I l@ve RuBoard Previous Section Next Section

6.6 Checking Delegation

6.6.1 Problem

You need to check the delegation of a zone.

6.6.2 Solution

There are several ways to check a zone's delegation. One of the easiest is to use the +trace option supported by the BIND 9 version of dig. When you specify +trace, dig begins by looking up NS records for the root zone, using the local name server, and then sends a nonrecursive query to one of the root name servers. It continues by following referrals to other name servers until it finds the answer to the question specified on the command line. Here's an example:

$ dig +trace cnn.com

; <<>> DiG 9.2.1 <<>> +trace cnn.com
;; global options:  printcmd
.                       516931  IN      NS      A.ROOT-SERVERS.NET.
.                       516931  IN      NS      B.ROOT-SERVERS.NET.
.                       516931  IN      NS      C.ROOT-SERVERS.NET.
.                       516931  IN      NS      D.ROOT-SERVERS.NET.
.                       516931  IN      NS      E.ROOT-SERVERS.NET.
.                       516931  IN      NS      F.ROOT-SERVERS.NET.
.                       516931  IN      NS      G.ROOT-SERVERS.NET.
.                       516931  IN      NS      H.ROOT-SERVERS.NET.
.                       516931  IN      NS      I.ROOT-SERVERS.NET.
.                       516931  IN      NS      J.ROOT-SERVERS.NET.
.                       516931  IN      NS      K.ROOT-SERVERS.NET.
.                       516931  IN      NS      L.ROOT-SERVERS.NET.
.                       516931  IN      NS      M.ROOT-SERVERS.NET.
;; Received 292 bytes from in 13 ms

com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
;; Received 457 bytes from in 80 ms

cnn.com.                172800  IN      NS      TWDNS-01.NS.AOL.com.
cnn.com.                172800  IN      NS      TWDNS-02.NS.AOL.com.
cnn.com.                172800  IN      NS      TWDNS-03.NS.AOL.com.
cnn.com.                172800  IN      NS      TWDNS-04.NS.AOL.com.
;; Received 188 bytes from in 78 ms

cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                300     IN      A
cnn.com.                600     IN      NS      twdns-01.ns.aol.com.
cnn.com.                600     IN      NS      twdns-02.ns.aol.com.
cnn.com.                600     IN      NS      twdns-03.ns.aol.com.
cnn.com.                600     IN      NS      twdns-04.ns.aol.com.
;; Received 316 bytes from in 123 ms

After discovering the root name servers list, the instance of dig queried a.root-servers.net for A records for cnn.com, then followed a referral to one of the com name servers, a.gtld-servers.net, and then followed another referral to one of the cnn.com name servers, twdns-01.ns.aol.com. This traces the iterative name resolution process an external name server would use to resolve cnn.com domain names. The fact that it succeeded shows that the delegation from the com zone's name servers (one of them, anyway) to cnn.com works.

6.6.3 Discussion

The tools dnswalk and doc also check delegation. dnswalk checks delegation to subdomains of the zone you designate on the command line if you use the -l option -- but it needs to transfer the zone to check it, so don't bother running a command like:

$ dnswalk com.

However, it's very useful if you want to check the delegations below your zone.

doc, which is included in the BIND 8 tar file of contributed utilities (available in the same directory as the BIND 8 source code -- see Section 1.12 for details), also checks delegation to a zone's name servers, as well as synchronization between those name servers and their parent name servers.

6.6.4 See Also

Section 1.12 for instructions on how to get the BIND 8 source code (as well as the contributed utilities), and Section 5.16 for how to get dnswalk.

    I l@ve RuBoard Previous Section Next Section