NS instead of SOA



Another topic got me thinking. Is there any technical difficulty that requires Cloudflare to be the SOA for a domain instead of just the NS records? Maybe I’m not aware of something in the RFCs.


We should be SOA as well; by default I believe the first NS is also the SOA. When I do a dig on one of my personal domains it returns Cloudflare as the SOA.


Correct. But my question is: is it technically possible for the domain to be somewhere else and just let the root NS point to Cloudflare?

For example:

  1. Typical configuration:
    smth.com. 3599 IN SOA jake.ns.cloudflare.com. dns.cloudflare.com. 2024453909 10000 2400 604800 3600
    smth.com. 86399 IN NS jake.ns.cloudflare.com.
    smth.com. 86399 IN NS jo.ns.cloudflare.com.

  2. Configuration I talk about:
    smth.com. 899 IN SOA dns-external-master.amazon.com. root.amazon.com. 2010113951 180 60 3024000 60
    smth.com. 86399 IN NS jake.ns.cloudflare.com.
    smth.com. 86399 IN NS jo.ns.cloudflare.com.

In the second possibility the resolver should ask either jake or jo for the smth.com root records (A, CNAME, TXT, whatever), right? Or maybe I’m mistaken somewhere. If it works like that, then Cloudflare doesn’t need to be SOA for the domain, does it?


Today you can’t set up Cloudflare in a master/slave configuration so I don’t think this would work.


Again, I’m asking about technical possibility. Is it technically possible or not?
I know that you cannot do something like this right now.


I don’t think it’s technically possible to sub-delegate the root.


I don’t agree.

I’ve just read most of the DNS RFCs and none of them clearly states either that the primary NS of the root must be the same as the one in the SOA, or that you cannot delegate the root of a domain. Of course all the examples make you think that it is proper, but I fail to find any clear statement that you essentially must do it like that.

In RFC 1034 (https://tools.ietf.org/html/rfc1034) section 4.3.2 you can find an algorithm which describes how a DNS request is processed. Point 3.b of that algorithm doesn’t state any exceptions regarding the handling of NS records, therefore I think that it is possible to delegate the whole root zone to a remote name server (or, generally speaking, the primary NS doesn’t have to be the same as the one in the SOA record). At least I cannot find any evidence that my thoughts are wrong (or at least not in the RFCs, but I think there’s no better DNS documentation than the RFCs).


In RFC 2181 section 7.3 (https://tools.ietf.org/html/rfc2181#section-7.3), it is stated that:

the MNAME field of the SOA record should contain the name of the primary (master) server for the zone identified by the SOA

where MNAME, per RFC 1035 section 3.3.13 (https://tools.ietf.org/html/rfc1035#section-3.3.13) is defined as:

The <domain-name> of the name server that was the original or primary source of data for this zone.

Note the use of the word “should” there. So, the server in the MNAME field in the SOA record does not need to be equal to the server listed in the NS record.

Also, you may want to check this expired Internet Draft (https://tools.ietf.org/html/draft-jabley-dnsop-missing-mname-00). Note what the author said:

There are no implementations of authority-only servers known to the author which use the MNAME field to manage or perform zone transfers, however; for bootstrapping reasons, commonly-deployed implementations require master servers to be specified explicitly, usually by address rather than name.
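As an added example (not code from this thread, from Cloudflare or from the RFC authors), a small Python audit over the two configurations quoted earlier in the thread and the RFC 2181 MNAME point above: it parses the apex SOA and NS records in dig's presentation format and reports whether the SOA MNAME is one of the name servers the zone actually delegates to. The sample records are constructed from the post; `parse_apex`, `rname_to_mailbox` and `audit` are assumed names.

```python
from collections import namedtuple

# Constructed sample input: the two zone-apex configurations quoted in the thread.
TYPICAL = """\
smth.com. 3599 IN SOA jake.ns.cloudflare.com. dns.cloudflare.com. 2024453909 10000 2400 604800 3600
smth.com. 86399 IN NS jake.ns.cloudflare.com.
smth.com. 86399 IN NS jo.ns.cloudflare.com.
"""
SPLIT = """\
smth.com. 899 IN SOA dns-external-master.amazon.com. root.amazon.com. 2010113951 180 60 3024000 60
smth.com. 86399 IN NS jake.ns.cloudflare.com.
smth.com. 86399 IN NS jo.ns.cloudflare.com.
"""

# SOA RDATA fields in RFC 1035 section 3.3.13 order.
Soa = namedtuple("Soa", "mname rname serial refresh retry expire minimum")

def parse_apex(text):
    """Parse apex records (owner TTL class type rdata); return (owner, Soa, set of NS targets)."""
    owner, soa, ns = None, None, set()
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            raise ValueError(f"not a presentation-format record: {line!r}")
        name, rtype, rdata = f[0].lower(), f[3], f[4:]
        owner = owner or name
        if name != owner:
            raise ValueError(f"owner {name} differs from apex {owner}")
        if rtype == "SOA":
            if len(rdata) != 7:
                raise ValueError("SOA needs MNAME, RNAME and five integers")
            soa = Soa(rdata[0].lower(), rdata[1].lower(), *map(int, rdata[2:]))
        elif rtype == "NS":
            ns.add(rdata[0].lower())
    if soa is None or not ns:
        raise ValueError("apex needs one SOA and at least one NS record")
    return owner, soa, ns

def rname_to_mailbox(rname):
    """'dns.cloudflare.com.' -> 'dns@cloudflare.com': the first label is the local part."""
    local, _, rest = rname.rstrip(".").partition(".")
    return f"{local}@{rest}"

def audit(text):
    """Is the SOA MNAME one of the servers the zone actually delegates to?"""
    owner, soa, ns = parse_apex(text)
    return {"zone": owner, "mname": soa.mname, "ns": sorted(ns),
            "mname_is_listed_ns": soa.mname in ns,
            "contact": rname_to_mailbox(soa.rname)}
```

Resolvers following RFC 1034 section 4.3.2 chase the NS set and never consult MNAME, so the second configuration only reports the mismatch; whether a provider will host such a zone is a policy question, not a protocol one.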


So you agree with my statement that it should be possible?

Let’s clarify this with an example:

  1. I order a new domain tt123.com from OVH
  2. As registrar, OVH points that domain to their DNS (whois data): dns.ovh.net/ns.ovh.net
  3. I go to the zone configuration and change the root domain NS records from the default dns.ovh.net/ns.ovh.net to, for example, jake.ns.cloudflare.com/jo.ns.cloudflare.com
  4. It should work pretty much the same as if I did a whole domain delegation to Cloudflare DNS

True or false? I would like someone from Cloudflare’s tech staff to approve or disprove that thesis with arguments.


Any feedback from Cloudflare?
I’m not doing these kinds of topics for nothing. In the near future (call it weeks) I will have to decide where to throw almost 1000 domains, so… please at least respond with “no can do”.


Let me do some additional research and see if I can get some info for you.


If you’re looking for an immediate solution (within weeks) I’d suggest just signing up the domains directly with Cloudflare and using our DNS as it’s intended. That means changing the name servers to the ones we provide at signup.


What I’ve found is that while technically possible via workaround, it’s not something that we recommend or formally support. There aren’t any plans to change that on our end at this time.


I may come back to you with my case via a support ticket. It’s not so easy, and Cloudflare might not be good for that project anyway. Giving you domains with NS records was something that I would like to do for that project; that would make everything easier. But if you don’t support it then a part of the domains will never be manageable by Cloudflare (due to reasons).


I’d like to get more specific details. I’ll message you directly to collect.