Hacker News
Tell HN: NetworkSolutions.com lost the ability to update root DNS w/ custom DNS
82 points by LinuxBender 9 months ago | 46 comments
This is mostly just for the DNS admins and hobbyists out there. If you have domains with web.com / networksolutions.com and you have defined custom nameservers, meaning you put in an IP with a domain name and in the past it updated the root DNS servers, then do not change it. The UI will let you change it but they no longer have the ability to update the root DNS servers with your custom nameservers that you or your company manage yourselves. The NetworkSolutions.com UI will let you do it, but it won't actually do anything. This is per their support team. I do not know when or why they lost this ability. I am also no longer able to call anyone there, it's web chat only.

To be clear(er) this is for custom name servers that you manage yourself, not their name servers and not for DNS servers that are already defined in the root anycast clusters. If anyone is not clear what I am talking about this probably doesn't apply to you.




I once worked for a firm that used NetworkSolutions and spent a lot of time in their online portal and with their support. I do not have anything nice to say about them, their services, or their billing practices.


Network Solutions was the original registrar. Since then they have done absolutely nothing to build on that, beyond cashing in on the inertia of people who haven't left. They are the America Online of domain registration.


I have had a domain via network solutions since the start. I have had zero drama.

Remember, people who manage servers want nothing to change, ever.


This is fairly surprising and indeed, alarming. They've been in the game forever. If anyone should be able to do basic functions of their company, it should be them.

I wonder how much value has been extracted in the name of efficiency that it's gotten to the point they've lost the ability to perform the basic functions of being a registrar?


They excel in sucking so much that people are afraid to move away and continue to pay $100 a year or more to just register a domain with "features" that aren't of use to anyone.


I think the term you're looking for is "glue records", not "root DNS". Using that term with NetSol support may get you better results.


They did understand but said that function no longer works. I don't know why the UI still exists. To be clear you can add name servers that were already defined to your zones in the root servers but can not create new ones. So I could for example add pdns196.ultradns.org as an authoritative NS for my zones but if I rack mount a server and expose DNS using one of my domains then people will only learn about it when they query my NS records from other DNS servers that are already defined such as ultradns, google, etc... because they already queried NS from pdns196 meaning to your point that one I just provisioned will lack glue records in the root DNS servers.


This has nothing to do with root zones. The root zones tell a resolver where to send the next query to find .org domains, for example. They don’t know about your zone, nor should they.

> pdns196.ultradns.org as an authoritative NS for my zones

Okay, sounds like what most registrars can do. (Although Cloudflare seems to have very odd concepts of what DNS means…)

> but if I rack mount a server and expose DNS using one of my domains

I can’t parse this. Are you saying you have a server with a fixed IP address and it’s running an authoritative DNS server for one of your domains?

> people will only learn about it when they query my NS records from other DNS servers that are already defined such as ultradns, google, etc...

This almost sounds like common recursive resolvers like 8.8.8.8 can find you, which is what you would expect.

> because they already queried NS from pdns196

Queried NS for what domain?

> meaning to your point that one I just provisioned will lack glue records in the root DNS servers.

Of course it lacks glue records in the root servers. It’s the servers for the level in which you are registered that should have the records.

Maybe post the output from dig +trace [domain] and explain how the output differs from what you expect?


I'm going to try to translate a bit.

OP is running one or more DNS servers, and wants to have "vanity" nameservers for their domain (e.g. ns1/ns2.example.com for example.com, rather than ns1/ns2.theirhostingprovider.net). This is generally inadvisable, but it's their prerogative.

Setting this up typically requires OP to set up glue records at the registry so that the .com (or whatever TLD is applicable) can return IP addresses in the delegation to ns1/ns2.example.com, so that resolvers don't get "stuck" trying to resolve the domain. Typically this is done through the registrar, but apparently NetSol isn't cooperating. I've never heard of a registrar refusing to do this before; I'm not sure it's even permitted by the registrar agreement.


> OP is running one or more DNS servers, and wants to have "vanity" nameservers for their domain (e.g. ns1/ns2.example.com for example.com, rather than ns1/ns2.theirhostingprovider.net). This is generally inadvisable, but it's their prerogative.

Eh, since when is having in-bailiwick name servers not advisable? Is it stated in some BCP or draft? In-bailiwick servers and glue records have been standard practice as long as DNS existed.


Adding to this, if I am not running my own nameservers I can not watch DNS requests to see how bots are evolving. I sometimes take evasive maneuvers to trip up the bots. Some ... well most ... would say I should be using Cloudflare for such things but I am not even going to write up a blog on why I will not. I run my own servers for anything I can and then my hobby is to play blue team with the bots and skiddies. I can't do that with other people's nameservers.


So is their official solution for customers to change name servers to move the domains to a different registrar?


> So is their official solution for customers to change name servers to move the domains to a different registrar?

I don't know. Either that or perhaps they might expect people using them as a registrar to also use them for DNS or to use another one of the paid DNS provider services. I only had a short conversation on their web chat and that person had to ask others.


Their UI is horrendous. It wouldn't let a customer add a TXT record recently because 'a txt record already exists for that domain', lol


People still use Network Solutions? Is there a reason?

They disappeared from my view after their domain front-running fiasco (wow, in 2008, how time flies).


They are an incredibly shitty company.

As late as last year, and possibly even now, they were STILL charging extra if you wanted to use TLS connections for email. Otherwise, they're more than happy to allow connections with passwords over cleartext.

Their failure mode for all sorts of things is to default to pointing everything at their servers.

I wouldn't be surprised if they decide to charge extra for "premium" registrar features like adding glue for nameservers.

Anyone using them should move away as soon as humanly possible, even though they make it incredibly difficult to do so.


One of the reasons I am using it (I inherited it, looking to move) is due to being able to delegate some responsibilities to other staff without giving them the whole thing.

What other services would you recommend that provide the same? I reached out to their support because I couldn't update contact info and the spam to my company phone line was so ridiculous I had to send it to voice mail for a month.

I'd love a service that lets me delegate some technical aspects to others. GoDaddy is a non-option.

All the services I use personally are, well, for personal use and don't seem to support multiple accounts.


I use Namecheap and have for years (moved off GoDaddy when I didn’t want to give that poacher Bob Parsons any more money).

Looks like they have that feature:

https://www.namecheap.com/support/knowledgebase/article.aspx...



That might be an option as we do use AWS. I'll have to investigate, thank you!


Gandi.



I have been registered with them since pre-ICANN. I never had a reason to change. I paid for my domain for 100 years and now I just pay yearly automatically the last time I dealt with them.

I have my DNS handled by panix.com.


If you paid for 100 years why do you also have to pay yearly?


To stay 100 years ahead. If something goes wrong with payment processing I will always have 100 years to straighten it out.

When I first did it I was worried some might try to take my 4 letter plural proper noun domain name. I figured if I had a contract for 100 years it would definitively define my ownership of the domain name.


>People still use Network Solutions? Is there a reason?

I'm with them since time immemorial.

The cost and headaches, both actual and potential, of the downtime incurred changing providers exceeds the potential savings in annual bills.


Are we talking thousands of domains or something? It’s been quite simple in my personal experience, just first creating matching DNS records anywhere else, then do the NS change for the domain, then do the registrar transfer. I’ve never had downtime.


I can warmly recommend switching to a more customer-oriented registrar. Porkbun seems to be quite popular. Personally, I’ve had very good experiences with Dynadot. They both support glue records. Porkbun also offers phone support.

https://kb.porkbun.com/article/112-how-to-host-your-own-name...

https://www.dynadot.com/community/help/question/register-nam...


This is one of those "excuse me, what?" moments.


1. How can you tell if a DNS server is already defined in the root anycast clusters?

2. What's a good domain registry for an important domain? One where you own the domain, like Gandi, rather than just renting it from the domain registry, as with current NetSol terms?


> One where you own the domain, like Gandi, rather than just renting it from the domain registry, as with current NetSol terms?

I don't think this distinction exists in the way you think it does. Different registrars may use different phrasing when referring to the registrant of a domain, but no matter whether the registrar uses the words "owner" or "rent", you're paying to be temporarily treated as the registrant of a domain name.

(There are some weird registrars like Njalla where the customer explicitly isn't even listed as the registrant of the domain, but that's probably not what you mean.)


> How can you tell if a DNS server is already defined in the root anycast clusters?

One way is to query one of the root servers responsible for that TLD.

If example.net, then adding extra steps to make it more explicit what's happening.

    # get the root servers for .net
    dig NS net
    net.   7 IN NS e.gtld-servers.net.
    [snip...]

    # just adding this step to make it more descriptive of what's happening
    dig +short e.gtld-servers.net
    192.12.94.30

    dig @192.12.94.30 +all +norecurse +nocookie -t ns example.net

    ;; AUTHORITY SECTION:
    example.net.  172800 IN NS a.iana-servers.net.
    example.net.  172800 IN NS b.iana-servers.net.
    [snip ... extra data ignored]

> What's a good domain registry for an important domain? One where you own the domain, like Gandi, rather than just renting it from the domain registry, as with current NetSol terms?

All domains are rented. Premium registrars like MarkMonitor have monitoring options to see if someone managed to change the root servers for your domain and will try to fix it but I have no idea if they still do that or if they are still any good. They are meant for businesses.
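
Added example (not part of the thread and not any commenter's code): the check in the comment above taken one step further, parsing the referral that a TLD server returns to a `+norecurse` query and flagging nameservers inside the delegated zone that came back without glue addresses. The referral text is constructed sample data; `ns1`/`ns2.example.net`, `ns.provider.example` and the function names are assumptions.

```python
# Constructed dig-style referral (documentation names/addresses, not a real capture).
SAMPLE_REFERRAL = """\
;; AUTHORITY SECTION:
example.net.      172800 IN NS   ns1.example.net.
example.net.      172800 IN NS   ns2.example.net.
example.net.      172800 IN NS   ns.provider.example.

;; ADDITIONAL SECTION:
ns1.example.net.  172800 IN A    192.0.2.53
ns1.example.net.  172800 IN AAAA 2001:db8::53
"""


def parse_sections(dig_text):
    """Return {section: [(owner, rtype, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:-len("SECTION:")].strip()  # e.g. "AUTHORITY"
            sections[current] = []
        elif line and not line.startswith(";") and current:
            f = line.split()                            # owner ttl class type rdata
            if len(f) >= 5:
                sections[current].append((f[0].lower(), f[3].upper(), f[4].lower()))
    return sections


def glue_report(dig_text, zone):
    """Map each delegated NS name to (status, glue addresses)."""
    zone = zone.lower().rstrip(".") + "."
    sec = parse_sections(dig_text)
    glue = {}
    for owner, rtype, rdata in sec.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    report = {}
    for owner, rtype, ns in sec.get("AUTHORITY", []):
        if owner != zone or rtype != "NS":
            continue
        if not (ns == zone or ns.endswith("." + zone)):
            status = "external"        # resolves through its own delegation
        elif ns in glue:
            status = "glue"            # parent hands out the address
        else:
            status = "missing-glue"    # resolver cannot reach it via this referral
        report[ns] = (status, glue.get(ns, []))
    return report


if __name__ == "__main__":
    for name, (status, addrs) in glue_report(SAMPLE_REFERRAL, "example.net").items():
        print(f"{name:24} {status:13} {', '.join(addrs)}")
```

To check a real delegation, save the output of the `dig @<tld-server> +norecurse -t ns <domain>` query from the comment to a file and pass its contents to `glue_report`.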


> 1. How can you tell if a DNS server is already defined in the root anycast clusters?

Is it yours? Then did you define it?

Is it someone else's? Then yes.

> 2. What's a good domain registry for an important domain? One where you own the domain, like Gandi, rather than just renting it from the domain registry, as with current NetSol terms?

That's not how any of that works.

The registry is the TLD.

The registrar is Gandi or Network Solutions.

You are always renting a domain from the registry, subject to the terms and whims of the registry and registrar.


> You are always renting a domain from the registry, subject to the terms and whims of the registry and registrar.

That is usually true today. It wasn't true for Gandi until this change in their terms in 2020. Until then, they did not have the contractual authority to arbitrarily cancel a domain registration. Note the change to their terms at 4(ii).

Slowly, over the years, domain registrars have claimed more and more control over domains. Domain names have been considered property in a few cases, but it's not settled law.[2]

This led big companies to become registrars themselves. At one time, most of the big names - "google.com", "facebook.com" were registered with Network Solutions, when it was a standalone company or part of Verisign. Now, the big guys have in-house registrars, for safety. They don't want to trust those Web.com guys in Florida.

[1] https://www.icann.org/en/system/files/files/terms-of-service...

[2] https://circleid.com/posts/20180628_domain_names_considered_...


Okay, first off, that TOS is about ICANN's websites, in the update called their "platform". It has nothing to do with domains and ICANN is not the registry. I'm not even sure who the "they" you're talking about is. Were you trying to say that somehow changed something relevant to Gandi as opposed to every other registrar?

It was absolutely true for Gandi, just like for everyone else. Domains have always been cancellable for various reasons.

Yes, many registrars are now acting as registries or have in the past (or been part of other companies who were involved in the operation). That changes nothing of what I said.

Even those big guys with their own registrar, are still subject to the whims of the registries (for other TLDs).


Probably the best "Solution" is to just move to another registrar.

As someone with dozens of domains, unaffiliated, I can recommend:

- PorkBun: No-bullshit UI, no absurd first-year promotions to trick you with a higher renewal fee, and support for DNSSEC and Glue records. Domain transfer auth codes are shown in the UI, not emailed to you. Free URL redirects with HTTPS.

- SpaceShip: From Namecheap, but with none of Namecheap stuff. Slow UI, modern UI, easier for bigger portfolios. DNSSEC and Glue records.

No matter the registrar, I recommend not to use their (free or otherwise) Authoritative DNS service, URL redirects, email hosting, etc.

Unlike what it may look like, DNS hosting, emails, etc. are value-adds registrars provide. The only things you need registrars are to buy/renew the domains, set nameservers (and optionally Glue records), update DNSSEC records, and update WHOIS.


It may be trivial, but head to the ICANN accredited registrar list and you have more than 2800 competitors to transfer your domain to.

Pick one that supports glue records, IPv6 glue, and DNSSEC, but unfortunately the ICANN list does not provide this information...

The one I use for 20+ years is gkg.net. They support all of the above, and "hosts" (glue records) supports IPv4 and IPv6, but also multiple addresses per name.

GKG's IANA number is 93 so they are here for a long time.


They also don't yet fully support DNSSEC unless you use their DNS servers.


Have you tried disabling transfer lock before editing the glue records? On Hover this is necessary for either changing nameservers or glue records (otherwise it fails with a weird error). Although I'm not sure if it is a registrar mechanic or just a Tucows/OpenSRS thing.


Can we get a fix for the headline typo? "solTUTions".


I emailed the mods.


Sorry I missed that.


Last I interacted with their support, they had plaintext view of my customer's password. They used it for verification.

Terrible company. Terrible practices. Pathetic.


Ugh, flashbacks to Hostgator, where random employees (like literally all of the customer support trainers and supervisors?) had access to view not only the customer's "security PIN" but also their full, unredacted CC#... (And everyone else could see 10 digits of the CC#, i.e. only 6 digits were masked!)


Mods: typo in title networksolTutions.com


Fixed. Thanks!



