Why are there always at least two authoritative name servers for a registered domain

authoritativedomain-name-system

I see that almost all registered domains have at least two authoritative name servers configured (and for most of them, exactly two), and that using two servers provides redundancy against any kind of server failure. Technically there's no restriction on number of auth NS servers, so a single NS also works.

However, for some zones, there are already multiple addresses for one server configured, like ns1.qq.com (4 IPv4 addresses, auth NS for qq.com.). And for some other zones, the name servers are distributed using techniques like anycast, like ns3.cloudflare.com (one anycast IPv4 and one anycast IPv6).

In those cases, why would one still configure multiple authoritative name servers for a zone, when one NS entry can already provide redundancy against physical server failure?

Best Answer

In the early days of internet, registrars required you to have two DNS servers at different physical locations before they would register your domain. I don't know what today's requirements are, but I'm sure that historical tradition has carried on past the point where it was strictly necessary to provide redundancy. And a lot of the ones you see are probably the original NS pairs that were registered, and it just never changed.

It's also much simpler to do it that way than to set up anycast, hot failovers, etc.

Related Solutions

Why is BIND giving me a SERVFAIL in this case? (Notes inside)

You probably ran foul of the "EXPIRE" field in the SOA record - from §3.3.13 of RFC 1035:

EXPIRE          A 32 bit time value that specifies the upper limit on
                the time interval that can elapse before the zone is no
                longer authoritative.

This field tells a secondary server how long to serve a zone for if the master is no longer responding.

When you changed the zone file on "ns3" did you also reconfigure BIND so that the zone was listed as a "master" rather that a "slave" ? If so, it's that change rather than the change to the first SOA field that actually fixed it.

Windows – AD-integration of dns primary and secondary vs. stub zones (MS Windows Server)

The way Active Directory's multiple-master replication works is quite different from the DNS protocol's primary/secondary replication model. So a secondary copy of the records is truly "secondary", in that it is always refreshed from the master.
Not quite sure what you mean... Can you clarify?
We need secondary zones because that's the way every other DNS server in the world works, including the industry standard one, BIND. Many companies have their BIND services running on large UNIX servers, and the Windows AD/DNS servers just have a secondary copy.
Yes, each domain controller keeps a full copy of all the AD & DNS data (with some minor exceptions--read up on Global Catalogs and FSMO roles).
Sort of... there's no built-in command to do this, but you can use BIND tools and a copy of the data from the secondary to fill out a new primary zone. It's not advisable, though.
No, you still have full control over zone transfer security. The quoted line is saying that the SOA, NS and A-records which point to the zone's primary & secondary name servers are always available for all clients to read, which means that they could use the info to create their own stub zone if they wanted to.

Best Answer

Related Solutions

Why is BIND giving me a SERVFAIL in this case? (Notes inside)

Windows – AD-integration of dns primary and secondary vs. stub zones (MS Windows Server)

Related Topic