MNET Services>Telecom Data Networking>Domain Name Services (DNS)>DNS Authority

13 Domain Authority

This section provides background material to help you understand the concept of “domain authority.”

13.1 What is DNS Authority?
Any DNS server that contains a complete copy of the domain's zone file is considered to be authoritative for that domain. A complete copy of a zone file must have:

  • A valid Start of Authority (SOA) record,
  • Valid Name Server (NS) records for the domain and
  • The listed NS records should match the servers listed in the SOA record.

    Servers listed in the zone file but not in the SOA record are called lame servers and such a configuration should be avoided. It is considered standard practice to have a primary authoritative DNS server and one or more secondary authoritative DNS servers. When registering your domain with an accredited domain name registrar, the primary authoritative DNS server is the server you list first: all other DNS servers you list will be secondary. The secondary server and the primary server should be on different IP subnets and the hardware should be located in different physical locations. By putting the DNS servers on different subnets and placing them apart geographically, you greatly reduce the risk that a single outage will take down the entire system of DNS servers for your domain. Having more than one secondary DNS server for your domain is also good practice, but you can only designate one primary DNS server with your registrar because the DNS can only point to a single primary DNS server for your domain.

    13.2 What is an Authoritative DNS Server?

    DNS Servers can be configured to host more than one domain. A server can be primary for one domain and secondary for another. The term authoritative refers to any DNS server that has a complete copy of the domain's information, whether it was entered by an administrator or transferred from a primary server. Thus, a secondary server can and should be authoritative for any domain for which it performs secondary resolution.

    Note that if a secondary server loses contact with the primary server for a domain, it will stop being an authoritative server after a timeout period (usually a few days).

    13.3 What is an Authoritative DNS Response?

    Any response to a DNS query that originates from a DNS server with a complete copy of the zone file is said to be an authoritative response. What complicates matters is that DNS servers cache the answers they receive. If a DNS server has an SOA record, it fills in a field in the response that signals that the server queried is authoritative for the domain and that the answer is authoritative. Any DNS server external to that domain that retrieved the authoritative response will cache that answer. The next time the server is queried, it will say that the answer it is giving is authoritative, even though the server itself is not authoritative for that domain

    In other words, it is possible for a DNS server that is not an authoritative server for a domain to give an authoritative response to a DNS query.

    13.4 What is a Non-Authoritative DNS Server?

    Non-authoritative servers do not contain copies of any domains. Instead they have a cache file that is constructed from all the DNS lookups they have performed in the past for which they have gotten an authoritative response and for which the response has not “timed-out.”

    Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS) Page 14 of 14 When a non-authoritative server queries an authoritative server and receives an authoritative answer, it passes that answer along to the querent as an authoritative answer. Thus, non-authoritative servers can answer authoritatively for a given DNS request. However, if another request comes for a different name in the same domain, they can’t answer without asking an authoritative server for that domain.

    Most often, a non-authoritative server answers with a previous lookup from its lookup cache. Any answer retrieved from the cache of any server is deemed non-authoritative because it did not come from an authoritative server.

    13.5 What is a Non-Authoritative DNS Response?

    Non-authoritative responses come from DNS servers that have cached an answer for a given host, but received that information from a server that is not authoritative for the domain.