DNS Delegation: Concepts and Best Practices


DNS delegation is a crucial aspect of managing large and complex DNS infrastructures. It allows organizations to divide their DNS zones into smaller, more manageable parts and delegate authority to different groups or individuals. Delegation is actually one of the foundations of the entire DNS system, since it allows responsibility for different portions of a domain to be divided, providing flexibility and other benefits.

In this article, we will explore the best practices for DNS delegation, including how to avoid common difficulties and ensure optimal performance and security. Whether you’re an IT professional responsible for managing a large DNS infrastructure or just curious about how DNS works, this article will provide you with valuable insights into DNS delegation and its benefits. Let’s get started!

Summary of key DNS delegation concepts

Here is a brief summary of what will be covered in this article.

DNS delegation benefits: DNS delegation can improve network performance, simplify DNS management, and enable integration with third-party services.
DNS delegation applications: DNS delegation can be helpful when you have multiple departments or subsidiaries that require distributed responsibility, when you want to create subdomains, to improve DNS server performance, or to use a subdomain with an external DNS provider.
DNS zone: A DNS zone is a portion of the domain namespace for which a DNS server is responsible for answering requests and storing DNS records.
DNS subzone: A DNS subzone is part of a larger DNS zone that has its own set of DNS records and can be delegated to different name servers for management.
How DNS delegation works: DNS delegation works by assigning responsibility for a portion of a DNS namespace to a different set of DNS servers.
Glue records: Glue records are DNS records that provide the IP addresses of the authoritative name servers for a delegated zone.
Subzone and delegation comparison: A subzone is part of a larger DNS zone that is managed by the same DNS servers, while delegation involves assigning control of a subzone to a separate set of DNS servers.
Lame delegation: Lame delegation occurs when a name server responsible for a delegated zone cannot provide authoritative responses to DNS queries.
Best practices in DNS delegation: Use at least two authoritative name servers, regularly monitor DNS health and configuration, and ensure that the delegated zone’s NS records are up to date and accurate.

Definition of DNS delegation

As you likely know, to “delegate” something means to transfer some responsibility for one or more tasks to another person or entity. The same term is used in the DNS world, where the process is called DNS zone delegation (or sometimes simply DNS delegation).

DNS delegation is the process by which a parent DNS zone indicates to DNS resolvers that it has delegated the authority for a DNS subzone (or child zone) to a different set of DNS servers. This allows the DNS resolvers to locate and query the delegated DNS servers for the subzone’s DNS records.


DNS delegation benefits

Using DNS delegation can provide a number of advantages to a DNS administrator and the organization as a whole:

  • Improved performance: By delegating a portion of your DNS namespace to a different set of DNS servers, you can improve performance by reducing the load on your primary DNS servers.
  • Simplified DNS management: DNS delegation can simplify DNS management by allowing different teams or locations to manage their own DNS configurations.
  • Integration with third-party services: DNS delegation allows you to integrate with third-party services, such as content delivery networks (CDNs), cloud-based email services, or tracking services, that require you to delegate DNS management for a portion of your DNS namespace to their own DNS servers.

DNS delegation applications

The various benefits of DNS delegation described above apply to many uses of DNS. They also point to a number of situations where DNS delegation is especially useful.

Common DNS delegation applications include situations where the following are needed:

  • Distribution of responsibility: You have multiple departments or subsidiaries and need to delegate responsibility for DNS management to different teams or locations.
  • Subdomain specialization: You want to create a subdomain for a website or web application that requires separate DNS management or would benefit from it.
  • Performance enhancement: You want to take advantage of load distribution and geographic distribution to optimize DNS query responses. By delegating subzones to different DNS servers, organizations can efficiently distribute query load. In addition, strategically delegating to DNS servers in different geographic locations ensures that users receive faster DNS responses by connecting to the servers closest to their location. By combining these techniques, organizations can enhance performance, optimize resource utilization, and provide a faster and more efficient DNS resolution experience for their users.
  • Subdomain outsourcing: You may need to use a subdomain for a specific purpose that involves external management. For example, many organizations create a separate subdomain specifically for email marketing purposes and delegate it to a specialized email service company that handles the technical aspects of email authentication and sender reputation.


Understanding zones and subzones

DNS organizes authoritative information into units called zones. A zone is essentially a portion of the DNS namespace for which a particular DNS server is authoritative. Each zone contains a set of resource records that define the DNS information for that zone.

Zones are distributed to both primary (main) and secondary (backup) name servers, which respond with authoritative answers for those zones. The purpose of distributing zones to multiple servers is to ensure redundancy and availability in case one or more servers become unavailable.

There are two types of zones: forward-mapping and reverse-mapping. Forward-mapping zones are used to map hostnames to IP addresses, while reverse-mapping zones are used to map IP addresses to hostnames. Both types of zones include the same basic set of information:

  • Zone name
  • Start Of Authority (SOA) record
  • NameServer (NS) records
  • Other resource records (optional)

The image below shows an example of a BIND format forward mapping zone.

BIND forward mapping zone

A subzone, also referred to as a child zone, is a division of a zone that shares the latter part of its domain name with the parent. For instance, if the parent domain name is company.com, a subzone could be sales.company.com, as shown below. Like a zone, a subzone is a group of DNS records that are managed together for administrative convenience. Typically, subzones are created to meet specific organizational requirements, such as separating different departments or regions within a company.

While the terms “subzone” and “delegated zone” may cause some confusion, it’s important to note that a delegated zone is essentially a subzone, with the difference that the delegated zone is managed on separate DNS servers from the parent zone, unlike a plain subzone. We will have a whole section comparing these two concepts later in this article.

A zone and a subzone

How DNS delegation works

DNS was designed over three decades ago. It has scaled well even as the size of the Internet has dramatically increased and DNS management requirements have increased with it specifically because delegation essentially decentralizes management. Let’s take a look at how delegation works in detail using the example outlined above.

In the previous subzone example, the DNS administrator of company.com is still responsible for the subzone. However, let’s say that the sales department has specific needs and no longer wants to follow the rules of the DNS administrator of company.com; it wants to set up its own DNS servers and manage sales.company.com with its own parameters. The sales department then needs to work with the DNS administrator of company.com to set up delegation, so that the authority for sales.company.com is delegated to a new set of DNS servers managed by the sales department.

Effective delegation involves close collaboration between the parent and child zones. Specifically, the parent zone must include NS records for the child’s new authoritative servers (primary and secondary) so that it can refer recursive resolvers to them, as shown in the following figure. Those NS records are accompanied by the address records known as glue records, which are explained further below.

Delegation example showing glue records connecting the parent zone to the delegated zone

Actually, DNS delegation is happening all the time, because it all begins from the very base: the root domain. Delegation in DNS happens hierarchically, from the root domain down to the domain name in question. Here is an overview of how delegation comes into play when you query a domain name, let’s say www.example.com.

When the DNS resolver (typically at your ISP) receives the DNS query from the client, it checks its cache. If it does not have the IP address it needs in the cache and does not have any forwarding configuration, by default it sends an iterative query to the root name servers. The root name servers’ IP addresses (both IPv4 and IPv6) are stored in a file known as “root hints,” which is part of any recursive resolver.

The root server answers with a referral, since it is authoritative for only part of the requested fully qualified domain name (FQDN) — the very last label, which in this case is .com. The referral includes the NS records for the delegated domain. For instance, if the requested name is www.example.com, the root server provides the list of .com name servers, since that is the highest level below the root, as shown below.

Name servers for the .com top-level domain

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.

After receiving a referral message from a root server with a list of .com name servers, the recursive resolver caches the information. Then it chooses a name server from the list and sends it an iterative query.

The .com name server responds with a referral as well, since it too is authoritative for only part of the requested name. The referral carries the NS records for the next delegated domain: if the requested FQDN is www.example.com, the .com server responds with the list of example.com name servers.

Name servers for the example.com domain

example.com.		172800	IN	NS	a.iana-servers.net.
example.com.		172800	IN	NS	b.iana-servers.net.

After caching the answers from the previous step, the recursive resolver continues the process, sending an iterative query for the FQDN to a chosen name server (e.g., a.iana-servers.net). Once an example.com name server is reached, it responds with the Authoritative Answer (AA) flag set, returning either a valid negative response such as NXDOMAIN or, in this example, the A record:

www.example.com.		86400 	IN	A	93.184.216.34

The image below illustrates the process described above, showing a DNS resolution trace from the root DNS servers down to the example.com domain’s authoritative servers. You can find the tool used for this here.

DNS resolution trace from the root zone down to example.com


Glue records

Glue records are essential to delegation, as they provide (in the form of A and AAAA records) the information needed to connect the parent domain to the child domain. They are used to resolve circular dependencies between domain names and their corresponding name servers.

Let’s look at the delegation example again. The parent zone company.com is delegating sales.company.com to the ns1.sales.company.com and ns2.sales.company.com name servers. Now, since these name servers are themselves inside the zone being delegated (e.g., ns1.sales.company.com is a child of sales.company.com), we need glue records to learn where these name servers are (their corresponding IP addresses). Otherwise, resolution gets stuck in a loop: to find the address of ns1.sales.company.com, a resolver would first have to ask the sales.company.com servers, whose addresses are what it is trying to find. So the parent zone (company.com) includes not just the delegation (NS records) but also the A (and AAAA, if needed) records that map (or glue) the name servers’ names to their IP addresses.

Example use of glue records
sales.company.com. IN NS ns1.sales.company.com.
sales.company.com. IN NS ns2.sales.company.com.
ns1.sales.company.com. IN A 2.2.2.2
ns2.sales.company.com. IN A 3.3.3.3
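The referral walk described above, as an added example (not code from the article): a toy iterative resolver over an in-memory model of the root, com, company.com and sales.company.com zones. It follows referrals from the root down using the glue in each referral, and `without_glue()` removes the glue from company.com to show the resolution loop the text warns about. All zone data and server addresses (192.0.2.x for the upper levels, 2.2.2.2 and 3.3.3.3 from the article's example) are constructed.

```python
ZONES = {
    # zone apex -> (owner, type, rdata); the A records for a delegated zone's
    # own name servers are the glue records (constructed data)
    ".": [("com.", "NS", "ns.com."), ("ns.com.", "A", "192.0.2.1")],
    "com.": [("company.com.", "NS", "ns1.company.com."),
             ("ns1.company.com.", "A", "192.0.2.2")],
    "company.com.": [("sales.company.com.", "NS", "ns1.sales.company.com."),
                     ("sales.company.com.", "NS", "ns2.sales.company.com."),
                     ("ns1.sales.company.com.", "A", "2.2.2.2"),   # glue
                     ("ns2.sales.company.com.", "A", "3.3.3.3")],  # glue
    "sales.company.com.": [("www.sales.company.com.", "A", "2.2.2.10")],
}
# which (constructed) server address hosts which zone; 192.0.2.0 plays the root
SERVERS = {"192.0.2.0": ".", "192.0.2.1": "com.", "192.0.2.2": "company.com.",
           "2.2.2.2": "sales.company.com.", "3.3.3.3": "sales.company.com."}

def is_under(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def ask(server_ip, qname):
    """One iterative query to one authoritative server."""
    zone = SERVERS[server_ip]
    rrs = ZONES[zone]
    # an NS set below the apex that covers qname is a zone cut: refer, no AA
    cuts = [o for o, t, _ in rrs if t == "NS" and o != zone and is_under(qname, o)]
    if cuts:
        cut = max(cuts, key=len)
        ns = [r for o, t, r in rrs if o == cut and t == "NS"]
        glue = {o: r for o, t, r in rrs if t == "A" and o in ns}
        return ("referral", ns, glue)
    answer = [r for o, t, r in rrs if o == qname and t == "A"]
    return ("answer", answer) if answer else ("nxdomain",)

def resolve(qname, root_ip="192.0.2.0", depth=0):
    """Walk referrals from the root down, as a recursive resolver does."""
    if depth > 10:
        raise RuntimeError("referral loop")
    server = root_ip
    while True:
        reply = ask(server, qname)
        if reply[0] != "referral":
            return reply
        _, ns_names, glue = reply
        ns = ns_names[0]
        if ns in glue:
            server = glue[ns]          # glue: the address came with the referral
        else:
            # no glue: the NS name must be resolved first; if it lies inside
            # the zone being delegated, that lookup hits the same cut again
            found = resolve(ns, root_ip, depth + 1)
            if found[0] != "answer":
                raise RuntimeError(f"no address for {ns}")
            server = found[1][0]

def without_glue():
    """Drop company.com's glue and report what the resolver runs into."""
    saved = ZONES["company.com."]
    ZONES["company.com."] = [rr for rr in saved if rr[1] != "A"]
    try:
        resolve("www.sales.company.com.")
        return "resolved"
    except RuntimeError as err:
        return str(err)
    finally:
        ZONES["company.com."] = saved
```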

Subzone and delegation comparison

As the administrator of a parent zone, it’s important to consider the appropriate use of subzones and delegation. To maintain control over a child zone and store its data on the same servers as the parent zone, subzones are the way to go. However, if you want the child zone to have its own administrative control and store its data on separate servers, delegation is the better option.

In internal-only domain configurations, delegation is rarely necessary, while subzones are much more commonly used.

| DNS subzone | DNS delegation |
|---|---|
| Parent maintains control over the child | Child maintains its own administrative control |
| Child data is hosted on the same servers as parent zone data | Child data is hosted on a separate set of servers |
| Simple and easy to implement because it is under the same administration | Requires good coordination between parent and child administrators |
| Used more for internal-only domains | Used for larger networks or external domains |
| Easy to set up and manage | More complex and requires technical expertise |

Lame delegation

Lame delegation refers to a problematic situation where the parent domain attempts to delegate a child domain to a specific set of name servers that are either not authoritative for the zone or not running a DNS service. Let’s take a look at the common scenarios of lame delegation. You can also find technical definitions in RFC 8499 and RFC 1912.

The image below illustrates a scenario where the parent zone (company.com) responds with a referral whose glue records point the recursive resolver to an incorrect or unreachable IP address. When the recursive resolver follows this referral, it cannot resolve the domain name, since the IP addresses are either unreachable (servers down) or reachable but not running any DNS service (timeout). The client would likely experience some delay and eventually receive a SERVFAIL response code from the recursive resolver.

Lame delegation scenario 1

Imagine now (as shown in the image below) that the recursive resolver receives a referral from the parent zone where only one of the name servers is correct. The server at 2.6.6.6 is not authoritative for sales.company.com, so every time the resolver queries 2.6.6.6 for an authoritative answer it gets none and starts over again from the root servers. In this example, the recursive resolver has a 50% probability (assuming that it uses a round-robin mechanism) of selecting the correct name server at 2.2.2.2, as there are two NS records provided by the parent zone. To end users, the issue appears as slow name resolution, as the recursive resolver keeps looping until it reaches the final authoritative name server at 2.2.2.2 or a timeout occurs.

Lame delegation scenario 2

In conclusion, lame delegations cause DNS resolution errors and slow down the resolution of domain names, as queries for the delegated subdomain are repeatedly referred to the lame DNS server. They can be identified by analyzing DNS query logs. Lame delegation is resolved by correcting the configuration of the DNS server and keeping it updated, or by delegating the subdomain to a different DNS server that is able to provide valid responses.
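A delegation health check modelled on the two lame-delegation scenarios above, as an added example (not from the article) that also covers the "maintain accuracy" best practice of comparing the parent's NS set with what the child publishes. The network is simulated: each constructed IP maps to the zones its server answers authoritatively for (None means nothing listens on port 53), and `query()` stands in for a real SOA query whose AA flag is inspected.

```python
from typing import Optional

# Simulated authoritative servers (constructed): IP -> {zone apex: NS names
# the zone itself publishes}; None means the host answers nothing on port 53.
SERVERS = {
    "2.2.2.2": {"sales.company.com.": {"ns1.sales.company.com.", "ns2.sales.company.com."}},
    "3.3.3.3": {"sales.company.com.": {"ns1.sales.company.com.", "ns2.sales.company.com."}},
    "2.6.6.6": {"marketing.company.com.": {"ns1.marketing.company.com."}},  # scenario 2
    "203.0.113.7": None,                                                    # scenario 1
}

def query(ip: str, zone: str) -> Optional[bool]:
    """Simulated SOA query for the zone apex: True = answered with AA set,
    False = answered but not authoritative, None = timeout. An address no
    server is listening on behaves like a dead host."""
    zones = SERVERS.get(ip)
    if zones is None:
        return None
    return zone in zones

def check_delegation(zone: str, delegation: dict) -> dict:
    """delegation is the parent's view, {NS name: glue address}. Returns
    {NS name: 'ok' | 'not authoritative' | 'unreachable'} per server."""
    report = {}
    for ns, ip in delegation.items():
        aa = query(ip, zone)
        report[ns] = "ok" if aa else ("unreachable" if aa is None else "not authoritative")
    return report

def is_lame(report: dict) -> bool:
    """Lame if any delegated server cannot give authoritative answers."""
    return any(status != "ok" for status in report.values())

def ns_mismatch(zone: str, delegation: dict):
    """Names that differ between the parent's NS set and the NS set the child
    publishes, read from the first server that answers authoritatively."""
    for ip in delegation.values():
        if query(ip, zone):
            return set(delegation) ^ SERVERS[ip][zone]
    return None   # nobody is authoritative: nothing to compare against

ZONE = "sales.company.com."
GOOD = {"ns1.sales.company.com.": "2.2.2.2", "ns2.sales.company.com.": "3.3.3.3"}
SCENARIO1 = {"ns1.sales.company.com.": "203.0.113.7", "ns2.sales.company.com.": "203.0.113.8"}
SCENARIO2 = {"ns1.sales.company.com.": "2.2.2.2", "ns2.sales.company.com.": "2.6.6.6"}
MISMATCH = {"ns1.sales.company.com.": "2.2.2.2", "ns3.sales.company.com.": "3.3.3.3"}

if __name__ == "__main__":
    for name, d in (("good", GOOD), ("scenario 1", SCENARIO1),
                    ("scenario 2", SCENARIO2), ("ns mismatch", MISMATCH)):
        rep = check_delegation(ZONE, d)
        print(name, "LAME" if is_lame(rep) else "ok", rep, ns_mismatch(ZONE, d))
```

Against a live delegation the same logic applies with a DNS library (for example dnspython's `dns.query.udp()` and checking `response.flags & dns.flags.AA`) in place of `query()`.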


Best practices in DNS delegation 

Effective delegation of DNS zones is crucial for maintaining a reliable and highly available DNS infrastructure. When delegation is done properly, it allows for efficient resolution of DNS queries and minimizes the risk of issues. In this section, we will discuss some best practices to follow when delegating DNS zones to ensure optimal performance and security of your DNS infrastructure.

  • Maintain accuracy: Ensure that the delegated zone’s NS records are up to date and accurately reflect the current set of authoritative name servers. By doing this, you can avoid lame delegation issues. This can be achieved by regularly monitoring the status of the delegated name servers, ensuring that they are properly configured and functioning correctly.
  • Use at least two authoritative name servers: Delegating a domain to only one name server creates a single point of failure, which can cause downtime for the domain. To ensure that your domain remains available, it is recommended to use at least two name servers that are located in different geographic regions.
  • Prioritize communication and documentation: Clear communication among all the parties involved is essential for effective DNS delegation. Ensure that everyone understands their roles and responsibilities, and create thorough documentation that provides a record of what has been delegated and who is responsible for each part of the process.
  • Regularly monitor DNS health and configuration: Monitor your DNS servers and zone files frequently to ensure that they are performing optimally and are free from errors. Use DNS monitoring tools (like Catchpoint) and alerting services to detect issues before they become critical and impact your online services.

Summary of key concepts

DNS delegation is a fundamental part of the Internet that allows it to be efficiently maintained despite its huge size and complexity. When organizations delegate DNS responsibilities to different teams or locations, they can simplify DNS management, enhance performance, and incorporate third-party services. However, to ensure the safety and reliability of DNS infrastructure, it’s important to use best practices such as those outlined in this article. By implementing DNS delegation correctly, organizations can ensure efficient DNS management and minimize potential DNS infrastructure problems.