23

This question was originally asked here: Why do DNS zone files require NS records?

To summarise: "When I go to my registrar and purchase example.com , I will tell my registrar that my nameservers are ns1.example.org and ns2.example.org".

But please can somebody clarify the following:

After registration, the .com registry will now have a record that tells a resolver needs to visit ns1.example.org or ns2.example.org in order to find out the IP address of example.com. The IP address resides in an A record in a zone file on ns1.example.org and has a identical copy on ns2.example.org.

However, inside this file, there must also be 2 NS records which list ns1.example.org and ns2.example.org as the nameservers. But since we are already on one of these servers, this appears do be duplicated information.

The answer originally given to the question said the nameservers listed in the zone file are "authoritative". If the nameservers didn't match, then the authoritative nameservers would take precedence. That's all very well and good, but the resolver arrived at the nameserver using the nameservers listed in the .com registry, and if the nameserver's didn't match, then the resolver would be looking for the zone file on the wrong nameserver and wouldn't be able to find it.

Or is it a case of the .com registry extracts nameserver information from the zone file ns record? (But then I suppose if you change the ns record the zone file without telling the registry, then it would have no way of knowing where to look.)

Thanks

Lars
  • 407
  • 3
  • 10

2 Answers2

28

Let's break it down a little.

The NS records in the TLD zone (for example, example.com NS ... in com) are delegation records.

The A and AAAA records in the TLD zone (for example, ns1.example.com A ... in com) are glue records.

The NS records in the zone itself (that is, example.com NS ... in example.com) are authority records.

The A and AAAA records in the zone itself (ns1.example.com A ... in example.com) are address records, plain and simple.

When a (recursive) resolver starts out with no cache of your zone's data and only the root zone cache (which is used to bootstrap the name resolution process), it will first go to ., then com.. The com servers will respond with an authority section response which basically says "I don't know, but look here for someone who does know", same as the servers for . do about com. This query response is not authoritative and does not include a populated answer section. It may also include a so-called additional section which gives the address mappings for any host names the particular server knows about (either from glue records or, in the case of recursive resolvers, from previously cached data). The resolver will take this delegation response, resolve the host name of a NS record if necessary, and proceed to query the DNS server to which authority has been delegated. This process may repeat a number of times if you have a deep delegation hierarchy, but eventually results in a query response with the "authoritative answer" flag set.

It's important to note that the resolver (generally, hopefully) won't try to break down the host name being resolved to ask about it piece by piece, but will simply send it in its entirety to the "best" server it knows about. Since the average authoritative name server on the Internet is non-authoritative for the vast majority of valid DNS names, the response will be a non-authoritative delegation response pointing toward some other DNS server.

Now, a server doesn't have to be named in the delegation or authority records anywhere to be authoritative for a zone. Consider for example the case of a private master server; in that case there exists an authoritative DNS server that only the administrator(s) of the slave DNS servers for the zone are aware of. A DNS server is authoritative for a zone if, through some mechanism, in its opinion it has full and accurate knowledge of the zone in question. A normally authoritative DNS server can, for example, become non-authoritative if the configured master server(s) cannot be reached within the time limit defined as the expiry time in the SOA record.

Only authoritative answers should be considered proper query responses; everything else is either a delegation, or an error of some kind. A delegation to a non-authoritative server is called a "lame" delegation, and means the resolver has to backtrack one step and try some other named DNS server. If no authoritative reachable name servers exist in the delegation, then name resolution fails (otherwise, it'll just be slower than normal).

This is all important because non-authoritative data mustn't be cached. How could it be, since the non-authoritative server doesn't have the full picture? So the authoritative server must, on its own accord, be able to answer the question "who is supposed to be authoritative, and for what?". That's the information provided by the in-zone NS records.

There's a number of edge cases where this can actually make a serious difference, primarily centered around multiple host name labels inside a single zone (probably fairly common e.g. with reverse DNS zones particularly for large dynamic IP ranges) or when the name servers list differs between the parent zone and the zone in question (which most likely is an error, but can be done intentionally as well).


You can see how this works in a little more detail using dig and its +norec (don't request recursion) and @ server specifier features. What follows is an illustration of how an actual resolving DNS server works. Query for the A record(s) for unix.stackexchange.com starting at e.g. a.root-servers.net:

$ dig unix.stackexchange.com. A @a.root-servers.net. +norec

Look closely at the flags as well as the per-section counts. qr is Query Response and aa is Authoritative Answer. Notice that you only get delegated to the com servers. Manually follow that delegation (in real life a recursive resolver would use the IP address from the additional section if provided, or initiate a separate name resolution of one of the named name servers if no IPs are provided in the delegation response, but we'll skip that part and just fall back to the operating system's normal resolver for brevity of the example):

$ dig unix.stackexchange.com. A @a.gtld-servers.net. +norec

Now you see that stackexchange.com is delegated to (among others) ns1.serverfault.com, and you are still not getting an authoritative answer. Again follow the delegation:

$ dig unix.stackexchange.com. A @ns1.serverfault.com. +norec
...
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35713
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;unix.stackexchange.com. IN A

;; ANSWER SECTION:
unix.stackexchange.com. 300 IN A 198.252.206.16

Bingo! We got an answer, because the aa flag is set, and it happens to contain an IP address just as we'd hoped to find. As an aside, it's worth noting that at least at the time of my writing this post, the delegated-to and the listed-authority name servers lists differ, showing that the two do not need to be identical. What I have exemplified above is basically the work done by any resolver, except any practical resolver will also cache responses along the way so it doesn't have to hit the root servers every time.

As you can see from the above example, the delegation and glue records serve a purpose distinct from the authority and address records in the zone itself.

A caching, resolving name server will also generally do some sanity checks on the returned data to protect against cache poisoning. For example, it may refuse to cache an answer naming the authoritative servers for com from a source other than one that has already been named by a parent zone as deleged-to for com. The details are server-dependent but the intent is to cache as much as possible while not opening up the barn door of allowing any random name server on the Internet to override delegation records for anything not officially under its "jurisdiction".

user
  • 4,267
  • 4
  • 32
  • 70
  • Thank you very much for this detailed answer. So imagine the delegation record sends the resolver to ns4.serverfault.com. This is not listed in the zone file's NS records. Does the resolver notice the mismatch and backtrack? (a lame delegation)? I suppose that then begs the question, why would ns4.serverfault.com. be listed as a delegation record if it isn't listed in the zone file? – Lars Jul 26 '13 at 00:59
  • @Lars No, ns4.serverfault.com would still be authoritative; authoritiveness (is that even a word?) is independent of whether the server in question is named in the NS records or not, either in the zone itself or in the delegation. It is only a lame delegation if **a delegated-to server responds in a non-authoritative fashion** (that is, the `aa` flag is not set on the response). – user Jul 26 '13 at 10:32
  • @a CVn - "For example, it may refuse to cache an answer naming the authoritative servers for com from a source other than one that has already been named by a parent zone as deleged-to for com" - this is a pretty long sentence I am trying to break down. Can you give an example? Do you mean to say if a delegation for say facebook.com is received from a .net Nameserver, this response will not be cached by the recursive resolver? – Abhishek Palakkal Kaliyath Jun 03 '20 at 16:33
  • @a CVn - Regarding "private master server", I am assuming it will still be listed as an NS record in the zone file on all Nameservers - correct? & if a resolver caches this information along with the other NS records i.e. together with NS records for slave DNS servers, what if the next time the resolver tries to reach the private master server? It will never be able to find this private master server - isnt it? – Abhishek Palakkal Kaliyath Jun 03 '20 at 18:21
1

The .com registry is the "glue record" which has the location of your nameservers as an IP address. The resolver has no way of knowing the "identity" of your DNS server so it uses the NS record to ensure the numbers match.

DNS Request -> .com registry (ip is x.x.x.x) -> DNS (NS x.x.x.x) matches, resolve.

If they don't match or exist, then it's a non-authoritative answer for the domain.

Nathan C
  • 14,901
  • 4
  • 42
  • 62
  • Thanks but I'm still a little confused. The resolver uses the IP address in the glue record in the .com registry to go to the zone file stored at that IP address. It can now retrieve the A record. Why does it need to check that this nameserver IP matches the NS record in the zone file? – Lars Jul 25 '13 at 17:09
  • So that it knows it's looking in the right place. For example, if you had a subdomain whose A records resided on a *different* server, NS records would tell the resolver where to look. Kind of like breadcrumbs. – Nathan C Jul 25 '13 at 17:36
  • "The .com registry is the "glue record" which has the location of your nameservers as an IP address. " This is incorrect. If `example.com` has `ns1.whatever.example` as nameserver, the "com registry" certainly does not have and does not publish the IP address of `ns1.whatever.example` because this names is not in registry zone. Glue records exists only in some cases, not in all cases. – Patrick Mevzek Oct 02 '20 at 19:29