zone before delegation?

Kevin Darcy kcd at
Fri Oct 28 19:50:21 UTC 2011

On 10/28/2011 12:48 PM, Laws, Peter C. wrote:
> It seems like there are two ways I could delegate a zone.
> I could, in the zone file for the parent, simply list the name of the zone
> and a number of NS records to which the zone has been delegated.
> Or, I could create a zone statement within named.conf that points to a file
> that contains an SOA and a number of NS records to which the zone has been
> delegated.
In and of itself, that's not "delegation".
> Which is better and which should I prefer?
> Ideally, I'd like to make the zone first with the NSes pointed to the same
> server plus various and sundry other As and CNAMEs, but need help on this
> point before I do anything.
> BTW, this is on RHEL's BIND9 and no, the master has yet to have the RHEL
> bind97 RPMs installed, and yes, I am a bad admin for not doing that.
No, there aren't 2 ways of "delegating" a zone. You should think of this 
as 2 separate functions: "hosting" a zone, versus "delegating" the zone.

You can host a zone that's not delegated, but then it's not connected to 
the overall namespace tree, so resolvers won't be able to find it 
through the normal algorithm for following delegation chains. In order 
for anyone to resolve anything from the zone, they'd have to have 
specific knowledge of where the zone is hosted (or talk to something 
that has that explicit knowledge, or with even more levels of 
indirection, e.g. zones of type "forward" or "stub", but ultimately some 
zone-specific explicit configuration is necessary).

On the other hand, you can delegate a zone and **not* *host it. This is 
done all the time (think gTLD or ccTLD servers delegating zones to 
domain registrants rather than hosting it themselves).

It's kind of like the difference between having a phone line installed 
and publishing the number in the phone book. Some people have unlisted 
phone numbers (analogous to undelegated zones), and then only their 
friends, relatives, etc. will use it (maybe the occasional robo-caller). 
Or, you can publish your phone number in the phone book, so anyone 
generally can call you if they need to.

Undelegated zones tend to be rather rare, since really the whole point 
of having a hierarchical namespace is so that the relevant information 
can be found using a relatively-simple search-within-hierarchy 
algorithm. Also, as others have pointed out, DNSSEC assumes normal 
delegation chains, so undelegated zones miss out there too.

                                     - Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list