Understanding stub zones
Updated: January 21, 2005 http://technet.microsoft.com/en-us/library/cc779197.aspx
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain
Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces.
This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS
namespaces resolve names for clients in both namespaces.
A stub zone consists of:
- The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource
  records for the delegated zone.
- The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server
hosting the primary zone for the delegated domain name.
Stub zone resolution
When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the
resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS
servers specified in the NS resource records of the stub zone as if it were using NS resource records in its cache. If the
DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts
standard recursion using its root hints.
The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its
cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records
returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached
according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are
not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created
during the creation of the stub zone and updated during transfers to the stub zone from the original, primary zone.
If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.
Communication between DNS servers hosting parent and child zones
A DNS server that has delegated a domain to a child zone on a different DNS server is made aware of new authoritative
DNS servers for the child zone only when the resource records for these new DNS servers are added to the parent zone
hosted on the DNS server. This is a manual process and requires that the administrators for the different DNS servers
communicate often. With stub zones, a DNS server hosting a stub zone for one of its delegated domains can obtain
updates of the authoritative DNS servers for the child zone when the stub zone is updated. The update is performed from
the DNS server hosting the stub zone and the administrator for the DNS server hosting the child zone does not need to be
contacted. This functionality is explained in the following example.
A stub zone is a read-only copy of a zone, which obtains its resource records from other name servers. It contains copies
of only three types of resource records:
1. SOA record for the zone.
2. Name server (NS) records for all name servers authoritative for the zone.
3. Host (A) records for all name servers authoritative for the zone.
These resource records are necessary to identify the authoritative DNS server for the zone. A stub zone is used to
streamline name resolution, especially in a split namespace scenario.
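
As an added illustration (not part of the original article), the sketch below reduces a child zone to the three record types a stub zone holds, then compares the result with a hand-maintained delegation in the parent zone, the situation described under "Communication between DNS servers hosting parent and child zones". All record data, the addresses and the function names are constructed for the example.

```python
# Constructed sample data: the child zone as held by its primary server,
# written as (owner, type, rdata) tuples.
CHILD_ZONE = [
    ("widgets.example.com.", "SOA",
     "ns1.widgets.example.com. hostmaster.widgets.example.com. 42 900 600 86400 3600"),
    ("widgets.example.com.", "NS", "ns1.widgets.example.com."),
    ("widgets.example.com.", "NS", "ns3.widgets.example.com."),
    ("ns1.widgets.example.com.", "A", "192.0.2.11"),
    ("ns3.widgets.example.com.", "A", "192.0.2.30"),
    ("www.widgets.example.com.", "A", "192.0.2.80"),
    ("widgets.example.com.", "MX", "10 mail.widgets.example.com."),
]
# Constructed sample data: delegation typed by hand into the parent zone
# example.com some time ago; it has since gone stale.
PARENT_DELEGATION = [
    ("widgets.example.com.", "NS", "ns1.widgets.example.com."),
    ("widgets.example.com.", "NS", "ns2.widgets.example.com."),
    ("ns1.widgets.example.com.", "A", "192.0.2.10"),
    ("ns2.widgets.example.com.", "A", "192.0.2.20"),
]

def stub_records(zone, apex):
    """Keep only what a stub zone stores: apex SOA, apex NS, A records of the NS hosts."""
    apex = apex.lower()
    kept = [r for r in zone if r[0].lower() == apex and r[1] in ("SOA", "NS")]
    targets = {rdata.lower() for _, rtype, rdata in kept if rtype == "NS"}
    kept += [r for r in zone if r[1] == "A" and r[0].lower() in targets]
    return kept

def view(records, apex):
    """Return (NS host names at the apex, {NS host name: set of A addresses})."""
    ns = {rd.lower() for o, t, rd in records if t == "NS" and o.lower() == apex}
    glue = {n: {rd for o, t, rd in records if t == "A" and o.lower() == n} for n in ns}
    return ns, glue

def delegation_drift(parent, stub, apex):
    """Report where the parent's delegation disagrees with the stub zone's server list."""
    apex = apex.lower()
    p_ns, p_glue = view(parent, apex)
    s_ns, s_glue = view(stub, apex)
    return {
        "missing_from_parent": sorted(s_ns - p_ns),
        "stale_in_parent": sorted(p_ns - s_ns),
        "glue_mismatch": sorted(n for n in p_ns & s_ns if p_glue[n] != s_glue[n]),
    }

if __name__ == "__main__":
    stub = stub_records(CHILD_ZONE, "widgets.example.com.")
    print(delegation_drift(PARENT_DELEGATION, stub, "widgets.example.com."))
```
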
A DNS server that is hosting a stub zone is configured with the IP address of the authoritative server from which it loads.
DNS servers can use stub zones for both iterative and recursive queries. When a DNS server hosting a stub zone
receives a recursive query for a computer name in the zone to which the stub zone refers, the DNS server uses the IP
address to query the authoritative server, or, if the query is iterative, returns a referral to the DNS servers listed in the stub
zone. A stub zone reduces the amount of DNS traffic on the network and makes DNS more efficient especially over slow
Using stub zones
Use stub zones to:
- Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS
  server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for
  the child zone.
- Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of
  name servers without needing to query the Internet or internal root server for the DNS namespace.
- Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list
  of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the
  same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
- The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a
  primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for
- The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS)
When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in
different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The
list of master servers may contain a single server or multiple servers and can be changed anytime.
Stub zone updates
Stub zone updates involve the following conditions:
- When a DNS server loads a stub zone, it queries the zone's master server for the SOA resource record, NS
  resource records at the zone's root, and glue A resource records.
- During updates to the stub zone, the master server is queried by the DNS server hosting the stub zone for the
  same resource record types requested during the loading of the stub zone.
- The Refresh interval of the SOA resource record determines when the DNS server hosting the stub zone will
  attempt a zone transfer (update).
- If an update fails, the Retry interval of the SOA resource record determines when the update is retried.
- Once the Retry interval has expired without a successful update, the expiration time as specified in the Expires
  field of the SOA resource record determines when the DNS server stops using the stub zone data.
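
The timer behaviour in the list above can be traced with a small simulation. This is an added example, not code from the original article or from the DNS Server service; the class and function names are hypothetical, and it assumes the Expires interval is counted from the last successful update.

```python
from dataclasses import dataclass

@dataclass
class SoaTimers:
    refresh: int  # seconds between scheduled update attempts
    retry: int    # seconds to wait after a failed attempt
    expire: int   # seconds without a successful update before the data is dropped

def simulate_stub_updates(soa, master_up, horizon):
    """Trace update attempts for a stub zone loaded successfully at t=0.

    master_up(t) says whether the master server answers at time t.
    Returns a list of (time, event) with event in
    {"updated", "failed", "expired"}, covering times up to horizon.
    """
    events = []
    last_ok = 0          # time of the last successful load or update
    t = soa.refresh      # first scheduled attempt
    while True:
        deadline = last_ok + soa.expire
        if t >= deadline:
            # No success before the deadline: stop using the stub zone data.
            if deadline <= horizon:
                events.append((deadline, "expired"))
            return events
        if t > horizon:
            return events
        if master_up(t):
            events.append((t, "updated"))
            last_ok = t
            t += soa.refresh   # back on the normal Refresh schedule
        else:
            events.append((t, "failed"))
            t += soa.retry     # failed attempts are repeated on the Retry interval

if __name__ == "__main__":
    # Constructed scenario: master server becomes unreachable after t=1000 s.
    timers = SoaTimers(refresh=900, retry=600, expire=3000)
    for when, what in simulate_stub_updates(timers, lambda t: t < 1000, 10000):
        print(f"{when:>6}s  {what}")
```
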
Use the DNS console in Microsoft Management Console (MMC) to perform the following stub zone update operations:
- Reload. Reload the stub zone from the local storage of the DNS server hosting the stub zone.
- Transfer from master. Have the DNS server hosting the stub zone determine if the serial number in the stub
  zone's SOA resource record has expired, and then perform a zone transfer from the stub zone's master server.
- Reload from master. Perform a zone transfer from the stub zone's master server regardless of the serial number
  in the stub zone's SOA resource record.