Understanding DNS: Authoritative Nameservers

In my previous post in this series we talked about recursive resolvers and how they talk to authoritative nameservers to obtain the DNS answers they need.

In this post I want to talk about authoritative nameservers specifically.

What are Authoritative Nameservers?

In the simplest terms, an authoritative nameserver is the source (originator) of a domain name’s DNS records: it holds the zone data itself, so it does not need to perform recursive or iterative queries to answer for the names it is authoritative for.

Another way to understand this: when your web host asks you to change your domain name’s nameservers to a certain value, they are asking you to change the authoritative nameservers for the domain.

Authoritative nameservers for a domain name are set at the domain registrar the domain is registered with. The domain registrar sends the changes to the TLD which then updates its zone with the new values.

Looking at dig output again

If you use the dig utility to query an authoritative nameserver directly for a name it is authoritative for, you will get a response with the “Authoritative Answer” (AA) flag set.

Here is an example (look at the flags):

% dig nullrouted.space @pns33.cloudns.net

; <<>> DiG 9.10.6 <<>> nullrouted.space @pns33.cloudns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6045
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 4096
;nullrouted.space. IN A

nullrouted.space. 86400 IN A

nullrouted.space. 86400 IN NS pns33.cloudns.net.
nullrouted.space. 86400 IN NS pns31.cloudns.net.
nullrouted.space. 86400 IN NS pns32.cloudns.net.
nullrouted.space. 86400 IN NS pns34.cloudns.net.

;; Query time: 84 msec
;; SERVER: 2a06:fb00:1::3:66#53(2a06:fb00:1::3:66)
;; WHEN: Wed Nov 03 10:00:47 EDT 2021
;; MSG SIZE rcvd: 151
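As an added example (not the post's own code), here is a small parser for dig's text output that pulls out the rcode, the header flags and the resource records, so a script can check for the AA flag instead of a human eyeballing it. The first sample is constructed after the dig run above, with the documentation address 192.0.2.1 standing in for the real A record; the second sample, the same query answered by a recursive resolver, is also constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample modelled on the dig output above (hypothetical, not the
# blog's own code). 192.0.2.1 is a documentation placeholder, not the real
# address of nullrouted.space.
AUTHORITATIVE_DIG = """\
; <<>> DiG 9.10.6 <<>> nullrouted.space @pns33.cloudns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6045
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 4096
;nullrouted.space. IN A

nullrouted.space. 86400 IN A 192.0.2.1

nullrouted.space. 86400 IN NS pns33.cloudns.net.
nullrouted.space. 86400 IN NS pns31.cloudns.net.
nullrouted.space. 86400 IN NS pns32.cloudns.net.
nullrouted.space. 86400 IN NS pns34.cloudns.net.

;; Query time: 84 msec
;; SERVER: 2a06:fb00:1::3:66#53(2a06:fb00:1::3:66)
"""

# Constructed header of the same query sent to a recursive resolver instead:
# the answer comes from cache, so "aa" is absent and "ra" is present.
RECURSIVE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
nullrouted.space. 3599 IN A 192.0.2.1
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);")


@dataclass
class DigResponse:
    status: Optional[str] = None
    flags: Set[str] = field(default_factory=set)
    records: List[Tuple[str, int, str, str]] = field(default_factory=list)  # (name, ttl, type, rdata)
    warnings: List[str] = field(default_factory=list)


def parse_dig(text: str) -> DigResponse:
    """Pull the rcode, header flags, warnings and resource records out of dig output."""
    resp = DigResponse()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            resp.status = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            resp.flags = set(m.group(1).split())
            continue
        if line.startswith(";; WARNING:"):
            resp.warnings.append(line[len(";; WARNING:"):].strip())
            continue
        if line.startswith(";"):
            continue  # other comment lines: question section, EDNS, timing
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "IN":
            name, ttl, rtype = parts[0], int(parts[1]), parts[3]
            resp.records.append((name, ttl, rtype, " ".join(parts[4:])))
    return resp


def is_authoritative(resp: DigResponse) -> bool:
    """True when the server answered from its own zone data (AA bit set)."""
    return "aa" in resp.flags


def offers_recursion(resp: DigResponse) -> bool:
    """True when the server advertises recursion (RA bit); an authoritative-only server should not."""
    return "ra" in resp.flags


def ns_names(resp: DigResponse) -> List[str]:
    """NS targets in the response, lower-cased without the trailing dot."""
    return sorted(r[3].rstrip(".").lower() for r in resp.records if r[2] == "NS")


if __name__ == "__main__":
    for label, text in (("authoritative", AUTHORITATIVE_DIG), ("recursive", RECURSIVE_DIG)):
        r = parse_dig(text)
        print(f"{label}: status={r.status} aa={is_authoritative(r)} ra={offers_recursion(r)} ns={ns_names(r)}")
```

The point of the check is the pair of bits together: a direct query to a server that is really authoritative comes back with aa set and ra clear (hence dig's "recursion requested but not available" warning), while a cached answer from a resolver shows the opposite.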


Another way to see what the authoritative nameservers for a domain are supposed to be is using the `whois` utility.

An important note about information in whois: for some TLDs, especially ccTLDs (country code TLDs), changes to nameservers are reflected immediately in whois data but not yet in the TLD’s authoritative nameservers. This happens because some TLDs do not apply the changes provided by the registrar as they come in, but on some sort of batch update cycle (for example: every 30 minutes). This is not a technical limitation, just how these TLDs have their systems set up.

Example (authoritative nameserver values are “Name Server” values):

Registry Domain ID: 1596081328_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2021-04-05T17:32:03Z
Creation Date: 2010-05-06T20:20:38Z
Registry Expiry Date: 2022-05-06T20:20:38Z
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: PNS31.CLOUDNS.NET
Name Server: PNS32.CLOUDNS.NET
Name Server: PNS33.CLOUDNS.NET
Name Server: PNS34.CLOUDNS.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 54364 13 2 BF4C3BD4822D16D2E70143F67E4C238DB9D525078270ADC9723CC19ED5DBE827
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2021-11-03T06:00:58Z <<<

Lame Delegations

A lame delegation is when a domain has a nameserver listed at the TLD that is not actually authoritative for the domain. In general, you want to avoid lame delegations, as they cause issues with domain resolution; mixing lame delegations with working ones is especially bad, because it leads to sporadic failures in name resolution (a resolver that happens to pick the lame server gets no usable answer, while one that picks a working server is fine).

Some TLDs require that a nameserver already be authoritative for a domain before it can be set at the registrar; .de is the most prominent example that comes to mind.
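As an added example (not the post's own code), the following script combines the two checks described above: it reads the “Name Server” values from whois output and classifies each delegated server by how it answered a direct NS query for the zone (AA bit set, refused, or no answer at all), so lame delegations show up as a list instead of as sporadic resolution failures. The zone, the example.net nameserver names, the whois excerpt and the per-server answers are all constructed placeholders; in practice the answers would come from running `dig <zone> NS @<server>` against each nameserver.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed whois excerpt for a hypothetical zone; the example.net names
# are documentation placeholders, not real nameservers.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Name Server: NS3.EXAMPLE.NET
Name Server: NS4.EXAMPLE.NET
DNSSEC: unsigned
"""

# The NS RRset the zone itself publishes (constructed; note ns5 is here but
# not at the registry, and ns4 is at the registry but not here).
ZONE_NS = {"ns1.example.net", "ns2.example.net", "ns3.example.net", "ns5.example.net"}

# Constructed stand-in for what each delegated server answered to
# `dig example.com NS @<server>`: None means no answer (timeout); otherwise
# the rcode, the header flags as dig prints them, and the NS RRset returned.
SAMPLE_RESPONSES: Dict[str, Optional[dict]] = {
    "ns1.example.net": {"rcode": "NOERROR", "flags": {"qr", "aa"}, "ns": ZONE_NS},
    "ns2.example.net": {"rcode": "NOERROR", "flags": {"qr", "aa"}, "ns": ZONE_NS},
    # Reachable, but not configured for the zone: it refuses the query.
    "ns3.example.net": {"rcode": "REFUSED", "flags": {"qr"}, "ns": set()},
    # Listed at the registry, but never answers.
    "ns4.example.net": None,
}


def registry_nameservers(whois_text: str) -> Set[str]:
    """Hostnames from 'Name Server:' lines, lower-cased without the trailing dot."""
    names: Set[str] = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "name server" and value.strip():
            names.add(value.strip().lower().rstrip("."))
    return names


@dataclass
class DelegationReport:
    verdicts: Dict[str, str] = field(default_factory=dict)      # ns -> ok | lame | unreachable
    not_in_zone: Set[str] = field(default_factory=set)          # delegated at registry, absent from zone NS RRset
    missing_at_registry: Set[str] = field(default_factory=set)  # in zone NS RRset, not delegated


def check_delegation(registry_ns: Set[str], responses: Dict[str, Optional[dict]]) -> DelegationReport:
    """Classify every nameserver the registry delegates to.

    A server is 'lame' when it answers but not authoritatively for the zone
    (a non-NOERROR rcode, or NOERROR without the AA bit, e.g. a resolver
    replying from cache); 'unreachable' when it gives no answer at all.
    """
    report = DelegationReport()
    zone_ns: Set[str] = set()
    for ns in sorted(registry_ns):
        r = responses.get(ns)
        if r is None:
            report.verdicts[ns] = "unreachable"
        elif r["rcode"] != "NOERROR" or "aa" not in r["flags"]:
            report.verdicts[ns] = "lame"
        else:
            report.verdicts[ns] = "ok"
            zone_ns |= {n.lower().rstrip(".") for n in r["ns"]}
    # Consistency check between the delegation at the parent and the zone's own NS RRset.
    report.not_in_zone = registry_ns - zone_ns
    report.missing_at_registry = zone_ns - registry_ns
    return report


def broken_servers(report: DelegationReport) -> List[str]:
    """Nameservers that cause sporadic failures for resolvers that happen to pick them."""
    return sorted(ns for ns, verdict in report.verdicts.items() if verdict != "ok")


if __name__ == "__main__":
    rep = check_delegation(registry_nameservers(SAMPLE_WHOIS), SAMPLE_RESPONSES)
    for ns, verdict in rep.verdicts.items():
        print(f"{ns}: {verdict}")
    print("delegated but not in zone NS RRset:", sorted(rep.not_in_zone))
    print("in zone NS RRset but not delegated:", sorted(rep.missing_at_registry))
```

Treating a NOERROR answer without the AA bit as lame is deliberate: a host that happens to run a recursive resolver will answer the query from cache, which looks fine to a casual `dig` but is not the same as being authoritative for the zone. The two set differences at the end catch the related mismatch between what the registry delegates and what the zone's own NS RRset says, which is worth fixing at the same time.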

Extra Credit: Hosting Your Own Authoritative Nameservers

If you’ve read all this and are wondering “is it possible to host my domain’s authoritative nameservers on servers I control instead of at my web host or another DNS service provider?”, the answer is yes!

To get started, I would recommend a basic understanding of administering Linux servers first. After that you can look into the various authoritative nameserver software packages: BIND, NSD, PowerDNS or Knot DNS. For beginners, I would recommend you start with BIND and its excellent reference manual.

Concluding Statements

To conclude this post: it is important to keep in mind that the authoritative nameservers are the source of your DNS information, and if the information is not already cached by the recursive resolver, they will be queried for answers. Therefore it is important to make sure that your authoritative DNS service provider is reliable, especially for domains that are important to you.

The next post in this series will be about common record types and what they are for.