7

Is it correct to say a single Root Name Server and a TLD Name Server will have only a single Zone file inside them? And this single Zone file (within a Root Name Server and a TLD Name Server) will only have NS records (and possibly Glue records)?

The reason I ask is that Root Name Servers and TLD Name Servers are Authoritative only for the root and TLDs respectively, whereas a Name Server like ns1.amazon.com could have multiple zone files inside it, as it is Authoritative for multiple domains. Is it correct to say the number of Zone text files inside a Name Server depends on the number of domains that it is Authoritative for?

For example: ns1.amazon.com might have 2 separate txt Zone files for youtube.com and facebook.com. However, in the case of a TLD Name Server for .com, do they keep only a single Zone file with all records listed as below:

.com                NS      a.gtld-servers.net  
.com                NS      b.gtld-servers.net
--other gtld NS mapping follows--
youtube.com         NS      ns1.amazon.com  
youtube.com         NS      ns2.amazon.com  
facebook.com        NS      ns1.amazon.com  
facebook.com        NS      ns2.amazon.com  
  • About content of the zone: a TLD operator can technically put whatever content it wants. ICANN forbids gTLDs to have what they want, in response basically to the earlier SiteFinder fiasco. But in ccTLDs, things are open. You can find `TXT` records (see `fr.`), `SRV` records (see `_nicname._tcp.fr` which is not delegated of course), `A` and `MX` records for "dotless" operations (see `dk.`), etc. – Patrick Mevzek Jun 02 '20 at 21:11
  • "For example: ns1.amazon.com might have 2 separate txt Zone files for youtube.com and facebook.com. " It doesn't have such things. You are mixing authoritative and recursive nameservers, you should dig deeper into understanding this very important difference in the DNS. – Patrick Mevzek Jun 02 '20 at 21:12
  • Sorry, if ns1.amazon.com was the authoritative nameserver for facebook and youtube, isn't my question correct? – Abhishek Palakkal Kaliyath Jun 02 '20 at 21:16
  • 1
    The problem is in using names like that, it makes everything more difficult to understand, and does not correspond to reality (since this nameserver is certainly not currently authoritative on the 2 names you mention). Other than that, like Håkan said, the root zone is freely available and all gTLDs, so including `com.` (note that `.com` would be an invalid name, as there is an implicit empty label before the dot, it should be `com.` instead) are also mostly available through some ICANN program. You would indeed see in them all `NS`/`A`/`AAAA`/`DS`/`RRSIG`/`NSEC`/`NSEC3` records needed. – Patrick Mevzek Jun 02 '20 at 21:21
  • I agree - & thanks for pointing out the com. – Abhishek Palakkal Kaliyath Jun 02 '20 at 21:26
  • 1
    I doubt that Amazon's nameservers use text-based zone files at all. – womble Jun 25 '20 at 08:44

1 Answer

7

There are several things to address here:

Zones vs files

It's probably more relevant to talk about how many zones they have, rather than how many files they have.
It will depend on the nameserver software how zone data is stored. (E.g. individual files, data for all zones compiled into a combined file, an RDBMS, something else.)
What matters is the responses sent over the wire, not how the data is organized on the server.

Contents of the root zone

The root zone is delegation-only (as a policy), but that doesn't strictly mean that there are only NS records.
At the apex, there are the mandatory SOA+NS records, as well as the DNSKEY public keys for the keypairs used to sign the zone.
Then there is the bulk of the zone, which are the delegations (NS), including glue address records (A/AAAA) for the nameserver names as well as DS for any signed delegations.
And finally the RRSIG and NSEC records used to sign data that is there and prove non-existence of the things that are not there.
There is a copy of the full root zone accessible via HTTP, if you want to have a look.

Zones on the root servers

The "root servers" (a.root-servers.net, b.root-servers.net, etc) do in fact host other zones in addition to `.`. Not by necessity, but in practice it is set up that way.
I can immediately think of arpa; there could be some other zones as well.

Contents of TLD zones

The gTLDs are also essentially delegation-only (again, as a policy), so these zones essentially have the same kind of contents as what is described for the root zone above.

Some ccTLDs (TLDs for, and operated by, countries) have deviating policies, serving some other data straight in the TLD zone. However, the general expectation is that you more or less only have delegations in your TLD zone.

Zones on TLD servers

This varies a lot. Some have just a single zone, others multiple zones.

A long-standing example is that com and net are served off the same set of nameservers (a.gtld-servers.net, b.gtld-servers.net, etc).

Conclusion

There is nothing special conceptually about the root zone or the TLD zones. They work just like any other zones and the nameservers these zones are hosted on work just like any other nameservers.

There are some policies in place for these zones to maintain order more so than anything else. (Like the delegation-only policies.)

Håkan Lindqvist
  • The arpa zone on the Root Domain is very confusing, and the circular references/dependencies of DNS are what I personally feel makes it harder to understand. My question: if I tried a fictitious "mydomain.arpa", the root zone would point back to itself and go in loops, right? Where does arpa get delegated / resolved to? – Abhishek Palakkal Kaliyath Jun 02 '20 at 08:43
  • Ok, you might say the glue record for a.root-servers.net. But at that IP address you are again seeing the same zone records for arpa, right? My question is: where and how can I find the 'A' record for "mydomain.arpa"? – Abhishek Palakkal Kaliyath Jun 02 '20 at 08:52
  • 2
    @AbhishekPalakkalKaliyath As the set of nameservers for the `.` zone and the `arpa` zone are identical, you will not see a delegation response for `arpa`, you would get the authoritative response for `example.arpa` immediately. However, a validating resolver will still need to look up the `DS` at the zone cut, so there are implications of these being separate zones as opposed to for example letting `arpa` be a part of the `.` zone, even if they are hosted on the same nameservers. – Håkan Lindqvist Jun 02 '20 at 09:00
  • Sorry, what is a zone cut? – Abhishek Palakkal Kaliyath Jun 02 '20 at 09:02
  • 1
    @AbhishekPalakkalKaliyath Sorry, it's just a term used to refer to the border between a parent zone and a child zone. – Håkan Lindqvist Jun 02 '20 at 09:10
  • Thank you - When you say "at the zone cut", where is that border then - I mean is it a file / Name Server or a part of Zone? Sorry, I really need to get to the bottom of DNS :-) – Abhishek Palakkal Kaliyath Jun 02 '20 at 09:11
  • 1
    @AbhishekPalakkalKaliyath In the case of `.` and `arpa`, the `.` zone ends at `arpa` and the `arpa` zone starts at `arpa`. – Håkan Lindqvist Jun 02 '20 at 09:13
  • 1
    @AbhishekPalakkalKaliyath To hopefully clarify somewhat, what signals the end of the parent zone is the delegation `NS` records. It's probably more intuitive that the child zone starts where it starts. – Håkan Lindqvist Jun 02 '20 at 09:44
  • Thank you. So the resolver does not need a second pass in this example, but it would still need to look up the DS record even if the delegated zone (arpa) is within the same Name Server. Is that what you meant? – Abhishek Palakkal Kaliyath Jun 02 '20 at 09:51
  • Root nameservers host the `root-servers.net` zone :-) – Patrick Mevzek Jun 02 '20 at 21:13
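The structure the answer and comments describe (apex SOA/NS/DNSKEY, delegation NS plus DS and glue at each zone cut, the `com.` vs `.com` naming point, and the `.`/`arpa` case where parent and child share nameservers) can be made concrete in a small model. This is an added example, not code from the answer or any nameserver software; the zone text is constructed, with documentation-range addresses and placeholder DS/DNSKEY rdata, and RRSIG/NSEC signing records are deliberately omitted.

```python
"""Model a delegation-only parent zone and the referral data at each zone cut."""
from collections import defaultdict

# Constructed sample in the style of the root zone (not real zone data).
SAMPLE_ZONE = """
.                    SOA     a.root-servers.net. hostmaster.example. 1 1800 900 604800 86400
.                    NS      a.root-servers.net.
.                    DNSKEY  257 3 8 PLACEHOLDER-KSK
com.                 NS      a.gtld-servers.net.
com.                 DS      12345 8 2 PLACEHOLDER-DIGEST
net.                 NS      a.gtld-servers.net.
net.                 DS      12345 8 2 PLACEHOLDER-DIGEST
arpa.                NS      a.root-servers.net.
arpa.                DS      12345 8 2 PLACEHOLDER-DIGEST
example.             NS      ns.example.
a.root-servers.net.  A       192.0.2.1
a.gtld-servers.net.  AAAA    2001:db8::2
ns.example.          A       192.0.2.3
"""

def normalize(name):
    """Return an absolute name; reject forms like '.com' (leading empty label)."""
    if name == ".":
        return name
    labels = name.rstrip(".").split(".")
    if "" in labels:
        raise ValueError(f"{name!r} has an empty label; write 'com.' not '.com'")
    return ".".join(labels) + "."

def parse_zone(text):
    """Parse 'owner type rdata' lines into (owner, type, rdata) tuples."""
    return [(normalize(o), t, r) for o, t, r in
            (line.split(None, 2) for line in text.strip().splitlines())]

def apex_records(rrs, apex="."):
    """Record types owned by the apex itself (SOA, NS, DNSKEY in a signed zone)."""
    return sorted({t for o, t, _ in rrs if o == apex})

def zone_cuts(rrs, apex="."):
    """Names where the parent zone ends: every non-apex owner holding NS records."""
    return sorted({o for o, t, _ in rrs if t == "NS" and o != apex})

def referral(rrs, child, apex="."):
    """What the parent hands out at the cut: NS set, DS set (if signed), glue.
    Also flags the ./arpa situation: same servers as the parent, so a resolver
    gets an authoritative answer directly but a validator still needs the DS."""
    ns = [r for o, t, r in rrs if o == child and t == "NS"]
    ds = [r for o, t, r in rrs if o == child and t == "DS"]
    glue = defaultdict(list)
    for o, t, r in rrs:
        if t in ("A", "AAAA") and o in ns:   # glue only for the cut's own NS names
            glue[o].append(r)
    parent_ns = {r for o, t, r in rrs if o == apex and t == "NS"}
    return {"NS": ns, "DS": ds, "glue": dict(glue), "signed": bool(ds),
            "same_servers_as_parent": set(ns) == parent_ns}

RRS = parse_zone(SAMPLE_ZONE)
```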