Name Server Operations Guide for BIND Release 4.9.5 : Types of Zones
Previous: Denial of Service: TTL Inconsistency Attacks
Next: Types of Servers

4. Types of Zones

A ``zone'' is a point of delegation in the DNS tree. It contains all names from a certain point ``downward'' except those which are delegated to other zones. A ``delegation point'' has one or more NS records in the ``parent zone'', which should be matched by equivalent NS records at the root of the ``delegated zone'' (i.e., the ``@'' name in the zone file).

Understanding the difference between a ``zone'' and a ``domain'' is crucial to the proper operation of a name server. As an example, consider the DEC.COM domain, which includes names such as POBOX1.PA.DEC.COM and QUABBIN.CRL.DEC.COM even though the DEC.COM zone itself contains only the delegations for the PA.DEC.COM and CRL.DEC.COM zones; those names live in the delegated zones, not in the DEC.COM zone. A zone can map exactly to a single domain, but it can also cover only part of a domain, the rest of which is delegated to other name servers. Technically speaking, every name in the DNS tree is a ``domain'', even a ``terminal'' one with no ``subdomains'', and every domain except the root is also a subdomain of its parent. The terminology is not intuitive and you would do well to read RFCs 1033, 1034, and 1035 to gain a complete understanding of this difficult and subtle topic.

Though BIND is a Domain Name Server, it deals primarily in terms of zones. The primary and secondary declarations in the named.boot file specify zones, not domains. When you ask someone if they are willing to be a secondary server for your ``domain'', you are actually asking for secondary service for some collection of zones.

Each zone will have one ``primary'' server, which loads the zone contents from some local file which is edited by humans or perhaps generated mechanically from some other local file which is edited by humans. Then there will be some number of ``secondary'' servers, which load the zone contents using the DNS protocol itself: each secondary contacts the primary and fetches the zone over TCP (a zone transfer). This set of servers (the primary and all of the secondaries) should be listed in the NS records in the parent zone, which constitute the ``delegation''. At least this set of servers must also be listed in the zone file itself, usually under the ``@'' name, which is a magic cookie that means the ``top level'' or ``root'' of the current zone. You can list servers in the zone's top-level ``@'' NS records that are not in the parent's NS delegation, but you cannot list servers in the parent's delegation that are not present in the zone's ``@''. Any server listed in the NS records must be configured as authoritative (either primary or secondary) for the zone. If a server listed in an NS record is not authoritative for the zone, the delegation to it is ``lame'': when queried for names in the zone it answers without the authoritative-answer bit (or not at all), and resolvers that follow the delegation waste time discovering this.
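The two points above, which zone a name belongs to and whether a delegation is consistent and non-lame, are worth checking mechanically. The following is an added example, not BIND code and not from the guide: it uses the guide's DEC.COM zones to resolve names to their containing zone, and a constructed set of name-server names and ``authoritative for'' assignments (ns1.pa.dec.com, ns3.example.net and the like are invented for the example) to apply the parent/child NS rules.

```python
"""Zone vs. domain, and parent/child NS consistency, as described in the guide.

Added example (not BIND code). The zone apexes are the guide's DEC.COM
illustration; the name-server names, the host "host.dec.com" and the
AUTHORITATIVE_FOR table are constructed for this example.
"""


def labels(name):
    """Split a domain name into labels, lowest label first, case-folded."""
    return name.rstrip(".").lower().split(".")


def zone_for(name, zone_apexes):
    """Return the apex of the zone that contains ``name`` (or None).

    A zone holds every name below its apex except those below a delegation
    point, so the containing zone is the *longest* apex that is a suffix
    of the name.  POBOX1.PA.DEC.COM is in the DEC.COM domain but in the
    PA.DEC.COM zone.
    """
    target = labels(name)
    best = None
    for apex in zone_apexes:
        suffix = labels(apex)
        if len(suffix) <= len(target) and target[-len(suffix):] == suffix:
            if best is None or len(suffix) > len(labels(best)):
                best = apex
    return best


def check_delegation(zone, parent_ns, child_apex_ns, authoritative_for):
    """Apply the guide's two rules to one delegation.

    1. Every server in the parent's NS delegation must also appear in the
       child zone's "@" NS records; extra servers in the child are allowed.
    2. Every server named in either set must be configured as primary or
       secondary for the zone, otherwise the delegation to it is lame.
    Returns {"missing_from_child": [...], "lame": [...]} with sorted lists.
    """
    missing_from_child = sorted(parent_ns - child_apex_ns)
    lame = sorted(
        ns for ns in parent_ns | child_apex_ns
        if zone not in authoritative_for.get(ns, set())
    )
    return {"missing_from_child": missing_from_child, "lame": lame}


# Zone apexes from the guide's DEC.COM example.
ZONES = ["dec.com.", "pa.dec.com.", "crl.dec.com."]

# Constructed delegation data for PA.DEC.COM (server names are invented).
PARENT_NS = {"ns1.pa.dec.com.", "ns2.pa.dec.com.", "ns3.example.net."}
CHILD_APEX_NS = {"ns1.pa.dec.com.", "ns2.pa.dec.com.", "ns4.example.org."}
AUTHORITATIVE_FOR = {
    "ns1.pa.dec.com.": {"pa.dec.com."},
    "ns2.pa.dec.com.": {"pa.dec.com."},
    "ns3.example.net.": set(),            # delegated to, never configured: lame
    "ns4.example.org.": {"pa.dec.com."},  # listed only in the child: allowed
}

if __name__ == "__main__":
    for host in ("pobox1.pa.dec.com", "quabbin.crl.dec.com", "host.dec.com"):
        print(f"{host:22} domain dec.com, zone {zone_for(host, ZONES)}")
    print(check_delegation("pa.dec.com.", PARENT_NS, CHILD_APEX_NS, AUTHORITATIVE_FOR))
```

In the constructed data, ns3.example.net appears in the parent's delegation but neither in the child's ``@'' NS records nor in any server's configuration, so it is reported under both rules; ns4.example.org is present only in the child, which the guide permits. Against a live deployment the same logic would be fed by querying the parent and child servers for NS records and checking each listed server for an authoritative answer.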

