Multiple levels of subdomain delegation


Revision as of 20:17, 25 September 2008 by Hutch (Talk | contribs)


In this (admittedly convoluted, but I encountered it at work) example, assume the zone we are authoritative for is

  • We want to delegate to two name servers, and
  • We want to delegate to a different name server,
  • The name servers for know nothing about (this can be a problem with the glue record; see below).

Our zone will look something like (assuming an $ORIGIN of

  • Delegations
shiznit IN NS ns1.shiznit
shiznit IN NS ns2.shiznit
subdomain.shiznit IN NS ns1.subdomain.shiznit
  • Glue records
ns1.shiznit IN A
ns2.shiznit IN A
ns1.subdomain.shiznit IN A (not needed, see below)

There can be a problem with the above configuration. Although BIND 9 (9.3.4-P1 in this example) will correctly follow the subdomain delegation of subdomain.shiznit, it will not use the ns1.subdomain.shiznit glue record in the zone.

In other words, BIND will attempt to resolve the A record for ns1.subdomain.shiznit by querying the delegated name servers for the shiznit subdomain, ns1.shiznit and ns2.shiznit.

To make this work, you can either:

  • Place the glue record in its parent, i.e., add the following DNS A record to the ns1.shiznit and ns2.shiznit name servers (assuming an $ORIGIN of
ns1.subdomain IN A
  • Configure subdomain.shiznit as a forward or stub zone.

It probably makes the most sense to have the name servers properly delegate the subdomain.
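The check below is an added example, not part of the original page: it scans a zone for address records that sit below a delegation but are not glue for that delegation's own name servers, which is the situation described above, and reports the zone where each record belongs. It generalizes to any delegation depth. The zone text, the 192.0.2.x addresses, the `www` record and the function names are constructed for illustration, and all names are assumed to be relative to the zone's $ORIGIN.

```python
# Added example: constructed zone data; names are relative to the zone's $ORIGIN.
# The addresses are RFC 5737 documentation values, not taken from the page.
ZONE = """\
shiznit            IN NS ns1.shiznit
shiznit            IN NS ns2.shiznit
subdomain.shiznit  IN NS ns1.subdomain.shiznit
ns1.shiznit        IN A  192.0.2.1
ns2.shiznit        IN A  192.0.2.2
ns1.subdomain.shiznit IN A 192.0.2.53
www                IN A  192.0.2.80
"""

def parse(zone_text):
    """Return (owner, type, rdata) tuples from 'owner IN TYPE rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if len(fields) == 4 and fields[1].upper() == "IN":
            records.append((fields[0].lower(), fields[2].upper(), fields[3].lower()))
    return records

def is_under(name, ancestor):
    """True if name equals ancestor or is a descendant of it."""
    return name == ancestor or name.endswith("." + ancestor)

def unused_glue(zone_text):
    """Find address records below a delegation that are not that delegation's glue.

    Returns (owner, cut) pairs: lookups for 'owner' go to the servers of 'cut',
    so the record belongs in the 'cut' zone rather than in this one.
    """
    records = parse(zone_text)
    ns_targets = {}  # delegation point -> set of its NS target names
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != "@":
            ns_targets.setdefault(owner, set()).add(rdata)
    findings = []
    for owner, rtype, _ in records:
        if rtype not in ("A", "AAAA"):
            continue
        cuts = [c for c in ns_targets if is_under(owner, c)]
        if not cuts:
            continue  # ordinary authoritative data, not below any delegation
        top = min(cuts, key=lambda c: c.count("."))  # shallowest enclosing delegation
        if owner not in ns_targets[top]:
            findings.append((owner, top))
    return findings

if __name__ == "__main__":
    for owner, cut in unused_glue(ZONE):
        print(f"{owner}: not glue for {cut}; add it to the {cut} zone instead")
```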
