
If I'm not wrong, within a domain name a company owns, their administrators have complete freedom to create as many cuts (zone delegations) inside the domain tree as they want, but, within that freedom, when is it a good time to create new subzones inside the domain tree instead of having every subdomain in the same zone? Or am I wrong about the administrator's "licentiousness", and are there some well established "policies" (for example, creating new zones only when authoritative answers have to come from different name servers)?

Peregring-lk
  • You don't create a zone within a zone, you *delegate* parts of the namespace to additional zones – Mathias R. Jessen Oct 30 '14 at 16:58
  • You're right. I've updated my question to be more "precise" with terminology. The real question is, however, the same. – Peregring-lk Oct 30 '14 at 17:04
  • You *can* however define additional zones as subdomains, and it will be treated as a zone cut with its own `SOA` and `NS` records. An example of this would be declaring both `example.com.` and `sub.example.com.` in your configuration; any records falling below `sub` in the `example.com.` zone would effectively be masked by the other zone. This is often done with larger domains to simplify the management, but `named-checkzone example.com` will not know about the existence of the cut without NS record hints. – Andrew B Oct 30 '14 at 19:03

1 Answer

You're correct that it's technically possible to delegate any number of subdomains.

The original concept of zones is that you would delegate when you want some other party to administer some part of the namespace. (Essentially when you want the set of authoritative nameservers to be different.)

Then there are of course other reasons, of which I can think of a few:

Some parameters in DNS itself, in addition to the set of authoritative nameservers (NS), are defined per zone. This includes things such as the SOA values (e.g. the negative cache TTL, MINIMUM) as well as DNSSEC signing (a zone is either not signed at all or all of it is signed with the same key).

Your nameserver software likely has some zone-level settings; if you need different settings, that can be a reason to have separate zones.

On occasion there can be a situation where it makes sense from an administrative point of view to force separation, regardless of which nameservers are used.

The reason why one does not generally want to delegate all the things is that it causes some overhead, both administratively and for the actual operation (more steps in the lookup process, at least when the sets of nameservers are different).

Håkan Lindqvist
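As an added example (not code from the question, the answer or any of the commenters), the check below walks a small constructed parent zone in a simplified "owner type rdata" format, finds the zone cuts (owners below the apex that carry NS records), lists records in the parent that fall below a cut and are therefore masked from resolvers, as Andrew B's comment describes, and flags in-bailiwick nameservers that lack glue; the record format and sample data are assumptions for illustration.

```python
# Added example (not from the original post): find zone cuts in a parent
# zone and spot records occluded below them. Input is a constructed,
# simplified zone format: one "owner type rdata" record per line, with
# fully qualified owners ending in a dot.

SAMPLE = """\
example.com.          SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
example.com.          NS  ns1.example.com.
ns1.example.com.      A   192.0.2.1
www.example.com.      A   192.0.2.10
sub.example.com.      NS  ns1.sub.example.com.
sub.example.com.      NS  ns.example.net.
ns1.sub.example.com.  A   192.0.2.53
host.sub.example.com. A   192.0.2.99
"""

def parse(text):
    """Return (owner, type, rdata) tuples; owners and types normalised."""
    out = []
    for line in text.splitlines():
        if line.strip():
            owner, rtype, rdata = line.split(None, 2)
            out.append((owner.lower(), rtype.upper(), rdata.strip()))
    return out

def apex(records):
    return next(o for o, t, _ in records if t == "SOA")

def zone_cuts(records):
    """Every owner other than the apex that carries NS records is a delegation."""
    top = apex(records)
    return sorted({o for o, t, _ in records if t == "NS" and o != top})

def occluded(records):
    """Records below a cut, other than the glue for that cut's nameservers.
    Resolvers follow the delegation and never see them (masked data)."""
    cuts = zone_cuts(records)
    glue = {r for o, t, r in records if t == "NS" and o in cuts}
    return [(o, t, r) for o, t, r in records for cut in cuts
            if o != cut and o.endswith("." + cut)
            and not (t in ("A", "AAAA") and o in glue)]

def missing_glue(records):
    """In-bailiwick nameservers of a cut need an A/AAAA record in the parent,
    or the delegation cannot be followed."""
    cuts = zone_cuts(records)
    addrs = {o for o, t, _ in records if t in ("A", "AAAA")}
    return sorted(r for o, t, r in records
                  if t == "NS" and o in cuts and r.endswith("." + o) and r not in addrs)
```

Running `occluded(parse(SAMPLE))` reports `host.sub.example.com.`, which lives in the parent file but will never be served once `sub.example.com.` is delegated; `named-checkzone` alone would not tell you that.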