Role of SOA record and `@` NS records - are these ever used in resolving a name?
Are there any cases where the info in the SOA record or the @ NS records for a domain or subdomain is used in a DNS name resolution?
Let's say that I do not publish any SOA or @ NS records on the josh.com name server, would this have any impact on anything?
Asked differently, is there ever a time that I would expect my private DNS server for the josh.com domain to get a query for @ NS records or for the SOA record?
Example:
Say I have my own private DNS server for the domain josh.com. The registrar has the IP address of this name server and publishes it to the TLD servers.
I want to resolve ...
1. I ask the root NS servers for com. and they answer with the com NS records in the authority section, with IP addresses for the .com GTLD servers in the additional section.
2. Then I use the IP address of one of the GTLD servers returned in the previous step to ask for josh.com. and it answers with the josh.com. name servers in the authority section, along with their IP addresses in the additional section.
3. Finally, I ask one of the josh.com servers returned in the previous step for it and get an answer in the answer section.
It seems that no SOA or @ NS records are ever touched here?
2 Answers
These records are stored inside the zone file and are essential for the functioning of the DNS server and defining the DNS zone itself. They are not normally used when processing DNS queries, but only tell the DNS server where to get its information from.
An SOA record is used by slave or secondary domain servers and points to the primary zone server and contains all the required parameters for syncing with it, such as refresh timings. The process is called DNS zone transfer.
An NS record, or name server record, maps a domain name to a list of DNS servers
authoritative for the named domains, which includes mainly delegations.
The zone origin may be denoted by a @.
These also take part in DNS zone transfers.
The only time that a DNS server gets queried for these records is when it is the primary DNS server for the zone, queried by a slave/secondary DNS server in the process of doing a DNS Zone transfer.
DNS is a vast subject and my knowledge of it is not total. If you wish to learn more, you may start with these resources:
Let's say that I do not publish any SOA or @ NS records on the josh.com name server, would this have any impact on anything?
Yes, this will break DNSSEC and QNAME minimization, at least. (and ironically you use QNAME minimization in your example...)
Besides the fact that the last item of the SOA field is the negative TTL and lets recursive nameservers know for how long to cache NXDOMAIN replies. So the SOA record is needed.
See for a detailed algorithm used by recursive nameservers to do QNAME minimization: you will see it needs NS records to progressively find zone cuts.
There is the same need for DNSSEC as the nameservers need to find the proper DNSKEY and DS records.
Also note in general that NS records exist on both sides of a zone cut: in the parent zone and in the child zone. Recursive nameservers believe what is on the child side, as it is the authoritative side. The NS records in the parent zone are there only for the resolution, but the parent is not authoritative on them. Not having them on the child side (if you manage to have a nameserver loading a zone in that case, which is certainly not guaranteed) may prevent recursive nameservers from any kind of proper caching of data.
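As an added illustration (not code from the question or either answer), the following Python simulates the root -> com -> josh.com walk from the question as a QNAME-minimising resolver performs it, and exercises the two points the second answer makes: the parent-side NS records are what lets the resolver find each zone cut, and the child zone's SOA MINIMUM field is what gives a negative answer (NXDOMAIN or NODATA) its cache lifetime, per RFC 2308. It also shows that a direct query for the apex SOA, or any negative answer under josh.com, is served by the josh.com server itself, and what is lost when that zone has no SOA. All zone contents, server names and 192.0.2.x (TEST-NET-1) addresses are constructed sample data; no real DNS traffic is sent.

```python
"""Simulated iterative DNS resolution over constructed in-memory zones."""
import copy

# Constructed zones: zone name -> owner name -> {rrtype: [rdata, ...]}.
# SOA rdata is (mname, rname, serial, refresh, retry, expire, minimum).
ZONES = {
    ".": {
        ".": {"NS": ["a.root.example."],
              "SOA": [("a.root.example.", "hostmaster.", 1, 1800, 900, 604800, 86400)]},
        "com.": {"NS": ["a.gtld.example."]},          # delegation (parent side)
        "a.gtld.example.": {"A": ["192.0.2.10"]},     # glue
    },
    "com.": {
        "com.": {"NS": ["a.gtld.example."],
                 "SOA": [("a.gtld.example.", "hostmaster.com.", 1, 1800, 900, 604800, 900)]},
        "josh.com.": {"NS": ["ns1.josh.com."]},       # delegation (parent side)
        "ns1.josh.com.": {"A": ["192.0.2.53"]},       # glue
    },
    "josh.com.": {
        "josh.com.": {"NS": ["ns1.josh.com."],        # the "@ NS" records (child side)
                      "SOA": [("ns1.josh.com.", "hostmaster.josh.com.", 3, 3600, 600, 1209600, 300)]},
        "www.josh.com.": {"A": ["192.0.2.80"]},
    },
}


def ancestors(qname):
    """'www.josh.com.' -> ['.', 'com.', 'josh.com.', 'www.josh.com.']"""
    parts = qname.rstrip(".").split(".")
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def query_zone(zones, zone, qname, qtype):
    """Respond as the authoritative server for `zone` would (simplified)."""
    data = zones[zone]
    soa = data.get(zone, {}).get("SOA", [None])[0]
    # A name at or below a delegation point inside this zone gets a referral:
    # the delegation's NS records in the authority section, glue in additional.
    for anc in ancestors(qname):
        if anc != zone and in_zone(anc, zone) and "NS" in data.get(anc, {}):
            ns = data[anc]["NS"]
            glue = {n: data[n]["A"] for n in ns if "A" in data.get(n, {})}
            return {"rcode": "NOERROR", "referral": anc, "authority": ns, "additional": glue}
    rrsets = data.get(qname)
    if rrsets is None:
        return {"rcode": "NXDOMAIN", "soa": soa}           # SOA goes in the authority section
    if qtype not in rrsets:
        return {"rcode": "NOERROR", "nodata": True, "soa": soa}
    return {"rcode": "NOERROR", "answer": rrsets[qtype]}


class Resolver:
    """QNAME-minimising iterative resolver (RFC 7816 style) over `zones`."""

    def __init__(self, zones):
        self.zones = zones
        self.queries = []          # (server zone, qname, qtype) actually sent
        self.negative_cache = {}   # (qname, qtype) -> TTL taken from SOA MINIMUM

    def ask(self, zone, qname, qtype):
        self.queries.append((zone, qname, qtype))
        return query_zone(self.zones, zone, qname, qtype)

    def resolve(self, qname, qtype):
        zone = "."   # start at the root; no positive cache, so every call re-walks
        # Walk down one label at a time asking only for NS, so each server sees
        # no more of the name than it needs; a referral marks a zone cut.
        for name in ancestors(qname)[1:-1]:
            resp = self.ask(zone, name, "NS")
            if "referral" in resp:
                zone = resp["referral"]
            elif resp["rcode"] == "NXDOMAIN":          # nothing below it can exist
                self._cache_negative(name, "NS", resp)
                return resp
        resp = self.ask(zone, qname, qtype)
        while "referral" in resp:                      # final name may itself be a cut
            zone = resp["referral"]
            resp = self.ask(zone, qname, qtype)
        if resp["rcode"] == "NXDOMAIN" or resp.get("nodata"):
            self._cache_negative(qname, qtype, resp)
        return resp

    def _cache_negative(self, qname, qtype, resp):
        # RFC 2308: a negative answer is cached for SOA MINIMUM (also capped by
        # the SOA RR's own TTL, not modelled here). Without an SOA in the
        # authority section there is no lifetime to cache it under.
        soa = resp.get("soa")
        self.negative_cache[(qname, qtype)] = soa[6] if soa else None


def without_apex_soa(zones, zone="josh.com."):
    """Copy of `zones` with the child zone's SOA removed (the question's scenario)."""
    broken = copy.deepcopy(zones)
    del broken[zone][zone]["SOA"]
    return broken


def demo(zones=ZONES):
    """Run the three lookups discussed in the thread and report what was sent."""
    r = Resolver(zones)
    www = r.resolve("www.josh.com.", "A")
    r.resolve("nope.josh.com.", "A")           # NXDOMAIN answered by the josh.com server
    apex = r.resolve("josh.com.", "SOA")       # direct query for the apex SOA
    return {"www": www.get("answer"), "queries": r.queries,
            "neg_ttl": r.negative_cache.get(("nope.josh.com.", "A")),
            "apex_soa": apex.get("answer")}
```

Running `demo()` shows the walk from the question (NS queries to the root and .com servers, then the final A query to the josh.com server), a negative TTL of 300 taken from josh.com's SOA, and the apex SOA query landing on ns1.josh.com; `demo(without_apex_soa(ZONES))` shows the same walk but no negative TTL at all, which is the caching breakage the answer above refers to.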