• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Chicken-and-egg with slaving .no domain

Started by sesse, September 26, 2022, 03:27:54 AM

sesse

Hi,

I hit a bit of a conundrum today, and I thought I'd share the workaround if anyone else hits the same issue:

I wanted to move a .no domain to HE's DNS slaves. .no is special in that the registry (NORID) refuses to change NS for a domain unless the name servers are actually correctly set up—they need to answer for the domain, serial must be the same, DNSSEC must be correctly set up if enabled, etc.

However, HE refuses to set up slaving for a domain unless the domain is already set up to point to ns*.he.net; you'll get the dreaded error "You must delegate to one or more of the slave nameservers". So there's a chicken-and-egg situation here.

The solution I eventually ended on was: Add the domain as a _master_ in HE. Set up some reasonable entries so that it's not _entirely_ broken. Now, ns[1-5].he.net will answer for the domain, so you can disable DNSSEC on the registrar and point name servers to HE. (.no updates only every four hours or so, so there's a delay here.) Then you can delete the domain in HE, and set it up as a slave. Since delegation is OK, HE will happily do that, and after clicking "validate" and waiting a few minutes, it actually pulled the domain from the master. So now I could re-enable DNSSEC, and voilà!

sesse

There was an extra step before this that I seemingly forgot to write, as I had to do it again with another domain:

HE will also not create a master zone unless it thinks it's delegated. But it won't check the parent zone; it will just do a fully recursive lookup for an NS record. So if you set up the domain with two non-HE nameservers, you can add NS ns1.he.net. as a third record in your zone only, and HE will believe that this means you've delegated DNS to them. After that, you can use your newly created master zone to change the delegation to ns[1-5].he.net as described in the previous message, then delete that and create a slave zone.
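
A pre-flight check for the conditions described in this thread, added here as an example and not part of the original posts or of any HE or NORID tooling: it compares the parent-side delegation with the zone's own NS set (the two things the second post says HE's check does not distinguish) and verifies that every listed server answers with the same SOA serial. Function names, host names and serials are constructed; the inputs are assumed to be saved `dig` output, with an empty SOA answer taken to mean the server does not serve the zone.

```python
# Added example; every host name and serial below is constructed sample data.

def ns_names(dig_output):
    """NS targets from dig output (full RR lines or +short lines): last field."""
    return {line.split()[-1].lower().rstrip(".")
            for line in dig_output.splitlines() if line.strip()}

def soa_serial(dig_short_soa):
    """Serial from `dig +short SOA` output; None when the server gave no answer."""
    fields = dig_short_soa.split()
    return int(fields[2]) if len(fields) >= 7 else None

def preflight(parent_ns, child_ns, soa_by_server):
    """List the problems a strict registry-side check would trip over."""
    problems = []
    for ns in sorted(child_ns - parent_ns):
        problems.append(f"{ns}: in the zone's own NS set but not delegated by the parent")
    for ns in sorted(parent_ns - child_ns):
        problems.append(f"{ns}: delegated by the parent but missing from the zone's NS set")
    serials = {ns: soa_serial(out) for ns, out in soa_by_server.items()}
    for ns in sorted(parent_ns | child_ns):
        if serials.get(ns) is None:
            problems.append(f"{ns}: does not answer SOA for the zone")
    seen = sorted({s for s in serials.values() if s is not None})
    if len(seen) > 1:
        problems.append(f"serial mismatch: {seen}")
    return problems

# Constructed: parent-side referral (authority section) for example.no
PARENT = """example.no. 7200 IN NS ns-a.example.net.
example.no. 7200 IN NS ns-b.example.net."""
# Constructed: the zone's own apex NS set, including the extra record
# from the second post that the parent zone knows nothing about
CHILD = "ns-a.example.net.\nns-b.example.net.\nns1.he.net.\n"
SOA = "ns-a.example.net. hostmaster.example.no. 2022092601 7200 3600 1209600 3600"
SOA_BY_SERVER = {"ns-a.example.net": SOA, "ns-b.example.net": SOA, "ns1.he.net": ""}

def sample_report():
    return preflight(ns_names(PARENT), ns_names(CHILD), SOA_BY_SERVER)

if __name__ == "__main__":
    for problem in sample_report():
        print(problem)
```

An empty result means the parent and child NS sets agree and all servers serve the same serial; DNSSEC validity is not checked here.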