How can I delegate a domain registered with Netcup to use itself as the authoritative server on an external DNS system?

  • I want to completely delegate a domain.com purchased at Netcup to an external DNS server, but I also want to make the domain its own DNS server, ie be able to set ns1.domain.com and ns2.domain.com system.


    From what I understand I must create 'A' records to the external DNS in the Netcup control panel, eg ns1.domain.com and ns2.domain.com, then select 'own nameserver' at the bottom of the panel and add ns1.domain.com and ns2.domain.com.


    Then I also have to create the ns1.domain.com and ns2.domain.com A records in the external DNS configuration.


    Is this correct?


    From what I understand this is known as creating glue records.


    FWIW the external system is a CPanel system, but I assume the Netcup end of the configuration should be the same regardless of the external system.

  • […] then select 'own nameserver' at the bottom of the panel and add ns1.domain.com and ns2.domain.com. […]


    From what I understand this is known as creating glue records.

    There are input fields for IPv4/IPv6 addresses to create glue records.


    [Screenshot: ccp-glue-records.png]

  • Quote

    Error: IP address ns2.domain1.de in incorrect format. Please enter an IP address in valid IPv4 or IPv6 format.

    Since the name server host name is the managed zone, you have to enter an IP address for it (glue record).

    You also need to specify at least 2 name servers for this domain.

    When I try it this is the error I get? I'm not sure whether the IPv6 address is also required.


    > Since the name server host name is the managed zone, you have to enter an IP address for it (glue record).


    This is the troublesome part because it doesn't say how the glue record must be added.


    There is another thread here on the topic which doesn't seem to have been resolved properly - https://forum.netcup.de/admini…r/16992-dns-glue-records/


    Does Netcup have a guide to setting glue records?

  • The glue record is only a helper. The A/AAAA record has to pre-exist in your domain as well. Check if there is a trailing point to your ns's fqdn or not.


    What's the cause for this?

    Name service is constructed as a hierarchy.

    The registry's nameservers are on the top and usually serve a copy of the TLD's root zone.

    This zone will basically serve only NS records as fqdn (and in case of glue records: A/AAAA). For the moment, let's forget about DNSSEC and so on.

    If a zone is using name servers, that are addressing a host, that is a "child" within that very root zone, it won't be able to resolve that hostname in the first place.

    That is where your registrar is submitting that "glue record" to the registry's root servers with EPP.

    EPP will usually do checks on the zone. Therefore the zone has to exist on the name servers referred to in the glue, which has to deliver that zone (and obviously with the very same serial number as the secondary ns; that will also be checked). It therefore needs to be included in the NS-recordset and in the case of a primary NS also within the SOA. Remember that the zone and the contact in the SOA use the trailing point notation for hosts.


    That is not specific to netcup. The only difference between registrars is that some selfcare tools require the trailing point, while others don't. That's confusing sometimes.

  • The glue record is only a helper. The A/AAAA record has to pre-exist in your domain as well. Check if there is a trailing point to your ns's fqdn or not.


    Does it mean that if I enter host ns1.mydomain.com IP address 3.3.3.3 in the control panel, the Netcup panel's software will first query 3.3.3.3 to check if it serves mydomain.com before allowing the entry to succeed?


    If so, how can I check that the nameserver IP address I've been assigned by the service provider will reply whether or not it has been configured to serve my domain, e.g. query 3.3.3.3 to see if it provides name service for mydomain.com?


    The provider has given 2 IP addresses which I use for ns1.mydomain.com and ns2.mydomain.com in their DNS configuration page and both fqdns have trailing dots. They are automatically added if I miss the trailing dot. So I guess if they are correctly configured there must be a way of querying the IP directly to check if it provides name service for the domain.

  • You must enable custom (authoritative) DNS servers in the CCP and add your IPv4 and IPv6 addresses of `ns1.mydomain.com` and `ns2.mydomain.com`.

    In order to do so, the two nameservers must also serve DNS records for `mydomain.com`. Otherwise, netcup's system will refuse to propagate the entries to the authoritative nameservers of the `com` TLD.


    Quote

    Does it mean that if I enter host ns1.mydomain.com IP address 3.3.3.3 in the control panel, the Netcup panel's software will first query 3.3.3.3 to check if it serves mydomain.com before allowing the entry to succeed?

    Exactly.


    Quote

    If so, how can I check that the nameserver IP address I've been assigned by the service provider will reply whether or not it has been configured to serve my domain, e.g. query 3.3.3.3 to see if it provides name service for mydomain.com?

    For example, run `dig mydomain.com NS @3.3.3.3` or use an online DNS resolver website (if such a thing exists?).

  • I am not sure which party is checking the zone - your tld registry or netcup, but in principle, you can also assume netcup does that.


    The Linux and Unix guys use dig, Windows users can check with nslookup.


    An example to check with dig would look like this (assumption: the Google resolver 8.8.8.8 represents the primary ns in this example):


    dig @8.8.8.8 -t soa mydomain.com


    dig +short @8.8.8.8 -t soa mydomain.com

    ns1.mydomain.com. hostmaster.mydomain.com. 2023072200 3600 1200 86400 43200


    to check all nameservers you can use a one-liner with a loop:


    for i in ns1.mydomain.com ns2.mydomain.org; do dig +short @${i} -t soa mydomain.com; done


    I am not a hardcore windows user, but I guess nslookup should work this way, too:


    nslookup -type=soa mydomain.com 8.8.8.8
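
Added example, not part of the thread and not netcup's own check: a pre-flight script for the condition described above, that every nameserver IP entered as glue answers authoritatively for the zone and that all of them report the same SOA serial. The function names, the sample answer and the 192.0.2.x test addresses are constructed for illustration; what the registrar or registry actually verifies may differ.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check before entering glue records at the registrar.
# Every nameserver IP must answer authoritatively (aa flag) for the zone and
# all of them must report the same SOA serial.

# Ask one server directly, without recursion; keep header comments and answer.
query_soa() {            # usage: query_soa <zone> <server-ip>
  dig +norecurse +noall +comments +answer +time=3 +tries=1 "@$2" "$1" SOA
}

# Succeeds if the dig header on stdin carries the "aa" flag.
is_authoritative() { grep -Eq '^;; flags:[^;]* aa[ ;]'; }

# Prints the SOA serial from dig output on stdin (7th field of the SOA line).
soa_serial() { awk '$4 == "SOA" { print $7; exit }'; }

# usage: check_glue <zone> <ip> [<ip> ...]; returns 0 only if all servers pass.
check_glue() {
  local zone="$1" ip out serial first="" rc=0
  shift
  for ip in "$@"; do
    out=$(query_soa "$zone" "$ip") || out=""
    if ! printf '%s\n' "$out" | is_authoritative; then
      echo "FAIL $ip: no authoritative answer for $zone"; rc=1; continue
    fi
    serial=$(printf '%s\n' "$out" | soa_serial)
    if [ -z "$serial" ]; then
      echo "FAIL $ip: no SOA record returned"; rc=1; continue
    fi
    : "${first:=$serial}"   # remember the first serial seen
    if [ "$serial" != "$first" ]; then
      echo "FAIL $ip: serial $serial differs from $first"; rc=1; continue
    fi
    echo "OK   $ip: authoritative, serial $serial"
  done
  return $rc
}

# Constructed sample of a good answer (not captured from a real server).
SAMPLE_OK=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
mydomain.com. 3600 IN SOA ns1.mydomain.com. hostmaster.mydomain.com. 2023072200 3600 1200 86400 43200'

# Live run only when arguments are given, e.g.: ./check.sh mydomain.com 3.3.3.3
if [ "$#" -ge 2 ]; then check_glue "$@"; fi
```

A recursive resolver such as 8.8.8.8 does not set the `aa` flag for the zone, so this check only passes when pointed at the nameserver IPs themselves.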