Subdomains and Delegation


In Chapter 1, I discussed the importance of delegation of domains from root server to TLD server to subdomain and possibly even subdomain of that again, as in the case of ifi.uio.no. In practice, delegation is quite simple.

penguin.bv wants to open new offices on the other side of the island, and it decides to delegate a DNS domain for that office. The domain will be called emperor.penguin.bv and reside on a DNS server at the Emperor office. The Emperor office has been assigned the net at 192.168.56.0 through 192.168.56.127 and the subnet mask is 255.255.255.128. This is called a classless net because it's divided not on an octet boundary as is customary, but within an octet. You can read more about the reasons for assigning classless nets in RFCs 1367 and 1467, as well as RFC 2050. RFC 2050 also provides a glimpse into how the Internet is governed and describes the Registry hierarchy from IANA down to the ISPs. The predecessors of RFC 2050, RFCs 1366 and 1466, discuss the motivations for this policy in more detail.

To make the domain delegation work, the hostmaster at Penguin AS simply adds two records in the penguin.bv zone:

 emperor         NS      ns.emperor
                 NS      ns.herring.bv.
 ns.emperor      A       192.168.56.3

These two NS records, along with the matching A records, only implement the delegation. This adds an edge in the DNS tree so the new zone can be found (see Figure 2.2). As I've said before, the chain of NS/A pairs must be unbroken from the root servers all the way to your servers so outside computers or users can find your domain. If anyone outside your domain can't find it, you should start debugging the delegation chain.

Figure 2.2. ns.emperor.penguin.bv, a new edge in the trees.


Other than the ability to add edges and delegate domains, the most important thing is the use of a glue record. While DNS can look up the address of ns.herring.bv without any problem, the only normal way to find the address of ns.emperor.penguin.bv is by asking the emperor.penguin.bv server about its address. Unfortunately, you don't know the address of the emperor.penguin.bv nameserver yet, so you can't. The A record for ns.emperor.penguin.bv is added to take care of this step, which is the glue record. In old DNS zones, glue records existed for practically all subdomain nameservers, whether they were in the subdomain or somewhere else entirely. This is not a recommended practice anymore, though, and in fact, BIND 8 rejects glue records that are not for a subdomain of the zone in which they occur. However, the use of redundant glue records can cause a phenomenon known as DNS poisoning, in which several glue A records, if not well maintained, fall out of date over time. This usually isn't noticed though, because the other nameserver(s) still work. Unfortunately, the incorrect A records are cached and taken at face value, causing the wrong address to be used. If a DNS server has previous knowledge of all the nameservers of a domain and they're all incorrect, the domain will become impossible to look up.
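The glue rules described above, as an added example that is not from the book: a small Python audit that reads a parent-zone fragment and reports, for each delegated nameserver, whether glue is needed and present, and flags address records for names outside the zone. The function names, the minimal parser and the broken sample zone (including the constructed address 192.168.57.9) are assumptions made for illustration.

```python
# Added example: audit glue for the delegations in a parent-zone fragment.
ORIGIN = "penguin.bv."
# The delegation records from the text, one record per line.
ZONE = """\
emperor         NS      ns.emperor
                NS      ns.herring.bv.
ns.emperor      A       192.168.56.3
"""
# Constructed broken variant: in-zone glue missing, out-of-zone glue present.
BAD_ZONE = """\
emperor         NS      ns.emperor
                NS      ns.herring.bv.
ns.herring.bv.  A       192.168.57.9
"""

def fqdn(name, origin):
    """Expand a relative name to a lowercase absolute name."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone, origin):
    """Minimal parser (assumption: 'owner TYPE rdata' lines, no TTL/class, '@' or $ directives)."""
    records, owner = [], origin
    for line in zone.splitlines():
        line = line.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if not line[0].isspace():               # blank owner inherits the previous one
            owner = fqdn(fields.pop(0), origin)
        rtype, rdata = fields[0].upper(), fields[1]
        records.append((owner, rtype, fqdn(rdata, origin) if rtype == "NS" else rdata))
    return records

def under(name, parent):
    """True if name equals parent or is a descendant of it."""
    return name == parent or name.endswith("." + parent)

def audit_glue(zone, origin=ORIGIN):
    """Return {nameserver or glue owner: finding} for every delegation in the zone."""
    recs = parse(zone, origin)
    addrs = {o for o, t, _ in recs if t in ("A", "AAAA")}
    out = {}
    for child, t, ns in recs:
        if t == "NS" and child != origin:       # delegations only, not the zone's own NS set
            if under(ns, child):                # nameserver lives inside the delegated zone
                out[ns] = "glue present" if ns in addrs else "MISSING GLUE"
            else:
                out[ns] = "no glue needed"
    # Address records for names outside this zone: stale-glue risk described in the text.
    out.update({n: "OUT-OF-ZONE GLUE" for n in addrs if not under(n, origin)})
    return out
```

Calling `audit_glue(ZONE)` checks the delegation as written in the text; `audit_glue(BAD_ZONE)` shows both failure modes at once.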

After, or before, having the domain delegated, the administrator at emperor.penguin.bv sets up her own zones and has the people at Herring bring up a secondary server. This subdomain zone is just like every other zone.



The Concise Guide to DNS and BIND
ISBN: 0789722739
EAN: 2147483647
Year: 1999
Pages: 183
