In our last episode, I was trying to reconfigure my 1and1 domains to use DNS servers I set up myself. I was able to configure some of the domains to use my DNS servers, but other domains were rejecting these very same DNS servers. Neither the 1and1 web site nor its “expert” customer service representatives were able to offer a coherent explanation for this.
I’ve managed to (mostly) figure out what’s going on on my own, no thanks to 1and1’s incomprehensible explanation. This allowed me to come up with the correct workaround for the problem that 1and1 is having with my DNS servers. However, I unfortunately can’t use that correct workaround, because 1and1 is Even More Broken And Stupid than I previously reported. Therefore I’ve managed to come up with another, less correct workaround, which will tide me over until my domains have been with 1and1 for 60 days and I am allowed to transfer them elsewhere (ICANN rules prohibit transferring a domain twice within 60 days).
The problem that 1and1 is having accepting the DNS servers I specified is actually of more general interest, so read on if you’re trying to use your own DNS servers and your registrar is saying their host names are invalid.
DNS glue records
When a DNS server tries to resolve a host name, e.g., “mail.kamens.us”, it does the following:
- Ask the “root” DNS servers for the names of the DNS servers for “.us”.
- Look up the addresses of the “.us” DNS servers from their names.
- Contact those addresses and ask for the names of the DNS servers for “.kamens.us”.
- Look up the addresses of the “.kamens.us” DNS servers from their names.
- Contact those addresses and ask for the address of “mail.kamens.us”.
There are two problems with steps 2 and 4 of the process enumerated above:
- They add multiple extra queries to the process of looking up a host name, and thus make it significantly slower.
- Step 4 creates a circular dependency if the names of the DNS servers returned in step 3 are themselves within the “.kamens.us” domain. If so, then the DNS server goes back to step 1 to resolve the host names of the DNS server, but then is stuck trying to resolve the same names again at step 4, etc., forever. This does not work.
To prevent both of these issues, DNS has something called “glue records.” In particular, when a DNS server returns a list of the DNS servers for a particular domain, it can also return their addresses at the same time, so that they don’t need to be looked up separately. The reason why these glue records are special is because they’re being returned by DNS servers that normally would not be “authorized” to return information about those host names, because they are not the DNS servers for the domains in which the host names reside. Nevertheless, glue records are allowed for the specific case of when somebody looks up the DNS servers for a domain.
Now, technically speaking, you don’t need glue records unless the second problem above is in effect. In other words, if the host names of the DNS servers for a domain are not within the domain itself, the DNS server can look them up separately without getting into a circular dependency. Well, sort of. What if the DNS server for domain1.com is ns1.domain2.com, and the DNS server for domain2.com is ns1.domain1.com? So it’s not quite so simple. Because of this, and to make things run faster, current policy requires at least one glue record for each registered domain.
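To make the five-step walk, the extra lookups in steps 2 and 4, and the circular dependency concrete, here is a toy iterative resolver over in-memory zone data. This is an added example, not code from the original post: the zones, host names and RFC 5737 documentation addresses are all constructed, and the kamens.us delegation is parameterised so that the in-domain-with-glue, foreign-name-server-without-glue, and in-domain-without-glue cases can be compared by query count.

```python
"""Toy iterative resolver over constructed in-memory zone data.

Added example (not from the original post). It walks the delegation chain the
post describes (root -> TLD -> domain -> host) and counts the queries needed,
so the cost of missing glue and the circular dependency become visible. Every
zone, host name and address below is constructed; the addresses are RFC 5737
documentation addresses, not real servers.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROOT_IP = "192.0.2.1"


@dataclass
class Zone:
    """What one authoritative server knows: A records plus child delegations."""
    addresses: Dict[str, str]                         # host -> address
    delegations: Dict[str, Dict[str, Optional[str]]]  # child zone -> {ns host -> glue or None}


def build_servers(kamens_ns: str, kamens_glue: Optional[str]) -> Dict[str, Zone]:
    """Constructed DNS universe keyed by server address. The kamens.us.
    delegation inside the .us zone is parameterised so the cases in the post
    can be compared side by side."""
    return {
        ROOT_IP: Zone({}, {"us.": {"a.cctld.us.": "192.0.2.2"},
                           "net.": {"a.gtld.net.": "192.0.2.3"}}),
        "192.0.2.2": Zone({"a.cctld.us.": "192.0.2.2"},
                          {"kamens.us.": {kamens_ns: kamens_glue}}),
        "192.0.2.3": Zone({"a.gtld.net.": "192.0.2.3"},
                          {"example.net.": {"ns.example.net.": "192.0.2.4"}}),
        # example.net. publishes the address of ns1.example.net., which is the
        # same box that serves kamens.us. (the out-of-domain name server case).
        "192.0.2.4": Zone({"ns.example.net.": "192.0.2.4",
                           "ns1.example.net.": "192.0.2.10"}, {}),
        "192.0.2.10": Zone({"ns1.kamens.us.": "192.0.2.10",
                            "mail.kamens.us.": "192.0.2.11"}, {}),
    }


class Resolver:
    MAX_DEPTH = 10  # bail out instead of chasing a glueless in-domain NS forever

    def __init__(self, servers: Dict[str, Zone], root_ip: str = ROOT_IP):
        self.servers, self.root_ip, self.queries = servers, root_ip, 0

    def query(self, server_ip: str, name: str) -> Tuple[str, object]:
        """One round trip: an answer, a referral (with any glue), or nxdomain."""
        self.queries += 1
        zone = self.servers[server_ip]
        if name in zone.addresses:
            return "answer", zone.addresses[name]
        # Longest matching delegation wins, as a real server would choose.
        for child in sorted(zone.delegations, key=len, reverse=True):
            if name == child or name.endswith("." + child):
                return "referral", zone.delegations[child]
        return "nxdomain", None

    def resolve(self, name: str, depth: int = 0) -> Optional[str]:
        if depth > self.MAX_DEPTH:
            raise RecursionError(f"circular dependency while resolving {name}")
        candidates = [self.root_ip]
        while candidates:
            kind, payload = self.query(candidates[0], name)
            if kind == "answer":
                return payload
            if kind == "nxdomain":
                return None
            candidates = []
            for ns_host, glue in payload.items():
                # Glue lets us go straight to the child server; without it the
                # NS host name must itself be resolved from the root (steps 2/4).
                addr = glue if glue is not None else self.resolve(ns_host, depth + 1)
                if addr:
                    candidates.append(addr)
        raise LookupError(f"no reachable name server for {name}")


def lookup(name: str, kamens_ns: str, kamens_glue: Optional[str]) -> Tuple[Optional[str], int]:
    """Resolve `name` in a universe where kamens.us. is delegated to
    `kamens_ns` (with or without glue); return (address, queries used)."""
    r = Resolver(build_servers(kamens_ns, kamens_glue))
    return r.resolve(name), r.queries


if __name__ == "__main__":
    print("in-domain NS with glue:", lookup("mail.kamens.us.", "ns1.kamens.us.", "192.0.2.10"))
    print("foreign NS, no glue:   ", lookup("mail.kamens.us.", "ns1.example.net.", None))
    try:
        lookup("mail.kamens.us.", "ns1.kamens.us.", None)
    except RecursionError as err:
        print("in-domain NS, no glue: ", err)
```

With glue the lookup costs three queries (root, .us, kamens.us); naming a server in another domain without glue doubles that, because the name server's own name has to be chased from the root first; and an in-domain name server with no glue never terminates, which the `MAX_DEPTH` guard turns into an error. The real-world equivalent of this check is asking the TLD's servers for the domain's NS records with recursion disabled (for example with `dig +norecurse`) and looking at whether addresses come back in the additional section.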
The problem of inter-TLD glue records
You might think there should be no problem using a DNS server whose host name ends in “.us” or “.edu” for a domain ending in “.com”, but you’d be wrong, and that’s where I ran into trouble with 1and1, although as noted above, they were completely incapable of explaining the problem coherently.
As best as I can tell, generally speaking, to use a host name in one top-level domain as the DNS server for a domain beneath another top-level domain, at least some of the time there has to already be a glue record for that host name on some other domain within its top-level domain. In other words, I can’t use ns1.domain1.edu as a DNS server for domain1.net unless ns1.domain1.edu is already listed as a DNS server for domain2.edu. I think this is because different top-level domains are controlled by different registrars and served by different DNS servers, and different DNS servers are not supposed to return different addresses for glue records. To ensure this, each top-level domain’s registrar owns the “canonical” glue records for DNS server names within the domain, and other registrars are required to check and confirm that the IP addresses given to them for those host names match before allowing them to be used as glue records.
I know this is confusing, but I can’t think of a clearer way to write it, so let me explain it again by example:
- A registrant attempts to register domain1.net, specifying ns1.domain1.edu as its DNS server with the address 18.104.22.168.
- The registrar for domain1.net contacts the top-level registrar for .edu and asks, “Is ns1.domain1.edu with the address 22.214.171.124 a valid glue record?”
- If the .edu registrar says yes, then everything is copacetic, and the registrar for domain1.net is allowed to create a glue record for domain1.net with the host name ns1.domain1.edu and address 126.96.36.199.
- Otherwise, the registrar for domain1.net is required to reject the attempt to register the specified DNS server for the domain.
At least, I think this is what’s going on; I haven’t been able to find anything online confirming my interpretation in such straightforward terms. Maybe I’ve gotten it wrong, though it does explain 1and1’s problem. Of course, it doesn’t explain why 1and1 happily accepted the name servers I gave them for some of my domains and not for others, but that’s a different question and one to which I doubt I’ll ever know the answer.
The correct workaround for this problem and why I can’t use it with 1and1
The workaround for this annoying problem is simple: Whenever you set up the DNS servers for a domain, give them A records within the domain itself. Then, the glue records will always be hosted by the same top-level domain registrar as the domain you’re serving, so that registrar will always have the authority to accept and create the specified glue records.
Note that you can have any number of glue records in any number of domains resolving to the same address, so there’s no harm in having a single DNS server serving many domains and having a host name in every one of them.
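The following is an added example, not code from the original post, and it models only the post's own interpretation of the registrar check (which the author says is unconfirmed): each top-level domain's registry holds the canonical host records for name servers under that TLD, a domain may always name a server inside itself if the registrant supplies its address, and a server under a different domain is accepted only if its TLD registry already knows the host with a matching address. The domain names and RFC 5737 addresses are constructed. It then runs through the rejection in the post's example, the "register it in its own domain first" workaround, and the correct in-domain-host-name workaround from this section.

```python
"""Toy model of the glue-record check the post infers registrars perform.

Added example, not from the original post. It encodes only the post's own
(unconfirmed) reading: a TLD registry owns the canonical host records for
name servers under that TLD; a registrar may attach a name server that lives
under another domain only if that host is already known there with the same
address. All names and RFC 5737 addresses below are constructed.
"""
from typing import Dict, List, Optional


def tld_of(host: str) -> str:
    """'ns1.domain1.edu' -> 'edu'."""
    return host.rstrip(".").lower().rsplit(".", 1)[-1]


def is_under(host: str, domain: str) -> bool:
    """True when `host` is `domain` itself or a name beneath it."""
    h, d = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)


class Registries:
    """One host table per TLD: name server host name -> canonical address."""

    def __init__(self) -> None:
        self.hosts: Dict[str, Dict[str, str]] = {}

    def lookup(self, host: str) -> Optional[str]:
        return self.hosts.get(tld_of(host), {}).get(host.rstrip(".").lower())

    def register(self, host: str, ip: str) -> None:
        self.hosts.setdefault(tld_of(host), {})[host.rstrip(".").lower()] = ip


def set_nameserver(reg: Registries, domain: str, ns_host: str, ns_ip: Optional[str]) -> str:
    """Decide whether `ns_host` may be attached to `domain` as a DNS server.

    Returns 'accepted' or 'rejected: <reason>', following the post's model."""
    if is_under(ns_host, domain):
        # In-domain host: the registrant supplies the address and the domain's
        # own TLD registry records it as the canonical glue.
        if ns_ip is None:
            return "rejected: glue address required for in-domain name server"
        reg.register(ns_host, ns_ip)
        return "accepted"
    # Host lives elsewhere: its own TLD registry must already know it, and any
    # address the registrant supplies must match the canonical one.
    canonical = reg.lookup(ns_host)
    if canonical is None:
        return "rejected: host is not a registered name server in its TLD"
    if ns_ip is not None and ns_ip != canonical:
        return "rejected: address does not match the canonical glue"
    return "accepted"


def walkthrough() -> List[str]:
    """The post's scenario, step by step, with constructed names/addresses."""
    reg = Registries()
    return [
        # 1. A .net domain names an .edu host the .edu registry has never seen.
        set_nameserver(reg, "domain1.net", "ns1.domain1.edu", "192.0.2.53"),
        # 2. The interim workaround: attach the host to the domain it lives in,
        #    which creates the canonical glue in the .edu registry.
        set_nameserver(reg, "domain1.edu", "ns1.domain1.edu", "192.0.2.53"),
        # 3. Now the same host is accepted for the .net domain...
        set_nameserver(reg, "domain1.net", "ns1.domain1.edu", "192.0.2.53"),
        # 4. ...but only with the matching address.
        set_nameserver(reg, "domain1.net", "ns1.domain1.edu", "192.0.2.54"),
        # 5. Another .edu domain can reuse the host without restating the address.
        set_nameserver(reg, "domain2.edu", "ns1.domain1.edu", None),
        # 6. The correct workaround: an in-domain host name for the same server.
        set_nameserver(reg, "domain1.net", "ns1.domain1.net", "192.0.2.53"),
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(walkthrough(), 1):
        print(step, outcome)
```

Steps 1 through 3 reproduce the behaviour described in the section above and the interim fix used later in the post; step 6 shows why giving each domain its own in-domain host name for the same server sidesteps the cross-TLD check entirely, since the domain's own registry is always authorised to create that glue.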
So, why can’t I use this correct solution with 1and1? Because unlike any sane, competent, rational domain registrar, 1and1 doesn’t allow you to specify the IP address of your DNS servers when configuring your domains. Instead, you have to use 1and1’s cockamamie “subdomain” system, which is really intended for setting up multiple web servers within a single domain, to create records for each of your DNS servers, and configure those “subdomains” with the correct IP addresses.
This is incredibly asinine, inconvenient, and non-intuitive, but it would be barely tolerable if I actually could create the ten necessary subdomains, two for each of my five domains, since for redundancy I have two DNS servers. Alas, I can’t, because I am only allowed to create five subdomains, total, across my five domains. The funny thing is that if I had only one domain registered with 1and1 instead of five, I would also be allowed to create five subdomains. For some reason which is as inexplicable as every other problem I’ve had with 1and1, even though I’m paying a fee for each domain, I don’t get more subdomains the more domains I register. It’s utter and complete nonsense.
Let me be clear: every other domain registrar I’ve ever used allows you to specify the IP addresses of your DNS servers along with their host names when setting up a domain. This is how things are supposed to work. In contrast, 1and1’s moronic infrastructure won’t allow me to specify valid DNS servers for the five domains I’ve registered with them. This is too stupid for words.
I wrote to 1and1 and asked them to increase the subdomain limit on my account so that I could create the necessary DNS server records. They said they couldn’t do that and said, “The only work around we can suggest you is to transfer your other domains to another contract so you can have another 5 sub domains for free.” I wrote back and asked them to explain how to transfer some of my domains “to another contract” and whether I would have to pay more money for the privilege of working around their broken software, and they sent me back the following barely English and entirely incomprehensible response:
Regarding your concern, can you please provide us the domain name which you wanted to transfer to another contract for us to check on it? Regarding the charges, we would like to inform you that it would depend on the package where you are going to transfer it. If that would be on the same account then you will not get charge in it not unless the domain name is set as included in the losing package and will not be set as included in the gaining package. Please refer to this link http://faq.1and1.com/domains/domain_admin/ordering_domains/1.html to know more about Included Domains.
If the transfer would be from one account to another account then you will be charged for the domain however Included Domains supported in it will still matter. If that gaining account has a free slot for an included domain then if you are going to transfer one domain in it then you will not be charge since it will be set as included in the package.
As far as I can tell, the root cause of much of this incompetence is that 1and1 is actually a web hosting company, not a domain registration company. They’ve attempted to graft their domain registration business on top of their web hosting business, and they’ve done a singularly bad, incompetent job of it. If a domain registrar can’t handle the simple task of allowing users to specify valid DNS servers for their domains, then they’re complete and utter idiots and shouldn’t be allowed to register domains.
The incorrect workaround I’m using for the time being
I created 1and1 “subdomains” for the two DNS servers with host names within one of my five domains, and then updated that domain to use those DNS servers. Once I’d done that, I could be certain that those two host names were now valid glue records, and I was also able to use them with no trouble as the DNS servers for all of my other domains, even though they are beneath different top-level domains.
In 54 days, when the 60-day lockout for transferring my domains expires, I will transfer them to another registrar (probably NameCheap.com) and then fix them to use the correct DNS server host names within each domain.