Checking Delegation
6.6.1 Problem
You need to check the delegation of a zone.
6.6.2 Solution
There are several ways to check a zone's delegation. One of the easiest is to use the +trace option supported by the BIND 9 version of dig. When you specify +trace, dig begins by looking up NS records for the root zone, using the local name server, and then sends a nonrecursive query to one of the root name servers. It continues by following referrals to other name servers until it finds the answer to the question specified on the command line. Here's an example:
$ dig +trace cnn.com

; <<>> DiG 9.2.1 <<>> +trace cnn.com
;; global options: printcmd
.            516931  IN  NS  A.ROOT-SERVERS.NET.
.            516931  IN  NS  B.ROOT-SERVERS.NET.
.            516931  IN  NS  C.ROOT-SERVERS.NET.
.            516931  IN  NS  D.ROOT-SERVERS.NET.
.            516931  IN  NS  E.ROOT-SERVERS.NET.
.            516931  IN  NS  F.ROOT-SERVERS.NET.
.            516931  IN  NS  G.ROOT-SERVERS.NET.
.            516931  IN  NS  H.ROOT-SERVERS.NET.
.            516931  IN  NS  I.ROOT-SERVERS.NET.
.            516931  IN  NS  J.ROOT-SERVERS.NET.
.            516931  IN  NS  K.ROOT-SERVERS.NET.
.            516931  IN  NS  L.ROOT-SERVERS.NET.
.            516931  IN  NS  M.ROOT-SERVERS.NET.
;; Received 292 bytes from 192.168.0.1#53(192.168.0.1) in 13 ms

com.         172800  IN  NS  A.GTLD-SERVERS.NET.
com.         172800  IN  NS  G.GTLD-SERVERS.NET.
com.         172800  IN  NS  H.GTLD-SERVERS.NET.
com.         172800  IN  NS  C.GTLD-SERVERS.NET.
com.         172800  IN  NS  I.GTLD-SERVERS.NET.
com.         172800  IN  NS  B.GTLD-SERVERS.NET.
com.         172800  IN  NS  D.GTLD-SERVERS.NET.
com.         172800  IN  NS  L.GTLD-SERVERS.NET.
com.         172800  IN  NS  F.GTLD-SERVERS.NET.
com.         172800  IN  NS  J.GTLD-SERVERS.NET.
com.         172800  IN  NS  K.GTLD-SERVERS.NET.
com.         172800  IN  NS  E.GTLD-SERVERS.NET.
com.         172800  IN  NS  M.GTLD-SERVERS.NET.
;; Received 457 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 80 ms

cnn.com.     172800  IN  NS  TWDNS-01.NS.AOL.com.
cnn.com.     172800  IN  NS  TWDNS-02.NS.AOL.com.
cnn.com.     172800  IN  NS  TWDNS-03.NS.AOL.com.
cnn.com.     172800  IN  NS  TWDNS-04.NS.AOL.com.
;; Received 188 bytes from 192.5.6.30#53(A.GTLD-SERVERS.NET) in 78 ms

cnn.com.     300     IN  A   64.236.24.4
cnn.com.     300     IN  A   64.236.24.12
cnn.com.     300     IN  A   64.236.16.20
cnn.com.     300     IN  A   64.236.16.52
cnn.com.     300     IN  A   64.236.24.20
cnn.com.     300     IN  A   64.236.24.28
cnn.com.     300     IN  A   64.236.16.84
cnn.com.     300     IN  A   64.236.16.116
cnn.com.     600     IN  NS  twdns-01.ns.aol.com.
cnn.com.     600     IN  NS  twdns-02.ns.aol.com.
cnn.com.     600     IN  NS  twdns-03.ns.aol.com.
cnn.com.     600     IN  NS  twdns-04.ns.aol.com.
;; Received 316 bytes from 149.174.213.151#53(TWDNS-01.NS.AOL.com) in 123 ms
After obtaining the list of root name servers, dig queried a.root-servers.net for A records for cnn.com, followed a referral to one of the com name servers, a.gtld-servers.net, and then followed another referral to one of the cnn.com name servers, twdns-01.ns.aol.com. This traces the iterative name resolution process an external name server would use to resolve cnn.com domain names. The fact that it succeeded shows that the delegation from the com zone's name servers (one of them, anyway) to cnn.com works.
6.6.3 Discussion
The tools dnswalk and doc also check delegation. dnswalk checks delegation to subdomains of the zone you designate on the command line if you use the -l option -- but it needs to transfer the zone to check it, so don't bother running a command like:
$ dnswalk com.
However, it's very useful if you want to check the delegations below your zone.
doc, which is included in the BIND 8 tar file of contributed utilities (available in the same directory as the BIND 8 source code -- see Section 1.12 for details), also checks delegation to a zone's name servers, as well as synchronization between those name servers and their parent name servers.
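A successful trace shows that the delegation works, but not that the parent and the zone agree on the name server list, which is the synchronization doc looks at. The following added example (not from the book and not doc's own code) goes one step beyond the trace above: it parses dig +trace output and compares the NS set in the parent's referral with the NS set returned by the zone's own name server. The names parse_trace and check_delegation are hypothetical, and the sample trace is constructed.

```python
import re

# dig prints this after each hop: ";; Received N bytes from ADDR#53(SERVER) in T ms"
RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+\((\S+)\)")

def parse_trace(text):
    """Split `dig +trace` output into hops: [(server, [(owner, type, rdata), ...])]."""
    hops, records = [], []
    for line in text.splitlines():
        footer = RECEIVED.match(line.strip())
        fields = line.split()
        if footer:
            hops.append((footer.group(1).lower(), records))
            records = []
        elif len(fields) >= 5 and fields[2] == "IN" and not fields[0].startswith(";"):
            # DNS names are case-insensitive, so normalise before comparing.
            records.append((fields[0].lower(), fields[3], fields[4].lower().rstrip(".")))
    return hops

def check_delegation(text, zone):
    """Compare the NS set in the parent's referral with the one the zone's own server returns."""
    zone = zone.lower().rstrip(".") + "."
    seen = []
    for server, records in parse_trace(text):
        names = {rdata for owner, rtype, rdata in records if rtype == "NS" and owner == zone}
        if names:
            seen.append((server, names))
    if len(seen) < 2:
        # A final server that omits NS records must be queried for them directly.
        return {"status": "child-ns-not-seen" if seen else "no-ns-seen"}
    parent, child = seen[0][1], seen[-1][1]
    return {
        "status": "consistent" if parent == child else "mismatch",
        "servers": (seen[0][0], seen[-1][0]),
        "parent_only": sorted(parent - child),
        "child_only": sorted(child - parent),
    }

# Constructed sample in the shape of the trace above (reserved names and addresses).
SAMPLE = """\
example.com. 172800 IN NS NS1.EXAMPLE.NET.
example.com. 172800 IN NS NS2.EXAMPLE.NET.
;; Received 120 bytes from 192.0.2.1#53(A.PARENT.EXAMPLE) in 78 ms
example.com. 300 IN A 192.0.2.80
example.com. 600 IN NS ns1.example.net.
example.com. 600 IN NS ns3.example.net.
;; Received 160 bytes from 192.0.2.53#53(NS1.EXAMPLE.NET) in 90 ms
"""
print(check_delegation(SAMPLE, "example.com"))
```

A name under parent_only is one the parent still refers resolvers to although the zone no longer lists it, so it is the entry to investigate first.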
6.6.4 See Also
Section 1.12 for instructions on how to get the BIND 8 source code (as well as the contributed utilities), and Section 5.16 for how to get dnswalk.