What does authoritative DNS server mean?

An authoritative name server is a name server that gives answers in response to questions asked about names in a zone. An authoritative-only name server only returns answers to queries about domain names that have been specifically configured by the administrator. Name servers can also be configured to give authoritative answers to queries in some zones, while acting as a caching name server for all other zones.

...

When a domain is registered with a domain name registrar, the zone administrator provides a list of name servers (typically at least two, for redundancy[4]) that are authoritative for the zone that contains the domain. The registrar provides the names of these servers to the domain registry for the top level domain containing the zone. The domain registry in turn configures the authoritative name servers for that top level domain with delegations for each server for the zone. If the fully qualified domain name of any name server for a zone appears within that zone, the zone administrator provides IP addresses for that name server, which are installed in the parent zone as glue records; otherwise, the delegation consists of the list of NS records for that zone.

source http://en.wikipedia.org/wiki/Authoritative_name_server#Authoritative_name_server

Reading their explanation, it seems to be fairly straightforward.
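The glue rule in the quoted passage, as an added example that is not part of the answer or of the Wikipedia article: it works out which NS and glue records a parent zone would hold for a delegation, and flags in-zone name servers that were given no address. The zone, server names and addresses are constructed, and `build_delegation` and its helpers are hypothetical names.

```python
# Added example: all names and addresses below are constructed sample data.

def normalize(name):
    """Lower-case a domain name and split it into labels, ignoring a trailing dot."""
    return tuple(label for label in name.lower().rstrip(".").split(".") if label)

def is_within(name, zone):
    """True when `name` is the zone apex or lies beneath it.

    Comparison is by whole labels, so ns.notexample.com is NOT inside example.com.
    """
    n, z = normalize(name), normalize(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def build_delegation(zone, nameservers):
    """Return (ns_records, glue_records, missing_glue) for the parent zone.

    `nameservers` maps each name server FQDN to its list of IP addresses.
    """
    ns_records, glue_records, missing_glue = [], [], []
    for ns, addrs in sorted(nameservers.items()):
        ns_records.append((zone, "NS", ns))
        if not is_within(ns, zone):
            continue  # name lives outside the zone: NS record only, no glue
        if not addrs:
            missing_glue.append(ns)  # in-zone server with no address to install
        for addr in addrs:
            rtype = "AAAA" if ":" in addr else "A"
            glue_records.append((ns, rtype, addr))
    return ns_records, glue_records, missing_glue

SAMPLE_ZONE = "example.com."
SAMPLE_NS = {
    "ns1.example.com.": ["192.0.2.53", "2001:db8::53"],  # in zone, has addresses
    "NS2.Example.COM": [],                               # in zone, address missing
    "ns.notexample.com.": ["198.51.100.7"],              # similar suffix, other zone
    "ns.example.net.": [],                               # plainly out of zone
}

if __name__ == "__main__":
    ns, glue, missing = build_delegation(SAMPLE_ZONE, SAMPLE_NS)
    for record in ns + glue:
        print(*record)
    print("in-zone servers lacking glue:", missing)
```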


Do you understand HTTP and the WWW? Yes? Good. DNS is just like that. A set of content servers publish content taken from their back-end databases, and a set of proxy servers, that do the grunt work, sit in between those content servers and the DNS client library code that is linked into applications programs that want to use the DNS. An application performs a front-end transaction with a proxy, and the proxy does a whole load of back-end transactions with various content servers.

Authority is slightly confusing:

  • Some poorly designed DNS servers try to vainly wear both hats at once, performing both proxy DNS service and content DNS service. Thus there are all sorts of concerns that the poor system administrators operating such softwares have to bear in mind, dealing with "what the server is and isn't authoritative for". Ironically, it has been considered good practice for a decade or so now to separate content DNS service from proxy DNS service.
  • A DNS response datagram has an AA ("authoritative answer") bit that is a useless bit of frippery in the DNS protocol that should be ignored. Some vain multiple-hat-wearing softwares do things with it that surprise people that think that they've finally got the hang of what "authoritative" means, or who haven't read beyond the RFCs. ☺
  • A SOA resource record set denotes, to some (not all) content DNS servers, the apex of a "zone" — essentially a subset of the back-end database. It's where they think the root of that portion of their database is. But in the DNS authority is delegated, not claimed.

It's a term that is best avoided. Concentrate instead upon the ideas of the DNS servers that publish the content and the DNS servers that do all of the transactions necessary for query resolution work on behalf of the client libraries in applications.

Further reading

  • Jonathan de Boyne Pollard (2000,2007). "content" and "proxy" DNS servers. Frequently Given Answers.
  • Jonathan de Boyne Pollard (2004). "SOA" is a resource record type. Content DNS servers may be "masters". Frequently Given Answers.
  • Jonathan de Boyne Pollard (2003). Providing content DNS service with an all-the-hats-at-once DNS server software. Frequently Given Answers.
  • Jonathan de Boyne Pollard (2001,2003). The "bailiwick" of content DNS servers. Frequently Given Answers.
  • Jonathan de Boyne Pollard (2001). "primary" and "secondary" DNS servers. Frequently Given Answers.