After adding some nameservers to my domain for subdelegation i see that if I run a trace and/or query the name servers directly I get the correct name servers back, however if I query the nameserver records just via a dig I do not get a response,
Shouldnt the recursive look up at the DNS stop at the point it retrieves the NS records (nsX.macmonster.co.uk) from dns2.stabletransit.com and pass this back to the client ?
The newly added nameserver records are :
subdomain.codecrab.org. 300 IN NS ns1.macmonster.co.uk.
subdomain.codecrab.org. 300 IN NS ns2.macmonster.co.uk.
TRACE
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> +trace subdomain.codecrab.org ns
;; global options: printcmd
. 94441 IN NS f.root-servers.net.
. 94441 IN NS g.root-servers.net.
. 94441 IN NS h.root-servers.net.
. 94441 IN NS i.root-servers.net.
. 94441 IN NS j.root-servers.net.
. 94441 IN NS k.root-servers.net.
. 94441 IN NS l.root-servers.net.
. 94441 IN NS m.root-servers.net.
. 94441 IN NS a.root-servers.net.
. 94441 IN NS b.root-servers.net.
. 94441 IN NS c.root-servers.net.
. 94441 IN NS d.root-servers.net.
. 94441 IN NS e.root-servers.net.
;; Received 228 bytes from 83.138.151.80#53(83.138.151.80) in 0 ms
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
;; Received 442 bytes from 192.5.5.241#53(f.root-servers.net) in 96 ms
codecrab.org. 86400 IN NS dns2.stabletransit.com.
codecrab.org. 86400 IN NS dns1.stabletransit.com.
;; Received 95 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 108 ms
subdomain.codecrab.org. 300 IN NS ns1.macmonster.co.uk.
subdomain.codecrab.org. 300 IN NS ns2.macmonster.co.uk.
;; Received 92 bytes from 65.61.188.4#53(dns2.stabletransit.com) in 0 ms
;; connection timed out; no servers could be reached
STANDARD QUERY
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> subdomain.codecrab.org NS
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;subdomain.codecrab.org. IN NS
;; Query time: 1 msec
;; SERVER: 83.138.151.80#53(83.138.151.80)
;; WHEN: Thu Sep 26 16:32:34 2013
;; MSG SIZE rcvd: 40
Additional
[root@monty webtools]# dig ns1.macmonster.co.uk +short
1.1.1.1
Any ideas ?
Best Answer
A recursive DNS resolver requires that the information it recursively acquires is authoritative to return it as a response to a query; it does not make inferences.
Authority is established in DNS using SOA and NS records. The former is used to establish authority among authoritative servers, and is served from within the zone. For instance, the SOA record indicates which copy of the zone data is newer when authoritative DNS servers for some zone are doing a zone transfer. The latter is used to establish authority when querying.
When an NS record for a subdomain is in a domain, and the server that has it is not an authoritative server for the name being queried, this NS record is a delegation record. So, the recursive resolver will query for delegation records starting with the root
.
. In your case, it goes up the chain toward this response fromdns2.stabletransit.com.
:This is a delegation record, because this data does not exist:
What actually existed was this:
So, the server at
dns2.stabletransit.com.
can give authoritative replies forcodecrab.org.
, because the prior resolver delegated that zone to it. But it is not authoritative forsubdomain.codecrab.org.
, so it cannot answer the query; it can only delegate.DNS resolvers can of course be configured to be authoritative for any name the administrator wants. However, if they are configured to be authoritative for zones they are trying to delegate, they will instead give replies (without having the data), so this obviously is not done.
The way recursion works is simple, if not initially intuitive. The recursive resolver sends the full query to the nameservers for
.
(which it has in its hint file for the root zone). The.
nameserver sends a reply, but a reply has two components we care about for this purpose: the authority section, and the answer section (there are also the additional section and the question section). The reply will contain records like:This tells the recursive resolver to repeat its query over there, because the zone is delegated. It also includes "glue" in the additional section giving the IP addresses of the nameservers in the authority section, beacuse it knows you won't be able to find the nameserver to query it otherwise. This is an administrative decision in managing DNS; if glue records are not present the recursive resolver will query the
AAAA
orA
records for one of the authoritative servers before proceeding.So, you may notice that when you send your query
IN NS subdomain.codecrab.org.
to the last delegation,dns2.stabletransit.com.
, the reply looks like this:Notice how you get neither an additional section nor an answer section (but also
NOERROR
for the return status). This is because the record is a delegation tons2.macmonster.co.uk.
forsubdomain.codecrab.org.
, for whichdns2.stabletransit.com.
knows it is not authoritative. There is no additional section because the namesevers are over inco.uk.
and administratively it wasn't necessary to include glue because they are resolvable over there (though certainly, glue could have been included). So, to answer your query, because the answer has to come from an answer section (meaning it is identified by the replying server as an answer, coming from authority), your recursive resolver will try to findns1.macmonster.co.uk.
, and finding it at1.1.1.1
, will send its query over there.Of course (as this address is in a debogon prefix) there is no nameserver there (yet). As for
ns2.macmonster.co.uk.
at2.2.2.2
, if someone at Wanadoo France were to decide that there were to be a nameserver carrying authoritative records forsubdomain.codecrab.org.
and in particular:half the time (as often as that nameserver is chosen), the query will return
now.go.away.or.i.will.taunt.you.a.second.time.
as the nameserver for your zone even though common sense would suggest that it should bens2.macmonster.co.uk.
(and even though it was that latter nameserver which authoritatively gave that answer).