks like the following for DNS:
All-Inkl DNS Administration System






nslookup from my windows client



>nslookup -type=A -debug w3.earechnung.at.
------------
...
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR

        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 2,  additional = 2

    QUESTIONS:
        w3.earechnung.at, type = A, class = IN
    ANSWERS:
    ->  w3.earechnung.at
        internet address = 85.13.135.165
        ttl = 4933 (1 hour 22 mins 13 secs)
    AUTHORITY RECORDS:

    ->  earechnung.at
        nameserver = ns5.kasserver.com
        ttl = 4608 (1 hour 16 mins 48 secs)
    ->  earechnung.at
        nameserver = ns6.kasserver.com
        ttl = 4608 (1 hour 16 mins 48 secs)
    ADDITIONAL RECORDS:
    ->  ns5.kasserver.com
        internet address = 85.13.128.3
        ttl = 3758 (1 hour 2 mins 38 secs)

    ->  ns6.kasserver.com
        internet address = 85.13.159.101
        ttl = 2220 (37 mins)

------------
Nicht autorisierende Antwort:
Name:    w3.earechnung.at
Address:  85.13.135.165



Online tracing



Tracing the DNS-file with simpledns.com outputs the following:




Tracing DNS delegation for "w3.earechnung.at":



Loading root server list (static data):
-> a.root-servers.net (198.41.0.4)
-> b.root-servers.net (192.228.79.201)
-> c.root-servers.net (192.33.4.12)
-> d.root-servers.net (128.8.10.90)
-> e.root-servers.net (192.203.230.10)
-> f.root-servers.net (192.5.5.241)
-> g.root-servers.net (192.112.36.4)
-> h.root-servers.net (128.63.2.53)
-> i.root-servers.net (192.36.148.17)
-> j.root-servers.net (192.58.128.30)
-> k.root-servers.net (193.0.14.129)
-> l.root-servers.net (199.7.83.42)
-> m.root-servers.net (202.12.27.33)
Sending request to "f.root-servers.net" (192.5.5.241)
Received referral response - DNS servers for "at":
-> r.ns.at (194.0.25.10)
-> d.ns.at (81.91.161.98)
-> ns9.univie.ac.at (194.0.10.100)
-> u.ns.at (195.66.241.82)
-> ns1.univie.ac.at (78.104.144.2)
-> n.ns.at (81.91.173.130)
-> j.ns.at (194.146.106.50)
-> ns2.univie.ac.at (192.92.125.2)
Sending request to "n.ns.at" (81.91.173.130)
Received referral response - DNS servers for "earechnung.at":
-> ns3.second-ns.de (no IP address)
-> ns.second-ns.com (no IP address)
-> ns1.your-server.de (no IP address)
Attempting to resolve DNS server name "ns1.your-server.de" (details not logged)
Resolved DNS server name "ns1.your-server.de" to IP address 213.133.106.251
Sending request to "ns1.your-server.de" (213.133.106.251)
Received authoritative (AA) response:
-> Answer: A-record for w3.earechnung.at = 85.13.135.165
-> Authority: NS-record for earechnung.at = ns5.kasserver.com
-> Authority: NS-record for earechnung.at = ns6.kasserver.com
Trace DNS Delegation for another domain name







My Questions now are:




  1. Is there a best practice for this scenario (domain with Hoster A, webspace with Hoster B)?


    1. Should I give the SOA to the Hetzner dns or all-inkl?

    2. Should I change the nameserver directly at nic.at?


    3. In my understanding I did not provide a glue record (A record) for ns5 and ns6.kasserver.com. Do I need one or is this done automatically?


  2. What if I want to use something like CloudFlare? How does the delegation between Hetzner, All-Inkl and Cloudflare works best?

  3. Which server actually responds to the request?


    1. If I query w3.earechnung.at which is entered on both dns servers, it seems to me like Hetzners ns1.your-server.de responds with an anauthoritive answer and states, that ns5.kasserver.com is authoritive). Am I right?

    2. If I query ai.earechnung.at which is only registered on All-Inkls dns server, I receive something like ai.earechnung.at. wurde von UnKnown nicht gefunden: Non-existent domain or server can't find ai.earechnung.at: NXDOMAIN


  4. I think I delegated the whole site to the all-inkl dns server. Is this correct or is there a better way? Do I have to setup every subdomain at the all-inkl server?






I also looked at the following questions, but could not find an answer (or at least did not understand it):




Answer



Firstly, may I congratulate you on what I think is a well-written, clear, and well-researched question, and for not redacting the domain name; that last is hugely helpful in answering.




Let me address the substantive issue, if I may: the whois points to a different set of nameservers than those which you have set up to be authoritative:



[me@risby ~]$ whois earechnung.at
[Querying whois.nic.at]
[...]
domain:         earechnung.at
registrant:     MAT8777331-NICAT
admin-c:        AT8777330-NICAT
tech-c:         MH536567-NICAT
nserver:        ns1.your-server.de

nserver:        ns3.second-ns.de
nserver:        ns.second-ns.com
changed:        20121004 15:29:23
source:         AT-DOM


Note the three listed servers. I freely concede that you have those servers set up to serve NS records that point the query elsewhere - but you also have them set up with data to respond to the authoritative request, and their server believes itself to be authoritative for the zone and can therefore lawfully return authoritative negative responses for RRs it doesn't know about. The right thing to do in this case is go back to the registrar, which I think is Hetzner in this case, and change the nameserver records not in their DNS server, but in their registration server - the device that populates the whois for .at. - to return your two new servers ns5.kasserver.com. and ns6.kasserver.com.



The business of serving a set of NS records to delegate a subzone works perfectly when it's used to do that: delegate a subzone of the one which was followed to the current set of nameservers. Using them more like an HTTP 301 redirect is unusual, and - as you have found - may not work perfectly.




As to best practice, it's completely normal to use one provider for registration and another for DNS provision. That said, the two tasks are often so closely welded that some registrars can't cope with having a registered zone on any DNS servers but their own. If Hetzner is one such, you will need to move the domain registration to a different registrar.


Comments

Post a Comment

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits,
Post a Comment
Read more

apache 2.2 - Server Potentially Compromised -- c99madshell

So, low and behold, a legacy site we've been hosting for a client had a version of FCKEditor that allowed someone to upload the dreaded c99madshell exploit onto our web host. I'm not a big security buff -- frankly I'm just a dev currently responsible for S/A duties due to a loss of personnel. Accordingly, I'd love any help you server-faulters could provide in assessing the damage from the exploit. To give you a bit of information: The file was uploaded into a directory within the webroot, "/_img/fck_uploads/File/". The Apache user and group are restricted such that they can't log in and don't have permissions outside of the directory from which we serve sites. All the files had 770 permissions (user rwx, group rwx, other none) -- something I wanted to fix but was told to hold off on as it wasn't "high priority" (hopefully this changes that). So it seems the hackers could've easily executed the script. Now I wasn't able
Post a Comment
Read more