Before reading this tutorial, you should already be familiar with the following concepts:

Basic Concepts, Networking Concepts, and DNS Concepts, including:
  • IP Addresses
  • Client/Server


Authoritative Servers

DNS servers can be configured to host more than one domain: a server can be primary for one domain and secondary for another. The term authoritative refers to any DNS server that has a complete copy of the domain's information, whether it was entered by an administrator or transferred from a primary server. Thus, a secondary server can and should be authoritative for any domain it serves as a secondary.

What is Authority?

Any DNS server that contains a complete copy of the domain's zone file is considered authoritative for that domain (and only that domain). A complete copy of a zone file must have:

It is considered standard practice to have a primary authoritative DNS server AND a secondary authoritative DNS server. When registering your domain with an accredited domain name registrar, the primary authoritative DNS server is the server you list first; all other DNS servers you list will be secondary. The secondary server and the primary server should be on different IP subnets, and the hardware should be located in different physical locations. By putting the two DNS servers on different subnets and placing them geographically apart, you greatly reduce the risk that a single catastrophe will take down the entire set of DNS servers for your domain. Having more than one secondary DNS server for your domain is also good practice, but you can only designate ONE primary DNS server with your registrar, because DNS can only point to a single primary DNS server for your domain.

Authoritative Responses

Any response to a DNS query that comes from a DNS server with a complete copy of the zone file is said to be an 'authoritative response'. What complicates matters is that DNS servers cache the answers they receive. If a DNS server has an SOA record for the domain, it sets a flag in the response that signals that the queried server is authoritative for the domain and that the answer is authoritative. Any DNS server outside that domain that receives the authoritative response will cache that answer. The next time that server is queried, it will say that the answer it is giving is authoritative, even though it is not authoritative for that domain.

In other words, it IS possible for a DNS server that is NOT an authoritative server for a domain to give an 'authoritative response' to a DNS query for a domain it does not serve.

Non-authoritative responses come from DNS servers that have cached an answer for a given host but received that information from a server that is not authoritative for the domain.
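As an added example (not code from the original tutorial), the following Python decodes the header field the text refers to: the AA (Authoritative Answer) flag in the DNS response header, which a server sets when it answers from its own copy of the zone. The two sample replies are constructed inside the code rather than captured from a real server, and the header layout follows RFC 1035.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, section 4.1.1).
QR_BIT = 0x8000  # 1 = this message is a response
AA_BIT = 0x0400  # Authoritative Answer: set by a server holding the zone
TC_BIT = 0x0200  # TrunCation
RD_BIT = 0x0100  # Recursion Desired
RA_BIT = 0x0080  # Recursion Available (typically set by caching resolvers)

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message into its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR_BIT),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA_BIT),
        "tc": bool(flags & TC_BIT),
        "rd": bool(flags & RD_BIT),
        "ra": bool(flags & RA_BIT),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify_response(msg: bytes) -> str:
    """Label a message by what its header claims about authority."""
    h = parse_header(msg)
    if not h["is_response"]:
        return "query"
    if h["rcode"] != 0:
        return "error (rcode=%d)" % h["rcode"]
    return "authoritative" if h["aa"] else "non-authoritative"

def build_header(ident: int, *, response: bool = True, aa: bool = False,
                 rd: bool = True, ra: bool = False, rcode: int = 0,
                 ancount: int = 0) -> bytes:
    """Construct a DNS header for the samples below (test data, not captured traffic)."""
    flags = (rcode & 0xF) | (RD_BIT if rd else 0) | (RA_BIT if ra else 0)
    flags |= (QR_BIT if response else 0) | (AA_BIT if aa else 0)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)

# Constructed samples: a reply from a server that holds the zone (AA set),
# and the same answer handed out from a resolver's cache (AA clear, RA set).
AUTH_REPLY = build_header(0x1234, aa=True, ancount=1)
CACHED_REPLY = build_header(0x1234, ra=True, ancount=1)
```

Feeding a real reply's bytes (for example from a raw UDP socket) to `classify_response` shows whether the responding server claimed authority for the answer it gave.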

