0

I am trying to answer the following question:

I have the domain example.com with a subdomain, subdomain.example.com, which is realized as its own zone. I also have NS1 for example.com and NS2 as authoritative for subdomain.example.com. If I want to access an entry in subdomain.example.com from example.com, when do I need an A-record for NS2 on NS1, or, put another way, when is an NS-record on NS1 sufficient?

I searched around and, as far as I understand, if an A-record for NS2 exists in the zone subdomain.example.com then I do not need an additional A-record in example.com.

Is this correct?

As English is not my first language I apologize for grammar errors.

Seal
    Your question might be easier to understand if you explain with the sample domain name `example.com` and records such as ns.example.com, www.subdomain.example.com and ns.subdomain.example.com - But I think this might explain more: http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records and https://serverfault.com/q/309622/37681 – HBruijn Oct 07 '19 at 13:35
  • You generally need it. Just write the FQDNs of all servers to be clear. If the sub-zone NS has FQDN ns-sub.sub.main, and you have sub NS ns-sub.sub in the main zone, how would ns-main and others find ns-sub's IP address in the first place, to know whom to query for the information in the sub zone? – Nikita Kipriyanov Oct 07 '19 at 13:57
  • Tried to clear up the question a bit. Also trying to wrap my head around glue records – Seal Oct 07 '19 at 14:04

2 Answers

1

NS and A records are completely different and achieve different goals.

An A record associates a name with an IP address. An NS record basically says: this zone is handled by this nameserver (name).

Your question would be far simpler, including for you, if you were using real names.

If ns1.example.com and ns2.example.com are hostnames, that is, something that needs to be reachable because they host some services, then they need A records (or AAAA records if you stop using the legacy IPv4 Internet).

Since ns1.example.com (and ns2) is inside the example.com zone, the zonefile hosted by the authoritative nameservers of zone example.com needs to have the A record.

Now if you say that subzone.example.com has to be delegated (remember that this is not an automatic fact just because there is a dot; delegation happens only when needed and desired by the people in charge of a zone, as a matter of giving control of part of the tree to another entity), and if ns1 and ns2.example.com are to be authoritative nameservers for this subzone, then you will need to have NS records in the example.com AND in the subzone.example.com zonefiles.

What about glues? It is conceptually simple, but since it may create problems it is often best to avoid this route until you manage to fully grasp how the DNS is working. If a given domain name uses as authoritative nameservers some nameservers whose hostnames are inside the same zone, then the parent zone also needs to publish directly A (or AAAA) records for those hostnames, otherwise the resolution cannot occur properly at all.

Said differently, if you want to resolve www.example.com, and example.com has ns1.example.com and ns2.example.com as authoritative nameservers, then the following (simplified) process occurs:

  1. You (from now on, "you" is in fact the recursive nameserver you are using) ask one root server (whose IP addresses are hardcoded and refreshed periodically) about www.example.com.
  2. The root zone will tell you that it knows nothing about this name, but it knows about authoritative nameservers for .com, since .com is delegated from . (the root).
  3. Now you redo your query, but this time towards one of the authoritative nameservers for com: they will tell you they know nothing about www.example.com but they know about example.com, since it is delegated; hence they will send you back the set of nameservers authoritative on example.com.
  4. At this point, if you got only ns1.example.com and ns2.example.com, then to be able to contact them to ask them about www.example.com you obviously first need to resolve their names, for which you will of course need to start back from the first point in this list... hence you see the deadlock.
  5. In reality, for this specific reason, at step 3 the authoritative nameservers for .com will give you both the set of authoritative nameservers for example.com AND their IP addresses, which is what is called glue records: A/AAAA records in the parent zone that are needed to make the resolution happen.

You can see exactly the above process if you use dig +trace.

PS: something that normally simplifies understanding the system is to remember that no node is special in the tree (except the root one if you want), and anything can happen in the same way at any "level" or depth of the tree.

Patrick Mevzek
  • Wow, thank you this is really helping me, one last question: If the ns2.example.com is authoritative for www.example.com. And ns1.example.com is authoritative for example.com. Do I need an additional A-Record in example.com for ns2.example.com or is this already done through the glue records from the nameservers for .com? – Seal Oct 08 '19 at 06:06
  • "If the ns2.example.com is authoritative for www.example.com" why do you want to do that? It is rare for a name like that. `www.example.com` is typically a hostname (so has an A/AAAA record in the `example.com` zone), not a whole delegated zone. But if it really is, `ns2.example.com` will ONLY have a record in the `example.com` and NOT in the `www.example.com` zone, as its name is in the `example.com` zone and not in the `www.example.com` zone. It is only if `ns2.example.com` is authoritative for `example.com` that it will be a glue, that is A/AAAA records in the `.com` zone. – Patrick Mevzek Oct 08 '19 at 06:11
  • "why do you want to do that?" Because the question I got is: In which case, there is NO need for an A-Record for NS2 in NS1 if NS2 is the authoritative for the sub.example.com zone? – Seal Oct 08 '19 at 06:29
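As an added illustration of the deadlock in step 4 and of why the glue in step 5 breaks it (example code written for this page, not the answer's own): a toy iterative resolver walking constructed in-memory zones. The zone contents, the nameserver hostnames and the RFC 5737 documentation addresses are assumptions; deleting the glue A record for ns2.subdomain.example.com from the example.com zone turns the lookup of anything below the delegation into a circular dependency, while a nameserver named inside the parent zone only needs its ordinary A record there.

```python
from copy import deepcopy

# Constructed toy "network": server IP -> {zone apex -> {(owner, type): [rdata]}}.
# Each server answers only from the zone it hosts; a missing (name, type) is NODATA.
ROOT_IP = "198.51.100.1"
NET = {
    "198.51.100.1": {".": {("com.", "NS"): ["ns.com."], ("ns.com.", "A"): ["198.51.100.2"]}},
    "198.51.100.2": {"com.": {("example.com.", "NS"): ["ns1.example.com."],
                              ("ns1.example.com.", "A"): ["192.0.2.1"]}},   # glue in .com
    "192.0.2.1": {"example.com.": {("ns1.example.com.", "A"): ["192.0.2.1"],
                                   ("www.example.com.", "A"): ["192.0.2.80"],
                                   ("subdomain.example.com.", "NS"): ["ns2.subdomain.example.com."],
                                   ("ns2.subdomain.example.com.", "A"): ["192.0.2.2"]}},  # glue
    "192.0.2.2": {"subdomain.example.com.": {("ns2.subdomain.example.com.", "A"): ["192.0.2.2"],
                                             ("host.subdomain.example.com.", "A"): ["192.0.2.10"]}},
}

class CircularDependency(Exception):
    pass

def _in_zone(name, apex):
    return apex == "." or name == apex or name.endswith("." + apex)

def resolve(qname, qtype, net=NET, pending=frozenset()):
    """Iterate from the root following NS delegations, like dig +trace.
    Raises CircularDependency when a delegation's nameserver can only be
    resolved through that same delegation (the parent published no glue)."""
    if (qname, qtype) in pending:
        raise CircularDependency(f"resolving {qname} {qtype} requires itself: no glue")
    pending = pending | {(qname, qtype)}
    ip = ROOT_IP
    while True:
        zones = net[ip]
        apex = max((z for z in zones if _in_zone(qname, z)), key=len)
        zone = zones[apex]
        if (qname, qtype) in zone:
            return zone[(qname, qtype)]
        # deepest delegation (zone cut) below this apex that covers qname
        cuts = [n for (n, t) in zone if t == "NS" and n != apex and _in_zone(qname, n)]
        if not cuts:
            return None
        ns_name = zone[(max(cuts, key=len), "NS")][0]
        glue = zone.get((ns_name, "A"))          # A record in the referring zone
        ip = glue[0] if glue else resolve(ns_name, "A", net, pending)[0]

def without_glue(net=NET):
    """Same network, but example.com. no longer publishes the glue for its child."""
    net = deepcopy(net)
    del net["192.0.2.1"]["example.com."][("ns2.subdomain.example.com.", "A")]
    return net
```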
0

If you are running Windows Servers, then you are correct. As long as both NS1 and NS2 are in the same AD Forest, then no other DNS settings are required to accomplish what you need it to.

That_Guy