digd.js/HOW_DELEGATION_WORKS.md

5.7 KiB

DNS Delegation

Tracing NS records trying to understand DNS delegation better.

Root Servers

The root servers will return the TLD records for any domain

dig A @m.root-servers.net www.example.daplie.me
; <<>> DiG 9.8.3-P1 <<>> A @m.root-servers.net www.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34843
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 10
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.aj.daplie.me.		IN	A

;; AUTHORITY SECTION:
me.			172800	IN	NS	c0.nic.me.
me.			172800	IN	NS	b0.nic.me.
me.			172800	IN	NS	a0.nic.me.
me.			172800	IN	NS	b2.nic.me.
me.			172800	IN	NS	a2.nic.me.

;; ADDITIONAL SECTION:
a0.nic.me.		172800	IN	A	199.253.59.1
a2.nic.me.		172800	IN	A	199.249.119.1
b0.nic.me.		172800	IN	A	199.253.60.1
b2.nic.me.		172800	IN	A	199.249.127.1
c0.nic.me.		172800	IN	A	199.253.61.1
a0.nic.me.		172800	IN	AAAA	2001:500:53::1
a2.nic.me.		172800	IN	AAAA	2001:500:47::1
b0.nic.me.		172800	IN	AAAA	2001:500:54::1
b2.nic.me.		172800	IN	AAAA	2001:500:4f::1
c0.nic.me.		172800	IN	AAAA	2001:500:55::1

;; Query time: 141 msec
;; SERVER: 202.12.27.33#53(202.12.27.33)
;; WHEN: Tue Oct  3 15:47:25 2017
;; MSG SIZE  rcvd: 343

GTLD Servers

The GTLD Servers will return the glue records for the nameserver which hosts the SLD in question

dig A @b0.nic.me www.aj.daplie.me
; <<>> DiG 9.8.3-P1 <<>> A @b0.nic.me www.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52062
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.aj.daplie.me.		IN	A

;; AUTHORITY SECTION:
daplie.me.		86400	IN	NS	ns2.redirect-www.org.
daplie.me.		86400	IN	NS	ns1.redirect-www.org.

;; Query time: 29 msec
;; SERVER: 199.253.60.1#53(199.253.60.1)
;; WHEN: Tue Oct  3 15:48:41 2017
;; MSG SIZE  rcvd: 86

If the nameserver were "in bailiwick" then it's A/AAAA records would be returned in an additional section.

SLD Nameservers

There are three main conditions:

  • Exists
  • Doesn't exist (but lives here)
  • Delegated

There's also the condition of "doesn't exist (and doesn't live here)", but we'll save that for another day (or try dig @ns1.google.com A yahoo.com).

Exists

dig A @ns2.redirect-www.org www.aj.daplie.me
; <<>> DiG 9.8.3-P1 <<>> A @ns2.redirect-www.org www.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52373
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.aj.daplie.me.		IN	A

;; ANSWER SECTION:
www.aj.daplie.me.	300	IN	A	45.56.59.142

;; Query time: 83 msec
;; SERVER: 66.172.33.29#53(66.172.33.29)
;; WHEN: Tue Oct  3 15:57:14 2017
;; MSG SIZE  rcvd: 50

Doesn't Exist (but would)

dig A @ns2.redirect-www.org doesntexist.aj.daplie.me
; <<>> DiG 9.8.3-P1 <<>> A @ns2.redirect-www.org doesntexist.aj.daplie.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19993
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;doesntexist.aj.daplie.me.	IN	A

;; AUTHORITY SECTION:
daplie.me.		1	IN	SOA	ns1.redirect-www.org. hostmaster.daplie.me. 2017020100 10800 3600 1209600 1800

;; Query time: 68 msec
;; SERVER: 66.172.33.29#53(66.172.33.29)
;; WHEN: Tue Oct  3 15:59:25 2017
;; MSG SIZE  rcvd: 109

Delegated Subdomain

Should look something like this, I'm pretty sure:

;; QUESTION SECTION:
;john.daplie.me.		IN	A

;; AUTHORITY SECTION:
john.daplie.me.		86400	IN	NS	ns2.dns-host.org.
john.daplie.me.		86400	IN	NS	ns1.dns-host.org.

I think that in practice anything matching *.john.daplie.me would be delegated, but I but you could do something weird like host whatever.john.daplie.me on the original nameserver by A) answering to it directly on the main nameserver and B) delegating from whatever.john.daplie.me back to the original nameserver in case the resolving client makes intelligent assumptions and caching.

When a domain doesn't exist

NXDOMAIN

This nameserver can respond for that domain, but no record exists

dig @ns1.google.com doesntexist.google.com
; <<>> DiG 9.8.3-P1 <<>> @ns1.google.com doesntexist.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45549
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;doesntexist.google.com.		IN	A

;; AUTHORITY SECTION:
google.com.		60	IN	SOA	ns2.google.com. dns-admin.google.com. 170961396 900 900 1800 60

;; Query time: 50 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Wed Oct  4 01:14:09 2017
;; MSG SIZE  rcvd: 90

REFUSED

This nameserver does not store records for that domain (and would appreciated it if you didn't ask)

dig @ns1.google.com daplie.com
; <<>> DiG 9.8.3-P1 <<>> @ns1.google.com daplie.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 47317
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;daplie.com.			IN	A

;; Query time: 52 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Wed Oct  4 01:14:20 2017
;; MSG SIZE  rcvd: 28