NS records are probably the biggest cause of misconfigurations for a domain, and yet they are extremely
simple in the most common configurations. NS records specify the nameservers that are
authoritative for a particular domain or subdomain. As with MX records, NS records must specify
hostnames, not IP addresses. That requirement to use hostnames rather than IP addresses is the part
that causes most of the problems and misconfigurations with nameservers.
The chicken and egg problem (otherwise known as "glue" records):
Consider creating the zone for "example.com". You create two nameservers in the example.com
domain called ns0.example.com and ns1.example.com. Following the rules, you specify NS records for the domain
as follows:
@ IN NS ns0.example.com.
@ IN NS ns1.example.com.
Now suppose you want to look up "www.example.com". The lookup begins when you ask for the nameservers that
are authoritative for example.com. The root nameservers will have the IP address of your nameserver and you
will be directed to look the domain up on that server. You then look up the www.example.com record at that nameserver
and the server returns the A record you requested. All simple so far?
OK, let's make it complicated: we'll add a subdomain ("friend.example.com") to example.com and give it to
a friend. The friend then creates his own nameservers called ns0.friend.example.com and ns1.friend.example.com,
and I create the following entries in my example.com zone file:
friend IN NS ns0.friend.example.com.
friend IN NS ns1.friend.example.com.
We reload our zones, test the configuration, and find that nothing reaches any address in the subdomain
friend.example.com. The reason for the failure is the lack of "glue". The lookup for www.friend.example.com
goes to the example.com nameserver and asks for the NS records for friend.example.com, to which the server
replies "ns0.friend.example.com" and "ns1.friend.example.com".
Your nameserver then attempts to resolve ns0.friend.example.com so that it can make the final query for www.friend.example.com,
so it looks up example.com and asks the example.com nameservers for the location of the friend.example.com nameservers,
which again returns the NS records "ns0.friend.example.com" and "ns1.friend.example.com".
The process then repeats, and repeats, and repeats. To solve this you need to add "glue" records:
simple A records in the parent domain that match the hostnames of the nameservers. In our example this
means adding the following records:
friend IN NS ns0.friend.example.com.
friend IN NS ns1.friend.example.com.
ns0.friend IN A 127.0.0.2
ns1.friend IN A 127.0.0.3
In the real world you would use the $ORIGIN directive; the following example is the 'proper' way:
$ORIGIN example.com.
@       IN NS ns0.example.com.
        IN NS ns1.example.com.
ns0     IN A  127.0.0.1
ns1     IN A  127.0.0.2
$ORIGIN friend.example.com.
@       IN NS ns0.friend.example.com.
        IN NS ns1.friend.example.com.
ns0     IN A  127.0.0.3
ns1     IN A  127.0.0.4
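As an added check that is not part of the original page: a small Python script that parses a zone file written in the $ORIGIN style above (expanding "@", relative names and the blank owner of a continuation line) and reports every nameserver that sits under its own delegation but has no glue A record in the zone. The zone text, the function names and the 127.0.0.x addresses are constructed for this example; the friend zone's ns1 glue is left out on purpose so the check has something to find.

```python
def _fqdn(name, origin):
    """'@' is the origin; a relative name (no trailing dot) gets the origin appended."""
    if name == '@':
        return origin
    return name if name.endswith('.') else f'{name}.{origin}'

def parse_zone(text):
    """Parse a simplified zone file into (owner, type, rdata) triples with absolute names.
    Assumes 'owner [IN] TYPE RDATA' records and a $ORIGIN line before the first record."""
    origin = owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == '$ORIGIN':
            origin = fields[1]
            continue
        if not raw[0].isspace():                  # leading blank = same owner as previous record
            owner = _fqdn(fields.pop(0), origin)
        if fields[0] == 'IN':
            fields.pop(0)
        rtype, rdata = fields[0], fields[1]
        if rtype == 'NS':                         # NS targets are names, so expand them too
            rdata = _fqdn(rdata, origin)
        records.append((owner, rtype, rdata))
    return records
def missing_glue(records):
    """(delegation, nameserver) pairs where the nameserver lies under the delegated name
    but this zone carries no A record for it: the resolver loop described in the text."""
    has_a = {owner for owner, rtype, _ in records if rtype == 'A'}
    return sorted((owner, ns) for owner, rtype, ns in records
                  if rtype == 'NS' and ns.endswith('.' + owner) and ns not in has_a)
# Constructed zone: the page's $ORIGIN layout, with ns1.friend's glue left out on purpose.
ZONE = """\
$ORIGIN example.com.
@       IN NS ns0.example.com.
        IN NS ns1.example.com.
ns0     IN A  127.0.0.1
ns1     IN A  127.0.0.2
$ORIGIN friend.example.com.
@       IN NS ns0.friend.example.com.
        IN NS ns1.friend.example.com.
ns0     IN A  127.0.0.3
"""
if __name__ == '__main__':
    for delegation, ns in missing_glue(parse_zone(ZONE)):
        print(f'{delegation} -> {ns} has no glue A record in this zone')
```

Run against a real zone file the same way; an out-of-bailiwick nameserver (for example friend.example.com delegated to ns0.example.com) is correctly not reported, because the resolver can find that host without glue.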