DNS Delegation and Adding a Record – What happens when all admins have gone?

Today we had a bit of a stop-and-think moment with a delegated domain; it was a good thought experiment to walk through.

So let’s say you have a sub-domain thing.example.com of the domain example.com. thing.example.com has been delegated by the administrators of example.com to a 3rd party, who will manage the namespace for the sub-domain themselves on their own Name Servers.

To facilitate this, the administrators of example.com have added a couple of Name Server (NS) records to the example.com zone, as below, delegating the sub-domain to AWS Route53 (for example):

NS       thing       ns-169.awsdns-21.com

NS       thing       ns-245.awsdns-21.com

No problem so far.

However, we then got a request: the administrators of the sub-domain thing.example.com are no longer available, so could we (the administrators of example.com) add a record into the sub-domain?

After a bit of thought the answer is of course…..NO

The sub-domain (thing.example.com) has been delegated to someone else, i.e. the authority for that part of the DNS “tree” has been delegated to someone else to manage.

Therefore, as the administrators of the parent domain example.com, the only thing we can do is remove the delegation. But if we did that, we’d need to know what records were in that sub-domain so we could add them to our own Name Servers, or stuff would stop working.

Conclusion

When you delegate a sub-domain to a 3rd party, you as the parent domain administrators have no control over the records within the delegated sub-domain (zone); that “authority” belongs to whomever you have delegated the domain to.

Ergo, if someone wants, say, an A record added to the sub-domain, you as the parent domain administrator can’t do this; only the sub-domain administrator can!
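To make the conclusion concrete, here is an added example (not from the original post) that models how an authoritative server for example.com answers queries under the delegation described above. It follows the RFC 1034 section 4.3.2 lookup: walking from the zone apex toward the query name and returning a referral at the first zone cut, so a record the parent admins add beneath thing.example.com is never served. The Route53 name server names are the ones from the post; ns1.example.com and all IP addresses are constructed.

```python
from copy import deepcopy
from dataclasses import dataclass, field

@dataclass
class Answer:
    kind: str               # "answer", "referral" or "nxdomain"
    rrs: list = field(default_factory=list)

# Constructed zone data for example.com. The delegation of "thing" uses the
# Route53 names from the post; ns1.example.com and every address are made up.
# The last entry is the record the parent admins were asked to add: it sits
# below the zone cut, so the parent's own servers never hand it out.
PARENT_ZONE = {
    "example.com.": {"NS": ["ns1.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "www.example.com.": {"A": ["192.0.2.10"]},
    "thing.example.com.": {"NS": ["ns-169.awsdns-21.com.", "ns-245.awsdns-21.com."]},
    "www.thing.example.com.": {"A": ["192.0.2.99"]},   # occluded by the NS above
}

def lookup(zone, apex, qname, qtype):
    """Answer a query the way an authoritative server for `apex` would
    (RFC 1034 section 4.3.2): walk the labels from the apex toward qname and
    stop with a referral at the first name below the apex holding an NS RRset."""
    qname = qname.lower().rstrip(".") + "."
    apex = apex.lower().rstrip(".") + "."
    if qname != apex and not qname.endswith("." + apex):
        raise ValueError(f"{qname} is not inside zone {apex}")
    rel = qname[: -len(apex)].rstrip(".")
    labels = rel.split(".") if rel else []
    for depth in range(1, len(labels) + 1):
        name = ".".join(labels[-depth:]) + "." + apex
        ns = zone.get(name, {}).get("NS")
        if ns:
            return Answer("referral", ns)      # authority lies below this cut
    rrsets = zone.get(qname)
    if rrsets is None:
        return Answer("nxdomain")
    return Answer("answer", rrsets.get(qtype, []))

def remove_delegation(zone, cut):
    """The parent's only lever: drop the NS records at the cut, after which
    the parent is authoritative for everything beneath it again."""
    zone = deepcopy(zone)
    zone[cut.rstrip(".") + "."].pop("NS", None)
    return zone

if __name__ == "__main__":
    for q in ("www.example.com", "www.thing.example.com"):
        print(q, lookup(PARENT_ZONE, "example.com", q, "A"))
    undelegated = remove_delegation(PARENT_ZONE, "thing.example.com")
    print("after removing delegation:",
          lookup(undelegated, "example.com", "www.thing.example.com", "A"))
```

Note that removing the delegation makes the previously occluded A record visible, which is exactly why the parent admins would need a copy of the sub-domain's records before taking that step.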
