[dns-operations] DNS zone without an SOA or NS records

Paul Wouters paul at xelerance.com
Wed Jul 20 19:29:41 UTC 2011

On Wed, 20 Jul 2011, Chuck Anderson wrote:

> Is it valid to have a DNS zone that serves only A records, but does
> not contain any SOA or NS records?
> Isilon (a network storage appliance) apparently does this and wants a
> DNS delegation to it to handle the built-in load-balancing/failover
> that it does.
> e.g. if you have a zone example.com, and you want to serve files from
> the Isilon device with a name of files.example.com, then Isilon wants
> you to put this in example.com:
> $ORIGIN example.com.
> files     IN NS files-sip.example.com.
> files-sip IN A
> But when you try to query, no answers are returned for
> SOA or NS--only A queries are responded to.

It's invalid. And it breaks any resolver that tries to verify glue/hints.
Some Cisco load balancers do the same thing. And they also don't respond
to NS records. It broke a large bank DNS setup when using unbound with any
kind of hardening enabled. This hardening for example is defined in


> Is that compliant with DNS standards (I think not)?  If not, can
> someone please point me to the relevant standard where it says there
> must be an SOA and NS record?

> More importantly, what are the ramifications of not having any SOA or
> NS records in the zone?

It breaks, and some clients won't be able to reach your service.
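
A check for the behaviour discussed in this thread, added here as an example (it is not code from either poster or from any vendor): it builds SOA, NS and A queries for the delegated name in DNS wire format and reports whether the server answers like a zone apex. The names `check_apex` and `appliance_like`, the address 192.0.2.10 and the stand-in responder are constructed for illustration; `send` is assumed to be any callable that delivers the query bytes to the delegated server and returns the reply or `None` on timeout.

```python
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6}

def build_query(name, qtype, qid=0x1234):
    """Encode a minimal DNS query (RFC 1035 wire format) with RD=0."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)

def parse_header(resp):
    """Return (rcode, ancount) from a reply, or None if missing or too short."""
    if resp is None or len(resp) < 12:
        return None
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0xF, ancount

def check_apex(zone, send):
    """Ask the delegated server for SOA, NS and A at the zone apex."""
    result = {}
    for qtype in ("SOA", "NS", "A"):
        hdr = parse_header(send(build_query(zone, qtype)))
        if hdr is None:
            result[qtype] = "no response"
        elif hdr[0] != 0:
            result[qtype] = f"rcode {hdr[0]}"
        elif hdr[1] == 0:
            result[qtype] = "empty answer"
        else:
            result[qtype] = "ok"
    # Assumption used here: a usable zone apex answers both SOA and NS.
    result["valid_apex"] = result["SOA"] == "ok" and result["NS"] == "ok"
    return result

def appliance_like(query):
    """Constructed stand-in: answers A queries only, silent for anything else."""
    qtype = struct.unpack("!H", query[-4:-2])[0]
    if qtype != QTYPES["A"]:
        return None
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([192, 0, 2, 10])
    return header + query[12:] + answer

if __name__ == "__main__":
    print(check_apex("files.example.com", appliance_like))
```

To run it against a real delegation, pass a `send` that writes the query to UDP port 53 of the delegated server and returns the datagram it receives.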

