A child zone, or cut node, is created as a node on a parent zone.
Child zones allow users to attach certain services, like SPF records for email, to one part of your zone instead of the entire Parent Zone, or vice versa. It also allows users to take a section of their zone and transfer it to another server or DNS provider.
The following table shows an example of the relationship between the child zone clients.dyn.com and the parent zone dyn.com.
As the table shows, .com is the top level domain, dyn is the parent, and clients. is the child zone.
| clients. | dyn | .com |
| Child Zone (node) | Parent Zone | Top Level Domain |
Usually, child zones are created on parent zones owned and controlled by the same DNS account. There are valid technical limitations for this practice.
When a zone contains another zone (for example, the zone child.dyn.com is contained by the zone dyn.com), the containing zone (the ‘parent’) must direct queries to the servers for the other zone (the ‘child’). This is called ‘delegation’. In order to direct these queries, the parent zone should contain a node for the child zone that contains NS records. These NS records show the nameserver(s) responsible for serving the child zone. This node is called a ‘cut node’, referring to the idea of the tree of data in a zone being cut off into a separate zone. See RFC 1035, for additional information. Other than NS records, very few record types can be used at a cut node. Dyn’s Managed DNS system will return an error if you attempt to create record types at the cut node that cannot exist there.
Creating a Child Zone When the Parent is on a Different Account
Managed DNS has some policies around zones that are parents or children of other zones hosted at Dyn.
Follow the usual instructions for Creating a zone manually, transferring a zone from another server, or uploading zone data or a zone file; with these caveats:
| Policy | Example | More Information |
|---|---|---|
| 1. The parent zone should not belong to another Dyn customer. | If you are trying to create child.example.com, and the zone example.com is already being managed by Dyn for another customer, the zone create will fail with an error. | If you have a need to do this, please contact your Concierge, who will ensure that there is no risk of a zone being ‘hijacked’. |
| 2. The node in the parent zone should not exist, or should contain only NS records. | For example, if you are trying to create child.example.com, the node child in the zone example.com should contain nothing but NS (and perhaps DS) records. If they do, the zone create will fail with an error. | |
| If you create a zone that is a child of an existing zone, Managed DNS will confirm that the child node exists in the parent zone and is a valid cut node. If it reasonably can, it will create the node and put in the appropriate NS records (but it won’t change or add to any records that might already be there). These records are created when you first publish the new child zone. Their data and TTLs are copied from the root of the new child zone and the parent zone is published with these new records. If you’ve already created the cut node and NS records, they are not changed. | ||
| 3. No nodes beneath the node in the parent zone should exist. | For example, if you are trying to create child.example.com, the zone example.com should not contain nodes like www.child.example.com, with or without data. If they do, the zone create will fail with an error. | NOTE: The only sort of records Managed DNS accepts at a cut node are DS records, which contains signature information for a DNSSEC-enabled zone. Dyn does not attempt to fill in records of this sort automatically. |
| 4. If you have not already created and published NS records in the parent zone, Dyn’s Managed DNS will create and publish them for you. | For example, when you first publish child.example.com, Managed DNS will create the node child in the zone example.com, fill it with copies of the new zone’s NS records, and will publish example.com. | In a zone that is a parent of another zone, you cannot remove the cut node, nor delete all the NS records at the node. Managed DNS will return an error if you try to remove the cut node. Ideally, the NS records at the cut node should be the same as those that Managed DNS automatically creates for you for the child zone. |
To create a Child Zone in Dyn’s Managed DNS, follow these steps.
| 1. Log in to your account. | |
| 2. Click Create Zone. |  |
| 3. Add the name of the Child Zone (e.g. clients.example.com) in the Zone Name field and a valid email address in the Mailbox field. |  |
| 4. Click Create Zone. | |
| 5. You can begin adding records to this zone just as you would with any of your other zones. You can also transfers this zone at a later date by following these instructions. | |
If your Child Zone already resides on another server, you will need to create a node that contains a nameserver (NS) record in your Parent Zone on Dyn’s servers. To create a node and add an NS record to it, follow these steps.
| 1. Log in to your account. | |
| 2. Click the Manage button beside the Parent Zone you are adding a node to. |  |
| 3. Add a new node with same name as your Child Zone and click Add Node. |  |
| 4. Select (NS) – Name Server from the Add a New Record drop down menu. |  |
| 4. Enter the nameservers of Child Zone (these are usually listed with your other DNS provider), and click Add. NOTE: You may have to enter more than one nameserver depending your the demands of you DNS provider. |  |
| 5. Click Review Changes and Publish. The node and its records will be published to your Parent Zone. |  |