DNS Delegation – What is DNS Delegation?

In physical terms, delegation is very similar to how a manager will delegate responsibility of tasks to his staff. The results are the same, however more than one person was involved in the process. The manager receives the request for work, passes on the responsibility to another member of staff and either the staff member or the manager returns with the work results. This is all on the proviso that the work the staff member does is actually correct and is what the original requester asked for (or that the requester actually asked for something that was valid in the first place!).

With DNS delegation, it is pretty similar. When the com name servers are asked for the place to find authority of the zone example.com, they often delegate this work off to separate name servers (in fact in the vast majority of cases, they do in fact delegate the response to other name servers). When you first register a domain, say our example.com domain, this is often done through a third party called a registrar. It is common practice by registrars to put in their name servers for the delegation and to serve a default zone from those name servers. This default zone includes the basic requirements to serve that zone on the internet (the SOA, NS and A records associated to those NS records).

Obviously if you yourself want to take control of the authority of the domain, you have to ask the registrar to delegate the domain to your nameserver instead. Different registrars refer to this in process in different ways, 'change nameservers', 'use third party DNS', 'Add Glue records' and so on. The mechanism underneath remains the same. You provide, generally, 2 or more "name server names" (for example ns0.example.com and ns1.example.com) and the IP addresses at which ns0 and ns1 are. They then process the request and the delegation is pointed away from your registrar to the nameservers you provided.

In technical terms, it's at this point you have to ensure your nameservers are up and running, serving the domain example.com, with a minimum of an SOA (start of authority record), 1 or more NS records and the A records (the IPs) that these NS records are resolved from:

example.com.   IN SOA ns0.example.com. hostmaster.example.com. ( 10 3600 900 604800 7200 )
           IN NS  ns0.example.com.
           IN NS  ns1.example.com.
ns0        IN A   192.0.2.8
ns1        IN A   192.0.2.44

(I've picked somewhat arbitrary values for the SOA values, the names for the NS records and the IPs those nameservers resolve to). These will all have to reflect the zone for which you are serving.

This DNS service has to be visible from anywhere on the internet, and not be firewalled (that is port 53 udp and tcp inbound have to be allowed). Also your service provider must not block that port either (which some providers do block inbound traffic destined to those ports).

Given my original comparison, the com nameservers are the DNS managers, who are delegating the zone example.com to the nameservers (the staff members) to do the work of providing the basic zone information (SOA, NS, A). You can also serve any additional records such as mail server records MX or may be an A record for your www.example.com address.

If that name server doesn't do the work, returns the wrong results, or has a 3rd party (firewall/ISP) blocking the work, you will not have working DNS and the delegation breaks.

It also may be worth noting that the domain does NOT have to be delegated to nameservers in the same domain, so ns0.example.net and ns0.example.org could both be valid nameserver who could have example.com delegated to them. Provided both those name servers served the example.com domain.

The reason that multiple name servers are required is to provide redundancy to the DNS clients, which is important for an internet which doesn't break.