DNS Zone Delegation
Zone Delegation in DNS
DNS provides the option of dividing the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. To delegate a zone is to create a new zone for a subdomain within a DNS namespace and hand over authority for that new zone. For example, a company owning the domain google.com can delegate subdomains such as mail.google.com and uk.google.com to its various regional offices.
When to Delegate Zones
DNS delegations are used automatically to separate parent and child AD DS domains in a single forest. For example, if your organization originally has a single AD DS domain, google.com, and then creates a child AD DS domain named mail.google.com, the DNS namespace of the new child domain is automatically configured as a new DNS zone, delegated as a subdomain of the parent zone. The authoritative DNS data for all computers in the child domain is stored on DNS servers in that new AD DS domain.
When delegating zones within your namespace, be aware that for each new zone you create, you need delegation records in the parent zone that point to the authoritative DNS servers for the new zone. These records are necessary both to transfer authority and to give other DNS servers and clients a correct referral to the servers being made authoritative for the new zone.
How Delegations Work
For a delegation to work, the parent zone must contain an NS record and an associated A record (the glue record) pointing to each authoritative server of the delegated domain.
I have created a namespace with google.com as the parent and a child named mail.google.com.
In the figure, a local DNS server named DNS1.google.com is authoritative for the domain google.com and has a configured delegation for the subdomain mail.google.com. If a client queries this local DNS server for an FQDN, say web.mail.google.com, the server consults the locally stored NS and A records configured for the delegation to determine that the authoritative name server for the mail.google.com domain is DNS1.mail.google.com, and that this server's IP address is 172.x.x.x. The local DNS server then queries DNS1.mail.google.com for the name web.mail.google.com. After the remote DNS server receives the query, it consults its locally stored database and responds to the querying DNS server with the IP address of the host web.mail.google.com, which is 172.y.y.y. The local DNS server then responds to the original querying client with the information requested.
NOTE: If you open the DNS console, you will see only one RR, the NS record, pointing to the authoritative server for that zone.
Now the question is why I said there would be two RRs, an NS and an A. The A record is also there, but it is hidden; you can check the parent zone file that you created on the server. The screenshot below gives a clearer picture of this.
These resource records are the following:
A name server (NS) resource record: this record states that dns2.mail.google.com. is an authoritative server for the delegated subdomain.
A host (A or AAAA) resource record: also known as a glue record, it is needed to resolve the name of the server specified in the NS resource record to its IP address. Without it, a resolver receiving the referral would have to look up a name that lives inside the very zone it is being referred to.
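To show how the NS record and the glue A record work together during the resolution walk described above, here is an added example (not code from the original post) that models the parent and child zones in memory, follows the referral from DNS1.google.com to DNS1.mail.google.com, and checks a delegation for a missing glue record. Zone contents, server names and IP addresses are constructed sample values.

```python
# Added example (not from the original post): an in-memory model of the resolution
# walk described above. Zone data and IP addresses are constructed sample values.
PARENT = {"origin": "google.com.", "rr": {            # zone hosted on DNS1.google.com
    "google.com.": {"NS": ["dns1.google.com."]},
    "dns1.google.com.": {"A": ["172.16.0.1"]},
    "mail.google.com.": {"NS": ["dns1.mail.google.com."]},  # delegation NS (shown in the console)
    "dns1.mail.google.com.": {"A": ["172.16.0.10"]},        # glue A (only visible in the zone file)
}}
CHILD = {"origin": "mail.google.com.", "rr": {        # zone hosted on DNS1.mail.google.com
    "mail.google.com.": {"NS": ["dns1.mail.google.com."]},
    "dns1.mail.google.com.": {"A": ["172.16.0.10"]},
    "web.mail.google.com.": {"A": ["172.16.1.20"]},
}}
SERVERS = {"172.16.0.1": PARENT, "172.16.0.10": CHILD}  # which server answers for which zone

def lookup(zone, name, rtype):
    return zone["rr"].get(name, {}).get(rtype, [])

def query(zone, qname, qtype):
    """Authoritative server logic: answer from local data, else refer via a delegation."""
    answer = lookup(zone, qname, qtype)
    if answer:
        return "ANSWER", answer
    labels = qname.split(".")
    for i in range(1, len(labels)):  # walk the ancestors of qname inside this zone
        cut = ".".join(labels[i:])
        if cut != zone["origin"] and lookup(zone, cut, "NS"):  # NS below the apex = delegation
            return "REFERRAL", {ns: lookup(zone, ns, "A") for ns in lookup(zone, cut, "NS")}
    return "NXDOMAIN", []

def resolve(qname, qtype="A", servers=SERVERS, start="172.16.0.1", max_hops=5):
    """Local-server behaviour: follow NS + glue referrals to an answer; returns (rdata, servers asked)."""
    server, path = start, []
    for _ in range(max_hops):
        path.append(server)
        kind, data = query(servers[server], qname, qtype)
        if kind == "ANSWER":
            return data, path
        if kind != "REFERRAL":
            return [], path
        glue = [ip for ips in data.values() for ip in ips]
        if not glue:  # NS names the child server but no A record exists: referral cannot be followed
            raise LookupError(f"delegation to {sorted(data)} carries no glue A record")
        server = glue[0]
    raise LookupError("too many referrals")

def check_delegation_glue(zone, child):
    """NS names in a delegation that lack an in-zone glue A record (empty list = healthy)."""
    return [ns for ns in lookup(zone, child, "NS") if not lookup(zone, ns, "A")]
```

Running check_delegation_glue against a parent zone after a delegation change is a quick way to catch the case where the NS record was created but the hidden glue A record was not.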
Creating a Zone Delegation
To create a zone delegation, the domain to be delegated must already exist as a zone on a server that is authoritative for the DNS subdomain. Then, on the server hosting the parent zone, run the New Delegation Wizard by right-clicking the parent zone folder in the DNS console and selecting New Delegation.