
I have a dedicated server running on a subdomain. I want to configure subdomains in DNS. Basically, I use example.com as my main company domain. I will probably have more than one dedicated server and want them to be s1, s2 etc.

I redirected server.example.com to another DNS provider via NS entries:
server.example.com NS ns1.hostingcompany.example.com
server.example.com NS ns2.hostingcompany.example.com

And there I set up the following entries:

servers.example.com     NS  ns1.hostingcompany.example.com.
servers.example.com     NS  ns2.hostingcompany.example.com.

s1.servers.example.com  NS  ns1s1.servers.example.com.
s1.servers.example.com  NS  ns2s1.servers.example.com.
ns1s1.servers.example.com   A   192.0.2.1
ns2s1.servers.example.com   A   192.0.2.2
s1.servers.example.com  A   192.0.2.1

But servers.example.com does not have an A record. I skipped it, as I wanted to use it only as a grouping DNS entry.

Everything seems to work, except for my local BIND server in the company. It does not recognize s1.servers.example.com or any of its subdomains. When I switch to Google DNS it seems to work fine.

The question is: is this setup proper, and will it work?

Note: Maybe I don't understand how NS entries work. As far as I understand, when an NS record exists in a domain entry, pointing to another DNS server, it is considered "Don't ask me, ask another server", and A records are not needed in this chain.

Patrick Mevzek
Gacek

3 Answers


Unless I am seriously mistaken, I see two problems here.

The first one is trivial. I am writing this answer a few hours after you have posted the question. This means that the new DNS configuration might not yet have propagated through the whole DNS system. Depending on the various TTL entries in the domain's configuration, this may take a day. A typical stage in this process is that some DNS servers already serve new information, while others serve old information.

The second one is your configuration. I cannot see why you have the following entries:

s1.servers.example.com  NS  ns1s1.servers.example.com.
s1.servers.example.com  NS  ns2s1.servers.example.com.
ns1s1.servers.example.com   A   192.0.2.1
ns2s1.servers.example.com   A   192.0.2.2

As far as I have understood your question, s1.servers.example.com is not a subdomain, but just a host. But you are treating it like a subdomain in that you explicitly delegate it to a name server. This is very unusual, and you should probably leave out those four lines. The basic structure should be like this:

  • Tell the world which name servers are responsible / authoritative for resolving all names which are in the servers.example.com namespace. You have done this by the first two lines you have posted in your code box.

  • Then just add entries (A records) for all your hosts to those name servers' configuration. Unless those name servers replicate each other, you should add the respective entries to both of them. You have done this for s1 by the last line you have posted in your second code box.

There should be nothing more to do. Personally, I would add an additional entry for servers.example.com itself, perhaps just pointing it to s1.servers.example.com, because experience shows that people will try that host name and will be worried if it can't be resolved.

Patrick Mevzek
Binarus
  • I have 2 hosting providers. Different ones, each with different name servers. The first hosting is my main hosting, which autoconfigures all hosts when I add a domain to the server etc. I can't connect autoconfiguration from the 2nd server to the 1st (nor vice versa). So I wanted to delegate one of the subdomains (servers.example.com) to serve as a TLD for the second hosting provider. I had some problems with the local DNS server, but it seems it refreshed after some time (cache flushes didn't help). So I was wondering if I'm doing something wrong in this setup. After this question I did some reading, and it seems it's ok. – Gacek Feb 12 '20 at 20:33
  • I am still not sure if I understand your problem. In your question, you wrote: *I redirected server.example.com to another DNS provider via NS entries*. So server.example.com now is under your complete control, and you could easily add all A records for your hosts s1, s2 etc. using the system of that other DNS provider. What am I missing? – Binarus Feb 13 '20 at 07:04
  • My question was whether this is proper and will not break things. Trace paste to make things clearer: https://pastebin.com/XUEbXgL5 `servers.example.com` does not have any records except NS (there is no A nor AAAA record there) - is it proper to just use a subdomain to redirect nameservers? – Gacek Feb 13 '20 at 09:33
  • O.K., now I see. According to your pastebin, s1 and s2 are not just servers (hosts) (as your question implies), but are subdomains of their own. Then your configuration makes sense, but please consider the other answers for corrections. Regarding your other question: It is possible to leave servers.example.com without an IP address, and it won't break things. However, I would not recommend it, because people will be worried if s1.servers.example.com resolves to something but servers.example.com doesn't. – Binarus Feb 13 '20 at 13:25
  • It's only a technical address for the web panel. I may as well point servers.example.com to something. Thank you for your help! – Gacek Feb 13 '20 at 16:49

An A record is not mandatory in general, but it is good to have it there at least to keep a hint of how to reach it in the case of a subdomain (you need to know where ns1.sub.example.com is, which is handling example.com - you know, which came first, the chicken or the egg? / you can't ask for ns1.sub.example.com if you don't know about example.com yet :-) ).

There has to be an SOA (Start Of zone Authority) record, and it is quite common to have at least one NS (Name Server) record. Technically, NS is needed for delegation related to another subdomain, as the "important" NS record for the zone is located in the upper zone (in case you ask for NS you are in the end asking the zone directly, but to reach it you are using the NS from the upper zone).

To picture it, let's assume this structure (example.com, example.net and 192.0.2.0/24 are for documentation purposes and the rest is real in the DNS system - of course reduced to one of the many records...):

. (e.g. a.root-servers.net. - 198.41.0.4 ):
  . IN SOA ...
  . IN NS a.root-servers.net.
  a.root-servers.net. IN A 198.41.0.4 ( <= this is HINT - how to reach it)
  ...
  com. IN NS a.gtld-servers.net.
  a.gtld-servers.net. IN A 192.5.6.30  ( <= this is HINT - how to reach it)
  a.gtld-servers.net. IN AAAA 2001:503:a83e::2:30 ( <= this is HINT - how to reach it)
  ...

com. (e.g. a.gtld-servers.net. - 192.5.6.30 ) :
  com. IN SOA ...
  com. IN NS a.gtld-servers.net.
  ...
  example.com. IN NS ns1.example.com.
  ns1.example.com. IN A 192.0.2.10  ( <= this is HINT)
  ...

example.com ( ns1.example.com. - 192.0.2.10 ) :
 example.com. IN SOA ...
 example.com. IN NS ns1.example.com.
 ns1.example.com. IN A 192.0.2.10
 ...
 www.example.com. IN A 192.0.2.20
 sub.example.com. IN NS ns1.sub.example.com.
 ns1.sub.example.com. IN A 192.0.2.30 ( <= HINT to where to find NS server)
 ...
 sub2.example.com. IN NS ns1.example.net. ( no HINT needed as it points to another zone)
 ...

In this example there is consistent information for the NS delegation of example.com in the zone directly and in the upper zone.

 example.com. IN NS ns1.example.com.
 ns1.example.com. IN A 192.0.2.10

If it differed, it would not be an issue as such, but when looking for the authoritative server the one from the upper zone (com.) will be used, while in the case of regular recursion the record from the zone directly will be returned... So something other than what is technically used can be shown. This may be an issue in case you are migrating the zone to another DNS server - until the former DNS server is up all is OK and looks good, but once it is powered off the zone is not reachable...

The "upper" zone is maintained through the registrar (usually some web form), but the zone itself (your zone) is maintained wherever you point the NS record (registrar server, third-party server or your own DNS server).

To see the record in the upper zone you can use this command (in the case of example.com, so com.'s DNS server):

dig +norec NS example.com @a.gtld-servers.net.

To get the content of the zone example.com you can use (asking e.g. the public Google DNS server):

dig NS example.com @8.8.8.8

In case the delegation is working in general but not on premises, I guess you have a locally defined DNS zone for example.com (e.g. to get internal IPs instead of public ones), so even though you have made the NS delegation for the subdomain, your local instance of the DNS zone example.com has no idea about that - you need to add it there as well.

Next to it, you don't need an extra NS delegation for each subdomain. In case you don't need an extra subdomain DNS server, even the "main" DNS server can handle it.

This is valid content of the zone for example.com:

example.com. IN SOA ...
example.com. IN NS ns1.example.com.
ns1.example.com. IN A 192.0.2.10
...
www.example.com. IN A 192.0.2.20
s1.servers.example.com. IN A 192.0.2.30
s2.servers.example.com. IN A 192.0.2.40
s3.servers.example.com. IN A 192.0.2.50
...

In case you need delegation, just the servers "level" may be enough:

example.com :
 example.com. IN SOA ...
 example.com. IN NS ns1.example.com.
 ns1.example.com. IN A 192.0.2.10
 ...
 www.example.com. IN A 192.0.2.20
 servers.example.com. IN NS ns1.servers.example.com.
 ns1.servers.example.com. IN A 192.0.2.15
 ...

servers.example.com ( ns1.servers.example.com. - 192.0.2.15 ) :
 servers.example.com. IN SOA ...
 servers.example.com. IN NS ns1.servers.example.com.
 ns1.servers.example.com. IN A 192.0.2.15
 ...
 s1.servers.example.com. IN A 192.0.2.30
 s2.servers.example.com. IN A 192.0.2.40
 s3.servers.example.com. IN A 192.0.2.50
 ...

So in case you don't need an extra DNS server for some special purpose directly on s1.servers.example.com, this record from the question is not really needed:

s1.servers.example.com  NS  ns1s1.servers.example.com.
Kamil J
  • Wow, that's a lot of information. Bonus question to the last paragraph. Does the last server/domain in the chain need to have NS entries? From what I see there is always one set with the same NS as the one up in the chain. So it basically means "Stay here" (I want to thank everyone for the answers, but this one seems the most comprehensive one) – Gacek Feb 13 '20 at 16:56
  • The system is supposed to have it there; even without NS records in the "last" zone it would still be working... In the upper zone it is about delegation (where to go for the next needed information), but in the zone directly it is about what to return as the answer, and it is not used as "stay here" - the last un-/known value is cached and until it expires it may affect the next query, but it is not used directly during "the same round" of recursion when it has been received. The value should be consistent, but while both systems are responding it can differ - not be the same on different levels (upper vs. zone directly). – Kamil J Feb 14 '20 at 00:54
  • So, basically NS is "Ignore my records, go to the other name server", and if it happens to be the same as the next one, clients stay on this DNS server. Am I getting it right? – Gacek Feb 14 '20 at 13:02
  • It goes from top to bottom ( . => com. => example.com. etc.). The "upper" level record says where to go as the next step. In case it is not pointing to your server, it will never reach your server. Once it targets your server, then your server is asked. In case it is not the same, your server returns its "own" version, which is cached on the client side. Until it expires on the client side it is used for the next query. After expiration in the cache it is re-queried going from top down... The best option is if it is the same. But a difference doesn't mean it would not work. What is important is to have the whole chain up to be able to reach it. – Kamil J Feb 14 '20 at 16:47

Your configuration is correct, except for:

s1.servers.example.com  A   192.0.2.1

Since you delegated the domain s1.servers.example.com to other name servers, it's their job to define this entry. An exception is the glue records, which must be in the parent zone. You can use them to give a more rational name to the delegated nameservers:

s1.servers.example.com  NS  ns1.s1.servers.example.com.
s1.servers.example.com  NS  ns2.s1.servers.example.com.
ns1.s1.servers.example.com   A   192.0.2.1
ns2.s1.servers.example.com   A   192.0.2.2
Patrick Mevzek
Piotr P. Karwasz
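The two points the answers turn on, the upper zone's NS set agreeing with the zone's own NS set (Kamil J's migration caveat) and an in-bailiwick nameserver needing glue in the parent (Piotr's answer), can be checked offline. The script below is an added example, not code from this thread; it models zone data as (owner, type, rdata) tuples, and the sample records are constructed from the names in the question with RFC 5737 addresses (ns1.newhost.example.net is an invented "new provider" name).

```python
from collections import defaultdict

def index(records):
    # Map (owner, type) -> set of rdata; names lower-cased with the trailing root dot removed.
    idx = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "NS":
            rdata = rdata.lower().rstrip(".")
        idx[(owner.lower().rstrip("."), rtype)].add(rdata)
    return idx

def check_delegation(parent_records, child_records, zone):
    """Return a list of problems; an empty list means the delegation is consistent."""
    zone = zone.lower().rstrip(".")
    parent, child = index(parent_records), index(child_records)
    parent_ns, child_ns = parent[(zone, "NS")], child[(zone, "NS")]
    problems = []
    if not parent_ns:
        problems.append(f"parent holds no NS records for {zone}")
    if not child[(zone, "SOA")]:
        problems.append(f"child zone {zone} has no SOA record")
    if parent_ns and child_ns and parent_ns != child_ns:
        problems.append(f"NS mismatch for {zone}: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    for ns in sorted(parent_ns):
        # An in-bailiwick nameserver (named inside the zone it serves) is only reachable
        # if the parent also publishes its address, i.e. a glue A/AAAA record.
        if ns.endswith("." + zone) and not (parent[(ns, "A")] or parent[(ns, "AAAA")]):
            problems.append(f"in-bailiwick nameserver {ns} has no glue A/AAAA in parent")
    return problems

# Constructed sample data using the names from the question and RFC 5737 addresses.
SOA = "hostmaster.example.com. 1 7200 900 1209600 3600"
PARENT = [                       # example.com zone, delegating servers.example.com
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.10"),
    ("servers.example.com.", "NS", "ns1.hostingcompany.example.com."),
    ("servers.example.com.", "NS", "ns2.hostingcompany.example.com."),
]
CHILD_OK = [                     # servers.example.com as served by the second provider
    ("servers.example.com.", "SOA", "ns1.hostingcompany.example.com. " + SOA),
    ("servers.example.com.", "NS", "ns1.hostingcompany.example.com."),
    ("servers.example.com.", "NS", "ns2.hostingcompany.example.com."),
    ("s1.servers.example.com.", "A", "192.0.2.1"),
]
CHILD_MOVED = [                  # same zone after a move the parent never learned about
    ("servers.example.com.", "SOA", "ns1.newhost.example.net. " + SOA),
    ("servers.example.com.", "NS", "ns1.newhost.example.net."),
    ("s1.servers.example.com.", "NS", "ns1.s1.servers.example.com."),  # and a glue-less delegation
]
```

Running `check_delegation(PARENT, CHILD_MOVED, "servers.example.com")` reports the NS mismatch that only shows up once the old provider stops answering, and `check_delegation(CHILD_MOVED, [], "s1.servers.example.com")` reports the missing SOA and the missing glue for ns1.s1.servers.example.com.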