Subdelegations and child zones

Typically, when configuring DNS zones in the IBM® NS1 Connect® platform, a single zone (representing an entire domain) will contain one or more A, AAAA, and/or CNAME records for each subdomain. In some cases, however, you may want to delegate responsibility for a segment of the DNS namespace to someone else — for example, if a segment of a domain (foo.example.com) will be managed by a different DNS provider than the rest of the domain (example.com). In this case, you can create a subdelegation (that is, a separate zone file for the subdomain), and then update the nameserver (NS) records within the parent zone to point to the subdomain’s nameserver(s). The process varies depending on which zone file (as in, the parent zone or the subdelegation) is hosted by NS1.

Similarly, you might have a scenario where you want to create a parent and child zone — both of which are hosted on the NS1 platform. In this scenario, NS1 will use the child zone for that namespace and just ignore the same namespace in the parent zone. This could be helpful, for example, for organizations with complex operations in which different teams manage different subdomains.

Consider the following scenarios:

  • Scenario A: The parent zone is hosted by NS1, and the child zone is hosted elsewhere.
  • Scenario B: The child zone is hosted by NS1, and the parent zone is hosted elsewhere.
  • Scenario C: Both the parent and child zones are hosted by NS1.

Optionally, once configured, you can refer to Enabling DNSSEC on a subdelegation to enable DNSSEC online signing for the child zone.

Scenario A: The parent zone is hosted by NS1

If the parent zone is hosted on the NS1 platform, update the zone configuration to point to the nameserver(s) responsible for the subdelegation (that is, child zone).

Note: Do not remove existing NS records in the parent zone. The records referenced in these instructions are additional NS records that are specific to the subdomain.
  1. Click the Zones tab.
  2. If you haven't already, create a new zone corresponding to the parent domain. Otherwise, click the name of the parent zone from the list to view the parent zone details.
  3. In the Records tab, of the zone, scroll to the bottom of the screen and click Add record.
  4. Under Record type, select NS from the drop-down list.
    Note: NS1 recommends configuring NS1 records in the parent zone to match the nameservers for the third-party (or self-hosted) service hosting the child zone.
  5. Enter the prefix for the subdomain (that is, the subdelegation).
  6. Under Answers, enter one or more answers corresponding to each of the nameservers on which the subdomain is published. These answers should match the nameservers listed in the NS record within the subdelegated zone.
  7. Click Save record. The new NS record appears in the list.

Scenario B: The child zone is hosted by NS1

Follow the instructions below to create a child zone within the NS1 platform.

  1. Click the Zones tab.
  2. If you haven't already, create a new zone representing the subdelegation, ensuring the Normal setup option is selected.
  3. From the list of zones, navigate to the subdelegation (child zone) you just created to view zone details, including a list of associated DNS records.
  4. Click the name of the NS record to drill down into record details, or you can click the Nameservers tab within the zone details to view a list of nameservers.

    Each answer within the NS record corresponds to an NS1 nameserver assigned to this zone.

  5. Add one or more NS records to the parent zone, wherever it is hosted, pointing to the NS1 nameservers for the subdomain.

Scenario C: Both the parent and child zones are hosted by NS1

If both the parent and child zones are published to one or more NS1 networks, then follow both sets of steps above to create the parent and child zones, adding NS records to the parent zone that point to the nameservers assigned to the child zone.

It’s important to note that, in this scenario, NS1 refers to the child zone for that namespace and ignores the same namespace in the parent zone. This is why manually creating the NS records in the parents is recommended because it makes it clear to any admin that they should not create records in that namespace.

Next steps

Optionally, after creating the parent and child zones, you can enable DNSSEC for the sub-delegation.