Is a subdomain with both A records and NS records valid?

domain-name-system ns-record a-record

Let's say I own example.com.

I then create an A record on test.example.com to 1.1.1.1.

I then create a NS record on test.example.com to ns1.anotherdnshost.com.

At another DNS host, I add an A record for the root (test.example.com) to 2.2.2.2.

When the client queries test.example.com, which A record will be returned? Which would be the more "dominant" A record? Is a setup like this valid?


Solution 1:

This is not valid, no. It will probably return the 1.1.1.1 as it would get returned by the first server that resolves but the "correct" value should be whichever nameserver is registered as the primary by the SOA record. But, what gets returned may depend on which version of nameserver software is run. See below, it will just forward it on to the next nameserver, and 1.1.1.1 will never get shown.

Now it IS correct to list other NS records in your zone, but the other NS should be nameservers with identical zones. You can point your subdomains to alternate nameservers however.

So example.com by your registrar points to ns1.example.com and ns2.example.com with 1.2.3.4 and 2.3.4.5 IPs from the registrar nameserver (glue).

You would then have a zone with the SOA choosing ns1 or ns2 as the primary, and then you would have two NS records pointing to ns1.example.com and ns2.example.com with the A records for that domain (and mx, txt, cname, etc).

Both NS1 and NS2.example.com should have identical zones and they should replicate to each other automatically.

Now it IS valid, to take test.example.com and point that to ns1.somethingelse.com and ns2.somethingelse.com but NO A records for test.example.com on ns1 and ns2.example.com's nameservers, except ns1 and ns2.example.com should automatically send the IPs for ns1 and ns2.somethingelse.com if it has glue. (It won't if the TLD is different, ie .com and .org)

I hope that all made sense, I can clarify more if any of it is confusing.

Here's a test of what happens:

On shadowrpg.net's nameserver:

$ttl 38400
@   IN  SOA shell2.reganw.com. root.shell2.reganw.com. (
            1298345653
            10800
            3600
            604800
            38400 )
@   IN  NS  shell2.reganw.com.
test.shadowrpg.net.     IN  A   127.0.0.1
test.shadowrpg.net. IN  NS  saber.reganw.com.

On test.shadowrpg.net's nameserver (saber):

$ttl 38400
@   IN  SOA saber.reganw.com. root.shell2.reganw.com. (
            1298345653
            10800
            3600
            604800
            38400 )
@   IN  NS  saber.reganw.com.
test.shadowrpg.net.     IN  A   127.0.0.2
test.shadowrpg.net. IN  NS  saber.reganw.com.

The first result, is with saber not configured, to show the referral.

[regan@gamma ~]$ dig +trace test.shadowrpg.net

; <<>> DiG 9.7.3-P1-RedHat-9.7.3-2.P1.fc13 <<>> +trace test.shadowrpg.net
;; global options: +cmd
.           518400  IN  NS  G.ROOT-SERVERS.NET.
.           518400  IN  NS  C.ROOT-SERVERS.NET. (snip)
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

net.            172800  IN  NS  a.gtld-servers.net.
net.            172800  IN  NS  m.gtld-servers.net. (snip)
;; Received 493 bytes from 199.7.83.42#53(199.7.83.42) in 55 ms

shadowrpg.net.      172800  IN  NS  ns1.reganw.com.
shadowrpg.net.      172800  IN  NS  ns2.reganw.com.
shadowrpg.net.      172800  IN  NS  ns3.reganw.com.
;; Received 232 bytes from 192.35.51.30#53(192.35.51.30) in 54 ms

test.shadowrpg.net. 38400   IN  NS  saber.reganw.com.
;; Received 110 bytes from 209.161.6.3#53(209.161.6.3) in 2123 ms

test.shadowrpg.net. 38400   IN  NS  saber.reganw.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 110 bytes from 173.45.238.245#53(173.45.238.245) in 81 ms

test.shadowrpg.net. 38400   IN  NS  saber.reganw.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 110 bytes from 173.45.238.245#53(173.45.238.245) in 82 ms

test.shadowrpg.net. 38400   IN  NS  saber.reganw.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 110 bytes from 173.45.238.245#53(173.45.238.245) in 112 ms

And with saber configured:

^C[regan@gamma ~]$ dig +trace test.shadowrpg.net

; <<>> DiG 9.7.3-P1-RedHat-9.7.3-2.P1.fc13 <<>> +trace test.shadowrpg.net
;; global options: +cmd
.           518400  IN  NS  L.ROOT-SERVERS.NET.
.           518400  IN  NS  J.ROOT-SERVERS.NET. (snip)
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

net.            172800  IN  NS  m.gtld-servers.net.
net.            172800  IN  NS  a.gtld-servers.net. (snip)
;; Received 493 bytes from 198.41.0.4#53(198.41.0.4) in 129 ms

shadowrpg.net.      172800  IN  NS  ns1.reganw.com.
shadowrpg.net.      172800  IN  NS  ns2.reganw.com.
shadowrpg.net.      172800  IN  NS  ns3.reganw.com.
;; Received 232 bytes from 192.12.94.30#53(192.12.94.30) in 165 ms

test.shadowrpg.net. 38400   IN  NS  saber.reganw.com.
;; Received 110 bytes from 209.161.6.3#53(209.161.6.3) in 38 ms

test.shadowrpg.net. 38400   IN  A   127.0.0.2
test.shadowrpg.net. 38400   IN  NS  saber.reganw.com.
;; Received 126 bytes from 173.45.238.245#53(173.45.238.245) in 80 ms

[regan@gamma ~]$

So once you add an NS record, it refers it on, and it ignores any query to itself. Now if you add an A record for the nameserver, it will pass with the NS record as a glue (so the resolver doesn't have to then look up the IP for the new nameserver).

Solution 2:

This issue is somewhat subtle, so let me explain one-by-one.

The correct configuration would be of course to have only one of the two - either NS or any other records.

When you add NS record for test.example.com, you delegate everything from test.example.com and below to another name server. The normal place for the A record for test.net-me.net would be on ns1.anotherdnshost.com.

Now your question may be rephrased - is it OK to have test.example.com A ...in the "parent" example.com zone ? The same question may be asked regardless of any records which may exist or not in thedelegated` zone on anotherhost.

My answer will be dialectic :) 1. Yes, it is OK to have such records in the "parent" zone. But 2. Since test.example.com delegated to ns1.anotherdnshost.com, records for test.example.com and below, which happen to exist (for any reason) on any servers other than ns1.anotherdnshost.com are not authoritative anymore.

Parent zone server, when it replies to test.example.com query, a) Must send the NS record pointing to ns1.anotherdnshost.com and b) May or may not send A record for test.example.com it happens to have, c) even if it does sends the record, it must not flag it as an "authoritative" answer, d) even if it lies and flags such answer as authoritative, resolver which receives such a reply, since it knows that test.example.com is delagated, should consider only answers from it's authoritative server - ns1.anotherdnshost.com).

I tested such configuration with bind9:

  • named, nor named-checkzone does not complains on such a zone - apparently this zone considered correct.
  • When I query parent server for test.example.com, it returns only NS records, like if the test.example.com A 1.1.1.1 would not exist at all.

Other DNS servers software may behave differently, but anyway must obey general rules above.

This related article by Verisign helped me understand this issue.

I am sorry for all the blah blah blah

Solution 3:

test.example.com A 2.2.2.2 should be returned as it is the authoritative ("dominant").

This setup does not violate RFCs.

Reasoning see in my longer answer here.

Related

What's the best method to monitor an OpenVPN server?
expand hostnames to fqdn before calling ssh?
Can a 7200RPM drive transfer speed at a full 6 Gbit/s?
Adding Single Line to File with SaltStack
Varnish 503 error after exactly 60 seconds... how to change this timeout value?
RAM is being under reported in Windows Task Manager?
tcpdump Server Hello Certificate Filter
Use nginx reverse proxy for redirection
Techniques to implement iptables rules
ejabberd starttls_required in c2s/s2s and disable SSLv3 + unsecure Ciphers
DHCPv6: passing delegated prefix to local RA
How can I mount the SSD drive on Amazon's m3.medium?