Here we'll look precisely and completely at the domain name delegation mechanism: how to set up the domain NS records, how to set up public authoritative DNS servers, and how to check NS records throughout the Internet DNS hierarchy. We'll pay special attention to IPv6.
In common usage, NS (Name Server) and DNS server mean the same thing, although the correct term is Name Server.
Likewise, domain name and zone are used interchangeably, although the correct term is zone.
The Domain Name Authority Delegation
Here is the domain name authority chain:
Granting authority over a domain name means granting access to its NS records.
That access is given through the NS records held in the TLD (top level domain) zone: those records state which name servers are authoritative for the domain name.
Please note that the registrar acts as a proxy: it is delegated the authority over the domain example.com and hands it over to the customer. The customer reaches the example.com NS settings held in the TLD through the registrar's management page. The registrar is a proxy:
The other TLD setting the customer can edit is the glue records (A or AAAA records: the hostname-to-IP-address resolution of the example.com DNS servers).
There are at least 2 authoritative DNS servers for a zone (i.e. a domain name or subdomain name): a primary name server (master) and a secondary name server.
The DNS servers given authority over the example.com domain must comply with a set of rules:
. 2 distinct DNS servers (one primary and one secondary), located on topologically distinct networks (i.e. different origin autonomous systems in the BGP routing table)
. each holds one SOA record, 2 NS records, and the A/AAAA records corresponding to the two NS records
. the SOA record and the NS records are identical throughout the zone (zone = domain name)
. at least 1 glue record must be present in the TLD records
Here is the basic DNS server implementation:
3 possibilities of DNS Server Delegation
There are 3 possibilities for DNS delegation:
1. Registrar hosted DNS:
In this case, the registrar hosts a DNS server the customer has access to. Only one DNS server is shown here:
2. Third-party hosted DNS
In this case, DNS hosting is performed by a third party, and the NS records point to that third party's DNS servers.
Only one DNS server is shown here:
3. Locally hosted Public DNS Servers :
In this case, the DNS servers are hosted locally. Only one DNS server is shown here:
Here is the full network map, with the minimum set of 2 DNS servers required:
A Public DNS Server Set Setup
A few notes:
There is one primary server and at least 1 secondary server.
The secondary servers automatically update from the primary server.
They all contain the same basic information:
. same SOA record
. same NS records
. same A or AAAA records for the NS records hostnames resolution
. TCP and UDP ports 53 must be reachable (DNS queries and server synchronization)
Please note that every name server holds NS records listing all the name servers of the zone (i.e. ns1 has both the ns1 and ns2 NS records, and so does ns2).
The SOA record
The SOA record states authoritative information about a DNS zone:
. primary name server
. email of domain admin
. domain serial number
. timers related to zone refresh.
Here is a typical SOA record, in zone-file syntax:
example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. (
    2013072004 3600 600 86400 3600 )
Here is the meaning of each field:
[zone] [TTL] IN SOA [Primary NameServer] [E.mail of domain admin] (
    [Serial Number] [T1] [T2] [T3] [T4] )
[zone] is the domain name (or subdomain)
[TTL] is the time to live of the zone records for outside DNS servers (in seconds)
[Primary NameServer] is the FQDN of the primary name server of the zone
[E.mail of domain admin] is written with a dot instead of '@' (hostmaster.example.com stands for hostmaster@example.com)
[Serial Number] is an incrementing number, raised at each change of the primary name server's records. It tells the secondary name servers of the zone that the records have changed and that they should sync.
It is written in the form [Year][Month][Day][Number]
[T1] Refresh time: time before the secondary name servers recheck the zone serial number (in seconds)
[T2] Retry time: time before a secondary name server retries a zone transfer after a failed one (in seconds)
[T3] Expire time: time after which, if zone transfers keep failing, a secondary name server expires its copy of the zone and stops answering queries (in seconds)
[T4] Minimum TTL: how long outside DNS servers should keep the zone data in their caches (in seconds)
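The field layout above can be handled mechanically. The following is an added example, not code from the original article: it parses a zone-file style SOA record (the article's sample, rewritten with the conventional trailing dots and parentheses), checks the [T1]..[T4] relationships that most often break secondary refresh, and shows how the [Year][Month][Day][Number] serial is compared and bumped. Serial comparison follows RFC 1982 wrap-around arithmetic, which is what secondaries actually use to decide whether to sync. The record text, host names and dates are constructed.

```python
# Added example (not from the original article): parse a zone-file style SOA
# record, check the timer relationships, and handle the serial number with the
# [Year][Month][Day][Number] convention and RFC 1982 wrap-around arithmetic.
# The record text and host names below are constructed from the article's sample.
from datetime import date

# Constructed sample in zone-file syntax: TTL and class come before the type,
# names end with a dot, and the five counters are wrapped in parentheses.
SAMPLE_SOA = """example.com.  86400  IN  SOA  ns1.example.com.  hostmaster.example.com. (
        2013072004 ; serial   [Year][Month][Day][Number]
        3600       ; refresh  [T1]
        600        ; retry    [T2]
        86400      ; expire   [T3]
        3600       ; minimum  [T4]
)"""

COUNTERS = ("serial", "refresh", "retry", "expire", "minimum")
SERIAL_MOD = 1 << 32  # the SOA serial is an unsigned 32-bit counter


def parse_soa(text):
    """Return the fields of a single zone-file SOA record as a dict."""
    # Drop ';' comments, then join the continuation lines and remove parentheses.
    flat = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = flat.replace("(", " ").replace(")", " ").split()
    # Expected: zone ttl class SOA mname rname serial refresh retry expire minimum
    if len(tokens) != 11 or tokens[3].upper() != "SOA":
        raise ValueError("not a single SOA record: %r" % (tokens,))
    zone, ttl, _cls, _type, mname, rname = tokens[:6]
    soa = {"zone": zone.rstrip("."), "ttl": int(ttl), "mname": mname.rstrip(".")}
    soa.update(zip(COUNTERS, (int(t) for t in tokens[6:])))
    # RNAME: the first dot stands for the '@' of the admin mailbox.
    local, _, domain = rname.rstrip(".").partition(".")
    soa["admin_email"] = "%s@%s" % (local, domain)
    return soa


def check_timers(soa):
    """Warn about [T1]..[T4] relationships that break secondary refresh
    (common operational guidance, see RFC 1912 section 2.2)."""
    warnings = []
    if not soa["retry"] < soa["refresh"]:
        warnings.append("retry [T2] should be shorter than refresh [T1]")
    if not soa["expire"] > soa["refresh"] + soa["retry"]:
        warnings.append("expire [T3] should exceed refresh [T1] + retry [T2]")
    if soa["minimum"] > soa["expire"]:
        warnings.append("minimum [T4] should not exceed expire [T3]")
    return warnings


def serial_newer(new, old):
    """RFC 1982 comparison: True if `new` is ahead of `old`, modulo 2^32."""
    diff = (new - old) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def next_serial(current, today=None):
    """Next serial in YYYYMMDDNN form. `today` is an int such as 20130720
    (defaults to the current date). Same day: the counter increments; a later
    day restarts NN at 01. If the date-based candidate would not be 'newer' in
    RFC 1982 terms (more than 99 edits in one day, or a clock set backwards),
    fall back to current + 1 so the secondaries still see an increase."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    candidate = today * 100 + 1
    return candidate if serial_newer(candidate, current) else (current + 1) % SERIAL_MOD


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print("warnings:", check_timers(soa))
    print("next serial today:", next_serial(soa["serial"]))
```

Note that `next_serial` never simply trusts the date: a secondary only transfers the zone when the serial has moved forward in RFC 1982 terms, so a serial that goes backwards (for instance after editing the zone on a machine with a wrong clock) silently stops synchronization.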
NSLOOKUP and Name Server Queries
To check the name server records, we can use the nslookup command.
It is especially useful for checking the content of the TLD records, as well as differences between the TLD records and the authoritative name servers' records.
Let's check the example.com NS records:
nslookup -q=ns .
nslookup -q=ns com [root NS]
nslookup -q=ns example.com [com NS]
First, we query the NS records of the root zone:
nslookup -q=ns .
We get a list of valid NS records. Let's call [root NS] one of these answers.
Then, we ask one of the returned root servers for the authoritative NS records of the .com TLD:
nslookup -q=ns com [root NS]
We get a list of valid NS records for the .com TLD.
Let's call [com NS] one of these answers.
Finally, we query one of the returned .com name servers for the example.com NS records:
nslookup -q=ns example.com [com NS]
This is the complete sequence. A shorter, less rigorous one might be:
nslookup -q=ns com
nslookup -q=ns example.com [com NS]
We can compare it with our own NS records by querying the primary name server directly:
nslookup -q=ns example.com [Primary Name Server IP]
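The comparison just described, between the TLD's view of example.com and what the delegated servers answer themselves, is also a check of the delegation rules listed earlier (2 servers, identical NS and SOA records, at least one glue record). The following is an added example, not code from the original article: it takes the answers the nslookup walk would return, embedded here as constructed data rather than live queries, and reports the inconsistencies a practitioner looks for. The server names, the address and the serial numbers are constructed to mirror the article's ns1/ns2 layout.

```python
# Added example (not from the original article): check a delegation the way the
# nslookup walk does, by comparing the parent-side (TLD) NS set and glue with
# what each listed name server answers about the zone itself. Names, addresses
# and serials are constructed to mirror the article's ns1/ns2 layout; no queries
# are sent, the answers are embedded.

ZONE = "example.com"

# What a .com server returns for "nslookup -q=ns example.com [com NS]":
# the delegation NS set and the glue (A/AAAA) it holds for in-zone names.
PARENT_NS = {"ns1.example.com", "ns2.example.com"}
PARENT_GLUE = {"ns1.example.com": {"2001:db8:1::53"}}  # ns2 has no glue (1 is the minimum)

# What each delegated server answers when asked directly
# ("nslookup -q=ns example.com [server IP]" and the same with -q=soa).
# Constructed: ns2 lags one serial behind ns1, as a secondary does between refreshes.
AUTHORITATIVE = {
    "ns1.example.com": {"aa": True, "ns": {"ns1.example.com", "ns2.example.com"}, "serial": 2013072004},
    "ns2.example.com": {"aa": True, "ns": {"ns1.example.com", "ns2.example.com"}, "serial": 2013072003},
}


def check_delegation(zone, parent_ns, parent_glue, authoritative):
    """Return a list of delegation problems (empty when the zone is consistent)."""
    problems = []
    if len(parent_ns) < 2:
        problems.append("fewer than 2 NS records in the parent zone")
    # Glue: a name server inside the zone it serves can only be reached if the
    # parent also hands out its address (the 'at least 1 glue record' rule).
    in_zone = {n for n in parent_ns if n == zone or n.endswith("." + zone)}
    if in_zone and not any(parent_glue.get(n) for n in in_zone):
        problems.append("no glue record in the parent for any in-zone name server")
    serials = set()
    for name in sorted(parent_ns):
        answer = authoritative.get(name)
        if answer is None or not answer["aa"]:
            # Listed by the parent but not answering authoritatively: lame delegation.
            problems.append("%s: lame delegation, not authoritative for %s" % (name, zone))
            continue
        if answer["ns"] != parent_ns:
            problems.append("%s: NS set %s differs from parent %s"
                            % (name, sorted(answer["ns"]), sorted(parent_ns)))
        serials.add(answer["serial"])
    if len(serials) > 1:
        problems.append("SOA serials differ across servers: %s (secondary not in sync)" % sorted(serials))
    return problems


if __name__ == "__main__":
    for line in check_delegation(ZONE, PARENT_NS, PARENT_GLUE, AUTHORITATIVE) or ["delegation consistent"]:
        print(line)
```

With the constructed answers the only finding is the serial gap between ns1 and ns2, which is normal for a short while after a change and a problem if it persists beyond the refresh time [T1]; the NS-set mismatch and lame-delegation cases are the ones that make a zone intermittently unreachable, because resolvers pick any server listed by the parent.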