The DNS tree is divided into "zones", which are collections of domains that are treated as a unit for certain management purposes. Zones are delimited by "zone cuts". Each zone cut separates a "child" zone (below the cut) from a "parent" zone (above the cut).
The domain name that appears at the top of a zone (just below the cut that separates the zone from its parent) is called the zone's "origin". The name of the zone is the same as the name of the domain at the zone's origin. Each zone comprises that subset of the DNS tree that is at or below the zone's origin, and that is above the cuts that separate the zone from its children (if any). The existence of a zone cut is indicated in the parent zone by the existence of NS records specifying the origin of the child zone. A child zone does not contain any explicit reference to its parent.
The authoritative servers for a zone are enumerated in the NS records for the origin of the zone, which, along with a Start of Authority (SOA) record, are the mandatory records in every zone. Such a server is authoritative for all resource records in a zone that are not in another zone. The NS records that indicate a zone cut are the property of the child zone created, as are any other records for the origin of that child zone, or any sub-domains of it. A server for a zone should not return authoritative answers for queries related to names in another zone, which includes the NS, and perhaps A, records at a zone cut, unless it also happens to be a server for the other zone. Other than the DNSSEC cases mentioned immediately below, servers should ignore data other than NS records, and necessary A records to locate the servers listed in the NS records, that may happen to be configured in a zone at a zone cut.
The DNS security mechanisms [RFC2065] complicate this somewhat, as some of the new resource record types added are very unusual when compared with other DNS RRs. In particular the NXT ("next") RR type contains information about which names exist in a zone, and hence which do not, and thus must necessarily relate to the zone in which it exists. The same domain name may have different NXT records in the parent zone and the child zone, and both are valid, and are not an RRSet. See also section 5.3.2.
Since NXT records are intended to be automatically generated, rather than configured by DNS operators, servers may, but are not required to, retain all differing NXT records they receive regardless of the rules in section 5.4.
For a secure parent zone to securely indicate that a subzone is insecure, DNSSEC requires that a KEY RR indicating that the subzone is insecure, and the parent zone's authenticating SIG RR(s) be present in the parent zone, as they by definition cannot be in the subzone. Where a subzone is secure, the KEY and SIG records will be present, and authoritative, in that zone, but should also always be present in the parent zone (if secure).
Note that in none of these cases should a server for the parent zone, not also being a server for the subzone, set the AA bit in any response for a label at a zone cut.
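The zone-cut rules of the preceding paragraphs (which names a zone contains, that NS and glue records at a cut are the child's property and that a parent-only server should not set AA for a label at a cut) as a small Python model. This is an added example, not part of RFC 2181 or of any DNS server implementation; the `Zone` class, the `answer` helper, the zone names and the 192.0.2.0/24 addresses are all constructed for illustration.

```python
# Added example (not RFC text): a toy model of zone cuts and the AA-bit rule
# from RFC 2181 section 6. All zone names, addresses and records are constructed.
from dataclasses import dataclass


def labels(name):
    """Split a fully qualified name such as "www.example." into lowercase labels."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def same_name(a, b):
    return labels(a) == labels(b)


def at_or_below(name, ancestor):
    """True when `name` equals `ancestor` or lies beneath it in the DNS tree."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


@dataclass
class Zone:
    origin: str
    records: list  # (owner, type, rdata) triples as configured for this zone

    def cuts(self):
        """Zone cuts: owners below the origin that carry NS records (delegations)."""
        return {owner for owner, rtype, _ in self.records
                if rtype == "NS" and not same_name(owner, self.origin)}

    def delegation_for(self, name):
        """The child origin whose cut covers `name`, or None if it is not delegated."""
        for cut in self.cuts():
            if at_or_below(name, cut):
                return cut
        return None

    def contains(self, name):
        """Section 6 membership: at or below the origin and above every child cut."""
        return at_or_below(name, self.origin) and self.delegation_for(name) is None

    def referral(self, cut):
        """NS records at the cut plus the A records needed to reach the listed servers."""
        ns = [r for r in self.records if same_name(r[0], cut) and r[1] == "NS"]
        targets = [r[2] for r in ns]
        glue = [r for r in self.records
                if r[1] == "A" and any(same_name(r[0], t) for t in targets)]
        return ns + glue

    def ignored_at_cuts(self):
        """Data configured at or below a cut that is neither NS nor needed glue;
        a server should ignore it (the DNSSEC KEY/SIG/NXT cases aside)."""
        keep = {r for cut in self.cuts() for r in self.referral(cut)}
        return [r for r in self.records
                if self.delegation_for(r[0]) is not None and r not in keep]


def answer(server_zones, qname, qtype):
    """Simulate a server authoritative for `server_zones`. Returns (aa_bit, records):
    an authoritative answer only when qname falls inside one of its own zones,
    otherwise a referral (or nothing) with the AA bit clear."""
    for zone in server_zones:
        if zone.contains(qname):
            rrs = [r for r in zone.records if same_name(r[0], qname) and r[1] == qtype]
            return True, rrs
    for zone in server_zones:
        cut = zone.delegation_for(qname)
        if cut is not None:
            return False, zone.referral(cut)
    return False, []


# Constructed sample zones: "example." delegates "sub.example." to ns1.sub.example.
PARENT = Zone("example.", [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 300"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("www.example.", "A", "192.0.2.10"),
    ("sub.example.", "NS", "ns1.sub.example."),        # delegation: property of the child
    ("ns1.sub.example.", "A", "192.0.2.53"),           # glue needed to reach the child's server
    ("sub.example.", "TXT", "stray data at the cut"),  # not the parent's to serve
])
CHILD = Zone("sub.example.", [
    ("sub.example.", "SOA", "ns1.sub.example. hostmaster.sub.example. 1 3600 900 604800 300"),
    ("sub.example.", "NS", "ns1.sub.example."),
    ("ns1.sub.example.", "A", "192.0.2.53"),
    ("sub.example.", "TXT", "child data"),
])

if __name__ == "__main__":
    print(answer([PARENT], "www.example.", "A"))           # authoritative, AA set
    print(answer([PARENT], "sub.example.", "NS"))          # referral only, AA clear
    print(answer([PARENT, CHILD], "sub.example.", "TXT"))  # AA set: also serves the child
    print(PARENT.ignored_at_cuts())                        # the stray TXT at the cut
```

A server holding only the parent zone answers names above the cut with AA set, but for any label at or below `sub.example.` it only hands back the delegation NS records and their glue with AA clear; the same query to a server that also loads the child zone is answered authoritatively from the child's data. The stray TXT record configured at the cut in the parent is never served, which is the "servers should ignore data other than NS records ... at a zone cut" rule.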