Other Sites by Len Conrad

 · IMGate
A site that shows how to build and configure, using Open Source software (FreeBSD and postfix), relay-only mail hubs to add aggressive anti-spam defenses and increased reliability and throughput to Imail sites. Note that the IMGate approach is not dependent on Ipswitch Imail and so is applicable to any other brand of mail server.



Copyright agreement:

The relationship between the topic of DNS and BIND and the images of a cricket and a locust are trademarks of O'Reilly & Associates, Inc. Used with permission.



Running a Public DNS

Since I started this site on 23 APR 2000, I've had a lot of private mail asking how to run a public DNS. What is asked of me is basically, "OK, my BIND8/NT DNS seems to be working for me, but I'd like to have all of Internet also use it, to find the domains that my DNS will be authoritative for. How do I announce my DNS to Internet? etc. etc."

It's not a process you can easily discover by yourself. But, like the rest of this site, if you carefully follow the steps I describe below, you will have your own public DNS, or two, running in minimum time, with no false moves, no dead ends, and without mistakes.

Background, Concepts, Why, What

For a DNS to be a public DNS, it must be running on a registered "HOST". So how do we register a HOST?

A HOST is created as part of a domain, so HOSTnames look like this:
ns1.mydomain.com    ie., "nameserver1"
ns2.mydomain.com    ie., "nameserver2"
where ns1 and ns2 are HOSTs in mydomain.com. We say the HOSTs are in mydomain's zone.

To register a HOST under a domain, you must have "authority over a domain", i.e., be the registrant/owner of the domain in the records of a domain registrar. Let's assume that you are registrant for mydomain.com.

You want to register HOSTs for mydomain.com, such as ns1 and ns2. They don't have to be physical machines: they could be virtual hosts sharing an ip address with other tcp/ip services on one machine. Although the requirements vary from registrar to registrar and from country to country, your nameservers do not usually have to be on-line, reachable, and functioning at the time you submit the HOST registrations.

Why two nameservers? Because to register new domains, two nameservers are required to be authoritative nameservers for the new domain. So if you have your own two nameservers, you will be fully autonomous in your DNS operations, able to register new domains listing only your two nameservers and not have to depend on any other organization for external, secondary nameservers.

You can operate with only one nameserver, but you have to list somebody else's nameserver on the new domains you register in order to have the minimum of two on a domain registration. And that other nameserver will have to be updated with the zone data for the domain, and kept current. And you don't have authority to change the other nameserver, so you have to request intervention by the authority for the other nameserver. It's just better, simpler, and more flexible if you have your own two nameservers.

A key aspect of being a registrant of a domain is that the domain registrant "lives" administratively at a domain registrar. It is the domain registrar who, exclusively, can administer the changes to a domain requested by the registrant to register HOSTs. The registrar will also transfer those changes to the root-servers where the HOSTs can become accessible by Internet.

So if your mydomain.com is registered with OpenSRS, you cannot go to Network Solutions to register HOSTs for mydomain.com. Your authority as registrant of mydomain.com is not recognized administratively by Network Solutions. You must register your HOSTs at OpenSRS, where your mydomain.com lives.

HOSTs operating as nameservers are an official, integral part of the distributed database system called the Internet Domain Name Service, over which the root-servers.net have supreme, "root" authority.

For a registered HOST, there can be only one ip.ad.re.ss.

For any ip.ad.re.ss, there can only be one registered HOST.

When you register a HOST and the above conditions are not met, your HOST registration will be rejected. I.e., if either the HOST name or the ip address is already registered in the root-servers.net, you cannot use that HOST name or ip address for your HOST.

The above rules do not mean that the ip address cannot be used for other services. E.g., your Web server or mail server at an ip.ad.re.ss could also function as a nameserver. You just cannot have two nameservers at the same ip address.

In terms of the zone's records with multiple services at one ip address, look at this example:
$ORIGIN mydomain.com.
www   A    ip.ad.re.ss
ftp   A    ip.ad.re.ss
ns1   A    ip.ad.re.ss   ; your ns
ns2   A    ip.ad.re.ss   ; No! 2nd ns @ one ip address.
mail  A    ip.ad.re.ss

You would have to do this, give ns2 a different ip address:

ns2   A    ip.ad.re.s2   ; ok now, a different ip address.

Furthermore, this cannot be:

ns1   A    ip.ad.re.ss
ns1   A    ip.ad.re.s2   ; No! HOST with two ip addresses.

Select your HOST name and its ip address with no intention of later changing the ip address except for the most serious, unavoidable reasons. You can change, at any time and without involvement of any other parties, any other ip addresses for other machines in mydomain.com, but changing the ip addresses of your registered HOSTs requires that you change the HOST records with the domain registrar and therefore at the root-servers. This is a serious act, since your nameservers are the means by which all of Internet contacts all the domains that list your nameservers as authoritative.

But wait a minute! When you initially registered mydomain.com, you were required to define at least two nameservers to be authoritative for mydomain.com. Like this:
$ORIGIN mydomain.com.
;
@    NS ns1.ISPdomain.com.
@    NS ns2.ISPdomain.com.
The nameservers for mydomain.com could not be in mydomain.com because mydomain.com didn't exist at that point.

When you register your ns1.mydomain.com and ns2.mydomain.com, they won't be authoritative for mydomain.com. They will just be registered HOSTs. The ISP's nameservers will still be authoritative for mydomain.com.

Sounds weird, but you've got to "bootstrap" your nameservers into root-servers on the back of the existing mydomain.com.

Once your ns1 and ns2 are registered HOSTs, you can submit a "domain registration change" for mydomain.com so that your own nameservers become authoritative for mydomain.com:

$ORIGIN mydomain.com.
;
@    NS ns1.mydomain.com.
@    NS ns2.mydomain.com.
Once the above modification is effective, you arrive at the end of the process: you are the complete master of mydomain.com, and completely detached from and independent of the nameservers of the ISP. Internet (i.e., the root-servers.net) will no longer refer to the ISP's nameservers, even if the ISP's nameservers still list your domain's RRs.
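The HOST rules above (one ip address per registered HOST, one registered HOST per ip address) and the delegation records just shown can be checked mechanically before you submit anything to the registrar. The script below is an added example, not code from the original page or from BIND: it parses records written in the same abbreviated zone-file style used on this page and reports the violations the "No!" lines illustrate, plus a missing A (glue) record for an in-zone nameserver. The zones, names and 192.0.2.x addresses in it are constructed for the example.

```python
"""Checks for the HOST-registration rules and the delegation records above
(added example, not code from the original page): one address per registered
HOST, one registered HOST per address, and an A (glue) record for every
in-zone nameserver.  The zone text uses the page's abbreviated zone-file
style; names and addresses are constructed for the example."""
from collections import defaultdict


def parse_records(zone_text):
    """Parse '$ORIGIN' plus 'owner TYPE rdata' lines into (owner, type, rdata); ';' starts a comment."""
    origin = "."
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        owner, rtype, rdata = line.split(None, 2)
        rtype, rdata = rtype.upper(), rdata.strip()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"          # relative owner -> fully qualified
        if rtype == "NS" and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}"
        records.append((owner, rtype, rdata))
    return records, origin


def delegation_problems(records, origin):
    """Return a list of rule violations; an empty list means the zone obeys the page's rules."""
    problems = []
    ns_targets = [r for o, t, r in records if o == origin and t == "NS"]
    if len(ns_targets) < 2:
        problems.append(f"{origin} lists {len(ns_targets)} NS record(s); registration needs two")
    a_by_name = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_by_name[owner].append(rdata)
    # Rule 1: a registered HOST (an in-zone nameserver) has exactly one ip address.
    registered_hosts = [t for t in ns_targets if t.endswith("." + origin)]
    for host in registered_hosts:
        addrs = a_by_name[host]
        if not addrs:
            problems.append(f"{host} is an NS but has no A record (no glue)")
        elif len(addrs) > 1:
            problems.append(f"{host} has {len(addrs)} A records; a registered HOST may have one")
    # Rule 2: an ip address backs at most one registered HOST (other services may share it).
    hosts_by_ip = defaultdict(set)
    for host in registered_hosts:
        for ip in a_by_name[host]:
            hosts_by_ip[ip].add(host)
    for ip, hosts in sorted(hosts_by_ip.items()):
        if len(hosts) > 1:
            problems.append(f"{ip} is the address of {len(hosts)} registered HOSTs: {', '.join(sorted(hosts))}")
    return problems


def problems_for(zone_text):
    return delegation_problems(*parse_records(zone_text))


# Constructed zones: the first breaks both rules the way the page's "No!" lines do.
BAD_ZONE = """\
$ORIGIN mydomain.com.
@    NS   ns1
@    NS   ns2
www  A    192.0.2.10
ns1  A    192.0.2.10
ns2  A    192.0.2.10   ; No! second nameserver at one ip address
ns1  A    192.0.2.11   ; No! HOST with two ip addresses
"""

GOOD_ZONE = """\
$ORIGIN mydomain.com.
@    NS   ns1
@    NS   ns2
www  A    192.0.2.10
ns1  A    192.0.2.10   ; www and ns1 may share an address
ns2  A    192.0.2.11   ; ns2 on its own address
"""

if __name__ == "__main__":
    for label, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(label + ":", problems_for(zone) or ["ok"])
```

Nameservers outside the zone (the ISP's ns1.ISPdomain.com and ns2.ISPdomain.com in the bootstrap stage) are not registered HOSTs of mydomain.com, so the checker does not require glue for them; only in-zone nameservers are held to the one-address, one-HOST rules.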

As a courtesy to the ISP (who is not authoritative for mydomain.com and therefore is not involved in the domain modification of mydomain.com), you should tell the ISP that he can remove all mydomain.com's RRs from his nameservers. Internet will no longer consult his nameservers for RRs for mydomain.com.

In summary, to put a public DNS on-line:

1. Have the authority to modify mydomain.com.
  • Be the registrant/owner of mydomain.com.
2. Select the HOSTnames in mydomain.com and their ip addresses from your assigned ip address block.
3. At the registrar for mydomain.com, the registrant/owner of mydomain.com registers HOSTs and their ip addresses.
4. Check the root-servers.net for the presence of your new HOSTs.
5. When YOU see that ns1 and ns2 HOSTs are present in the root-servers, you can then submit a domain modification for mydomain.com where you change the authorized nameservers to your ns1 and ns2.
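Step 4 is the check a practitioner wants to automate: ask a top-level server directly, with recursion turned off, whether it already hands out your ns1 and ns2 together with their addresses. The script below is an added example, not code from the original page or from BIND; it builds the DNS query on the wire with only the Python standard library, reads the nameserver names and glue A records out of the referral, and compares them with the HOSTs you registered. The server address is a placeholder you replace with a server for your top-level domain, and the hand-built referral used to exercise the parser offline, its names and its 192.0.2.x addresses are constructed.

```python
"""Step 4 of the summary, as an added example (not the page's code): ask a TLD
server, non-recursively, for the NS records of the zone and read the nameserver
names and their glue A records out of the referral.  Only the standard library
is used.  The server address, zone and expected hosts are constructed
placeholders, as is the hand-built referral used to exercise the parser offline."""
import socket
import struct

NS, A = 2, 1   # DNS RR type codes


def encode_name(name):
    """Encode 'ns1.mydomain.com.' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(qname, qtype=NS, txid=0x1234):
    """Wire-format query with RD=0: a delegation check wants the server's own data, not a recursive lookup."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_referral(msg):
    """Return (nameserver names, glue) from the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    offset = 12
    for _ in range(qd):                            # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    ns_names, glue = [], {}
    for _ in range(an + ns + ar):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == NS:
            ns_names.append(read_name(msg, offset)[0])
        elif rtype == A and rdlen == 4:
            glue.setdefault(owner, []).append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return ns_names, glue


def missing_or_wrong_hosts(expected, ns_names, glue):
    """expected maps HOST name -> ip.  Return the HOSTs the referral does not show with exactly that address."""
    return {host: glue.get(host, []) for host, ip in expected.items()
            if host not in ns_names or glue.get(host) != [ip]}


def query_tld_server(server_ip, zone, timeout=3.0):
    """Live check (needs network): one UDP query to a server for your top-level domain."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(zone), (server_ip, 53))
        msg, _ = sock.recvfrom(4096)
    return parse_referral(msg)


def constructed_referral():
    """Hand-built referral for mydomain.com (constructed): 2 NS in authority, 2 glue A in additional."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8000, 1, 0, 2, 2)
    question = encode_name("mydomain.com.") + struct.pack(">HH", NS, 1)

    def ns_rr(target):   # owner is a pointer to the question name at offset 12
        rdata = encode_name(target)
        return b"\xc0\x0c" + struct.pack(">HHIH", NS, 1, 172800, len(rdata)) + rdata

    def a_rr(owner, ip):
        return encode_name(owner) + struct.pack(">HHIH", A, 1, 172800, 4) + bytes(int(x) for x in ip.split("."))

    return (header + question + ns_rr("ns1.mydomain.com.") + ns_rr("ns2.mydomain.com.")
            + a_rr("ns1.mydomain.com.", "192.0.2.10") + a_rr("ns2.mydomain.com.", "192.0.2.11"))


if __name__ == "__main__":
    ns_names, glue = parse_referral(constructed_referral())
    # Live version: ns_names, glue = query_tld_server("<ip of a server for your TLD>", "mydomain.com.")
    expected = {"ns1.mydomain.com.": "192.0.2.10", "ns2.mydomain.com.": "192.0.2.11"}
    print("not yet visible:", missing_or_wrong_hosts(expected, ns_names, glue) or "none")
```

Run the live form against more than one server for your top-level domain and only move on to step 5 when every one of them returns an empty "not yet visible" set; a HOST that shows up on one server but not another has not finished propagating, and changing the delegation early would leave part of Internet unable to reach mydomain.com.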