What makes a DNS server authoritative.

Strider22 · 11-16-2005, 02:21 PM

I've read the following trying to understand what makes a DNS server authoritative for a zone.

I leel like I'm reading Knuth on cyclic redundancy. The server is authoritative because it is authoritative.

Do any of the following matter to determine authoritative?

1) The server has all the answers. It is authoritative for the zone.
[see above]

2) The DNS servier with the answers is the one pointed to in the whois record. (Yes we all know that whois itself doesn't matter for DNS but the registration is an indicator of what is in the domain database.)

3) The DNS server is located in the zone it is providing answers for.

4) The DNS has a PTR record. (That works)

The most "authoritative" answer I found is from ARIN (American Registry for Internet Numbers) BUT it may only be valid for the in-addr.arpa domain.

ARIN has developed a script to test for
lame DNS delegations within the in-addr.arpa domain. A delegation in
DNS is the assignment of a zone to a name server. The script queries
name servers for the zones they are supposed to have according to
registration information in the ARIN database.
A name server is tested by asking
for data that has to be present in a zone, the script requests the
SOA resource record. If the name server responds with a positive
answer and claims to be authoritative, the name server is okay for
that zone.
Any other answer indicates that the name server is lame for the
tested zone.
If there is no answer, the test is repeated over a span of
time and if there is persistently no answer, the name server is
considered lame.

There are three fields in a response that can indicate that a name server is lame for a zone.

First is that a response might have a status that is not NOERROR.
Second is that a response might not set the flag indicating an
authoritative answer (aa).
Third is that there may be no answer records in the response
(ANSWER=0).
If an answer does not have all three fields set correctly, the answer indicates lameness.

</end ARIN quote>

How does one get the aa bit set? Is it a bind/djbdns setting? Is it automatic when the server makes no referrals?
What data is it that is required to be present in the zone in order for it to be authoritative.

I have set up dynamic web sites using different DNS services and some are authoritative and others are not. As of yet I can't determine why.

Darin · 11-17-2005, 01:06 PM

AFAIK you tell the DNS server to either be, or not be, authoritative for each zone in the configuration. There is, of course, a distinction between whether the DNS server thinks it's authoritative and whether ICANN lists it as the authoritative server for a given domain. This means I can take my DNS server and configure it as the authoritative DNS server for the domain foo.bar, but the rest of The Internet will not belive this until I buy that domain and register my DNS server. What you got from ARIN is basically a laundry list of the settings that can't be misconfigured on a DNS server that is listed as authoritative.

If you have a domain with a DNS service, then they should be the authoritative DNS for your domain, and you just tell them what IP to point the name to. If you bought a domain under the condition that you would provide your own DNS then you need to have an authoritative DNS server set up. Setting type master on a zone in BIND makes it authoritative (I belive that's what makes it send the aa flag) and the rest of it is pointing to a valid host and setting any required extra info, such as SOA in the zonefile.

FYI PTR records are for reverse DNS, for (forward) DNS you need A records and possibly CNAMEs

Code:

@ SOA @ hostmaster.foo.bar. { 1234 8h 2h 4w 1d }
  NS  ns.foo.bar.
  A   192.168.0.2
  TXT "bogus domain"

www   CNAME  foo.bar.
ns    CNAME foo.bar.
mail  A 192.168.0.3