digd.js/HOW_DELEGATION_WORKS.md

169 lines
4.3 KiB
Markdown
Raw Normal View History

2017-10-03 22:21:51 +00:00
DNS Delegation
==============
Tracing NS records trying to understand DNS delegation better.
Root Servers
------------
The root servers will return the TLD records for any domain
```bash
dig A @m.root-servers.net www.example.daplie.me
```
```
; <<>> DiG 9.8.3-P1 <<>> A @m.root-servers.net www.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34843
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 10
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.aj.daplie.me. IN A
;; AUTHORITY SECTION:
me. 172800 IN NS c0.nic.me.
me. 172800 IN NS b0.nic.me.
me. 172800 IN NS a0.nic.me.
me. 172800 IN NS b2.nic.me.
me. 172800 IN NS a2.nic.me.
;; ADDITIONAL SECTION:
a0.nic.me. 172800 IN A 199.253.59.1
a2.nic.me. 172800 IN A 199.249.119.1
b0.nic.me. 172800 IN A 199.253.60.1
b2.nic.me. 172800 IN A 199.249.127.1
c0.nic.me. 172800 IN A 199.253.61.1
a0.nic.me. 172800 IN AAAA 2001:500:53::1
a2.nic.me. 172800 IN AAAA 2001:500:47::1
b0.nic.me. 172800 IN AAAA 2001:500:54::1
b2.nic.me. 172800 IN AAAA 2001:500:4f::1
c0.nic.me. 172800 IN AAAA 2001:500:55::1
;; Query time: 141 msec
;; SERVER: 202.12.27.33#53(202.12.27.33)
;; WHEN: Tue Oct 3 15:47:25 2017
;; MSG SIZE rcvd: 343
```
GTLD Servers
------------
The GTLD Servers will return the glue records for the nameserver which hosts the SLD in question
```bash
dig A @b0.nic.me www.aj.daplie.me
```
```
; <<>> DiG 9.8.3-P1 <<>> A @b0.nic.me www.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52062
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.aj.daplie.me. IN A
;; AUTHORITY SECTION:
daplie.me. 86400 IN NS ns2.redirect-www.org.
daplie.me. 86400 IN NS ns1.redirect-www.org.
;; Query time: 29 msec
;; SERVER: 199.253.60.1#53(199.253.60.1)
;; WHEN: Tue Oct 3 15:48:41 2017
;; MSG SIZE rcvd: 86
```
If the nameserver were "in bailiwick" then it's A/AAAA records would be returned in an additional section.
SLD Nameservers
---------------
There are three main conditions:
* Exists
* Doesn't exist (but lives here)
* Delegated
There's also the condition of *"doesn't exist (and doesn't live here)"*, but we'll save that for another day
(or try `dig @ns1.google.com A yahoo.com`).
### Exists
```bash
dig A @ns2.redirect-www.org www.aj.daplie.me
```
```
; <<>> DiG 9.8.3-P1 <<>> A @ns2.redirect-www.org www.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52373
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.aj.daplie.me. IN A
;; ANSWER SECTION:
www.aj.daplie.me. 300 IN A 45.56.59.142
;; Query time: 83 msec
;; SERVER: 66.172.33.29#53(66.172.33.29)
;; WHEN: Tue Oct 3 15:57:14 2017
;; MSG SIZE rcvd: 50
```
### Doesn't Exist (but would)
```bash
dig A @ns2.redirect-www.org doesntexist.aj.daplie.me
```
```
; <<>> DiG 9.8.3-P1 <<>> A @ns2.redirect-www.org doesntexist.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19993
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;doesntexist.aj.daplie.me. IN A
;; AUTHORITY SECTION:
daplie.me. 1 IN SOA ns1.redirect-www.org. hostmaster.daplie.me. 2017020100 10800 3600 1209600 1800
;; Query time: 68 msec
;; SERVER: 66.172.33.29#53(66.172.33.29)
;; WHEN: Tue Oct 3 15:59:25 2017
;; MSG SIZE rcvd: 109
```
### Delegated Subdomain
Should look something like this, I'm pretty sure:
```
;; QUESTION SECTION:
;john.daplie.me. IN A
;; AUTHORITY SECTION:
john.daplie.me. 86400 IN NS ns2.dns-host.org.
john.daplie.me. 86400 IN NS ns1.dns-host.org.
```
I think that in practice anything matching `*.john.daplie.me` would be delegated,
but I but you could do something weird like host `whatever.john.daplie.me` on the original
nameserver by A) answering to it directly on the main nameserver and B) delegating
from `whatever.john.daplie.me` back to the original nameserver in case the resolving
client makes intelligent assumptions and caching.