What is DNS Delegation?
Solution 1:
In physical terms, delegation is very similar to how a manager will delegate responsibility of tasks to his staff. The results are the same, however more than one person was involved in the process. The manager receives the request for work, passes on the responsibility to another member of staff and either the staff member or the manager returns with the work results. This is all on the proviso that the work the staff member does is actually correct and is what the original requester asked for (or that the requester actually asked for something that was valid in the first place!).
With DNS delegation, it is pretty similar. When the com
name servers are asked for the place to find authority of the zone example.com
, they often delegate this work off to separate name servers (in fact in the vast majority of cases, they do in fact delegate the response to other name servers). When you first register a domain, say our example.com
domain, this is often done through a third party called a registrar. It is common practice by registrars to put in their name servers for the delegation and to serve a default zone from those name servers. This default zone includes the basic requirements to serve that zone on the internet (the SOA
, NS
and A
records associated to those NS records).
Obviously if you yourself want to take control of the authority of the domain, you have to ask the registrar to delegate the domain to your nameserver instead. Different registrars refer to this in process in different ways, 'change nameservers', 'use third party DNS', 'Add Glue records' and so on. The mechanism underneath remains the same. You provide, generally, 2 or more "name server names" (for example ns0.example.com
and ns1.example.com
) and the IP addresses at which ns0
and ns1
are. They then process the request and the delegation is pointed away from your registrar to the nameservers you provided.
In technical terms, it's at this point you have to ensure your nameservers are up and running, serving the domain example.com
, with a minimum of an SOA
(start of authority record), 1 or more NS
records and the A
records (the IPs) that these NS records are resolved from:
example.com. IN SOA ns0.example.com. hostmaster.example.com. ( 10 3600 900 604800 7200 )
IN NS ns0.example.com.
IN NS ns1.example.com.
ns0 IN A 192.0.2.8
ns1 IN A 192.0.2.44
(I've picked somewhare arbitrary values for the SOA values, the names for the NS records and the IPs those nameservers resolve to). These will all have to reflect the zone for which you are serving.
This DNS service has to be visible from anywhere on the internet, and not be firewalled (that is port 53 udp and tcp inbound have to be allowed). Also your service provider must not block that port either (which some providers do block inbound traffic destined to those ports).
Given my original comparison, the com
nameservers are the DNS managers, who are delegating the zone example.com
to the nameservers (the staff members) to do the work of providing the basic zone information (SOA
, NS
, A
). You can also serve any
additional records such as mail server records MX
or may be an A
record for your www.example.com
address.
If that name server doesn't do the work, returns the wrong results, or has a 3rd party (firewall/ISP) blocking the work, you will not have working DNS and the delegation breaks.
It also may be worth noting that the domain does NOT have to be delegated to nameservers in the same domain, so ns0.example.net
and ns0.example.org
could both be valid nameserver who could have example.com
delegated to them. Provided both those name servers served the example.com
domain.
Solution 2:
Within your domain you can define hosts as you like, for example mymailserver
. To connect to your mailserver, I need to use the DNS to determine its IP-Adresses and to that end I need to know where in the name tree I should look for mymailserver
.
Sounds, complicated, but that is exactly what we use the "fully qualified domain name" (FQDN) for. If you define a host mymailserver
in your domain abc.com.
that host has the FQDN mymailserver.abc.com.
. With that information I can resolve that name to the correct IP-address.
You do not have to create all hosts of the form <hostname>.abc.com.
, you can also branch as you desire. You can have servers.abc.com.
and put all your servers there, for example mymailserver.servers.abc.com.
. You can do so, because the domain abc.com.
was delegated to you. Which means you are the authority to ask for any domain and domain name that ends with abc.com.
. Therefore you may define hosts and branch subdomains to your hearts content.
Delegation means that a domain owner yields full control over a branch to somebody else. Just like the owner of com.
delegated the subdomain abc.com.
to you, you may branch off subdomains, for example def.abc.com.
and delegate it to me. Within my domain I can do/define whatever I want/like without having to ask or tell you or even the com.
owners about.
How does it work? You simply put a piece of information in your DNS records that says "for information regarding def.abc.com
please ask the DNS server hisdnsserver.def.abc.com.
". Of course, to query that server one needs to know the IP-address of hisdnsserver.def.abc.com.
. That's what glue records are for. You actually put 2 pieces of information, one the just stated, and the other being the IP-address of hisdnsserver.def.abc.com.
. That way you provide anybody with a question about def.abc.com.
with enough information to point them to the authority for that subdomain.
Why did programs ask you about def.abc.com.
in the first place? Because you are the authority for abc.com.
and the authority for com.
gave the requestor two pieces of information about yourdnsserver
and abc.com.
...
Solution 3:
Delegation in terms of DNS means that the nameserver in the hierarchy above you will answer every request to your domain with a NS
response.
So in case of abc.com
you'd do:
$ dig com.
=>
com. 896 IN SOA a.gtld-servers.net. ...
Then query that nameserver specifically for abc.com
:
$ dig abc.com @a.gtld-servers.net.
=>
;; AUTHORITY SECTION:
abc.com. 172800 IN NS sens01.dig.com.
abc.com. 172800 IN NS sens02.dig.com.
abc.com. 172800 IN NS orns01.dig.com.
abc.com. 172800 IN NS orns02.dig.com.
Glue records mean that in addition to the hostnames of your nameservers, the .com
authority also knows about their IP addresses.
If glue records are set up, the above query will also give you A/AAAA
responses for each of the nameservers.