Tuesday, January 18, 2011

SOA and Primary NS record (DNS)

The brunt of the question is this -- What is the relationship between the primary nameserver specified in the SOA record and the nameservers specified in the NS records. How are these things linked?

When I query most websites, I get this:

    dhamma@sansa:~$ host -t SOA arth.com
    arth.com has SOA record ns1.comcastbusiness.net. domreg-tech.comcastbusiness.net. 2009072715 3600 7200 604800 7200

And I expect to see ns1.comcastbusiness.net as the primary nameserver, because when I query the NS record for the domain I get this:

    dhamma@sansa:~$ host -t NS arth.com
    arth.com name server ns1.comcastbusiness.net.
    arth.com name server ns2.comcastbusiness.net.
    arth.com name server ns3.comcastbusiness.net.

This always led me to think that the SOA record somehow auto-populated the primary NS record? Is that even remotely true?

Because here's where I'm most confused.

    dhamma@sansa:~$ host -t SOA paulwarnk.com
    paulwarnk.com has SOA record a.dns.hostway.net. hostmaster.siteprotect.com. 2009012319 86400 7200 86400 99999

But I'm told to use, and do use, these nameservers:

    dhamma@sansa:~$ host -t NS paulwarnk.com
    paulwarnk.com name server adns.cs.siteprotect.com.
    paulwarnk.com name server bdns.cs.siteprotect.com.

Why is this nameserver adns.cs.siteprotect.com not listed as the primary nameserver in the SOA record?

  • Nameserver records are specified in your zone file. The SOA record indicates the primary nameserver for the zone. There is no automatic relationship between the two. Here is a good read regarding SOA records. The short answer is that the SOA record is the whole record containing the name, TTL, etc... Additionally, I'd strongly suggest picking up the O'Reilly DNS & BIND book. It's really quite useful.

    Your records beyond the root servers for paulwarnk.com:

    paulwarnk.com.   172800 IN NS adns.cs.siteprotect.com.
    paulwarnk.com.   172800 IN NS bdns.cs.siteprotect.com.
    ;; Received 116 bytes from 192.55.83.30#53(M.GTLD-SERVERS.NET) in 152 ms
    
    paulwarnk.com.   99999 IN A 69.143.69.166
    paulwarnk.com.   99999 IN NS adns.cs.siteprotect.com.
    paulwarnk.com.   99999 IN NS bdns.cs.siteprotect.com.
    ;; Received 100 bytes from 64.26.28.8#53(adns.cs.siteprotect.com) in 12 ms
    

    Now, what this means is that, at the root servers, adns & bdns.cs.siteprotect.com are listed as the authorities for paulwarnk.com. Then, on those servers (adns & bdns) there is an A record for the root record pointing to 69.143.69.166.

    I think what you're asking is why the NS records appear to be different. The answer is that the NS records were specified, likely by your registrar, to point to their servers that are authoritative for the zone. However, this output would seem to indicate a problem, as the SOA nameserver does not appear to respond to a request for your records:

    ; <<>> DiG 9.2.4 <<>> @a.dns.hostway.net paulwarnk.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37849
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;paulwarnk.com.   IN A
    
    ;; Query time: 10 msec
    ;; SERVER: 66.113.129.243#53(66.113.129.243)
    ;; WHEN: Mon Nov 16 23:03:04 2009
    ;; MSG SIZE  rcvd: 31
    

    edit: The AUTHORITY: 0 means that the server a.dns.hostway.net did not answer authoritatively. It seems kinda obvious when the ANSWER: 0 section is there, but it's actually important to differentiate between an authoritative answer, and a non-authoritative one. Authority, in DNS, speaks to whether or not the server you've gotten your answer from can actually be trusted to know what it's talking about.

    As to why there's a server listed in the SOA, I don't know that I've ever read the reason they put it there, but that server should be the master server for the zone, hence Start of Authority, or SOA. It's not always the case, as the SOA for all 1400+ of my domains lists a primary query server in the SOA, but the actual start of authority is on a hidden master that no one can access.

    scraft3613 : Thanks so much, that clears a lot up. So what is the purpose then, of specifying a primary nameserver in the SOA? Is there a reason why it says AUTHORITY 0 in your query? Oh, so many questions. I will pick up the O'Reilly book.
    Alnitak : Your edit is wrong. The `AA` flag is used to indicate an authoritative answer. `AUTHORITY: 0` simply means that there are no answers in the "authority section" of the response.
    Greeblesnort : Technically correct, but I don't think that makes my edit wrong in context. Without an aa flag, you're not getting an authoritative response. Thanks though, made me reread the documentation =)
  • RFC 1035 says:

    MNAME The `<domain-name>` of the name server that was the original or primary source of data for this zone.

    although in practice this MNAME field in the SOA is mostly unused these days.

    However if you're using DNS dynamic updates then it must refer to the name of the DNS server which is to receive the dynamic update messages.

    See also this (expired) Internet Draft which talks about the MNAME field in detail, and how the DNS UPDATE message is the only current use for it.

    womble : This is the reason. +1 for a short, readable answer.
    Greeblesnort : that's an excellent point...especially these days with Active Directory Integrated zones (which are evil, imho). While it doesn't matter if you rely solely on MS DNS servers or not (we don't), the SOA must point to the AD controller, which with an ADI zone, should be the closest AD box to your request.
    Alnitak : Yes, AD integrated DNS is evil. :)
    From Alnitak
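The two answers above make three points that are easy to check by hand on the wire: the `aa` bit is a header flag, separate from the AUTHORITY count (Greeblesnort's edit and Alnitak's correction); the SOA MNAME may or may not be one of the delegated NS names, and the question's two domains show one case each; and, per Alnitak, a dynamic-update client addresses its RFC 2136 UPDATE message to MNAME. The following Python is an added example, not code from the original thread or from any of the posters. It hand-rolls the DNS wire format so it runs offline; every message it parses is constructed locally from the records quoted in the question (the `build_response`, `build_update` and `mname_in_ns_set` names are this example's own, and the message IDs and the `www.paulwarnk.com` record in the `<test>` are made up):

```python
"""Added example (not from the page): decode DNS wire messages to read the AA
bit and section counts separately, check whether the SOA MNAME is one of the
delegated NS names, and build the RFC 2136 UPDATE that clients send to MNAME.
All messages are constructed locally from the records quoted in the question."""
import struct

TYPE_NS, TYPE_SOA, CLASS_IN = 2, 6, 1
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_message(msg):
    """Header opcode/AA/RCODE, section counts and the answer-section RRs."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip question section
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            rdata = decode_name(msg, off)[0]
        elif rtype == TYPE_SOA:                           # MNAME RNAME SERIAL ...
            mname, p = decode_name(msg, off)
            rdata = {"mname": mname, "rname": decode_name(msg, p)[0]}
        else:
            rdata = msg[off:off + rdlen]
        answers.append((owner, rtype, ttl, rdata))
        off += rdlen
    return {"opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & 0x0400),                   # the AA bit is a flag, not a count
            "rcode": RCODES.get(flags & 0xF, flags & 0xF),
            "counts": {"answer": an, "authority": ns, "additional": ar},
            "answers": answers}

def build_response(zone, qtype, rrs, aa=True, rcode=0):
    """Construct a response to <zone, qtype>; rrs = [(rtype, ttl, rdata_bytes)]."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | rcode    # QR, RD, optional AA, RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(rrs), 0, 0)
    msg += encode_name(zone) + struct.pack("!HH", qtype, CLASS_IN)
    for rtype, ttl, rdata in rrs:
        msg += encode_name(zone) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return msg

def soa_rdata(mname, rname, *timers):
    """SOA RDATA: MNAME, RNAME, then serial/refresh/retry/expire/minimum."""
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", *timers)

def mname_in_ns_set(soa_msg, ns_msg):
    """(mname, sorted NS names, whether MNAME is among the delegated nameservers)."""
    soa = next(r for _, t, _, r in parse_message(soa_msg)["answers"] if t == TYPE_SOA)
    nsset = sorted(r for _, t, _, r in parse_message(ns_msg)["answers"] if t == TYPE_NS)
    return soa["mname"], nsset, soa["mname"].lower() in {n.lower() for n in nsset}

def build_update(zone, owner, rtype, ttl, rdata):
    """RFC 2136 UPDATE (opcode 5) adding one RR; the client addresses it to the SOA MNAME."""
    hdr = struct.pack("!HHHHHH", 0x5678, 5 << 11, 1, 0, 1, 0)     # ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return hdr + zone_sec + encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

# Constructed samples mirroring the host and dig output quoted in the question.
SOA_ARTH = build_response("arth.com", TYPE_SOA, [(TYPE_SOA, 7200, soa_rdata(
    "ns1.comcastbusiness.net", "domreg-tech.comcastbusiness.net", 2009072715, 3600, 7200, 604800, 7200))])
NS_ARTH = build_response("arth.com", TYPE_NS,
    [(TYPE_NS, 7200, encode_name("ns%d.comcastbusiness.net" % i)) for i in (1, 2, 3)])
SOA_PAULWARNK = build_response("paulwarnk.com", TYPE_SOA, [(TYPE_SOA, 99999, soa_rdata(
    "a.dns.hostway.net", "hostmaster.siteprotect.com", 2009012319, 86400, 7200, 86400, 99999))])
NS_PAULWARNK = build_response("paulwarnk.com", TYPE_NS,
    [(TYPE_NS, 99999, encode_name(n)) for n in ("adns.cs.siteprotect.com", "bdns.cs.siteprotect.com")])
REFUSED = build_response("paulwarnk.com", 1, [], aa=False, rcode=5)   # a.dns.hostway.net's reply

if __name__ == "__main__":
    print("arth.com", mname_in_ns_set(SOA_ARTH, NS_ARTH))                 # MNAME is in the NS set
    print("paulwarnk.com", mname_in_ns_set(SOA_PAULWARNK, NS_PAULWARNK))  # it is not
    for m in (REFUSED, SOA_PAULWARNK):        # both have AUTHORITY: 0; only one has aa set
        p = parse_message(m)
        print(p["rcode"], "aa=%s" % p["aa"], p["counts"])
```

Running it shows the distinction the comments argue about: the REFUSED reply and the real SOA answer both carry `AUTHORITY: 0`, but only the latter has `aa` set, so "no AUTHORITY records" tells you nothing about authority. Against live servers you would replace the constructed messages with the bytes returned by a UDP query to each NS in the delegation, and a MNAME that refuses the zone (as `a.dns.hostway.net` did here) is exactly the host that dynamic-update clients would be talking to.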
