Hi all,
We have just set up the following nameservers:
- ns.desec.ch
- ns.desec.cz
- ns.desec.li
Technical Details
Each of these nameserver hostnames points to the IP addresses of both anycast networks; there is no distinction between ns1 and ns2. (When you resolve the above names, you will see that you get the IP addresses of both ns1.desec.io and ns2.desec.org.)
This provides some extra resilience so that both anycast networks continue to receive queries even when one of the nameserver hostnames does not resolve for any reason. For technical background, see the explanation of a similar feature by Cloudflare.
Note that some registries will not let you use such nameservers in a delegation, because they insist that nameserver hostnames must point to distinct IP addresses. The most notable case is .de; if you find any others, please let us know!
Why these TLDs
We are aware that our name is also available under other European TLDs. We have picked .ch, .cz, and .li because these registries are at the forefront of advancing secure DNS.
In particular, they have led the pack of European ccTLDs for implementation of automated DS provisioning, and we’d like to acknowledge their engagement by using those names in public.
We’d also like to acknowledge .sk, another European ccTLD that uses DS automation. Unfortunately, that suffix is not supported by our registrar.
Note that .li and .ch are both run by SWITCH. Depending on what redundancy you want, make sure to pick an organizationally diverse set of hostnames.
We will be happy to include other European ccTLDs in our set of nameservers, and we promise to do so once the associated registry supports DS automation!
Status
Service under the above hostnames is currently experimental.
We expect that it will work at least as reliably as the existing service, so you can feel confident using it. However, we’d like to collect some user feedback before removing the experimental label – so, please let us know about your experience!
(Once the experimental label is removed, we’ll also make the classic ns1 and ns2 subdomains available with the new TLDs.)
Stay secure,
Peter
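A pre-flight check for a planned NS set, covering the two caveats in the post above (registries that require distinct IP addresses per nameserver hostname, and .ch/.li sharing an operator). This is an added example, not deSEC's code; the addresses are constructed documentation-range values, and the function names and the "unlisted TLD counts as its own operator" rule are assumptions of this example.

```python
import ipaddress
import socket
from itertools import combinations

# Constructed sample data: documentation-range addresses stand in for the
# two anycast networks; these are NOT the service's real addresses.
NET_A = {"192.0.2.53", "2001:db8:a::53"}
NET_B = {"198.51.100.53", "2001:DB8:B::53"}
SAMPLE_ADDRS = {
    "ns1.desec.io": NET_A,
    "ns2.desec.org": NET_B,
    "ns.desec.ch": NET_A | NET_B,
    "ns.desec.cz": NET_A | NET_B,
    "ns.desec.li": NET_A | NET_B,
}
# From the post: .ch and .li are both run by SWITCH. Any TLD not listed is
# treated as its own operator (assumption made for this example).
TLD_OPERATOR = {"ch": "SWITCH", "li": "SWITCH"}

def resolve(hostname):
    """Live A/AAAA lookup via the system resolver (not used in the sample run)."""
    return {info[4][0] for info in
            socket.getaddrinfo(hostname, 53, proto=socket.IPPROTO_UDP)}

def shared_addresses(ns_set, addrs):
    """Map each pair of hostnames to the IP addresses they have in common."""
    # ip_address() normalises notation, so 2001:DB8:: equals 2001:db8::
    norm = {ns: {ipaddress.ip_address(a) for a in addrs[ns]} for ns in ns_set}
    overlaps = {}
    for a, b in combinations(sorted(ns_set), 2):
        common = norm[a] & norm[b]
        if common:
            overlaps[(a, b)] = sorted(str(ip) for ip in common)
    return overlaps

def operators(ns_set):
    """Set of registry operators behind the hostnames' TLDs."""
    tlds = {ns.rstrip(".").rsplit(".", 1)[-1].lower() for ns in ns_set}
    return {TLD_OPERATOR.get(tld, tld) for tld in tlds}

def check(ns_set, addrs=SAMPLE_ADDRS):
    """distinct_ips is False when any two hostnames share an address."""
    return {"distinct_ips": not shared_addresses(ns_set, addrs),
            "operators": operators(ns_set)}

if __name__ == "__main__":
    for ns_set in (["ns1.desec.io", "ns2.desec.org"],
                   ["ns.desec.ch", "ns.desec.li"],
                   ["ns.desec.ch", "ns.desec.cz"]):
        print(ns_set, check(ns_set))
```

To run it against live DNS, pass `{ns: resolve(ns) for ns in ns_set}` as `addrs` instead of the sample table.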