Zone Delegation in DNS
DNS provides the option of dividing the namespace into one or more zones, each of which can be stored, distributed and replicated to other DNS servers independently. To delegate a zone is to create a new zone for a subdomain within a DNS namespace and hand authority for that subdomain to the name servers of the new zone. For example, a company owning the domain google.com can delegate subdomains such as mail.google.com and uk.google.com to the DNS servers of its various regional offices.
When to Delegate Zones
DNS delegations are used automatically to separate parent and child AD DS domains in a single forest. For example, if your organization originally has a single AD DS domain, google.com, and then creates a child AD DS domain named mail.google.com, the DNS namespace of the new child domain is automatically configured as a new DNS zone and as a delegated subdomain of the parent zone. The authoritative DNS data for all computers in the child domain is stored on DNS servers in that new AD DS domain.
When delegating zones within your namespace, be aware that for each new zone you create you need delegation records in the parent zone that point to the authoritative DNS servers for the new zone. These records are necessary both to transfer authority and to give other DNS servers and clients a correct referral to the servers being made authoritative for the new zone.
How Delegations Work
For a delegation to work, the parent zone must contain an NS record for each authoritative server of the delegated subdomain and, whenever that server's own name lies inside the delegated subdomain, an associated A (or AAAA) record, the glue record, giving the server's IP address. Without glue, a resolver would have to look up the server's name in the very zone it is trying to reach. A name server whose name is outside the delegated subdomain needs no glue in the parent zone, because its address can be resolved independently.
For this walkthrough I created a namespace with google.com as the parent zone and mail.google.com as the delegated child.
In the figure, a local DNS server named DNS1.google.com is authoritative for the zone google.com and holds a delegation for the subdomain mail.google.com. When a client queries this server for the FQDN web.mail.google.com, the server consults the NS and A records stored locally for the delegation and learns that the authoritative name server for mail.google.com is DNS1.mail.google.com, and that this server's IP address is 172.x.x.x. The local DNS server then queries DNS1.mail.google.com for the name web.mail.google.com.
The remote DNS server looks the name up in its own zone data and answers the querying server with the IP address of the host web.mail.google.com, which is 172.y.y.y. The local DNS server finally returns that answer to the client that originally asked.
NOTE: If you open the DNS console, the delegation folder shows only one resource record, the NS record pointing to the authoritative server for the delegated zone.
Why, then, did I say there are two resource records, NS and A? The second record, the A (glue) record, is also there, but the console does not display it under the delegation; you can see it in the parent zone file created on the server. The screenshot below gives a clearer picture of this.
These resource records are the following:
A name server (NS) resource record. In the screenshot this record names dns2.mail.google.com. as an authoritative server for the delegated subdomain.
A host (A or AAAA) resource record, also known as a glue record. It is needed to resolve the name of the server given in the NS resource record to its IP address.
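The following script is an added example, not code from the original post. It walks a delegation from the parent's side exactly as the resolver in the walkthrough above does: it asks the parent server for its NS records and glue without recursion, then queries each delegated server directly. It also flags the two ways a delegation commonly breaks that the text touches on: an in-zone name server with no glue A/AAAA record, and a server listed in the parent that does not actually answer authoritatively for the child (a lame delegation). The server and zone names are assumptions taken from the post's example; adjust them to your environment.

```powershell
# Added example, not part of the original post. Checks a delegation the way a
# resolver follows it. Names below are assumptions matching the post's example.
param(
    [string]$ParentServer = 'DNS1.google.com',
    [string]$ChildZone    = 'mail.google.com',
    [string]$TestName     = 'web.mail.google.com'
)

# 1. Ask the parent's server, without recursion, what it holds for the child.
#    The reply is a referral: NS records in the Authority section and glue
#    A/AAAA records (if any) in the Additional section.
$referral = Resolve-DnsName -Name $ChildZone -Type NS -Server $ParentServer `
                -DnsOnly -NoRecursion -ErrorAction Stop

$nsRecords = $referral | Where-Object { $_.Type -eq 'NS' }
$glue      = $referral | Where-Object { ($_.Type -in 'A','AAAA') -and ($_.Section -eq 'Additional') }

if (-not $nsRecords) { throw "$ParentServer holds no delegation (NS records) for $ChildZone" }

foreach ($ns in $nsRecords) {
    $nsName = $ns.NameHost.TrimEnd('.')

    # Glue is only required when the name server's own name is inside the
    # delegated zone; otherwise a resolver could never find its address.
    $inBailiwick = $nsName -like "*.$ChildZone"
    $addrs = $glue | Where-Object { $_.Name -eq $nsName } | Select-Object -ExpandProperty IPAddress

    if ($inBailiwick -and -not $addrs) {
        Write-Warning "$nsName is inside $ChildZone but the parent has no glue A/AAAA record for it"
        continue
    }
    if (-not $addrs) {
        # Out-of-zone name server: resolve its name normally, as any resolver would.
        $addrs = (Resolve-DnsName -Name $nsName -Type A -DnsOnly -ErrorAction SilentlyContinue).IPAddress
    }

    foreach ($ip in $addrs) {
        # 2. Query the delegated server directly. A server that really is
        #    authoritative answers a non-recursive SOA query for the zone from
        #    its own data; a lame server returns no SOA in the Answer section.
        $soa = Resolve-DnsName -Name $ChildZone -Type SOA -Server $ip -DnsOnly -NoRecursion -ErrorAction SilentlyContinue |
               Where-Object { ($_.Type -eq 'SOA') -and ($_.Section -eq 'Answer') }
        if (-not $soa) {
            Write-Warning "$nsName ($ip) is delegated to but does not answer authoritatively for $ChildZone (lame delegation)"
            continue
        }

        # 3. Resolve the test host the way the parent server does after the referral.
        $a = Resolve-DnsName -Name $TestName -Type A -Server $ip -DnsOnly -NoRecursion -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' }
        "$nsName ($ip): $TestName -> $($a.IPAddress -join ', ')"
    }
}
```

Run it from any Windows host that can reach both servers; -NoRecursion matters, because with recursion allowed the parent would go and fetch the child's NS set for you and you would never see whether the delegation records it holds itself are correct.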
Creating a Zone Delegation
To create a zone delegation, the zone to be delegated must already exist on a server that is authoritative for that subdomain. Then, on the server hosting the parent zone, start the New Delegation Wizard by right-clicking the parent zone folder in the DNS console and selecting New Delegation.
To complete the wizard, specify the name of the delegated subdomain and the name (and IP address) of the name server that will be authoritative for the new zone. After the wizard finishes, a new folder appears in the DNS console tree representing the newly delegated subdomain.
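The same procedure with the DnsServer PowerShell module instead of the wizard, as an added example that is not part of the original post. It follows the order the text prescribes (child zone first, then the delegation on the parent) and finishes by listing the NS record and the glue A record the way the note above describes them. Server and zone names are assumptions from the post's example; the child server's address is taken as a parameter because the post gives it only as 172.x.x.x.

```powershell
# Added example, not part of the original post: delegation built with the
# DnsServer module instead of the New Delegation Wizard. Names are assumptions
# matching the post; the child server's address must be supplied.
param(
    [Parameter(Mandatory)][ipaddress]$ChildServerIP,
    [string]$ParentServer = 'DNS1.google.com',
    [string]$ParentZone   = 'google.com',
    [string]$ChildLabel   = 'mail',                  # relative name of the delegated subdomain
    [string]$ChildServer  = 'DNS1.mail.google.com'
)
$ChildZone = "$ChildLabel.$ParentZone"               # mail.google.com

# Step 1: the child zone has to exist on the server that will be authoritative
# for it before the parent delegates to that server. For an AD-integrated zone
# use -ReplicationScope instead of -ZoneFile.
Add-DnsServerPrimaryZone -ComputerName $ChildServer -Name $ChildZone -ZoneFile "$ChildZone.dns" -ErrorAction Stop

# The child zone needs an A record for its own name server; once a resolver
# reaches the child, the name in the parent's NS record must resolve there too.
$nsHost = $ChildServer.ToLower().Replace(".$ChildZone", '')   # 'dns1'
Add-DnsServerResourceRecordA -ComputerName $ChildServer -ZoneName $ChildZone -Name $nsHost -IPv4Address $ChildServerIP

# Step 2: on the parent, create the delegation. This writes the NS record and,
# because the name server's name is inside the delegated zone, the glue A record.
Add-DnsServerZoneDelegation -ComputerName $ParentServer -Name $ParentZone -ChildZoneName $ChildLabel `
    -NameServer $ChildServer -IPAddress $ChildServerIP -PassThru

# Step 3: verify. The console shows only the NS record under the new folder;
# the glue A record is still part of the parent zone's data and can be listed.
Get-DnsServerZoneDelegation -ComputerName $ParentServer -Name $ParentZone -ChildZoneName $ChildLabel |
    Format-List
Get-DnsServerResourceRecord -ComputerName $ParentServer -ZoneName $ParentZone -RRType A |
    Where-Object { $_.HostName -eq "$nsHost.$ChildLabel" }
```

The last command is the PowerShell equivalent of opening the parent zone file: the glue record appears as an A record with the relative host name dns1.mail inside google.com, even though the DNS console only shows the NS record under the mail delegation folder.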