DNS Zone

A DNS zone is the unit of administrative delegation in DNS. Roughly: it's a named portion of the DNS tree that one set of nameservers is responsible for.

Zones vs domains

Casually, "zone" and "domain" are often used interchangeably, but they're not exactly the same. A domain is the namespace ("everything under example.com"); a zone is what one set of nameservers actually serves. A domain can be split across multiple zones: example.com could be one zone, with uk.example.com delegated to a different team's nameservers as its own child zone.

Zone apex

The "apex" of a zone is the top of it: for example.com, the apex is example.com itself. The apex carries exactly one SOA record plus the zone's NS records (the spec needs at least one; in practice registries and RFC 2182 expect at least two, on separate networks). A CNAME cannot live at the apex: a name that holds a CNAME may hold no other records, and the apex must hold SOA and NS. That is why providers invented "ALIAS," "ANAME," and "flattened CNAME" workarounds, which resolve the target on the provider's side and answer with plain A/AAAA records.

Delegation

A parent zone delegates a child zone by publishing NS records at the child's name, pointing to the child's nameservers. So the com zone has NS records for example.com, example.com has NS records for uk.example.com, and so on down the tree. One extra rule: if a nameserver's own name sits inside the zone it serves (ns1.uk.example.com serving uk.example.com), the parent must also publish its address as glue A/AAAA records, because otherwise a resolver would have to query uk.example.com to learn how to reach uk.example.com.

Worked example: delegating a subdomain to another team

Your company's primary zone example.com is on Cloudflare. The UK team wants to manage uk.example.com on Route 53 without bothering the central team for every change. To delegate:

  1. UK team creates the zone uk.example.com in Route 53, notes the four AWS nameservers.
  2. You add four NS records for uk.example.com in the Cloudflare zone, pointing at those four AWS nameservers.
  3. You also remove any A/CNAME records at uk or below it in the Cloudflare zone. Once the NS records exist, the delegation takes precedence and those records are never served; they are dead data that will mislead the next person who reads the zone.

From this moment, any resolver asking for foo.uk.example.com follows: root → .com → Cloudflare (for example.com) → AWS (for uk.example.com). The UK team controls their subtree.
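The rule behind step 3, as an added example that is not code from the original page, Cloudflare or Route 53: walk a parent zone's records, find the zone cuts, and report which records the delegation occludes. The zone data is constructed for illustration and goes one step beyond the Route 53 case by naming a second nameserver inside uk.example.com, so it also shows the glue record the parent has to keep.

```python
"""Which records in a parent zone does a delegation occlude?

Added example, not code from the original page, Cloudflare or Route 53.
Records at or below a zone cut (a name that carries NS records but is not the
apex) are never served by the parent: the delegation takes precedence. The one
exception is glue, the A/AAAA records for nameservers whose names sit inside
the delegated zone, which the parent must keep or resolvers cannot find them.
"""


def normalize(name: str) -> str:
    """Lowercase and add a trailing dot so owner names compare exactly."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def at_or_below(name: str, cut: str) -> bool:
    return name == cut or name.endswith("." + cut)


def zone_cuts(apex: str, records) -> set:
    """Every owner of an NS record other than the apex is a delegation point."""
    apex = normalize(apex)
    return {normalize(o) for o, t, _ in records
            if t.upper() == "NS" and normalize(o) != apex}


def enclosing_cut(name: str, cuts: set):
    """The shallowest cut containing name; that is the one the parent delegates."""
    containing = [c for c in cuts if at_or_below(name, c)]
    return min(containing, key=lambda c: c.count(".")) if containing else None


def classify(apex: str, records):
    """Tag each (owner, type, rdata) as authoritative, delegation, glue or occluded."""
    apex = normalize(apex)
    cuts = zone_cuts(apex, records)

    # Glue targets: nameserver hosts that live inside the zone they serve,
    # counted only for NS records at a top-level cut (a cut nested under
    # another cut is itself occluded, so its NS targets get no glue).
    glue_targets = set()
    for owner, rtype, rdata in records:
        owner = normalize(owner)
        if rtype.upper() == "NS" and enclosing_cut(owner, cuts) == owner:
            target = normalize(rdata)
            if at_or_below(target, owner):
                glue_targets.add(target)

    result = []
    for owner, rtype, rdata in records:
        owner, rtype = normalize(owner), rtype.upper()
        cut = enclosing_cut(owner, cuts)
        if cut is None:
            status = "authoritative"
        elif owner == cut and rtype == "NS":
            status = "delegation"
        elif rtype in ("A", "AAAA") and owner in glue_targets:
            status = "glue"
        else:
            status = "occluded"
        result.append((owner, rtype, rdata, status))
    return result


def occluded(apex: str, records):
    """Just the (owner, type) pairs that are dead data in the parent zone."""
    return [(o, t) for o, t, _, s in classify(apex, records) if s == "occluded"]


# Constructed sample for the parent zone example.com (not a real export).
# Nameserver names are placeholders shaped like the providers' names.
EXAMPLE_COM = [
    ("example.com.", "SOA", "ns1.example-dns.net. hostmaster.example.com. 1 7200 900 1209600 3600"),
    ("example.com.", "NS", "ns1.example-dns.net."),
    ("example.com.", "NS", "ns2.example-dns.net."),
    ("www.example.com.", "A", "192.0.2.10"),
    ("uk.example.com.", "NS", "ns-100.awsdns-12.com."),  # off-site nameserver: no glue needed
    ("uk.example.com.", "NS", "ns1.uk.example.com."),     # in-bailiwick nameserver: needs glue
    ("ns1.uk.example.com.", "A", "198.51.100.53"),        # glue: kept
    ("uk.example.com.", "A", "203.0.113.10"),             # pre-delegation leftover: occluded
    ("app.uk.example.com.", "CNAME", "www.example.com."),  # leftover below the cut: occluded
]

if __name__ == "__main__":
    for owner, rtype, rdata, status in classify("example.com", EXAMPLE_COM):
        print(f"{status:13} {owner:22} {rtype:5} {rdata}")
```

Run it against an export of your own parent zone and anything tagged occluded is safe to delete; anything tagged glue must stay until the delegation is removed or its nameserver is renamed out of the child zone.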

Lame delegation

A nameserver that the parent lists in its NS records but that does not answer authoritatively for the zone (it doesn't respond, returns REFUSED or SERVFAIL, or answers without the AA bit) makes the delegation "lame". A mismatch between the parent's NS set and the NS set the child publishes at its apex is a close cousin, usually with the same root cause: someone changed one side and not the other. Resolvers generally retry another server, so most lookups still succeed, only slower; failures show up when a resolver's retries all land on bad servers or exceed the client's timeout, which is why the problem is intermittent and notoriously hard to debug. It is also a security problem when the listed nameserver is one nobody on your side controls any more (a delegated zone that was deleted while the parent's NS records stayed): whoever can get that server to load a zone of that name answers for your subdomain.
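The check behind that diagnosis, as an added example that is not code from the original page or from any resolver: for each nameserver the parent delegates to, ask it `NS uk.example.com` with recursion disabled and see whether it answers authoritatively and with the same NS set the parent publishes. A live version would send the queries with a DNS library; here the replies are constructed records of what each server said, so the classification runs offline. The nameserver names are placeholders shaped like Route 53's, not real servers.

```python
"""Is a delegation lame, and do the parent and child agree on the NS set?

Added example, not code from the original page or from any resolver. The
replies below are constructed records of what each nameserver said to an
`NS uk.example.com` query sent with recursion disabled (RD=0); a live check
would fill them in with a DNS library, the classification is the same.
"""
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


@dataclass
class NsReply:
    responded: bool = True          # False models a timeout
    rcode: str = "NOERROR"          # REFUSED/SERVFAIL: the zone is not loaded there
    aa: bool = False                # authoritative-answer flag in the reply header
    ns: frozenset = field(default_factory=frozenset)  # NS names in the answer


def lame_reason(reply: NsReply):
    """Why this server is lame for the zone, or None if it answered authoritatively."""
    if not reply.responded:
        return "no response"
    if reply.rcode != "NOERROR":
        return f"rcode {reply.rcode}"
    if not reply.aa:
        return "answer without the AA flag"
    return None


def check_delegation(parent_ns, replies):
    """parent_ns: NS names the parent publishes; replies: server name -> NsReply.

    Returns (server, kind, detail) tuples, kind being "lame" or "mismatch".
    A server missing from replies is treated as one that never answered.
    """
    parent_ns = frozenset(normalize(n) for n in parent_ns)
    problems = []
    for server in sorted(parent_ns):
        reply = replies.get(server, NsReply(responded=False))
        reason = lame_reason(reply)
        if reason:
            problems.append((server, "lame", reason))
            continue
        child_ns = frozenset(normalize(n) for n in reply.ns)
        if child_ns != parent_ns:
            problems.append((server, "mismatch",
                             f"apex NS {sorted(child_ns)} differs from parent {sorted(parent_ns)}"))
    return problems


def verdict(parent_ns, problems) -> str:
    """clean: all good; broken: every server is lame; intermittent: the annoying case."""
    if not problems:
        return "clean"
    lame = {s for s, kind, _ in problems if kind == "lame"}
    return "broken" if len(lame) == len(parent_ns) else "intermittent"


# Constructed scenario: the parent delegates uk.example.com to four placeholder
# nameservers; only one of them is fully healthy.
PARENT_NS = {"ns-100.awsdns-12.com.", "ns-600.awsdns-11.net.",
             "ns-1200.awsdns-22.org.", "ns-1700.awsdns-20.co.uk."}
REPLIES = {
    "ns-100.awsdns-12.com.": NsReply(aa=True, ns=frozenset(PARENT_NS)),
    "ns-600.awsdns-11.net.": NsReply(rcode="REFUSED"),  # zone never loaded here
    "ns-1200.awsdns-22.org.": NsReply(aa=True, ns=frozenset(PARENT_NS - {"ns-1700.awsdns-20.co.uk."})),
    # ns-1700.awsdns-20.co.uk. absent: it timed out
}

if __name__ == "__main__":
    problems = check_delegation(PARENT_NS, REPLIES)
    for server, kind, detail in problems:
        print(f"{kind:9} {server:26} {detail}")
    print("verdict:", verdict(PARENT_NS, problems))
```

The verdict of "intermittent" is the case the text describes: one server answers correctly, so resolvers that happen to pick it succeed, and the rest see a refusal, a timeout, or a server that vouches for a different NS set than the parent does.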

Verify on WhereIsDNS

Run an NS lookup on the delegated subdomain. If consensus across 14 resolvers shows the new nameservers, delegation is live. If a few resolvers still return the parent's nameservers or a negative answer, those caches are serving the pre-delegation state and will expire on their own; the wait is bounded by the TTL of what they cached, and for a negative answer that is the negative-caching TTL in the parent zone's SOA. To see what everyone will see once caches clear, query the parent's nameservers directly for the NS records, then query each listed child nameserver and confirm it answers authoritatively.

Related: SOA record · NS record · resolver.