SOA and forwarders - Help for an exam please.

Herb Martin news at LearnQuick.com
Wed Oct 1 16:24:03 UTC 2003


> I'm studying for a Networking exam and in one of my text books it makes
> the following statement:
>
> The root name server of a domain is the domain name server that acts as
> the Start of Authority for that zone. Moreover it is a server that forms
> the top-level server in your domain. As such, it contains the "." domain
> and thus can't be a forwarder.

The above is a very misleading (probably wrong) explanation and confuses
at least two or three issues that can best be explained separately.

1) Every zone file has a "SOA" record -- on every "authoritative" server for
that zone.

2) Primary (or AD Integrated) and Secondary servers ARE AUTHORITATIVE
for their zone.

3) The "root" or "." (dot) zone is just another zone that is special only in
that it is at the top of the hierarchy -- the starting place for true recursion
down through the entire namespace.  It of course has a zone file, SOA record,
and DNS servers pretty much like any other zone.

The classical way to resolve names is for each DNS server to actually
"recurse" from the top of the namespace (this root) downwards.

> To resolve queries outside of your domain, you should set up a forwarder,
> which will eventually have a cache full of information. When a DNS server
> cannot resolve a query, it moves (escalates) it up to a root server that is
> authoritative for a zone. The start of authority (SOA) record is the first
> record in the database.

Again, confusing multiple issues -- if this is a representative example of
your book, throw it away.

1) Forwarding is an option to (or in addition to) actual recursion -- needed
typically when internal DNS servers either cannot or should not visit the
Internet; we set them to forward, usually to the ISP DNS, and let that DNS
server perform the actual recursion.

> I don't understand why a top level server in my domain "contososo.com"
> can't be a forwarder even though it is the only DNS server in my domain.
> It's probably a simple answer, but I just don't quite get it......

It can, but the forwarder is the server that performs the actual recursion
(usually your ISP DNS or perhaps your firewall/gateway DNS) -- the forwarding
server is typically your internal "contoso.com" DNS server.

BUT NOTE that setting up forwarding has NOTHING to do with the zones on
that server, with ONE exception: if the server holds the "." (root zone), then
MS DNS disables the possibility of setting a forwarder.

It helps to understand DNS by realizing that "recursion and forwarding" are
about "Helping your users resolve names throughout the namespace" (the world)
and that "zones" are about telling the world (maybe just your users) about
your OWN RESOURCES.

Some DNS servers do both but it helps to mentally separate the functions
(and many DNS experts recommend separating them physically):

    1) Helping to resolve names for your users
    2) Providing resolution for your own resources (servers, etc.)

Troubleshooting them is nearly distinct -- and thinking about two things at
once leads to complication and confusion.

-- 
Herb Martin
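As an added example (not part of Herb's post), a BIND named.conf fragment for the situation the questioner describes: the only DNS server in contoso.com is authoritative for its own zone and, independently of that, forwards everything else to the ISP's resolvers, which do the real recursion. The ACL ranges, forwarder addresses and file paths are placeholders.

```conf
// Added example: the single internal DNS server for contoso.com.
// It does both of Herb's two jobs, and the configuration for each
// is independent of the other.  All addresses/paths are placeholders.

acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };   // placeholder nets

options {
    directory "/var/named";                  // placeholder path

    // Job 1: helping your users resolve names throughout the namespace.
    // Recursion is offered only to internal clients, so this server does
    // not become an open resolver for the Internet.
    recursion yes;
    allow-recursion { internal; };

    // Everything this server is not authoritative for is handed to the
    // ISP resolvers (the "forwarders"); they recurse from "." on our behalf.
    forwarders { 192.0.2.53; 192.0.2.54; };  // placeholder (TEST-NET-1)
    forward only;   // never try to recurse from the root ourselves
};

// Job 2: telling the world (or just your users) about your OWN resources.
// This zone existing here has no effect on the forwarding set up above.
zone "contoso.com" {
    type master;
    file "contoso.com.zone";                 // placeholder; holds the SOA
    allow-transfer { internal; };            // secondaries only, not the world
};

// Do NOT add an authoritative zone "." on this server: that would make it
// claim to be the top of the namespace, which is the one case (per the post)
// where MS DNS refuses to let a forwarder be configured.
```

A server that merely needs to know where the root servers are uses a root hints zone, which is a different thing from being authoritative for ".".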


