[OT] Domain Name Registrars

Brian Candler B.Candler at pobox.com
Mon May 22 12:56:19 UTC 2006


On Sun, May 21, 2006 at 09:27:43PM -0300, Duane Whitty wrote:
> So then what the registrars are doing (or supposed to be doing) is 
> providing A and NS records
> for the name servers in my parent zone which point to my primary name 
> servers and
> secondary name servers?

They put NS records pointing at the names of your authoritative nameservers.

They only need to put A records (mapping the names of your authoritative
nameservers to their IP addresses) if those names are within the domain
which is being delegated. For example, if you are registering "example.com"
and your nameserver is "ns1.example.com"

> This then is the "glue" which makes recursive 
> queries possible.

"glue" is the extra A records mentioned above. They are only required if the
nameserver's name is within the name being delegated.

Otherwise, normal recursive lookups are used to map the name in the NS
record to its IP address.

> So, and pardon my verbosity, when a resolver needs to resolve dwlabs.ca, 
> assuming it doesn't
> have the data cached, it queries one of ca0[1,2,4,5,6].cira.ca or 
> ns-ext.isc.org, which then
> responds with the names and ip addresses of the authoritative name 
> servers for dwlabs.ca.
> Am I correct?

Firstly, it queries a root server of its choice.

$ dig @a.root-servers.net. www.dwlabs.ca. a

This refers it to the .CA nameservers you mention. So, next it queries one
of those: e.g.

$ dig @ca05.cira.ca. www.dwlabs.ca. a

; <<>> DiG 9.3.1 <<>> @ca05.cira.ca. www.dwlabs.ca. a
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35868
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;www.dwlabs.ca.                 IN      A

;; AUTHORITY SECTION:
dwlabs.ca.              86400   IN      NS      helsinki.cgc.gc.ca.
dwlabs.ca.              86400   IN      NS      dwpc.dwlabs.ca.

;; ADDITIONAL SECTION:
dwpc.dwlabs.ca.         86400   IN      A       24.224.199.230

Notice that it comes back with the *names* of the two nameservers. The only
IP address it comes back with is for dwpc.dwlabs.ca, since that's inside the
domain dwlabs.ca. (That's glue).

In order to send the query to one of these two nameservers, the cache then
uses its normal name-to-IP recursive resolution techniques to find an A
record for either 'helsinki.cgc.gc.ca' or 'dwpc.dwlabs.ca'.

If it tries to resolve dwpc.dwlabs.ca and doesn't already have the address
in its caches then there's a chicken-and-egg situation; in order to resolve
dwpc.dwlabs.ca it needs to find the IP address of a nameserver for
dwlabs.ca, but dwpc.dwlabs.ca *is* one of the nameservers for dwlabs.ca.

In this situation, it falls back on using the glue A record in the
'ADDITIONAL' section of the referral.

> >That's actually exactly the opposite of the truth. If the name servers for
> >your COM name are in CA, then the IP addresses can be resolved the normal
> >way (recursively).
> >  
> So no glue, but an NS record as in
> example.com.  IN NS   ns1.dwlabs.ca.  ?

Yes.

> In this case the response to the resolver query from the .com 
> authoritative name server
> will be that the unauthoritative answer is ns1.dwlabs.ca.

No. You will get a referral to ns1.dwlabs.ca, saying "this is the
authoritative nameserver which holds the information you're asking for"

> Authoritative 
> answers can be
> found at ca0[1,2,4,5,6].cira.ca or ns-ext.isc.org.  ?

No. Authoritative answers for example.com can be found at ns1.dwlabs.ca.

> So the privilege and responsibility of being a registrar includes, in 
> addition to selling globally
> unique domain names, is in getting and validating information from your 
> clients regarding their
> name servers and then passing on the information to parent zone name 
> servers so that the
> appropriate A records and NS records can be created and or updated (in a 
> timely fashion).

Yes. Since most clients don't know a nameserver from a double-decker bus,
this is why most domain resellers just point the domain at their own
nameservers. It can be quite hard to get them to repoint them at your own
nameservers, since people like you probably represent about 1 in 10,000 of
their customer base.

Regards,

Brian.
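
The glue rule from the message above, as an added example that is not part of the original post: it parses the AUTHORITY and ADDITIONAL sections of the dwlabs.ca referral quoted earlier and reports, per nameserver, whether glue is required and whether it is present. The function names are assumptions made for this illustration.

```python
# Added example (not from the original post): check a referral for required glue.
# REFERRAL is copied from the dig output quoted in the message above.
REFERRAL = """\
;; AUTHORITY SECTION:
dwlabs.ca.              86400   IN      NS      helsinki.cgc.gc.ca.
dwlabs.ca.              86400   IN      NS      dwpc.dwlabs.ca.

;; ADDITIONAL SECTION:
dwpc.dwlabs.ca.         86400   IN      A       24.224.199.230
"""

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def within(name, zone):
    """True if name is the zone itself or a subdomain of it, compared label by label."""
    n, z = norm(name).split("."), norm(zone).split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def parse_records(text):
    """Return (owner, type, rdata) tuples from dig-style record lines, skipping comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and not line.startswith(";") and fields[2] == "IN":
            records.append((norm(fields[0]), fields[3], fields[4]))
    return records

def audit_glue(text):
    """Map each NS target to 'glue present', 'GLUE MISSING' or 'no glue needed'."""
    records = parse_records(text)
    addresses = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    report = {}
    for zone, rtype, target in records:
        if rtype != "NS":
            continue
        ns = norm(target)
        if within(ns, zone):
            # Nameserver lives inside the delegated zone: the parent must supply its address.
            report[ns] = "glue present" if ns in addresses else "GLUE MISSING"
        else:
            # Nameserver lives elsewhere: its address is found by a normal recursive lookup.
            report[ns] = "no glue needed"
    return report

if __name__ == "__main__":
    for ns, status in audit_glue(REFERRAL).items():
        print(f"{ns}: {status}")
```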


More information about the freebsd-isp mailing list