DNS zone delegation - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

Administrators of a parent zone can delegate authority of a child zone to another set of name servers.

Because it isn't possible for a single DNS server to hold the DNS information for every zone in the namespace, DNS allows for delegation. Delegation allows the administrators of a parent zone to delegate authority of a child zone to another set of name servers.

A common example of delegation is the relationship between the Top Level Domains (TLDs), such as .com, and second level domains on the Internet. The .com DNS servers delegate authority for their child zones to the servers hosting the child zones. Another example is the delegation of subzones within an organization so that zones can be maintained by different business units or divisions.

How you configure delegation depends on whether the child zone is hosted on servers under Address Manager control or on an Other DNS Server. In both cases, you create the parent and child zones in Address Manager:
  • If the servers hosting the parent and child zones are both under Address Manager control, you simply create the zones in Address Manager and assign them DNS deployment roles.
      • If your zones are signed with a DNSSEC signing policy, Address Manager automatically adds all of the records needed to properly configure DNSSEC for the zones.
  • If the child zone is hosted on a server not under Address Manager control, you must first create an Other DNS Server to represent the zone’s DNS server. For more information on adding Other DNS Servers, refer to Adding Other DNS Servers. You then create the child zone and assign it a deployment role associated with the Other DNS Server.
    Note: A deployment role assigned at the view or parent zone level is inherited by the child zone.
      • If the zones are DNSSEC-enabled, you need to add a DS record containing the child zone’s key to the parent zone. For more information, refer to Creating a chain of trust for delegated third-party zones.

When you deploy the configuration, Address Manager automatically creates the necessary delegation records (NS resource record and glue records) for the child zone in the parent zone.
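The following added example (not BlueCat code and not an Address Manager API) audits a parent zone after deployment for the delegation records described above: NS records for the child, glue for name servers that sit inside the child zone, and a DS record when the child is DNSSEC-signed. The zone names, addresses, and DS values are constructed, and the input is assumed to be one record per line in `owner ttl class type rdata` form.

```python
# Constructed parent-zone records (example.com); not output from Address Manager.
PARENT_ZONE = """\
eng.example.com.      3600 IN NS   ns1.eng.example.com.
eng.example.com.      3600 IN NS   ns2.partner.example.net.
ns1.eng.example.com.  3600 IN A    192.0.2.53
eng.example.com.      3600 IN DS   12345 13 2 PLACEHOLDERDIGEST
lab.example.com.      3600 IN NS   ns1.lab.example.com.
"""

def parse(zone_text):
    """Return (owner, type, rdata) tuples from 'owner ttl class type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) == 5:
            owner, _ttl, _cls, rtype, rdata = fields
            records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records

def audit_delegation(zone_text, child, dnssec_signed):
    """List what the parent zone is missing for a delegation to `child`."""
    records = parse(zone_text)
    child = child.lower()
    findings = []
    servers = [r.lower() for o, t, r in records if o == child and t == "NS"]
    if not servers:
        findings.append(f"no NS records for {child}")
    for ns in servers:
        # Glue is needed only when the name server's own name lies inside the
        # child zone: resolvers cannot look it up without reaching the child first.
        in_bailiwick = ns == child or ns.endswith("." + child)
        has_glue = any(o == ns and t in ("A", "AAAA") for o, t, _ in records)
        if in_bailiwick and not has_glue:
            findings.append(f"missing glue for {ns}")
    has_ds = any(o == child and t == "DS" for o, t, _ in records)
    if dnssec_signed and not has_ds:
        findings.append(f"no DS record for signed zone {child}")
    if has_ds and not dnssec_signed:
        # A DS for an unsigned child makes validating resolvers reject its answers.
        findings.append(f"DS record present but {child} is unsigned")
    return findings

if __name__ == "__main__":
    for zone, signed in (("eng.example.com.", True), ("lab.example.com.", True)):
        print(zone, audit_delegation(PARENT_ZONE, zone, signed) or "ok")
```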