Why Zones and Delegation Matter
DNS appears to be a single, continuous hierarchy, but it is not operated as one system.
Instead, responsibility is divided into zones, and authority is handed off using delegation.
Understanding zones and delegation explains why DNS scales globally, why outages are often localized, and why control in DNS is always absolute at specific boundaries.
What a DNS Zone Is
A DNS zone is a portion of the DNS namespace for which a specific set of authoritative name servers is responsible.
A zone always corresponds to a node in the DNS label tree, but it does not automatically include everything beneath that node. A zone ends where delegation occurs.
For example, the zone example.com might include:
- example.com
- www.example.com
- mail.example.com
But it does not include shop.example.com if that name has been delegated elsewhere.
The important distinction is this:
A label defines a position in the namespace. A zone defines who has authority to answer questions.
Zones exist so DNS responsibility can be distributed across organizations, teams, and infrastructure providers without requiring centralized control.
Delegation: How Authority Is Handed Off
Delegation is the mechanism that splits the DNS tree into separate zones.
Delegation is implemented using NS records published in the parent zone. These records tell resolvers which name servers are authoritative for the child zone.
When the child zone’s name servers are below the delegated name, the parent zone also provides glue records so resolvers can reach them without circular lookups.
A simplified example:
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
ns1.example.com. IN A 192.0.2.10
ns2.example.com. IN A 192.0.2.11
Once delegation exists, the parent zone stops answering authoritatively for anything below that point. It only points to the child’s authoritative servers.
Resolvers treat this boundary as final.
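The delegation above is the parent's side of a zone cut, and it is easy to get wrong in ways the parent never notices: an NS record whose server name sits inside the delegated zone but has no glue, or data the parent keeps publishing beneath the cut. The following is an added example, not code from the original article: a small checker that takes the records a parent publishes for a delegated name and reports the problems a resolver would hit. The record tuples, the shop.example.com delegation and the server name ns.dns-provider.example are constructed for the example; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.

```python
# Delegation sanity check (added example, not code from the original article).
# Given the records a parent zone publishes for a delegated child, verify:
#   1. NS records exist at the cut,
#   2. every in-bailiwick name server has glue (A/AAAA) in the parent,
#   3. nothing else is published beneath the cut, where resolvers never look,
#   4. optionally, the parent's NS set matches what the child publishes at its apex.
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Canonical form for comparisons: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def is_at_or_below(name: str, ancestor: str) -> bool:
    """True if `name` is `ancestor` itself or lies beneath it in the label tree."""
    name, ancestor = normalize(name), normalize(ancestor)
    return name == ancestor or name.endswith("." + ancestor)


def needs_glue(ns_name: str, delegated_name: str) -> bool:
    """A server whose own name is inside the delegated zone needs glue: without an
    address in the parent, finding it would require querying the zone it serves."""
    return is_at_or_below(ns_name, delegated_name)


@dataclass
class DelegationReport:
    ns_names: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_delegation(delegated_name, parent_records, child_apex_ns=None):
    """parent_records: (owner, rtype, rdata) tuples as published in the parent zone.
    child_apex_ns: NS names the child publishes at its own apex, if known."""
    cut = normalize(delegated_name)
    report = DelegationReport()
    report.ns_names = [normalize(r) for o, t, r in parent_records
                       if t == "NS" and normalize(o) == cut]
    glue = {normalize(o) for o, t, _ in parent_records
            if t in ("A", "AAAA") and normalize(o) in report.ns_names}
    for owner, rtype, _ in parent_records:
        owner = normalize(owner)
        if not is_at_or_below(owner, cut):
            continue  # the parent's own data; unaffected by this delegation
        if owner == cut and rtype in ("NS", "DS"):
            continue  # the delegation itself (DS is the parent's to publish)
        if owner in report.ns_names and rtype in ("A", "AAAA"):
            continue  # glue for one of the delegated name servers
        report.problems.append(
            f"{owner} {rtype} is beneath the zone cut and will never be served")
    if not report.ns_names:
        report.problems.append(f"no NS records for {cut} in the parent")
    for ns in report.ns_names:
        if needs_glue(ns, cut) and ns not in glue:
            report.problems.append(f"in-bailiwick server {ns} has no glue address")
    if child_apex_ns is not None:
        child = {normalize(n) for n in child_apex_ns}
        if child != set(report.ns_names):
            report.problems.append(
                f"parent NS set {sorted(report.ns_names)} differs from "
                f"child apex NS set {sorted(child)}")
    return report


# The article's own example, as the .com zone would publish it for example.com.
GOOD_DELEGATION = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("ns1.example.com.", "A", "192.0.2.10"),
    ("ns2.example.com.", "A", "192.0.2.11"),
]

# Constructed: example.com delegates shop.example.com but forgets glue for the
# in-bailiwick server and leaves a stale A record beneath the cut.
BAD_DELEGATION = [
    ("shop.example.com.", "NS", "ns1.shop.example.com."),
    ("shop.example.com.", "NS", "ns.dns-provider.example."),
    ("www.shop.example.com.", "A", "203.0.113.5"),
]

if __name__ == "__main__":
    for name, recs in (("example.com", GOOD_DELEGATION), ("shop.example.com", BAD_DELEGATION)):
        rep = check_delegation(name, recs)
        print(name, "OK" if rep.ok else "PROBLEMS", rep.problems)
```

The checker deliberately treats any non-glue record beneath the cut as a problem rather than a warning: once the delegation exists, the parent's copy is invisible to every resolver, so keeping it around only misleads the team editing the parent zone.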
Zone Cuts Are Absolute
Delegation creates what is commonly called a zone cut.
That cut is absolute. Once it exists:
- The parent zone cannot publish records beneath the delegated label
- The parent cannot override or “partially manage” names below it
- All subdomains under the delegated name belong to the child zone
There is no mechanism in DNS to share authority for a name or split a subtree further without additional delegation.
Once shop.example.com has been delegated to a separate team, DNS changes made in the example.com zone stop affecting any names under shop.example.com. The issue is not propagation or caching. Once the delegation exists, the parent zone no longer has authority below that label, even though both teams believe they are managing the same domain.
Why Delegation Works This Way
DNS delegation is intentionally coarse.
Resolvers are designed to make simple, cacheable decisions:
- Identify the closest enclosing zone cut
- Query the authoritative servers for that zone
- Trust the answers until their TTL expires
Allowing overlapping or partial authority would complicate caching, increase query volume, and make failure behavior unpredictable. The rigidity of delegation is what allows DNS to scale and perform reliably worldwide.
The tradeoff is inflexibility, but that inflexibility is a design choice, not a limitation that can be configured away.
Zones, Caching, and Failure Scope
Zones also define failure boundaries.
If the authoritative servers for a zone become unreachable:
- All names in that zone are affected
- Names in sibling zones are not
Caching may temporarily mask failures, but once cached data expires, resolvers must reach the delegated servers to refresh it.
This is why DNS outages often appear selective. A single domain or subdomain fails while others under the same parent continue to resolve normally.
Operationally, this makes zone design a critical reliability decision.
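The resolver behavior described in "Why Delegation Works This Way" and the failure scope described in this section can be seen in a few dozen lines. The following is an added example, not code from the original article: a toy zone table for com, example.com and a delegated shop.example.com, a resolver that finds the closest enclosing zone cut and queries only that zone, and a cache that trusts answers until a TTL expires. The zone contents, addresses and the fixed 300-second TTL are constructed for the example; a real resolver follows NS referrals from the root instead of looking apexes up in a table, and TTLs come from the records themselves.

```python
# Zone cuts, resolution and failure scope, simulated.
# Added example; not code from the original article.
import copy

# Constructed zone table: apex -> server state and records.
# example.com has delegated shop.example.com to another team but still carries
# a stale www.shop.example.com record beneath the cut.
ZONES = {
    "com": {"up": True, "records": {
        "example.com": {"NS": ["ns1.example.com"]},
        "ns1.example.com": {"A": ["192.0.2.10"]},          # glue
    }},
    "example.com": {"up": True, "records": {
        "example.com": {"NS": ["ns1.example.com"]},
        "www.example.com": {"A": ["192.0.2.20"]},
        "shop.example.com": {"NS": ["ns1.shop.example.com"]},
        "ns1.shop.example.com": {"A": ["192.0.2.30"]},     # glue for the child
        "www.shop.example.com": {"A": ["192.0.2.99"]},     # occluded: never served
    }},
    "shop.example.com": {"up": True, "records": {
        "shop.example.com": {"NS": ["ns1.shop.example.com"]},
        "www.shop.example.com": {"A": ["192.0.2.31"]},
    }},
}


def closest_enclosing_zone(name, zones):
    """Walk from the full name toward the root; the first apex found is the zone cut."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, rtype, zones=ZONES):
    """Ask only the zone at the closest enclosing cut.
    Returns (rcode, rdata list): NOERROR, NXDOMAIN or SERVFAIL."""
    zone = closest_enclosing_zone(name, zones)
    if zone is None or not zones[zone]["up"]:
        return "SERVFAIL", []
    rrsets = zones[zone]["records"].get(name.lower().rstrip("."))
    if rrsets is None:
        return "NXDOMAIN", []
    return "NOERROR", list(rrsets.get(rtype, []))


def with_zone_down(apex, zones=ZONES):
    """Copy of the zone table in which one zone's servers are unreachable."""
    out = copy.deepcopy(zones)
    out[apex]["up"] = False
    return out


class CachingResolver:
    """Caches positive answers and trusts them until their TTL expires.
    `now` is an explicit clock so expiry can be driven deterministically."""

    def __init__(self, zones, now=0):
        self.zones, self.now, self.cache = zones, now, {}

    def query(self, name, rtype, ttl=300):
        key = (name.lower().rstrip("."), rtype)
        if key in self.cache:
            expires, answer = self.cache[key]
            if expires > self.now:
                return answer          # served from cache, no upstream query
            del self.cache[key]
        answer = resolve(name, rtype, self.zones)
        if answer[0] == "NOERROR":
            self.cache[key] = (self.now + ttl, answer)
        return answer


if __name__ == "__main__":
    print(resolve("www.shop.example.com", "A"))          # child's 192.0.2.31, not .99
    down = with_zone_down("shop.example.com")
    print(resolve("www.shop.example.com", "A", down))    # SERVFAIL
    print(resolve("www.example.com", "A", down))         # sibling still resolves
```

Two things to notice: the 192.0.2.99 record in example.com is never returned, because the resolver stops at shop.example.com and asks nothing else; and with shop.example.com's servers down, the cached answer keeps resolving until the TTL runs out, after which only names in that zone fail.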
Zones Are Administrative Boundaries, Not Network Boundaries
Zones are often mistaken for application or network boundaries. They are neither.
A single zone can point to infrastructure across many networks and regions. Multiple zones can point to the same IP addresses. DNS does not care.
Zone boundaries exist solely to define who answers DNS questions, not where services run or how traffic flows afterward.
This separation is deliberate and is one reason DNS has remained stable despite massive changes in how applications and networks are built.
Summary
DNS zones and delegation explain how a single global namespace is shared safely across millions of independent operators.
Key points to remember:
- A zone is a unit of authority, not just a naming level
- Delegation creates strict, non-overlapping boundaries
- Zone cuts apply to everything beneath a label
- These constraints enable caching, scalability, and predictable failure behavior
Once zones are understood, many DNS behaviors that seem arbitrary begin to feel inevitable rather than accidental.