Skip to main content

domain name system - Clarification of why DNS zone files require NS records




This question was originally asked here:
Why do DNS zone files require NS records?



To summarise:
"When I go to my registrar and purchase example.com , I will tell my registrar that my nameservers are ns1.example.org and ns2.example.org".



But please can somebody clarify the following:



After registration, the .com registry will now have a record that tells a resolver needs to visit ns1.example.org or ns2.example.org in order to find out the IP address of example.com. The IP address resides in an A record in a zone file on ns1.example.org and has a identical copy on ns2.example.org.




However, inside this file, there must also be 2 NS records which list ns1.example.org and ns2.example.org as the nameservers. But since we are already on one of these servers, this appears do be duplicated information.



The answer originally given to the question said the nameservers listed in the zone file are "authoritative". If the nameservers didn't match, then the authoritative nameservers would take precedence. That's all very well and good, but the resolver arrived at the nameserver using the nameservers listed in the .com registry, and if the nameserver's didn't match, then the resolver would be looking for the zone file on the wrong nameserver and wouldn't be able to find it.



Or is it a case of the .com registry extracts nameserver information from the zone file ns record? (But then I suppose if you change the ns record the zone file without telling the registry, then it would have no way of knowing where to look.)



Thanks


Answer



Let's break it down a little.




The NS records in the TLD zone (for example, example.com NS ... in com) are delegation records.



The A and AAAA records in the TLD zone (for example, ns1.example.com A ... in com) are glue records.



The NS records in the zone itself (that is, example.com NS ... in example.com) are authority records.



The A and AAAA records in the zone itself (ns1.example.com A ... in example.com) are address records, plain and simple.



When a (recursive) resolver starts out with no cache of your zone's data and only the root zone cache (which is used to bootstrap the name resolution process), it will first go to ., then com.. The com servers will respond with an authority section response which basically says "I don't know, but look here for someone who does know", same as the servers for . do about com. This query response is not authoritative and does not include a populated answer section. It may also include a so-called additional section which gives the address mappings for any host names the particular server knows about (either from glue records or, in the case of recursive resolvers, from previously cached data). The resolver will take this delegation response, resolve the host name of a NS record if necessary, and proceed to query the DNS server to which authority has been delegated. This process may repeat a number of times if you have a deep delegation hierarchy, but eventually results in a query response with the "authoritative answer" flag set.




It's important to note that the resolver (generally, hopefully) won't try to break down the host name being resolved to ask about it piece by piece, but will simply send it in its entirety to the "best" server it knows about. Since the average authoritative name server on the Internet is non-authoritative for the vast majority of valid DNS names, the response will be a non-authoritative delegation response pointing toward some other DNS server.



Now, a server doesn't have to be named in the delegation or authority records anywhere to be authoritative for a zone. Consider for example the case of a private master server; in that case there exists an authoritative DNS server that only the administrator(s) of the slave DNS servers for the zone are aware of. A DNS server is authoritative for a zone if, through some mechanism, in its opinion it has full and accurate knowledge of the zone in question. A normally authoritative DNS server can, for example, become non-authoritative if the configured master server(s) cannot be reached within the time limit defined as the expiry time in the SOA record.



Only authoritative answers should be considered proper query responses; everything else is either a delegation, or an error of some kind. A delegation to a non-authoritative server is called a "lame" delegation, and means the resolver has to backtrack one step and try some other named DNS server. If no authoritative reachable name servers exist in the delegation, then name resolution fails (otherwise, it'll just be slower than normal).



This is all important because non-authoritative data mustn't be cached. How could it be, since the non-authoritative server doesn't have the full picture? So the authoritative server must, on its own accord, be able to answer the question "who is supposed to be authoritative, and for what?". That's the information provided by the in-zone NS records.



There's a number of edge cases where this can actually make a serious difference, primarily centered around multiple host name labels inside a single zone (probably fairly common e.g. with reverse DNS zones particularly for large dynamic IP ranges) or when the name servers list differs between the parent zone and the zone in question (which most likely is an error, but can be done intentionally as well).







You can see how this works in a little more detail using dig and its +norec (don't request recursion) and @ server specifier features. What follows is an illustration of how an actual resolving DNS server works. Query for the A record(s) for unix.stackexchange.com starting at e.g. a.root-servers.net:



$ dig unix.stackexchange.com. A @a.root-servers.net. +norec


Look closely at the flags as well as the per-section counts. qr is Query Response and aa is Authoritative Answer. Notice that you only get delegated to the com servers. Manually follow that delegation (in real life a recursive resolver would use the IP address from the additional section if provided, or initiate a separate name resolution of one of the named name servers if no IPs are provided in the delegation response, but we'll skip that part and just fall back to the operating system's normal resolver for brevity of the example):



$ dig unix.stackexchange.com. A @a.gtld-servers.net. +norec



Now you see that stackexchange.com is delegated to (among others) ns1.serverfault.com, and you are still not getting an authoritative answer. Again follow the delegation:



$ dig unix.stackexchange.com. A @ns1.serverfault.com. +norec
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35713
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:

;unix.stackexchange.com. IN A

;; ANSWER SECTION:
unix.stackexchange.com. 300 IN A 198.252.206.16


Bingo! We got an answer, because the aa flag is set, and it happens to contain an IP address just as we'd hoped to find. As an aside, it's worth noting that at least at the time of my writing this post, the delegated-to and the listed-authority name servers lists differ, showing that the two do not need to be identical. What I have exemplified above is basically the work done by any resolver, except any practical resolver will also cache responses along the way so it doesn't have to hit the root servers every time.



As you can see from the above example, the delegation and glue records serve a purpose distinct from the authority and address records in the zone itself.




A caching, resolving name server will also generally do some sanity checks on the returned data to protect against cache poisoning. For example, it may refuse to cache an answer naming the authoritative servers for com from a source other than one that has already been named by a parent zone as deleged-to for com. The details are server-dependent but the intent is to cache as much as possible while not opening up the barn door of allowing any random name server on the Internet to override delegation records for anything not officially under its "jurisdiction".


Comments

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?

ubuntu - Monitoring CPU, Mem, disk, on a single server

I've been looking for a simple starter solution for monitoring my [currently] single server hosted solution. Other than Nagios and similar, are there other good (simple) solutions people are using? Answer Everything depends on what you want. For example Munin is very simple, you can install and configure it in less then 10 minutes (on one server), it can sends alarms, make graphs from monitoring cpu, mem. apache connections, eaccellerator, disk io and many many more (it has many plugins). But if you are planning in future get some more machines, munin may not be enough. For example in munin you cant monitor state of individual processes, can't monitor changes in files (for security purpose). So if you wanna only see what is the utilization of basics parameters on your server and don't plan to buy some more servers Munin is what you are looking for, but if you wanna be alarmed when some of your service is down, take more control on what is happeninig on...

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits, ...