DNS Literacy Series 8: domain name resolution authorization

Source: Internet
Author: User
Tags net domain


Authorization for domain name resolution involves two concepts:

Domain name authorization: specifying which DNS is authoritative for the domain name, that is, who is responsible for resolving it (done by operating on NS records).

Authoritative DNS: the DNS with authoritative publishing capability for a specific domain name. It is the original source of that domain's resolution results (domain name records) on the Internet.

Current state of domain name resolution authorization

At present, resolution for a domain name on the Internet is generally authorized to the authoritative DNS of the provider that sold the domain, and that provider's authoritative DNS performs the resolution. For example, a domain purchased from xinnet is by default resolved by xinnet's authoritative DNS (nsx.xinnetdns.com, nsx.xinnet.cn), the provider that sold it:

    [root@test root]# dig @a.gtld-servers.net xinnet.com ns
    ;; ANSWER SECTION:
    xinnet.com.    172800    IN    NS    ns.xinnet.cn.
    xinnet.com.    172800    IN    NS    ns.xinnetdns.com.
    xinnet.com.    172800    IN    NS    ns2.xinnet.cn.
    xinnet.com.    172800    IN    NS    ns2.xinnetdns.com.

How domain name resolution authorization is implemented

Domain name resolution authorization is a tree-like, top-down hierarchical system, as shown in the figure below:

First, the "." DNS authorizes domain names such as COM/NET/CN/ORG/TV to different DNS servers according to their suffix, so that each can be managed separately. For example, COM/NET domain names are authorized to the authoritative DNS servers below. It follows that changing the authorized DNS of COM/NET has to be done on the "." DNS.

    [root@test root]# dig com. ns
    ;; ANSWER SECTION:
    com.    96045    IN    NS    d.gtld-servers.net.
    com.    96045    IN    NS    g.gtld-servers.net.
    com.    96045    IN    NS    b.gtld-servers.net.
    com.    96045    IN    NS    k.gtld-servers.net.
    com.    96045    IN    NS    f.gtld-servers.net.
    com.    96045    IN    NS    l.gtld-servers.net.
    com.    96045    IN    NS    j.gtld-servers.net.
    com.    96045    IN    NS    a.gtld-servers.net.
    com.    96045    IN    NS    i.gtld-servers.net.
    com.    96045    IN    NS    m.gtld-servers.net.
    com.    96045    IN    NS    e.gtld-servers.net.
    com.    96045    IN    NS    h.gtld-servers.net.
    com.    96045    IN    NS    c.gtld-servers.net.

Similarly, specifying or modifying the authoritative DNS of ABC.COM has to be done on the top-level DNS. Generally, the domain name owner has no permission to log on to the top-level DNS. Records there can only be operated on indirectly, through a dedicated interface on the domain name management platform of a domain name provider (such as xinnet or hichina).

ABC.COM is used below as an example to briefly describe how to specify your own authoritative DNS. If ABC.COM was purchased from xinnet, the authoritative DNS of the domain name is nsx.xinnetdns.com and nsx.xinnet.cn by default. To modify the default authoritative DNS, first log on to xinnet's domain name management backend and find the domain name DNS modification page to complete the operation (the detailed process is described at http://www.bkjia.com/net/201210/161851.html). After the operation is completed, verify that the modification succeeded:

    [root@test root]# dig @a.gtld-servers.net abc.com ns
    ;; ANSWER SECTION:
    abc.com.    172800    IN    NS    ns1.ai-dns.com.
    abc.com.    172800    IN    NS    ns2.ai-dns.com.
    abc.com.    172800    IN    NS    ns3.ai-dns.com.

Here ABC.COM has been authorized to nsx.ai-dns.com.

Re-authorization of a domain's authoritative DNS

Taking ABC.COM as the example, re-authorization means specifying the domain's NS records on the authoritative DNS nsx.ai-dns.com itself. Re-authorization has the following uses:

1. Expanding the number of existing authoritative DNS servers. For example, there are currently three DNS servers (ns1, ns2 and ns3.ai-dns.com) and the number is to be increased to four. To do this, add the NS record for ns4 to the ZONE file of abc.com on the original three DNS servers.

Original ZONE content:

    $TTL 2d
    $ORIGIN abc.com.
    @    3600    IN    SOA    ns1.ai-dns.com. root.ai-dns.com. (2288091841 1h 600 1w 900)
    @    2d      IN    NS     ns1.ai-dns.com.
    @    2d      IN    NS     ns2.ai-dns.com.
    @    2d      IN    NS     ns3.ai-dns.com.

ZONE content after the NS record for ns4 is added:

    $TTL 2d
    $ORIGIN abc.com.
    @    3600    IN    SOA    ns1.ai-dns.com. root.ai-dns.com. (2288091841 1h 600 1w 900)
    @    2d      IN    NS     ns1.ai-dns.com.
    @    2d      IN    NS     ns2.ai-dns.com.
    @    2d      IN    NS     ns3.ai-dns.com.
    @    2d      IN    NS     ns4.ai-dns.com.

Of course, ns4 can also be added on the top-level DNS; no more details here.

2. Re-authorizing the authoritative DNS to other DNS servers, for example re-authorizing from the original authoritative DNS (nsx.ai-dns.com) to someone else's (nsx.ddd.com). The operation process is the same as above.

Possible problems with re-authorization

Re-authorization undoubtedly makes domain name resolution authorization more flexible, but it carries the following potential risks. When the originally authorized authoritative DNS (that is, the authoritative DNS defined on the top-level DNS) fails, the re-authorized DNS cannot work either and the domain name cannot be resolved (this is determined by the top-down nature of the domain name resolution process). It also increases security risks.

Additional part 1: Use WHOIS with caution to view the authoritative DNS of a domain name

The WHOIS database of a domain name is controlled by the domain name seller. That is, each domain name seller has its own WHOIS server, which stores information about the domain names it has sold, such as the domain name owner, contact details and expiration time. The authoritative DNS information displayed in WHOIS may not be synchronized in a timely manner with the actual authoritative DNS information of the domain name, which can lead to incorrect conclusions.

Additional part 2: How is the "." root DNS authorized?

Because the "." root DNS is at the top of the domain name resolution system, it cannot be authorized by the conventional method. So far, the approach is to store the list of all "." DNS servers in a text file (in effect, authorized to itself), usually named root.hint. Its content is as follows (partial excerpt):

    .                      3600000    IN    NS    A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.    3600000          A     198.41.0.4
    .                      3600000          NS    B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.    3600000          A     192.228.79.201
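The re-authorization and WHOIS sections above both come down to one check: does the NS set delegated by the top-level DNS match the NS set published in the zone itself? The following is an added example, not part of the original article, that compares the two. The function names are hypothetical and the sample dig answers are constructed from the abc.com records shown above.

```python
# Added example: compare the NS set delegated by the parent (top-level) DNS
# with the NS set published in the zone on its own authoritative DNS.
# Both samples are constructed from the article's abc.com records.
PARENT_ANSWER = """\
abc.com. 172800 IN NS ns1.ai-dns.com.
abc.com. 172800 IN NS ns2.ai-dns.com.
abc.com. 172800 IN NS ns3.ai-dns.com.
"""

CHILD_ANSWER = """\
abc.com. 172800 IN NS ns1.ai-dns.com.
abc.com. 172800 IN NS NS2.ai-dns.com.
abc.com. 172800 IN NS ns3.ai-dns.com.
abc.com. 172800 IN NS ns4.ai-dns.com.
"""


def parse_ns(dig_text, zone):
    """Return the set of NS targets for `zone` found in dig record lines."""
    zone = zone.lower().rstrip(".") + "."
    servers = set()
    for line in dig_text.splitlines():
        fields = line.split()
        # Expect "owner TTL class type rdata"; skip ";;" headers and the rest.
        if len(fields) != 5 or line.startswith(";"):
            continue
        owner, _ttl, rclass, rtype, target = fields
        if (owner.lower() == zone and rclass.upper() == "IN"
                and rtype.upper() == "NS"):
            servers.add(target.lower().rstrip(".") + ".")
    return servers


def delegation_drift(parent_text, child_text, zone):
    """Report NS names present on only one side of the delegation."""
    parent = parse_ns(parent_text, zone)
    child = parse_ns(child_text, zone)
    return {
        "consistent": bool(parent) and parent == child,
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
    }


if __name__ == "__main__":
    print(delegation_drift(PARENT_ANSWER, CHILD_ANSWER, "abc.com"))
```

In practice the two inputs would be the record lines returned by `dig @a.gtld-servers.net abc.com ns` and by the same query sent to one of the zone's own servers. The parser ignores section headers, so it does not matter which section of the dig output the NS records appear in.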
