
The brunt of the question is this -- What is the relationship between the primary nameserver specified in the SOA record and the nameservers specified in the NS records. How are these things linked?

When I query most websites, I get this:

dhamma@sansa:~$ host -t SOA arth.com
arth.com has SOA record ns1.comcastbusiness.net. domreg-tech.comcastbusiness.net. 2009072715 3600 7200 604800 7200

And I expect to see ns1.comcastbusiness.net as the primary nameserver, because when I query the NS record for the domain I get this:

dhamma@sansa:~$ host -t NS arth.com
arth.com name server ns1.comcastbusiness.net.
arth.com name server ns2.comcastbusiness.net.
arth.com name server ns3.comcastbusiness.net.

This always led me to think that the SOA record somehow auto-populated the primary NS record. Is that even remotely true?

Because here's where I'm most confused:

dhamma@sansa:~$ host -t SOA paulwarnk.com
paulwarnk.com has SOA record a.dns.hostway.net. hostmaster.siteprotect.com. 2009012319 86400 7200 86400 99999

But I'm told, and do, use these nameservers:

dhamma@sansa:~$ host -t NS paulwarnk.com
paulwarnk.com name server adns.cs.siteprotect.com.
paulwarnk.com name server bdns.cs.siteprotect.com.

Why is this nameserver adns.cs.siteprotect.com not listed as the primary nameserver in the SOA record?

scraft3613

2 Answers


RFC 1035 says:

MNAME The <domain-name> of the name server that was the original or primary source of data for this zone.

although in practice this MNAME field in the SOA is mostly unused these days.

However if you're using DNS dynamic updates then it must refer to the name of the DNS server which is to receive the dynamic update messages.

See also this (expired) Internet Draft which talks about the MNAME field in detail, and how the DNS UPDATE message is the only current use for it.

Alnitak
  • This is the reason. +1 for a short, readable answer. – womble Nov 17 '09 at 08:26
  • that's an excellent point...especially these days with Active Directory Integrated zones (which are evil, imho). While it doesn't matter if you rely solely on MS DNS servers or not (we don't), the SOA must point to the AD controller, which with an ADI zone, should be the closest AD box to your request. – Greeblesnort Nov 17 '09 at 17:31
  • Yes, AD integrated DNS is evil. :) – Alnitak Nov 18 '09 at 06:46
  • 2
    This answer is confusing. – briankip Dec 08 '15 at 11:53
  • @briankip what do you find confusing? – Alnitak Dec 08 '15 at 12:00
  • 1
    @Alnitak I'm not sure how your answer relates the NS records to the SOA record...? – Howiecamp Dec 28 '16 at 07:58
  • @Howiecamp it doesn't, because _they're not directly related_ – Alnitak Dec 28 '16 at 09:10
  • 1
    @Alnitak You might want to indicate that point in your answer because to a reader who doesn't already know the answer, that fact isn't clear from your response. Suggest simply put "they're not directly related" at top of your answer. I made the edit. – Howiecamp Dec 28 '16 at 13:19

Nameserver records are specified in your zone file. The SOA record indicates the primary nameserver for the zone. There is no automatic relationship between the two. Here is a good read regarding SOA records. The short answer is that the SOA record is the whole record containing the name, TTL, etc... Additionally, I'd strongly suggest picking up the O'Reilly DNS & Bind book. It's really quite useful.

Your records beyond the root servers for paulwarnk.com:

paulwarnk.com.      172800  IN  NS  adns.cs.siteprotect.com.
paulwarnk.com.      172800  IN  NS  bdns.cs.siteprotect.com.
;; Received 116 bytes from 192.55.83.30#53(M.GTLD-SERVERS.NET) in 152 ms

paulwarnk.com.      99999   IN  A   69.143.69.166
paulwarnk.com.      99999   IN  NS  adns.cs.siteprotect.com.
paulwarnk.com.      99999   IN  NS  bdns.cs.siteprotect.com.
;; Received 100 bytes from 64.26.28.8#53(adns.cs.siteprotect.com) in 12 ms

Now, what this means is that, at the root servers, adns & bdns.cs.siteprotect.com are listed as the authorities for paulwarnk.com. Then, on those servers (adns & bdns) there is an A record for the root record pointing to 69.143.69.166.

I think what you're asking is why the NS records appear to be different. The answer is that the NS records were specified, likely by your registrar, to point to their servers that are authoritative for the zone. However, this output would seem to indicate a problem, as the SOA nameserver does not appear to respond to a request for your records:

; <<>> DiG 9.2.4 <<>> @a.dns.hostway.net paulwarnk.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37849
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;paulwarnk.com.         IN  A

;; Query time: 10 msec
;; SERVER: 66.113.129.243#53(66.113.129.243)
;; WHEN: Mon Nov 16 23:03:04 2009
;; MSG SIZE  rcvd: 31

edit: The AUTHORITY: 0 means that the server a.dns.hostway.net did not answer authoritatively. It seems kinda obvious when the ANSWER: 0 section is there, but it's actually important to differentiate between an authoritative answer, and a non-authoritative one. Authority, in DNS, speaks to whether or not the server you've gotten your answer from can actually be trusted to know what it's talking about.

As to why there's a server listed in the SOA, I don't know that I've ever read the reason they put it there, but that server should be the master server for the zone, hence Start of Authority, or SOA. It's not always the case, as the SOA for all 1400+ of my domains lists a primary query server in the SOA, but the actual start of authority is on a hidden master that no one can access.

jameshfisher
Greeblesnort
  • Thanks so much, that clears a lot up. So what is the purpose then, of specifying a primary nameserver in the SOA? Is there a reason why it says AUTHORITY 0 in your query? Oh, so many questions. I will pick up the O'Reilly book. – scraft3613 Nov 17 '09 at 05:15
  • Your edit is wrong. The `AA` flag is used to indicate an authoritative answer. `AUTHORITY: 0` simply means that there are no answers in the "authority section" of the response. – Alnitak Nov 18 '09 at 06:48
  • Technically correct, but I don't think that makes my edit wrong in context. Without an aa flag, you're not getting an authoritative response. Thanks though, made me reread the documentation =) – Greeblesnort Nov 18 '09 at 14:28
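An added example, not code from the thread or from any of the posters: it parses the `host` and `dig` output quoted above, pulls the MNAME out of the SOA record and compares it with the delegated NS set (the two need not agree, as both answers say), and decides whether a `dig` reply was authoritative from the `aa` flag rather than from the `AUTHORITY:` count, which is the distinction Alnitak's last comment draws. The REFUSED header is the one from the answer; the NOERROR header with `aa` set is constructed for contrast.

```python
import re

# Sample input copied from the host output quoted in the question.
SOA_LINE = ("paulwarnk.com has SOA record a.dns.hostway.net. hostmaster.siteprotect.com. "
            "2009012319 86400 7200 86400 99999")
NS_LINES = [
    "paulwarnk.com name server adns.cs.siteprotect.com.",
    "paulwarnk.com name server bdns.cs.siteprotect.com.",
]
# dig HEADER/flags lines: the first is the REFUSED reply from the answer above,
# the second is a constructed authoritative reply (note the `aa` flag) for comparison.
DIG_REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37849
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
DIG_AUTH = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""


def parse_soa(line):
    """Split a `host -t SOA` line into the seven SOA RDATA fields (RFC 1035 section 3.3.13)."""
    fields = line.split("has SOA record", 1)[1].split()
    names = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    soa = dict(zip(names, fields))
    for key in names[2:]:          # the last five fields are unsigned 32-bit integers
        soa[key] = int(soa[key])
    return soa


def parse_ns(lines):
    """Collect the NS targets from `host -t NS` output, lower-cased, trailing dot kept."""
    return {l.rsplit(None, 1)[1].lower() for l in lines if " name server " in l}


def mname_in_ns_set(soa_line, ns_lines):
    """True when the SOA MNAME is also a delegated NS name; False is common and not an error."""
    return parse_soa(soa_line)["mname"].lower() in parse_ns(ns_lines)


def parse_dig_header(text):
    """Extract status, flag set and section counts from dig's HEADER and flags lines."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r";; flags: ([\w ]*);", text).group(1).split())
    counts = {k: int(v) for k, v in re.findall(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)", text)}
    return {"status": status, "flags": flags, **counts}


def is_authoritative(text):
    """Authoritative only if `aa` is set; AUTHORITY: 0 is just an empty authority section."""
    return "aa" in parse_dig_header(text)["flags"]
```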