certificate will fail browser validation as a reverse lookup is performed on the IP of the web site
No - AFAIK there is no PTR DNS lookup for standard certificate validation, it just checks that the common name on the certificate matches the hostname in the URL (and of course the expiry date, CA signature etc).
So if the server is accessed via https://sub-domain.ourDomainName then as long as the common name on the certificate is sub-domain.ourDomainName then it will work as expected (you can get wild card certificates e.g. matching *.ourDomainName but they are very expensive).
C.
Yes, the number there is the number of seconds left until that record expires (providing we're not querying the authoritative nameserver). Obviously with a CNAME there's a level of redirection, so the TTL for the A record it points to in this case may be important as well.
If you wait a couple of seconds and run dig again on your local nameserver, you should see that TTL number decrease by the number of seconds you waited (approximately). When it hits 0 it'll refresh, or sooner if your nameserver refreshes the zone for some reason.
As mentioned above, there is a difference between dig being run against a nameserver with a cached entry and the nameserver that is authoritative for that entry.
(in the examples I use below I use the +noauthority, +noquestion & +nostats flags just to keep the output terse).
Note the difference between the following queries:
$ dig +noauthority +noquestion +nostats stackoverflow.com @ns2.p19.dynect.net.
; <<>> DiG 9.7.0-P1 <<>> +noauthority +noquestion +nostats stackoverflow.com @ns2.p19.dynect.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50066
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; ANSWER SECTION:
stackoverflow.com. 432000 IN A 69.59.196.211
So in the above query, we're querying a nameserver that is authoritative for stackoverflow.com. If you notice the flags section, pay special attention to the aa flag which denotes this is an authoritative answer (i.e. not cached).
$ dig +noauthority +noquestion +noadditional +nostats stackoverflow.com
; <<>> DiG 9.7.0-P1 <<>> +noauthority +noquestion +noadditional +nostats stackoverflow.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; ANSWER SECTION:
stackoverflow.com. 246696 IN A 69.59.196.211
In the above query, we don't have an aa flag, and the TTL will keep decreasing as we query and query. This is essentially the counter I was talking about previously.
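An added example, not part of the answer above: a small parser for dig output that picks the header flags and the ANSWER SECTION out of the text, reports whether the answer is authoritative (aa set, TTL is the zone's configured value) or cached (TTL is a countdown), projects how many seconds a cache has left on a record, and handles the CNAME case the answer mentions, where the cache lifetime is bounded by the smallest TTL in the chain. The two sample outputs are trimmed copies of the queries shown above; the CNAME sample and its addresses are constructed for illustration.

```python
"""Parse dig output offline: authoritative vs cached answers, TTL countdown, CNAME chains.
Added example; the CNAME sample (www/daffy.example.com, 192.0.2.10) is constructed."""
import re

# Trimmed copies of the two dig outputs shown in the answer above.
DIG_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50066
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; ANSWER SECTION:
stackoverflow.com. 432000 IN A 69.59.196.211
"""

DIG_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; ANSWER SECTION:
stackoverflow.com. 246696 IN A 69.59.196.211
"""

# Constructed: a cached CNAME answer whose target A record has a much longer TTL.
DIG_CNAME = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.com. 300 IN CNAME daffy.example.com.
daffy.example.com. 86400 IN A 192.0.2.10
"""

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN)\s+([A-Z]+)\s+(.+)$")


def parse_dig(output):
    """Return (set of header flags, list of ANSWER SECTION records as dicts)."""
    m = FLAGS_RE.search(output)
    flags = set(m.group(1).split()) if m else set()
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            # The section ends at a blank line or the next ';;' marker.
            if not line.strip() or line.startswith(";;"):
                break
            rr = RR_RE.match(line)
            if rr:
                name, ttl, klass, rtype, rdata = rr.groups()
                answers.append({"name": name, "ttl": int(ttl), "class": klass,
                                "type": rtype, "rdata": rdata})
    return flags, answers


def is_authoritative(flags):
    """aa set means the server owns the zone: the TTL is the configured value, not a countdown."""
    return "aa" in flags


def remaining_ttl(ttl_seen, seen_at, now):
    """TTL a cache reports at `now` for a record it fetched with ttl_seen at seen_at."""
    return max(0, ttl_seen - int(now - seen_at))


def effective_ttl(answers):
    """A cache must re-resolve the whole chain once any record in it expires,
    so the usable lifetime of a CNAME answer is the smallest TTL in the chain."""
    return min(rr["ttl"] for rr in answers)


def describe(output, seen_at=None, now=None):
    """Human-readable summary of what the TTL in a dig answer actually means."""
    flags, answers = parse_dig(output)
    if not answers:
        return "no answer"
    first = answers[0]
    if is_authoritative(flags):
        return (f"{first['name']} {first['type']} {first['rdata']}: authoritative answer, "
                f"TTL {first['ttl']}s is the zone's configured value")
    ttl = effective_ttl(answers)
    left = remaining_ttl(ttl, seen_at, now) if seen_at is not None else ttl
    return (f"{first['name']} {answers[-1]['type']} {answers[-1]['rdata']}: cached answer, "
            f"{left}s until the resolver must re-fetch")


if __name__ == "__main__":
    print(describe(DIG_AUTHORITATIVE))
    print(describe(DIG_CACHED, seen_at=0, now=30))
    print(describe(DIG_CNAME))
```

Pointing the script at live output is a matter of feeding it `subprocess.run(["dig", ...]).stdout`; the parsing is the same. Note that the `aa` test tells you only that the server you asked is authoritative, not that the record is fresh everywhere: other caches keep counting down from whatever TTL they saw.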
Best Answer
It depends on whether you want to delegate hosting the subdomain off to a different DNS server (or to the same server, but in a different zone file). You delegate a zone when you want some other entity to control it, such as a different IT department or organization.
If you do, then you need NS records. If not, A or CNAME records will suffice.
Let's say you have the domain example.com. You have an A record for www.example.com and you want to create the subdomain info.example.com with www.info.example.com as a host in it.
Delegation
In this situation, let's further say you have two DNS servers that will be hosting that subdomain. (They could be the same servers that are currently hosting example.com.) In this case, you will create two NS entries in the example.com zone file:
On those two servers, you will create the info.example.com zone and populate it as you would any other domain.
No delegation
Here, just add an A record in the example.com zone file, using a dot to indicate that you want to create the www.info host in the example.com domain:
Using CNAME
The decision of whether to use a CNAME is independent of the delegation choice. I generally like to use a CNAME for the "generic" names which point to specific machine names. For example, I might name my machines using an organizational naming convention such as cartoon characters (daffy, elmer, mickey, etc.) or something bureaucratic (sc01p6-serv) and point the generic names to them. If the IP address of the machine ever changes, I need look in only one place to modify it.
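An added example, not from the answer above: the example.com zone written both ways (delegated, with NS records for info.example.com, and not delegated, with a relative `www.info` name that the zone's $ORIGIN expands), plus a small lookup that shows what the parent server hands back in each case: a referral to the child's nameservers when the name is delegated, a direct answer when it is not, and a CNAME chain followed to its A record for the generic-name pattern. The nameserver names ns1/ns2.example.com, the child zone contents and all addresses (192.0.2.0/24) are assumptions made for the example.

```python
"""example.com with and without delegation of info.example.com, and a lookup that
shows the difference. Added example; nameserver names and addresses are constructed."""
import re

# Parent zone, delegating info.example.com to two nameservers (names assumed).
PARENT_DELEGATED = """
@                   IN NS    ns1.example.com.
@                   IN NS    ns2.example.com.
ns1                 IN A     192.0.2.1
ns2                 IN A     192.0.2.2
daffy               IN A     192.0.2.10
www                 IN CNAME daffy
info                IN NS    ns1.example.com.
info                IN NS    ns2.example.com.
"""

# Child zone served on those two nameservers ($ORIGIN info.example.com.).
CHILD_ZONE = """
@                   IN NS    ns1.example.com.
@                   IN NS    ns2.example.com.
www                 IN A     192.0.2.20
"""

# Parent zone without delegation: the dot in 'www.info' creates the host directly.
PARENT_FLAT = """
@                   IN NS    ns1.example.com.
ns1                 IN A     192.0.2.1
daffy               IN A     192.0.2.10
www                 IN CNAME daffy
www.info            IN A     192.0.2.20
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(NS|A|CNAME)\s+(\S+)$")


def fqdn(name, origin):
    """Expand '@' and relative names the way a zone file with $ORIGIN does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata) with all names fully qualified."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparsed zone line: {line!r}")
        name, rtype, rdata = m.groups()
        if rtype in ("NS", "CNAME"):
            rdata = fqdn(rdata, origin)  # targets are names, addresses are not
        rrs.append((fqdn(name, origin), rtype, rdata))
    return rrs


def lookup(rrs, origin, qname, qtype="A", max_cname=8):
    """Answer qname as an authoritative server for `origin` would."""
    qname = fqdn(qname, origin)
    # A delegation is an NS set owned by a name below the apex that covers qname;
    # the parent does not answer for those names, it refers the client onward.
    for name, rtype, _ in rrs:
        if rtype == "NS" and name != origin and (qname == name or qname.endswith("." + name)):
            ns = [r for n, t, r in rrs if n == name and t == "NS"]
            return {"kind": "referral", "zone": name, "ns": ns}
    # Otherwise answer from this zone, following CNAMEs (bounded to avoid loops).
    chain = []
    for _ in range(max_cname):
        direct = [r for n, t, r in rrs if n == qname and t == qtype]
        if direct:
            return {"kind": "answer", "name": qname, "rdata": direct, "cname_chain": chain}
        cname = [r for n, t, r in rrs if n == qname and t == "CNAME"]
        if not cname:
            break
        chain.append(qname)
        qname = cname[0]
    return {"kind": "nxdomain", "name": qname}


if __name__ == "__main__":
    parent = parse_zone(PARENT_DELEGATED, "example.com.")
    child = parse_zone(CHILD_ZONE, "info.example.com.")
    flat = parse_zone(PARENT_FLAT, "example.com.")
    print("delegated, parent:", lookup(parent, "example.com.", "www.info.example.com."))
    print("delegated, child: ", lookup(child, "info.example.com.", "www"))
    print("not delegated:    ", lookup(flat, "example.com.", "www.info"))
    print("generic name:     ", lookup(flat, "example.com.", "www"))
```

One caveat worth keeping in mind when you do delegate: if the child's nameservers live inside the delegated zone itself (ns1.info.example.com rather than ns1.example.com as assumed here), the parent zone must also carry glue A records for them, or resolvers have no way to reach the child.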