Update nameservers while transferring a domain - dns

I am trying to change the nameservers for a domain that is being transferred to another registrar. The process takes between 5 and 7 days.
The former domain registrar is refusing to update the nameservers while the transfer is taking place.
I searched the transfer policy on ICANN but I did not find anything that prohibits me from changing the nameservers while the domain is being transferred.
Is there another ICANN policy that defines this?

The answer depends on the TLD.
In the most frequent case (that is, using EPP without a specific extension), a transfer of a domain name is made without any change to its current technical configuration. So the nameservers can be changed just before the transfer is started or just after it is completed, but not during it.
You cannot change anything on the domain name while the transfer is pending, because the domain will be in the pendingTransfer EPP status, and no update on a domain name is allowed when it is under a "pending" status.
The former registrar can do nothing even if it wanted to: as soon as the transfer is started, it is under the control of the registry. This is not an ICANN policy, this is a technical rule described in the EPP RFCs (see STD69 at https://www.rfc-editor.org/info/std69).
In gTLDs, the transfer can typically last up to 5 days, but this is for administrative reasons, not technical ones. You can speed it up by explicitly allowing it at the current sponsoring registrar (for those allowing their customers to have this option).
Note that in some TLDs you can specify, at the moment you do the transfer, the new nameservers to use, but this will also be done after the transfer is finished.
You can get the same behaviour with any competent registrar for any TLD to which you would have decided to transfer the domain: it can record both your order to do the transfer and the new nameservers you would like, so that, as soon as the transfer finishes, it can put the new nameservers in place automatically for you.
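To make the pendingTransfer rule concrete, here is an added example (written for this page, not part of the answer above and not any registry's code). It builds the EPP `<domain:update>` a registrar sends to swap nameservers (RFC 5731) and models the registry-side status check that refuses it with result code 2304, "Object status prohibits operation" (RFC 5730), while the domain carries a pending status, and accepts it with 1000 once the transfer has completed. The host names, the clTRID and the `registry_update_gate` function are constructed for illustration; a real registry performs this check inside its EPP server.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"        # RFC 5730
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"  # RFC 5731
ET.register_namespace("", EPP_NS)
ET.register_namespace("domain", DOMAIN_NS)


def E(ns, tag):
    """Clark-notation tag name for ElementTree."""
    return f"{{{ns}}}{tag}"


def build_ns_update(domain, add_hosts=(), rem_hosts=(), cl_trid="client-trid-0001"):
    """The <domain:update> a registrar would send to replace the delegation (host objects)."""
    epp = ET.Element(E(EPP_NS, "epp"))
    command = ET.SubElement(epp, E(EPP_NS, "command"))
    update = ET.SubElement(command, E(EPP_NS, "update"))
    dom = ET.SubElement(update, E(DOMAIN_NS, "update"))
    ET.SubElement(dom, E(DOMAIN_NS, "name")).text = domain
    for section, hosts in (("add", add_hosts), ("rem", rem_hosts)):
        if hosts:
            ns = ET.SubElement(ET.SubElement(dom, E(DOMAIN_NS, section)), E(DOMAIN_NS, "ns"))
            for host in hosts:
                ET.SubElement(ns, E(DOMAIN_NS, "hostObj")).text = host
    ET.SubElement(command, E(EPP_NS, "clTRID")).text = cl_trid
    return ET.tostring(epp, encoding="unicode")


def registry_update_gate(update_xml, statuses):
    """Constructed model of the registry's check: any pending* or *UpdateProhibited status blocks the update.

    Returns (EPP result code, response XML)."""
    root = ET.fromstring(update_xml)
    domain = root.findtext(f".//{E(DOMAIN_NS, 'name')}")
    cl_trid = root.findtext(f".//{E(EPP_NS, 'clTRID')}")
    blocking = sorted(s for s in statuses if s.startswith("pending") or s.endswith("UpdateProhibited"))
    if blocking:
        code, msg = 2304, "Object status prohibits operation"
    else:
        code, msg = 1000, "Command completed successfully"
    epp = ET.Element(E(EPP_NS, "epp"))
    response = ET.SubElement(epp, E(EPP_NS, "response"))
    result = ET.SubElement(response, E(EPP_NS, "result"), code=str(code))
    ET.SubElement(result, E(EPP_NS, "msg")).text = msg
    if blocking:
        ext = ET.SubElement(result, E(EPP_NS, "extValue"))
        value = ET.SubElement(ext, E(EPP_NS, "value"))
        for status in blocking:
            ET.SubElement(value, E(DOMAIN_NS, "status"), s=status)
        ET.SubElement(ext, E(EPP_NS, "reason")).text = f"{domain}: update refused while {', '.join(blocking)}"
    tr_id = ET.SubElement(response, E(EPP_NS, "trID"))
    ET.SubElement(tr_id, E(EPP_NS, "clTRID")).text = cl_trid
    ET.SubElement(tr_id, E(EPP_NS, "svTRID")).text = "server-trid-0001"  # constructed
    return code, ET.tostring(epp, encoding="unicode")


if __name__ == "__main__":
    req = build_ns_update("example.com",
                          add_hosts=["ns1.new-registrar.example"],   # constructed names
                          rem_hosts=["ns1.old-registrar.example"])
    for statuses in ({"ok", "pendingTransfer"}, {"ok"}):
        code, resp = registry_update_gate(req, statuses)
        print(statuses, "->", code)
        print(resp)
```

The same gate refuses a domain that has `clientUpdateProhibited` or `serverUpdateProhibited` set, which is why registrar "lock" features and the transfer window behave alike from the registrar's point of view: the registry, not the losing registrar, is the party saying no.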

Related

Defining two sub domains of my domain as nameservers of another domain

Suppose that I own example.com, which is served by my own DNS server, and I can create every record that I want.
Now imagine that one of my friends gets a new domain called new-domain.com and I want to help him manage his domain with his own DNS server.
So in my dns system for example.com, I create two A records as:
my.ns1.example.com -> some.ip.addr
and
my.ns2.example.com -> some.ip.addr
(some.ip.addr is the ip address of his DNS server)
and ask him to set my.ns1.example.com and my.ns2.example.com as name servers for his domain.
But he cannot set them because he gets an invalid nameserver error!
It's my understanding that because example.com is working properly in the DNS system, and thus my.ns1.example.com and my.ns2.example.com are resolved to the IP address properly, nothing can prevent them from being used as nameservers.
I searched around and found that some people say the nameservers should be registered. I understand registering when we have to ask for setting glue records, but for this case I have no idea why we would need to register those names.
To be more specific with a real life example, why is jobs.ns.cloudflare.com a valid nameserver but www.cloudflare.com is not?
I asked the same question on serverfault.com with this link
I quote the important part of the answer here:
From a pure DNS perspective, an authoritative nameserver (such as those for com) should not perform any kind of recursion to learn the IP address of the nameservers that are defined in your example.com zone. Instead, the registry permits registrars to add glue records to the com domain, and those registrars can provide a user interface so that the owners of the domains that these custom nameservers live in can do so. (example: Namecheap - How do I register personal nameservers for my domain?)
(To address the elephant in the room...no, these glue records are not strictly required. But policies are policies, and if the registrar interface requires the registry level glue to be present, you have little choice in the matter.)
While the answer does not answer my updated part of the question, I picked it as the answer and decided to ask another question.
The problem does not lie in the names: my.ns1.example.com and my.ns2.example.com are fine.
The registry, and sometimes even the registrar, normally perform a few checks before approving a nameserver change. If your nameservers are rejected as invalid they are most likely not yet correctly configured for your friend's domain. I mean, the servers at my.ns1.example.com and my.ns2.example.com do not contain the minimum required records for new-domain.com.
That said, the registrar support team should be able to provide more details: if it's them who reject the change they should let you know what part of the automatic tests fails and even provide the test output so you can see for yourself. On the other hand, if they just pass the change to the registry (your friend should see an "operation pending at registry level" notice in his control panel for some time) they could make the extra effort of helping you out by providing hints based on their experience with that particular TLD. That is, if your friend didn't grab a promo offer in the $0.99-$5.99 a year range for the domain: if he pays them something in the $20-$50 a year range then he should expect and demand proper, helpful support. I use one of the cheapest registrars and if my nameserver change gets rejected I still get a full report:
Dear customer,
The registry did not accept the nameservers you tried assigning to
new-domain.com because they did not pass the registry tests. Please
check the report we got from the registry below, fix the errors
and try assigning the nameservers again.
Nameservers Resolvable Test: ERROR
my.ns1.example.com. ERROR Unresolvable host my.ns1.example.com.
my.ns2.example.com. ERROR Unresolvable host my.ns2.example.com.
my.ns3.example.com. OK
my.ns4.example.com. OK
SOAQueryAnswerTest: ERROR
my.ns1.example.com. ERROR java.net.SocketTimeoutException
my.ns2.example.com. ERROR java.net.SocketTimeoutException
my.ns3.example.com. OK
my.ns4.example.com. OK
... ... ...
Update: The OP posted an update saying that as soon as the nameservers were registered with the registry, they were accepted in his friend's control panel. It appears that particular registrar checks for glue records and rejects the nameservers if they have none. This is an unnecessary check because glue records are only needed if the nameservers are within the same domain they serve, as explained in these questions. Registrars usually explain this very clearly or at least mention this above the nameserver change form:
Please note that in most cases the ip address is not required and will actually be ignored. It is only necessary if the nameservers you are entering are sub-domains of the selected domain (also called custom nameservers or vanity nameservers).
We can conclude that the friend's registrar performs an unnecessary blocking test and does not respond to user inquiries in a helpful manner. Since the OP has the following need (citation from his updated post on serverfault):
I need to be able to create dynamic nameservers programmatically and ask my users to enter their specific nameservers for their domains in their registrars.
I warmly recommend he does some research looking for a decent and reasonably priced registrar he can point his customers/friends to in case they have any issues with their current ones.
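As an added example (not part of the answer above, and not the registry's or registrar's own test code), here is a small pure-Python version of the two checks named in the report. It builds the same kind of non-recursive SOA query a registry sends to a candidate nameserver, parses the reply, and fails the server for each reason the report can show: no answer at all (the `SocketTimeoutException` lines), a non-zero rcode, no SOA record for the zone, or an answer that is not authoritative. `build_soa_response` constructs a sample reply so the check runs offline; `query_nameserver` does the live UDP query and is my assumption about how the test is carried out, since the report only shows test names and results.

```python
import socket
import struct

SOA, IN = 6, 1


def encode_name(name):
    """RFC 1035 wire format for a domain name (no compression)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return wire + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (lower-cased name, offset just past it)."""
    labels, resume = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if resume is None:
                resume = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (resume if resume is not None else off)


def build_soa_query(zone, qid=0x1234):
    """Non-recursive SOA query (flags 0, RD clear), as sent to an authoritative server."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", SOA, IN)


def build_soa_response(zone, qid=0x1234, authoritative=True, rcode=0):
    """Constructed reply for offline testing: a healthy server answers AA with the zone's SOA."""
    flags = 0x8000 | (0x0400 if authoritative else 0) | rcode   # QR, optional AA, rcode
    ancount = 0 if rcode else 1
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", SOA, IN)
    rdata = (encode_name("my.ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 3600))  # serial, refresh, retry, expire, minimum
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata  # owner = pointer to question name
    return header + question + (answer if ancount else b"")


def soa_answer_test(zone, response, qid=0x1234):
    """The 'SOAQueryAnswerTest' from the report: (True, 'OK') or (False, reason)."""
    if len(response) < 12:
        return False, "truncated header"
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != qid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    if flags & 0x000F:
        return False, f"rcode {flags & 0x000F}"
    off = 12
    for _ in range(qdcount):
        off = decode_name(response, off)[1] + 4            # skip QTYPE/QCLASS
    found = False
    for _ in range(ancount):
        name, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10 + rdlen
        found |= rtype == SOA and rclass == IN and name == zone.rstrip(".").lower()
    if not found:
        return False, "no SOA record for the zone in the answer section"
    if not flags & 0x0400:
        return False, "answer is not authoritative (AA flag clear)"
    return True, "OK"


def query_nameserver(ns_ip, zone, timeout=3.0):
    """Live check over UDP/53; a silent server produces the timeout the report shows as SocketTimeoutException."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_soa_query(zone), (ns_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, "timeout (no answer)"
    return soa_answer_test(zone, data)


if __name__ == "__main__":
    for label, reply in (("healthy", build_soa_response("new-domain.com")),
                         ("not authoritative", build_soa_response("new-domain.com", authoritative=False)),
                         ("NXDOMAIN", build_soa_response("new-domain.com", rcode=3))):
        print(label, "->", soa_answer_test("new-domain.com", reply))
```

Running `query_nameserver` against the IP of my.ns1.example.com for new-domain.com before asking the registrar to accept the delegation tells you in advance whether the server is reachable on port 53 and already configured for the zone, which is exactly the minimum the answer above says the registry wants to see.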

Can I setup nameservers to point to other nameservers?

We are whitelabeling some website software, but in order to use it, our clients must point their domains to the software's nameservers. We'll say ns1.softwareco.com and ns2.softwareco.com.
Since we're whitelabeling, I don't want our clients to see Software Co's name in the name servers.
I could easily mirror Software Co's DNS settings, but if Software Co updates them in the future, my settings would be incorrect.
Is it possible to just point my nameservers ns1.whitelabelco.com and ns2.whitelabelco.com to Software Co's nameservers?
Your best way of achieving this is to follow the lead of other companies.
For example, look at how GitHub allows custom domain names to be configured for their Pages product, which is whitelabelling in effect.
The two options you have are basically these. The first is that you have a static IP address that will last for the lifetime of your service, which would mean you would need to buy that address, complete with a contract to ensure it didn't need to be changed. You could place that address in front of load balancers etc., so it could be directed to multiple servers at the backend (even multiple locations).
The simpler option is to offer a CNAME redirection to your clients.
You tell your clients that you have service.example.com and they should point their servers to that with a CNAME record. So their clients will see www.domain.com, but that will be redirected to your site.
The downside of a CNAME record over an IP Address, is that the end user can see that it is a whitelabel product. The problem is that DNS is an open system, and no matter what you do with it the end user will be able to see what you've done and find out that you are hosting that site.
The only way around that is to use an IP Address.

is there any scenario where an attacker could transfer or do something to my domain WITHOUT having access to my registrar panel?

My domain registrar gives me the option of locking my domain as a security feature to prevent unauthorized transfers and stuff like that.
I thought the only way to do unauthorized transfers was if the attacker has access to my account on the registrar... but in that case he also can unlock the domain, so at the end of the day I don't understand what the utility of domain locking is... I mean... if the only way he could do something is having access to my registrar panel, then he also can unlock the domain before doing transfers and stuff. :-/
So my question is, is there any scenario where an attacker could transfer or do something to my domain WITHOUT having access to my registrar panel and the only way to prevent it is having the registrar-locking activated?
Thanks
There could be several attack vectors, including but not limited to privilege escalation, DNS exploit, SSH and so on. I'll cover two classical measures taken to protect (at least a little) a DNS zone. This answer is mainly for future reference since I neither know which registrar you are using nor how it protects its domains.
My reference DNS server here is Bind, but the same logic applies to NSD, Unbound and the rest.
The first thing is the transfer of a zone using an AXFR / IXFR request. This is done using a simple `dig @[dns_ip] [dns_zone_name] AXFR` (the IXFR query needs an additional serial parameter but is the same kind of query). To block these, ensure that your DNS server uses the following statement:
allow-transfer { none; }; (1)
Note that if you use slave DNS servers, you would have to put their IP addresses (or better, use keys to secure the transaction).
The second possible kind of "attack" is updating the zone itself. This is easily blocked if you use the following statement:
allow-update { none; }; (2)
Use this kind of configuration only if you use your registrar's panel, because it will prevent DDNS updates. Like the allow-transfer statement, it is possible to use keys / IP addresses to have a fine-grained control over your update policy.
These two statements are for the sake of the example, and there are many ways to configure a DNS server without having to use a web configuration panel.
I hope this response was clear enough and helpful.
1: http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer
2: http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
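As an added example (mine, not part of the answer above), here is a small audit script for the two statements the answer recommends. It takes a named.conf-style text, matches braces to find the `options` block and each `zone` block, and reports every primary zone whose `allow-transfer` is `any` or not set anywhere, and every primary zone whose `allow-update` is `any`. Both configurations embedded below are constructed: the weak one shows the defaults the answer warns about, the hardened one shows the `none` / key-based form. The key name `xfer-key`, the file paths and the address 192.0.2.53 are placeholders, and the absent-statement case is reported as "missing" rather than assuming a particular BIND default, since that default depends on the version you run.

```python
import re

# Constructed example: what the answer warns against (allow-transfer/allow-update open, or not set at all).
WEAK_CONFIG = """
options {
    directory "/var/named";
    recursion no;
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
    allow-update { any; };
};

zone "new-domain.com" {
    type master;
    file "new-domain.com.zone";
};
"""

# Constructed example: transfers closed globally, opened per zone only for a TSIG key and one
# secondary address; dynamic updates allowed only with the key. "xfer-key" is a placeholder name.
HARDENED_CONFIG = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; 192.0.2.53; };
    allow-update { key "xfer-key"; };
};

zone "new-domain.com" {
    type master;
    file "new-domain.com.zone";
};
"""

BLOCK_RE = re.compile(r'\b(options|zone\s+"([^"]+)")\s*\{')


def extract_blocks(text):
    """Yield (kind, zone_name_or_None, body) for each options/zone block, matching nested braces."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        depth, i = 0, m.end() - 1
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        blocks.append(("options" if m.group(2) is None else "zone", m.group(2), text[m.end():i]))
    return blocks


def acl_setting(body, statement):
    """Tokens inside `statement { ... };`, or None when the statement is absent from this block."""
    m = re.search(r"\b" + re.escape(statement) + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [tok for tok in re.split(r"[;\s]+", m.group(1).strip()) if tok]


def classify(tokens):
    """'closed' for none, 'open' if any host is allowed, 'restricted' for keys/addresses, 'missing' if unset."""
    if tokens is None:
        return "missing"
    if tokens == ["none"]:
        return "closed"
    if "any" in tokens:
        return "open"
    return "restricted"


def audit(text):
    """Return (zone, statement, state) findings for primary zones that allow transfers or updates too widely."""
    findings = []
    blocks = extract_blocks(text)
    options = next((b for b in blocks if b[0] == "options"), None)
    global_xfer = acl_setting(options[2], "allow-transfer") if options else None
    for kind, name, body in blocks:
        if kind != "zone":
            continue
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        ztype = ztype.group(1) if ztype else "unknown"
        if ztype in ("hint", "forward"):                 # nothing to transfer or update
            continue
        xfer = acl_setting(body, "allow-transfer")
        xfer_state = classify(global_xfer if xfer is None else xfer)   # zone setting overrides options
        if xfer_state in ("open", "missing"):
            findings.append((name, "allow-transfer", xfer_state))
        if ztype in ("master", "primary") and classify(acl_setting(body, "allow-update")) == "open":
            findings.append((name, "allow-update", "open"))
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Run it over your own named.conf (after `named-checkconf` has confirmed the syntax) to see which zones still inherit nothing and therefore rely on whatever the default of your BIND version is.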

BIND DNS Zone Forwarders vs. NS Type Records

Is there a big difference between setting a DNS zone to have type forward;, and setting an NS record for another name server in the zone file? Does one have better performance/speed? Or am I completely missing the point, and they are completely different?
So there is a difference between the two scenarios... adding NS records is creating a delegation (and you can only do so for subzones when you are authoritative for the parent zone); adding forwarders is simply that. Performance/speed don't really come into it as they are used for different purposes.
Delegation is used when you want to delegate the management of a subzone to another server. E.g. you own corp.com, you could delegate the subzone of engineering.corp.com to the engineering team's name server. This is how the whole Internet DNS hierarchy works, zones are delegated down from the root.
Conditional forwarding is used when you want to directly bounce queries sideways to a specific name server which is responsible for a specific domain. If the owner of corp.com bought company.com then during the merging phase when you want internal DNS access available to both companies, you may want to add forwarders for each company in the other's name server, the servers then know where to forward queries to directly instead of traversing the Internet hierarchy and getting the external name servers for either company.
Steve
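As an added illustration of Steve's answer (this is my example, not his, and it models resolution rather than running BIND), the script below holds a constructed topology with the zones from the answer and records which servers a resolver talks to. `resolve_by_delegation` walks the NS delegations from the root (what happens for engineering.corp.com), while `resolve_with_forwarding` short-circuits any name under a forward zone straight to its server (what the company.com forwarder does during the merger). All server names and addresses are made up; the named.conf and zone-file equivalents appear as comments.

```python
# Constructed topology: one authoritative server per zone, the child zones it delegates,
# and the address records it holds. Delegation in a zone file is just an NS record, e.g.
#   engineering  IN NS  ns.eng.corp.com.      (inside the corp.com zone)
ZONES = {
    ".":                     {"server": "root.example",     "children": {"com.": "a.gtld.example"}},
    "com.":                  {"server": "a.gtld.example",   "children": {"corp.com.": "ns.corp.com.",
                                                                         "company.com.": "ns.company.com."}},
    "corp.com.":             {"server": "ns.corp.com.",     "children": {"engineering.corp.com.": "ns.eng.corp.com."},
                              "hosts": {"www.corp.com.": "192.0.2.10"}},
    "engineering.corp.com.": {"server": "ns.eng.corp.com.", "hosts": {"git.engineering.corp.com.": "192.0.2.20"}},
    "company.com.":          {"server": "ns.company.com.",  "hosts": {"intranet.company.com.": "198.51.100.5"}},
}
SERVER_ZONE = {z["server"]: name for name, z in ZONES.items()}


def in_zone(qname, zone):
    """True when qname is the zone apex or lies below it (label-aligned, so mycompany.com is not in company.com)."""
    return qname == zone or qname.endswith("." + zone)


def ask(server, qname):
    """One query to one authoritative server: ('answer', ip), ('referral', child_server) or ('nxdomain', None)."""
    zone = ZONES[SERVER_ZONE[server]]
    if qname in zone.get("hosts", {}):
        return "answer", zone["hosts"][qname]
    for child, child_server in zone.get("children", {}).items():
        if in_zone(qname, child):
            return "referral", child_server
    return "nxdomain", None


def resolve_by_delegation(qname, start="root.example"):
    """Iterative resolution: follow referrals down the hierarchy. Returns (ip_or_None, servers asked in order)."""
    path, server = [], start
    while True:
        path.append(server)
        kind, value = ask(server, qname)
        if kind != "referral":
            return value, path
        server = value


def resolve_with_forwarding(qname, forwarders, start="root.example"):
    """Conditional forwarding, the equivalent of
         zone "company.com" { type forward; forward only; forwarders { 198.51.100.53; }; };
    A matching forward zone sends the query straight to that server; anything else takes the normal path."""
    for zone, server in sorted(forwarders.items(), key=lambda kv: -len(kv[0])):   # longest match wins
        if in_zone(qname, zone):
            kind, value = ask(server, qname)
            return (value if kind == "answer" else None), [server]
    return resolve_by_delegation(qname, start)


if __name__ == "__main__":
    print(resolve_by_delegation("git.engineering.corp.com."))
    print(resolve_with_forwarding("intranet.company.com.", {"company.com.": "ns.company.com."}))
    print(resolve_with_forwarding("www.corp.com.", {"company.com.": "ns.company.com."}))
```

The recorded paths are the whole point: delegation makes the query traverse root, com and corp.com before reaching the engineering server, whereas the forward zone sends the query to ns.company.com in one hop and never consults the public hierarchy, which is why a forwarder is the right tool for reaching a partner's internal namespace and a delegation is the right tool for handing a subzone to another team.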

Dynamically add subdomains?

I was wondering if it's possible to dynamically add subdomains that point to dynamic IP addresses, and how I would go about doing that? In other words, "how is dyndns/no-ip implemented" :-)? (The part I don't get is adding/changing the DNS entries... I understand how the client sends a packet every few minutes -___-). I can tell all my users to just use DynDNS/No-IP, of course, but having it integrated with the application would be much cooler.
Thanks,
Robert
To be able to directly update/control where a domain/subdomain resolves to, you must have your own name server. When you register a domain under a TLD (for example, .com), that TLD has a nameserver. Anytime a client needs to look up the IP to something.com, they ask the .com nameserver where to find the nameserver for something. That nameserver in turn returns data about the domain or subdomain.
When you register a domain at a place like GoDaddy or Network Solutions, and you use their online tools to point your various subdomains to IP addresses, you are creating entries on their nameserver. When a client requests your domain, the root nameserver tells them to check with GoDaddy's nameserver. If you look through the configuration options of your registrar, you'll generally find a place to specify your own nameserver instead of entering domain IPs. Setting that will tell the chain of nameservers to defer resolution of your subdomains to that nameserver. Obviously at that point, having direct control over the mechanism of name-address resolution, you can do whatever you like.
Here's one list of open-source name servers. There are many others, ranging from free OSS to custom, proprietary and very expensive. Technically you could also write your own, as BIND is a public, standard format.
As you've partially said, the way DynDNS and other dynamic IP services work is that they update their server's DNS records based on a heartbeat from a client every few minutes.
The trick is that they use extremely short TTL times so that caches for the record expire very quickly and need to re-query the DynDNS server (which makes dynamic IP changes propagate quickly).
If you wanted to implement this, either find a DNS host that offers an API, or programmatically update the DNS on your own server with a short TTL.
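As an added example (mine, not part of the answer above, and not how DynDNS or No-IP actually implement their service), here is the "programmatically update the DNS on your own server" option done the standard way: an RFC 2136 UPDATE message that replaces a host's A record with a short TTL, signed with TSIG (RFC 8945, HMAC-SHA256) so that only a client holding the key can change the record, plus the verification step the server performs. The key name `ddns-key.example.com.`, the secret, the zone and the address are constructed placeholders.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed demo credentials: placeholders, not real key material.
KEY_NAME = "ddns-key.example.com."
SECRET = b"constructed-demo-secret-not-for-production"
ALGORITHM = "hmac-sha256."      # TSIG algorithm name is carried as a domain name (RFC 8945)


def encode_name(name):
    """Uncompressed RFC 1035 wire format for a domain name."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return wire + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name; returns (lower-cased absolute name, offset after it)."""
    labels = []
    while msg[off] != 0:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower() + ".", off + 1


def build_update(zone, host, ip, ttl=60, qid=0x2136):
    """RFC 2136 UPDATE: delete the existing A RRset of `host` and add one new A record with a short TTL."""
    header = struct.pack("!HHHHHH", qid, 5 << 11, 1, 0, 2, 0)       # opcode 5 = UPDATE; 1 zone, 0 prereq, 2 updates
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)      # ZTYPE SOA, ZCLASS IN
    delete_rrset = encode_name(host) + struct.pack("!HHIH", 1, 255, 0, 0)   # TYPE A, CLASS ANY, TTL 0, RDLEN 0
    add_a = encode_name(host) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + zone_section + delete_rrset + add_a


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before hashing (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
            + encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned message and bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + _tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HHH", 0, 0, 0))    # original ID, error 0, other-len 0
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata   # TYPE TSIG
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, secret, now=None):
    """Server-side check: find the trailing TSIG RR, recompute the MAC over the message as it was before signing."""
    zc, pc, uc, ac = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(zc):
        off = decode_name(signed, off)[1] + 4
    for _ in range(pc + uc + ac - 1):                               # every RR except the TSIG itself
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = decode_name(signed, off)
    if struct.unpack("!H", signed[off:off + 2])[0] != 250:
        return False, "FORMERR: last additional RR is not TSIG"
    off += 10                                                       # TYPE, CLASS, TTL, RDLENGTH
    algorithm, off = decode_name(signed, off)
    time_signed = int.from_bytes(signed[off:off + 6], "big"); off += 6
    fudge, mac_size = struct.unpack("!HH", signed[off:off + 4]); off += 4
    mac = signed[off:off + mac_size]; off += mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6]); off += 6
    other = signed[off:off + other_len]
    if algorithm != ALGORITHM:
        return False, "BADKEY: unsupported algorithm"
    unsigned = signed[:10] + struct.pack("!H", ac - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: MAC mismatch"
    if now is not None and abs(now - time_signed) > fudge:
        return False, "BADTIME: outside fudge window"
    return True, "ok"


if __name__ == "__main__":
    msg = build_update("example.com", "home.example.com", "192.0.2.10")   # constructed zone/host/address
    signed = tsig_sign(msg, KEY_NAME, SECRET)
    print(len(msg), "byte update,", len(signed), "bytes signed ->", tsig_verify(signed, SECRET, now=int(time.time())))
```

The heartbeat client from the answer sends the signed bytes to the server on port 53 each time its address changes; on the BIND side the matching policy is `allow-update { key "ddns-key.example.com."; };` in the zone, the key-based form of the `allow-update` statement recommended in the domain-locking answer above. The `nsupdate -k` utility shipped with BIND produces the same message, so this is useful mainly when you want the update built inside your own application.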
