Customize SOA record

Hello,
I’d like to use various DNS providers to resolve a domain, because deSEC’s service is slow in some regions (like China, with an average latency of over 400 ms using TCP ping on port 53, measured at the platform "ns1.desec.io:53 online ping / TCP latency test / continuous ping / ping-blocked / tcping / online tcping / port latency test"). Adding other providers’ nameservers could also reduce latency in specific regions. But the SOA record is locked; will SOA editing be available in the future?
And could users disable the DNSSEC records for a domain? Not all providers support adding DS or DNSKEY records, and most browsers do not check whether the DNSSEC signature is valid. The DS and RRSIG will increase latency while not having much use, so considering a disable option would be better.

Hi mnet,

Thanks for your message, and welcome to deSEC! :slight_smile:

The SOA record does not need to be changed for this use case. (Which change would you want to make?)

To do a multi-provider setup, you need to edit the NS record set, and also coordinate DNSSEC. The easiest way to do that is to publish each provider’s DNSKEY records through the other provider.

It is deSEC’s mission to advance the use of DNSSEC (which will also make it more useful), so, no, you can’t disable it. See also §4 of our terms.

Stay secure,
Peter

2 Likes

Hello,
Thank you for your reply!
For example, deSEC is slow in China and Huaweicloud is fast in CN but slow in other regions, thus I want to use both. First, I point example.com to Huaweicloud (because they support returning different records based on the user’s IP location). Then, I resolve the subdomains ns1.example.com and ns2.example.com, set it so that if the user’s IP is in China it returns Huaweicloud’s DNS servers’ IPs, else it returns deSEC’s IPs, then set a long TTL, and use tools to send DNS queries from worldwide. After the DNS has been queried several times, the record will be cached by ISPs for a period of time; during that time, all users in China could get only Huaweicloud’s IPs for ns1.example.com and ns2.example.com, and users in other regions could get only deSEC’s IPs. Then I set ns1.example.com and ns2.example.com to only return deSEC’s IPs. Afterwards, I add glue records and change the nameservers to ns1.example.com and ns2.example.com.
If a user from China wants to get the A record of example.com, the registry will return NS records with the hostnames ns1.example.com and ns2.example.com. Then the client will query the two servers. First, the client needs to get the A records:

    ns1.example.com A 172800 <Huaweicloud’s ip>
    ns2.example.com A 172800 <Huaweicloud’s ip>

Then the client will send queries to Huaweicloud’s servers, which reduces latency.
If a user outside China wants to get the A record of example.com, the registry will return NS records with the hostnames ns1.example.com and ns2.example.com. Then the client will query the two servers. First, the client needs to get the A records:

    ns1.example.com A 172800 <deSEC’s ip>
    ns2.example.com A 172800 <deSEC’s ip>

Then the client will send queries to deSEC’s servers, which reduces latency.
Thus, since the new nameservers are not both added to the registry record, the old SOA response seems to be an error; in this situation, a customized SOA is required.
As for the DS record, because the registry does not support returning different records based on GeoIP, your idea of adding both is great.

I followed what you are trying to do, and maybe it works, but we won’t be able to provide support for setting this up reliably.

While I appreciate that there are two different SOA records, I still don’t see why you would need to edit them.

That’s part of it, but you’ll also have to publish each provider’s DNSKEY records through the other provider, as I said earlier; otherwise, validating resolvers may return SERVFAIL. For details, see RFC 8901 Section 2.1.2.

Stay secure,
Peter

1 Like
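Peter's two replies describe the multi-provider DNSSEC requirement: every provider must publish the other provider's DNSKEY records in its own DNSKEY RRset, and the parent's DS records must cover each provider's KSK, otherwise validating resolvers may SERVFAIL (RFC 8901 Section 2.1.2). The script below is an added example written for this thread, not deSEC's or Huaweicloud's code. It takes the DNSKEY RRset as served by each provider (here constructed, with deliberately short key material rather than real-length keys), computes RFC 4034 key tags and SHA-256 DS digests, and reports any key that one provider holds but the other does not publish, plus any KSK without a matching DS at the parent. Provider names, key values and the `check_multi_signer` function are assumptions made for the example.

```python
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    """One DNSKEY record as it would appear in a provider's DNSKEY RRset."""

    owner: str
    flags: int          # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key_b64: str

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2 bytes) | protocol | algorithm | public key
        return (
            self.flags.to_bytes(2, "big")
            + bytes([self.protocol, self.algorithm])
            + base64.b64decode(self.public_key_b64)
        )

    def key_tag(self) -> int:
        # RFC 4034 Appendix B key tag over the RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit set


def owner_wire(name: str) -> bytes:
    """Canonical (lowercase, length-prefixed labels) wire form of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(key: DNSKEY) -> tuple[int, int, int, str]:
    """DS record (key tag, algorithm, digest type 2, hex digest) for a DNSKEY, per RFC 4034."""
    digest = hashlib.sha256(owner_wire(key.owner) + key.rdata()).hexdigest().upper()
    return (key.key_tag(), key.algorithm, 2, digest)


def check_multi_signer(
    providers: dict[str, list[DNSKEY]],
    parent_ds: set[tuple[int, int, int, str]],
) -> list[str]:
    """RFC 8901 model 2 consistency check across providers; returns a list of problems."""
    problems: list[str] = []
    all_keys = {k for keys in providers.values() for k in keys}
    # Each provider's DNSKEY RRset must contain the union of all providers' keys.
    for name, keys in providers.items():
        for k in sorted(all_keys - set(keys), key=lambda k: k.key_tag()):
            problems.append(f"{name} does not publish key tag {k.key_tag()} held by another provider")
    # The parent must carry a DS for every KSK, or that provider's signatures cannot be validated.
    for k in sorted(all_keys, key=lambda k: k.key_tag()):
        if k.is_ksk() and make_ds(k) not in parent_ds:
            problems.append(f"parent has no DS for KSK tag {k.key_tag()}")
    return problems


# Constructed sample keys (not real-length key material).
DESEC_KSK = DNSKEY("example.com.", 257, 3, 13, "AQID")
DESEC_ZSK = DNSKEY("example.com.", 256, 3, 13, "BAUG")
OTHER_KSK = DNSKEY("example.com.", 257, 3, 13, "BwgJ")
OTHER_ZSK = DNSKEY("example.com.", 256, 3, 13, "CgsM")
UNION = [DESEC_KSK, DESEC_ZSK, OTHER_KSK, OTHER_ZSK]


def good_setup() -> list[str]:
    """Both providers publish the union; parent DS covers both KSKs."""
    providers = {"desec": list(UNION), "other": list(UNION)}
    parent_ds = {make_ds(k) for k in UNION if k.is_ksk()}
    return check_multi_signer(providers, parent_ds)


def broken_setup() -> list[str]:
    """Second provider publishes only its own keys and the parent lacks its DS."""
    providers = {"desec": list(UNION), "other": [OTHER_KSK, OTHER_ZSK]}
    parent_ds = {make_ds(DESEC_KSK)}
    return check_multi_signer(providers, parent_ds)


if __name__ == "__main__":
    print("good:", good_setup() or "no problems")
    print("broken:", broken_setup())
```

In practice you would fill `providers` from a DNSKEY query sent to each provider's nameservers and `parent_ds` from a DS query at the parent; the check then tells you which provider's RRset to fix before resolvers start returning SERVFAIL.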