Purpose of an NS record for the current zone in a DNS zone

1

1

Two cases:

Case 1 - example.com's zone file:

@      IN    SOA    dns.example.com.    info.example.com.    (1 8H 8H 8H 8H)
       IN    NS     dns
dns    IN    A      123.123.123.123

How are the second and third lines useful? I understand that they may be necessary in order for dns.example.com to be defined. Is there another use?

Case 2 - foo.com's zone file:

@      IN    SOA    dns.example.com.    info.foo.com.    (1 8H 8H 8H 8H)
       IN    NS     dns.example.com.

In this case, is the second line necessary? Why would it be useful to have this NS record for foo.com's zone if we are already IN the zone?

Additionally, is it necessary that the first and second line both point to the same server? If no, in which situation would they be different?

Gradient

Posted 2013-07-17T21:28:46.780

Reputation: 531

Answers

0

The reason why you need to have the NS records in the zone itself relates to the more fundamental concepts of zones/delegation/authority in DNS.

I will show how this applies to the NS record but the same reasoning can be applied to the A/AAAA record(s) that the NS points to if it resides inside that same zone:

example.com/IN/NS is part of the example.com zone for which your nameservers are the authority.

The nameservers for the parent zone (com in this example) will obviously serve delegatory example.com/IN/NS records (and glue as appropriate) but those are not authoritative, only directing the client to the actual authority.

If someone looks up example.com/IN/NS they will follow the chain of delegations and in the end ask your servers to receive the actual authoritative data. If you were to somehow not have these records that would mean that your nameservers, the authority for this zone, would claim that they know for a fact that there are no example.com/IN/NS records.

And then of course their negative response for example.com/IN/NS would most likely end up cached, meaning that next time it is already known that the example.com zone has no nameservers.

Håkan Lindqvist

Posted 2013-07-17T21:28:46.780

Reputation: 916
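The two zone files from the question, run through a small lint that checks the property this answer describes: the apex must carry at least one NS record, and an NS target that lives inside the zone must have an address record there (case 1), while an out-of-zone target (case 2) needs nothing further in this zone. This is an added example, not code from the question or the answer; the zone texts are constructed to match the question, and the parser only handles the minimal one-record-per-line syntax shown there.

```python
# Constructed copies of the two zone files in the question.
ZONE_EXAMPLE = """\
@      IN    SOA    dns.example.com.    info.example.com.    (1 8H 8H 8H 8H)
       IN    NS     dns
dns    IN    A      123.123.123.123
"""
ZONE_FOO = """\
@      IN    SOA    dns.example.com.    info.foo.com.    (1 8H 8H 8H 8H)
       IN    NS     dns.example.com.
"""


def qualify(name, origin):
    """Turn a zone-file owner or target into a FQDN relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):          # already absolute
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples; a blank owner column reuses the previous owner."""
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():   # a name in column one starts a new owner
            owner = qualify(fields.pop(0), origin)
        if fields[0] == "IN":       # class is optional in zone files
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records


def lint_zone(text, origin):
    """Return the list of problems found; an empty list means the checks pass."""
    records = parse_zone(text, origin)
    problems = []
    apex_ns = [r for o, t, r in records if o == origin and t == "NS"]
    if not apex_ns:   # an authoritative server would answer NODATA for <origin>/IN/NS
        problems.append(f"{origin} has no NS record at the apex")
    for target in apex_ns:
        fqdn = qualify(target, origin)
        in_zone = fqdn == origin or fqdn.endswith("." + origin)
        has_addr = any(o == fqdn and t in ("A", "AAAA") for o, t, _ in records)
        if in_zone and not has_addr:   # case 1 without its third line
            problems.append(f"in-zone nameserver {fqdn} has no A/AAAA record")
    return problems
```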

0

The first name after "SOA" is the primary name server. "SOA" is short for "Start of Authority". It indicates authority for the zone, but doesn't define a name server (NS) record, even though it provides the hostname of the primary server. The SOA also defines how long DNS data should be cached and refreshed (and other things).

Name servers need to be defined explicitly, so you also create an NS record for the primary name server (or not). The server in the NS record doesn't necessarily need to be the same as the server in the SOA line. This is often the case when you don't want others to query your primary server.

You need at least one NS record in your zone, so that the NS info can be cached when someone queries multiple hostnames in your zone (keeps others from having to repeatedly ask root where the name server is). You can, however, have multiple NS records. This is valuable in high traffic environments.

The A record tells you the IP address of the name server. This is needed when you use a hostname in the NS record. Otherwise, visitors' computers won't know how to find your name server. (Hostnames are mostly for humans' use, IP addresses are mostly for computers' use.)

The reason for all these records is so that the data can be cached. If someone queries multiple hostnames in your zone, their computer should (at most) only need to ask the root server once for the NS record for your server.

Clear as mud, right?

joat

Posted 2013-07-17T21:28:46.780

Reputation: 466