What happens when two DNS zones intersect on the same server?
When overlapping zones are defined on an authoritative nameserver, the most specific zone is used to provide the answer.
- A query of `example.com. IN A?` hits the `example.com` zone.
- A query of `foo.example.com. IN A?` hits the `foo.example.com` zone. If `foo.example.com` is defined in the `example.com` zone, it will be ignored.
- A query of `sub.foo.example.com. IN A?` hits the `foo.example.com` zone, because it is more specific for the request than `example.com`.
In your specific example, the returned value for the query would be NXDOMAIN because the `foo.example.com` zone does not provide an A record definition for itself.
To use DNS terminology, there is effectively a zone cut at the boundary between the parent zone and the more specific zone. RFC 2181 §6.1 describes the proper behavior for your scenario:

> Such a server is authoritative for all resource records in a zone that are not in another zone. The NS records that indicate a zone cut are the property of the child zone created, as are any other records for the origin of that child zone, or any sub-domains of it. A server for a zone should not return authoritative answers for queries related to names in another zone, which includes the NS, and perhaps A, records at a zone cut, unless it also happens to be a server for the other zone.
>
> Other than the DNSSEC cases mentioned immediately below, servers should ignore data other than NS records, and necessary A records to locate the servers listed in the NS records, that may happen to be configured in a zone at a zone cut.
As for which is a best practice, that's completely up to you. You can put all of your records in a single zone, or break out separate zone files for your subdomains if it would be more convenient (say, due to them containing hundreds of records each). The one thing I would caution, which isn't very obvious, is that validation tools like `named-checkzone` typically have no awareness of subzones living on the same server and may generate incorrect warnings if the parent zone includes references to records inside the child zone (say, CNAME aliases).
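To make the zone-selection rule in the answer above concrete, here is a small added model of an authoritative server that has loaded overlapping zones. It is example code written for this page, not code from the answer, from BIND, or from any other nameserver; the two zones, their records and addresses are constructed for illustration, and the function names (`closest_enclosing_zone`, `served_records`, `authoritative_answer`) are this example's own. The model applies RFC 2181 §6.1 twice: a query is answered from the most specific loaded zone, and a parent's own data at or below a loaded child's origin is dropped except for the delegation NS set and glue addresses. One assumption to note: the model returns NOERROR with an empty answer (NODATA) whenever the queried name exists in the selected zone but has no record of the queried type, and NXDOMAIN only when no such name exists there at all.

```python
"""Added model of zone selection on an authoritative server that loads
overlapping zones (RFC 2181 section 6.1).  All zone data below is constructed
for illustration; helper names are this example's own, not BIND's."""

from dataclasses import dataclass, field

# Of a parent's records at/below a loaded child's origin, only these survive:
# the delegation NS set at the cut and glue addresses for servers named in it.
DELEGATION_TYPES = {"NS"}
GLUE_TYPES = {"A", "AAAA"}


def canonical(name: str) -> str:
    """Lower-case, fully qualified form: 'Foo.Example.com' -> 'foo.example.com.'"""
    return name.rstrip(".").lower() + "."


def is_at_or_below(name: str, origin: str) -> bool:
    """True if name equals origin or is a subdomain of it (label-wise, not substring)."""
    n = canonical(name).split(".")
    o = canonical(origin).split(".")
    return len(n) >= len(o) and n[-len(o):] == o


@dataclass
class Zone:
    origin: str
    # owner name -> list of (rrtype, rdata); every apex owns at least SOA and NS
    records: dict = field(default_factory=dict)


def closest_enclosing_zone(zones, qname):
    """The most specific loaded zone (longest origin) that contains qname, or None."""
    enclosing = [z for z in zones if is_at_or_below(qname, z.origin)]
    if not enclosing:
        return None
    return max(enclosing, key=lambda z: len(canonical(z.origin).split(".")))


def served_records(zone, zones):
    """Records of `zone` the server treats as this zone's own data.

    Owner names at or below the origin of a child zone that is also loaded
    belong to that child; of the parent's copies only the NS set at the cut and
    glue for nameservers named in that NS set are kept (RFC 2181 section 6.1).
    """
    children = [z for z in zones
                if z is not zone and canonical(z.origin) != canonical(zone.origin)
                and is_at_or_below(z.origin, zone.origin)]
    kept = {}
    for owner, rrs in zone.records.items():
        child = next((c for c in children if is_at_or_below(owner, c.origin)), None)
        if child is None:
            kept[owner] = list(rrs)          # ordinary parent data, untouched
            continue
        cut_ns_targets = {canonical(rdata)
                          for t, rdata in zone.records.get(canonical(child.origin), [])
                          if t == "NS"}
        surviving = []
        for t, rdata in rrs:
            if canonical(owner) == canonical(child.origin) and t in DELEGATION_TYPES:
                surviving.append((t, rdata))  # delegation NS at the zone cut
            elif canonical(owner) in cut_ns_targets and t in GLUE_TYPES:
                surviving.append((t, rdata))  # glue for a nameserver inside the child
        if surviving:
            kept[owner] = surviving           # everything else (e.g. an apex A) is ignored
    return kept


def authoritative_answer(zones, qname, qtype):
    """Return (rcode-like status, list of rdata) for a query against the loaded zones."""
    qname = canonical(qname)
    zone = closest_enclosing_zone(zones, qname)
    if zone is None:
        return ("REFUSED", [])                # server is not authoritative for any enclosing zone
    data = served_records(zone, zones)
    rrs = data.get(qname)
    if rrs is None:
        # An empty non-terminal (only names below it exist) is NODATA, not NXDOMAIN.
        if any(is_at_or_below(owner, qname) for owner in data):
            return ("NODATA", [])
        return ("NXDOMAIN", [])
    matches = [rdata for t, rdata in rrs if t == qtype]
    return ("ANSWER", matches) if matches else ("NODATA", [])


# Constructed zones: the parent carries an A record at foo.example.com that the
# loaded child zone shadows, glue for the child's nameserver, and a CNAME into it.
PARENT = Zone("example.com.", {
    "example.com.":        [("SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"),
                            ("NS", "ns1.example.com.")],
    "ns1.example.com.":    [("A", "192.0.2.53")],
    "www.example.com.":    [("A", "192.0.2.10")],
    "foo.example.com.":    [("NS", "ns.foo.example.com."), ("A", "192.0.2.99")],
    "ns.foo.example.com.": [("A", "192.0.2.54")],
    "old.example.com.":    [("CNAME", "sub.foo.example.com.")],
})
CHILD = Zone("foo.example.com.", {
    "foo.example.com.":     [("SOA", "ns.foo.example.com. hostmaster.example.com. 1 3600 900 1209600 300"),
                             ("NS", "ns.foo.example.com.")],
    "ns.foo.example.com.":  [("A", "192.0.2.54")],
    "sub.foo.example.com.": [("A", "192.0.2.20")],
})
SERVER = [PARENT, CHILD]

if __name__ == "__main__":
    for name in ("www.example.com", "foo.example.com", "sub.foo.example.com",
                 "nope.foo.example.com", "example.net"):
        print(f"{name:24} IN A -> {authoritative_answer(SERVER, name, 'A')}")
    print("parent data as served:", served_records(PARENT, SERVER))
```

Loading only `PARENT` (drop `CHILD` from the list) makes the parent's `foo.example.com A 192.0.2.99` answerable again, which is exactly the shadowing effect the answer describes and the reason a zone checker that sees one file at a time can warn about `old.example.com`'s CNAME target while the running server resolves it fine.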