Friday, September 21, 2012

Zone Delegation in DNS

DNS provides the option of dividing the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. To delegate a zone is to create a new zone for a subdomain within a DNS namespace and hand over authority for that new zone to other servers. For example, a company owning the domain google.com can delegate subdomains such as mail.google.com and uk.google.com to its various regional offices.

When to Delegate Zones

DNS delegations are used automatically to separate parent and child AD DS domains in a single forest. For example, if your organization originally has a single AD DS domain google.com and then creates a child AD DS domain named mail.google.com, the DNS namespace of the new child AD DS domain is automatically configured as a new DNS zone and as a delegated subdomain of the parent zone. The authoritative DNS data for all computers in the child domain is stored on DNS servers in that new AD DS domain.
When delegating zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to give other DNS servers and clients a correct referral to the servers being made authoritative for the new zone.

How Delegations Work

For a delegation to be implemented, the parent zone must contain an NS record and an associated A record (glue record) pointing to each authoritative server of the delegated domain.

I have created a namespace with google.com as the parent and a child named mail.google.com.

In the figure, a local DNS server named DNS1.google.com is authoritative for the domain google.com and has a configured delegation for the subdomain mail.google.com. If a client queries this local DNS server for the FQDN web.mail.google.com, the server consults the locally stored NS and A records that are configured for the delegation to determine that the authoritative name server for the mail.google.com domain is DNS1.mail.google.com, and that this server's IP address is 172.x.x.x. The local DNS server then queries DNS1.mail.google.com for the name web.mail.google.com. After the remote DNS server receives the query, it consults its locally stored database and responds to the querying DNS server with the IP address of the host web.mail.google.com, which is 172.y.y.y. The local DNS server then responds to the original querying client with the information requested.

NOTE: If you open the DNS console, you will see only one RR for the delegation, the NS record that points to the authoritative server for that zone.
So why did I say there are two RRs, NS and A? The A record is there as well, but it is hidden in the console; you can see it in the parent zone file that was created on the server. The screenshot below gives a clearer picture of this.

These resource records include the following:
A name server (NS) resource record: this record states that dns2.mail.google.com. is an authoritative server for the delegated subdomain.
A host (A or AAAA) resource record: also known as a glue record, it is needed to resolve the name of the server given in the NS record to its IP address.
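The two things the post describes, the referral a resolver follows through the delegation and the NS plus glue records that make it work, can be modelled in a few lines. The following is an added example, not code from the original post or from Windows DNS: it parses constructed zone-file text for a parent zone google.com and a child zone mail.google.com (the 172.16.x.x addresses and the server names are made up), checks that every in-zone name server in the delegation has a glue record, and resolves web.mail.google.com by following the NS and glue records into the child zone exactly as the walkthrough above describes. One NS target is deliberately left without glue so the check has something to report.

```python
"""Added example: model of a DNS zone delegation with a glue check and a
referral-following resolver. All zone data and addresses are constructed."""

from collections import defaultdict

# Constructed parent zone file for google.com, reduced to the records that
# matter for the delegation of mail.google.com.
PARENT_ZONE = """
google.com.            IN NS  dns1.google.com.
dns1.google.com.       IN A   172.16.0.1
mail.google.com.       IN NS  dns1.mail.google.com.
mail.google.com.       IN NS  dns2.mail.google.com.
dns1.mail.google.com.  IN A   172.16.1.1
"""
# dns2.mail.google.com. has no glue A record on purpose; check_delegation
# reports it below.

# Constructed child zone file for mail.google.com.
CHILD_ZONE = """
mail.google.com.       IN NS  dns1.mail.google.com.
dns1.mail.google.com.  IN A   172.16.1.1
web.mail.google.com.   IN A   172.16.1.50
"""


def parse_zone(text):
    """Parse 'owner IN TYPE rdata' lines into {(owner, type): [rdata, ...]}."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue  # skip blank or non-record lines
        owner, _, rtype, rdata = parts[:4]
        records[(owner.lower(), rtype)].append(rdata.lower())
    return records


def is_subdomain(name, zone):
    """True if `name` is `zone` itself or lies beneath it (both FQDNs with dots)."""
    return name == zone or name.endswith("." + zone)


def check_delegation(parent, child_zone):
    """Return the NS targets of the delegation that have no glue A/AAAA record.

    Glue is only required for name servers whose names lie inside the delegated
    zone: a resolver cannot ask the child zone for the address of the child
    zone's own server, so the parent must supply it."""
    missing = []
    for ns in parent.get((child_zone, "NS"), []):
        in_bailiwick = is_subdomain(ns, child_zone)
        has_glue = parent.get((ns, "A")) or parent.get((ns, "AAAA"))
        if in_bailiwick and not has_glue:
            missing.append(ns)
    return missing


def resolve(name, parent, parent_zone, children):
    """Resolve `name` as the parent server would: answer from local data, or
    follow the delegation's NS and glue records to a child server.

    `children` maps a child server address to that child zone's records,
    standing in for the query the parent server sends over the network."""
    name = name.lower()
    delegated = [z for (z, t) in parent
                 if t == "NS" and z != parent_zone and is_subdomain(name, z)]
    if not delegated:
        return parent.get((name, "A"), [])      # answered from the parent zone
    zone = max(delegated, key=len)              # closest enclosing delegation
    for ns in parent.get((zone, "NS"), []):
        for addr in parent.get((ns, "A"), []):  # glue gives the server address
            if addr in children:
                return children[addr].get((name, "A"), [])
    return []  # no reachable child server: the delegation is lame


if __name__ == "__main__":
    parent = parse_zone(PARENT_ZONE)
    child = parse_zone(CHILD_ZONE)
    print("NS targets without glue:", check_delegation(parent, "mail.google.com."))
    print("web.mail.google.com ->",
          resolve("web.mail.google.com.", parent, "google.com.", {"172.16.1.1": child}))
```

Running the script reports dns2.mail.google.com. as the NS target without glue and resolves web.mail.google.com. to 172.16.1.50 through dns1.mail.google.com.; removing the remaining glue record makes the resolver return nothing, which is the failure the post warns about when the hidden A record is missing from the parent zone file.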

Creating a Zone Delegation

To create a zone delegation, the domain to be delegated must already exist as a zone on a server that is authoritative for the DNS subdomain. Then, on the server hosting the parent zone, start the New Delegation Wizard by right-clicking the parent zone folder in the DNS console and selecting New Delegation.
To complete the wizard, you will need to specify the name of the delegated subdomain and the name of the name server that will be authoritative for the new zone. After you run the wizard, a new folder appears in the DNS console tree representing the newly delegated subdomain.