7/27/2019 The Long and Short of Stub Zones

1/6

Understanding stub zones54 out of 74 rated this helpful -Rate this topic

Updated: January 21, 2005Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows

Server 2003 with SP2

Understanding stub zonesA stub zone is a copy of a zone that contains only those resource records necessary to identify the

authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names

between separate DNS namespaces. This type of resolution may be necessary when a corporate merger

requires that the DNS servers for two separate DNS namespaces resolve names for clients in both

namespaces.

A stub zone consists of:

The start of authority (SOA) resource record, name server (NS) resource records, and the glue A

resource records for the delegated zone.

The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually

the DNS server hosting the primary zone for the delegated domain name.

For more information, seeUsing stub zones.

Stub zone resolutionWhen a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS

server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative

query to the authoritative DNS servers specified in the NS resource records of the stub zone as if it were

using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its

stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a

stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS,

and glue A resource records returned in response to the query are stored in the stub zone. The resource

records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record.

The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire

interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and

updated during transfers to the stub zone from the original, primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the

stub zone.

Communication between DNS servers hosting parent and

child zonesA DNS server that has delegated a domain to a child zone on a different DNS server is made aware of new

authoritative DNS servers for the child zone only when the resource records for these new DNS servers are

added to the parent zone hosted on the DNS server. This is a manual process and requires that the

administrators for the different DNS servers communicate often. With stub zones, a DNS server hosting a

http://technet.microsoft.com/en-us/library/cc779197%28WS.10%29.aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc779197%28WS.10%29.aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc779197%28WS.10%29.aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc775397(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc775397(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc775397(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc775397(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc779197%28WS.10%29.aspx#feedback

7/27/2019 The Long and Short of Stub Zones

2/6

stub zone for one of its delegated domains can obtain updates of the authoritative DNS servers for the

child zone when the stub zone is updated. The update is performed from the DNS server hosting the stub

zone and the administrator for the DNS server hosting the child zone does not need to be contacted. This

functionality is explained in the following example.

The Long and Short of Stub ZonesStub zones can beef up your DNS infrastructure. Heres a practical guide towhen and how to use them.

By Bill Boswell 01/01/2004

In a previous DNS column, I briefly covered a new feature in Windows 2003 called stubzones. A stub zone contains Name Server (NS) records from another DNS domain and canbe used to augment classic zone delegation. Since that column appeared, Ive receivedquite a few requests for more information about how stub zones work. The questions rangefrom What is the deal with stub zones, anyway? to What kind of permissions do I need tocreate a stub zone?; and What if the server where I pull the stub zone goes down? andShould I Active Directory-integrate a stub zone? and If stub zones are so cool, why dontthey show up on the computer screens in Matrix Reloaded?I dont have an answer to the last question, but lets see if I can clarify a few of the other

points.

Whats the Deal with Stub Zones, Anyway?

Heres a fairly common situation. Youre the administrator of the root domain in a forest.

This puts you in charge of the DNS servers that host the resource records for the root zone

of the forest. Lets call it root.tld. (TLD stands for Top-Level Domain. Examples of TLDs

include .com, .edu, .biz, .aero and so on.) You use Windows Server 2003 DNS servers to

host the zone.

Another administrator wants to create an AD domain in the same DNS namespace. He

proposes the domain name child.root.tld. The administrator wants to integrate the DNS

zone for child.root.tld into AD in her domain.

This creates a challenge for DNS clients in root.tld because they need a way to look up

records in child.root.tld. You could pull a secondary of the child.root.tld zone to each of your

root.tld DNS servers, but zone transfers use bandwidth and the servers might reside on the

wrong side of an expensive WAN link.

http://redmondmag.com/forms/emailtoauthor.aspx?AuthorItem=%7bE44E8E9B-A4AF-4D8E-91BB-536EBFA8B132%7d&ArticleItem=%7b4909CAE4-B0E4-47E9-A051-F21537A0C756%7dhttp://redmondmag.com/forms/emailtoauthor.aspx?AuthorItem=%7bE44E8E9B-A4AF-4D8E-91BB-536EBFA8B132%7d&ArticleItem=%7b4909CAE4-B0E4-47E9-A051-F21537A0C756%7d

7/27/2019 The Long and Short of Stub Zones

3/6

So, when a DNS client in root.tld requests a resource record from child.root.tld, you need a

way to redirect the query to a DNS server that hosts a copy of the child.root.tld zone file.

Classic DNS uses delegation to accomplish this task. Delegation creates NS records in the

parent domain that identify DNS servers in the child domain. Windows DNS uses a

Delegation Wizard for creating these delegation entries.

Delegation has a disadvantage, though. The NS records created by the Delegation Wizard

point at specific name servers by IP address. If an administrator in the child domain

changes those IP addresses, or renames the DNS servers, or decommissions a server, this

creates a lame delegation.

Stub zones help you to avoid lame delegations by creating a zone that contains all the NS

records for a specified zone, not just the ones specified for delegation. The stub zone host

refreshes the NS list periodically to stay up to date with the current list of name servers for

the specified zone. Hence, no lame delegations.

How Stub Zones Get Populated

Lets say that the child.root.tld zone is hosted by three DNS servers. They could be

Windows DNS servers with a single primary master and two secondaries. They could be

domain controllers with an AD-integrated zone. Or they could be BIND servers.

You, as the administrator of root.tld, create a stub zone on your Windows 2003 DNS server.

During the zone configuration, you specify all three DNS servers in child.root.tld as sources

for the zone. See the figure for an example.

Stub zone configuration showing three source DNS servers.

(Click image to view larger version.)

http://mcpmag.com/images/0104mcp_insider.gif

7/27/2019 The Long and Short of Stub Zones

4/6

7/27/2019 The Long and Short of Stub Zones

5/6

handling is a standard feature of DNS and doesnt require special configuration of the stub

zone.

No Stub Zone Permissions Required

Creating a stub zone requires no admin permissions whatsoever in the source DNS

domain. This is because a stub zone contains only SOA, NS, and A records, which are

freely available from any DNS server. You can test this yourself by creating a stub zone for

a public DNS domain. To do this, youll need the IP address of at least one DNS server

hosting a copy of the public zone. Obtain this record using the nslookup utility as follows:

Contrasting stub zones and

conditional forwarders10 out of 13 rated this helpful -Rate this topic

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows

Server 2003 with SP2

Contrasting stub zones and conditional forwardersThere can be some confusion about when to use conditional forwarders instead of stub zones because

both DNS features allow a DNS server to respond to a query with a referral for, or by forwarding to, a

different DNS server; however, these settings are used for very different purposes. These features have thefollowing objectives:

A conditional forwarder setting configures the DNS server to forward a query it receives to a DNS

server depending on the DNS name contained in the query.

A stub zone keeps the DNS server hosting a parent zone aware of all the DNS servers

authoritative for a child zone.

Conditional forwardersIn situations where you want DNS clients in separate networks to resolve each others' names without

having to query DNS servers on the Internet, such as in the case of a company merger, you shouldconfigure the DNS servers in each network to forward queries for names in the other network. DNS

servers in one network will forward names for clients in the other network to a specific DNS server that

will build up a large cache of information about the other network. When forwarding in this way, you

create a direct point of contact between two networks' DNS servers, reducing the need for recursion.

Stub zones do not provide the same server-to-server benefit because a DNS server hosting a stub zone in

one network will reply to queries for names in the other network with a list ofallauthoritative DNS servers

for the zone with that name, instead of the specific DNS servers you have designated to handle this traffic.

http://technet.microsoft.com/en-us/library/cc780434(WS.10).aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc780434(WS.10).aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc780434(WS.10).aspx#feedbackhttp://technet.microsoft.com/en-us/library/cc780434(WS.10).aspx#feedback

7/27/2019 The Long and Short of Stub Zones

6/6

This configuration complicates any type of security settings that you want to establish between specific

DNS servers running in each of the networks. For more information, seeUnderstanding forwarders.

Stub zonesStub zones are used when you want a DNS server hosting a parent zone to remain aware of the

authoritative DNS servers for one of its child zones. If the stub zone for a child zone is hosted on the same

DNS server as the parent zone, the DNS server hosting the stub zone will receive a list of all new

authoritative DNS servers for the child zone when it requests an update from the stub zone's master

server . This method of updating the DNS server hosting the parent zone maintains a current list of the

authoritative DNS servers for the child zone as they are added and removed.

A conditional forwarder is not an efficient method of keeping a DNS server hosting a parent zone aware

of the authoritative DNS servers for a child zone. If you used this method, whenever the authoritative DNS

servers for the child zone changed, the conditional forwarder setting on the DNS server hosting the

parent zone would have to be manually configured with the IP address for each new authoritative DNS

server for the child zone. For more information, seeUnderstanding stub zones.

http://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx