33

In an answer to my previous question I noticed these lines:

It's normally this last stage of delegation that is broken with most home user setups. They have gone through the process of buying a domain with a registrar/service provider, but have then failed to configure the domain to point the delegation to their own name servers. You actually have to tell the registrar where your nameservers are before they can put glue records in place to get your step of the delegation to work.

What is a DNS Delegation? How does it work? A full explanation for the hypothetical domain abc.com would be helpful.

mwfearnley
  • 757
  • 9
  • 21
Nishan
  • 445
  • 1
  • 4
  • 8

3 Answers3

43

In physical terms, delegation is very similar to how a manager will delegate responsibility of tasks to his staff. The results are the same, however more than one person was involved in the process. The manager receives the request for work, passes on the responsibility to another member of staff and either the staff member or the manager returns with the work results. This is all on the proviso that the work the staff member does is actually correct and is what the original requester asked for (or that the requester actually asked for something that was valid in the first place!).

With DNS delegation, it is pretty similar. When the com name servers are asked for the place to find authority of the zone example.com, they often delegate this work off to separate name servers (in fact in the vast majority of cases, they do in fact delegate the response to other name servers). When you first register a domain, say our example.com domain, this is often done through a third party called a registrar. It is common practice by registrars to put in their name servers for the delegation and to serve a default zone from those name servers. This default zone includes the basic requirements to serve that zone on the internet (the SOA, NS and A records associated to those NS records).

Obviously if you yourself want to take control of the authority of the domain, you have to ask the registrar to delegate the domain to your nameserver instead. Different registrars refer to this in process in different ways, 'change nameservers', 'use third party DNS', 'Add Glue records' and so on. The mechanism underneath remains the same. You provide, generally, 2 or more "name server names" (for example ns0.example.com and ns1.example.com) and the IP addresses at which ns0 and ns1 are. They then process the request and the delegation is pointed away from your registrar to the nameservers you provided.

In technical terms, it's at this point you have to ensure your nameservers are up and running, serving the domain example.com, with a minimum of an SOA (start of authority record), 1 or more NS records and the A records (the IPs) that these NS records are resolved from:

example.com.   IN SOA ns0.example.com. hostmaster.example.com. ( 10 3600 900 604800 7200 )
           IN NS  ns0.example.com.
           IN NS  ns1.example.com.
ns0        IN A   192.0.2.8
ns1        IN A   192.0.2.44

(I've picked somewhat arbitrary values for the SOA values, the names for the NS records and the IPs those nameservers resolve to). These will all have to reflect the zone for which you are serving.

This DNS service has to be visible from anywhere on the internet, and not be firewalled (that is port 53 udp and tcp inbound have to be allowed). Also your service provider must not block that port either (which some providers do block inbound traffic destined to those ports).

Given my original comparison, the com nameservers are the DNS managers, who are delegating the zone example.com to the nameservers (the staff members) to do the work of providing the basic zone information (SOA, NS, A). You can also serve any additional records such as mail server records MX or may be an A record for your www.example.com address.

If that name server doesn't do the work, returns the wrong results, or has a 3rd party (firewall/ISP) blocking the work, you will not have working DNS and the delegation breaks.

It also may be worth noting that the domain does NOT have to be delegated to nameservers in the same domain, so ns0.example.net and ns0.example.org could both be valid nameserver who could have example.com delegated to them. Provided both those name servers served the example.com domain.

The reason that multiple name servers are required is to provide redundancy to the DNS clients, which is important for an internet which doesn't break.

Drav Sloan
  • 581
  • 4
  • 4
  • thank you @Dav Sloan, for explaining in such a plain language – Nishan Aug 13 '13 at 07:53
  • 2
    +1. I'd also add that in the last case, where the nameserver isn't part of the same domain, there is no need for a "glue" record, just a plain ns record in the registrar/gTLD. This often confuses people. – GnP Jun 23 '16 at 01:36
  • +1 on the answer! @GnP glue is needed only when there is a circular dependency. Since when the nameserver isn't part of the same domain, there is no circular dependency and that is why glue is not needed? Is this conclusion right? – Crazy Psychild Apr 21 '18 at 06:42
7

Within your domain you can define hosts as you like, for example mymailserver. To connect to your mailserver, I need to use the DNS to determine its IP-Adresses and to that end I need to know where in the name tree I should look for mymailserver.

Sounds, complicated, but that is exactly what we use the "fully qualified domain name" (FQDN) for. If you define a host mymailserver in your domain abc.com. that host has the FQDN mymailserver.abc.com.. With that information I can resolve that name to the correct IP-address.

You do not have to create all hosts of the form <hostname>.abc.com., you can also branch as you desire. You can have servers.abc.com. and put all your servers there, for example mymailserver.servers.abc.com.. You can do so, because the domain abc.com. was delegated to you. Which means you are the authority to ask for any domain and domain name that ends with abc.com.. Therefore you may define hosts and branch subdomains to your hearts content.

Delegation means that a domain owner yields full control over a branch to somebody else. Just like the owner of com. delegated the subdomain abc.com. to you, you may branch off subdomains, for example def.abc.com. and delegate it to me. Within my domain I can do/define whatever I want/like without having to ask or tell you or even the com. owners about.

How does it work? You simply put a piece of information in your DNS records that says "for information regarding def.abc.com please ask the DNS server hisdnsserver.def.abc.com.". Of course, to query that server one needs to know the IP-address of hisdnsserver.def.abc.com.. That's what glue records are for. You actually put 2 pieces of information, one the just stated, and the other being the IP-address of hisdnsserver.def.abc.com.. That way you provide anybody with a question about def.abc.com. with enough information to point them to the authority for that subdomain.

Why did programs ask you about def.abc.com. in the first place? Because you are the authority for abc.com. and the authority for com. gave the requestor two pieces of information about yourdnsserver and abc.com. ...

user1129682
  • 223
  • 2
  • 9
7

Delegation in terms of DNS means that the nameserver in the hierarchy above you will answer every request to your domain with a NS response.

So in case of abc.com you'd do:

$ dig com.
=>
com.        896 IN  SOA a.gtld-servers.net.  ...

Then query that nameserver specifically for abc.com:

$ dig abc.com @a.gtld-servers.net.
=>
;; AUTHORITY SECTION:
abc.com.    172800  IN  NS  sens01.dig.com.
abc.com.    172800  IN  NS  sens02.dig.com.
abc.com.    172800  IN  NS  orns01.dig.com.
abc.com.    172800  IN  NS  orns02.dig.com.

Glue records mean that in addition to the hostnames of your nameservers, the .com authority also knows about their IP addresses.

If glue records are set up, the above query will also give you A/AAAA responses for each of the nameservers.

hroptatyr
  • 181
  • 1
  • 4