
Determine if domain is zone apex or subdomain

I'm trying to write a script where part of its functionality depends on if a user-provided domain is a zone apex (example.com) or not (www.example.com). What is a robust way to determine if I'm dealing with a zone apex or a subdomain? I'm hoping for a purely pattern-based approach but that seems tricky (example: xx.yy.co is not a root domain but xx.co.uk is).

Are there any tried and true approaches to determine if a zone is a root domain or not?

The Public Suffix List indicates lists of top level and second level domains under which one can register a domain name. If a name has exactly one more level beyond its matching entry on this list, then it's what you are looking for.

(Note that "subdomains" as you call them can be DNS zones in their own right and have independent nameservers from the parent zone. These can generally be detected by the presence of an SOA record for that fully qualified name, and nameservers for that name in the parent zone.)
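The "exactly one more level beyond its matching entry" check described in this answer, as an added Python example that is not part of the original answer. The rule excerpt is constructed (the real list is published at publicsuffix.org), the function names are hypothetical, and names are assumed to be ASCII (already punycoded).

```python
# Constructed excerpt of Public Suffix List rules; the real list is much longer.
SAMPLE_RULES = """
// comments and blank lines are skipped
com
co
uk
co.uk
*.ck
!www.ck
"""

def parse_rules(text):
    """Split PSL text into (normal + wildcard rules, exception rules)."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue
        if line.startswith("!"):
            exceptions.add(tuple(line[1:].split(".")))
        else:
            rules.add(tuple(line.split(".")))
    return rules, exceptions

def public_suffix_len(labels, rules, exceptions):
    """Number of trailing labels of `labels` that form its public suffix."""
    sizes = range(len(labels), 0, -1)          # longest candidate first
    for n in sizes:                            # an exception rule beats every other rule
        if tuple(labels[-n:]) in exceptions:
            return n - 1                       # suffix is the exception minus its left label
    for n in sizes:
        tail = tuple(labels[-n:])
        if tail in rules or ("*",) + tail[1:] in rules:
            return n
    return 1                                   # PSL default rule "*": the last label alone

def is_registrable_domain(name, rules, exceptions):
    """True when `name` has exactly one label beyond its public suffix."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) == public_suffix_len(labels, rules, exceptions) + 1

RULES, EXCEPTIONS = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "xx.yy.co", "xx.co.uk",
                 "co.uk", "www.ck", "b.ck", "a.b.ck"):
        print(name, is_registrable_domain(name, RULES, EXCEPTIONS))
```

This classifies registrable domains only; a delegated child zone such as the one the note above describes still needs the SOA/NS lookup to be detected.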

Yes, I had to write a script that performed this recently.

  1. Run a non-recursive query (i.e. dig +norecurse) against the authoritative nameserver for the entity you're examining. Use a query type of SOA. Do not use a recursive server; the behavior becomes much less predictable. If it's a server that mixes auth and recursive answers, make sure you're checking for the AA (authoritative answer) flag on the reply.
  2. If the response code is NOERROR, examine the leftmost component of the returned ANSWER section (if present). Otherwise, check the AUTHORITY section. One of the two will be present. The upshot of preferring the ANSWER is that this ensures your result is an SOA record instead of an NS record. It keeps the type of your result consistent, which can be useful if you're writing something against a resolver library.
  3. If the response code is NXDOMAIN, examine the leftmost component of the returned AUTHORITY section. Obviously this won't be the apex, but this will tell you what the apex is.
  4. Anything other than those response codes indicates that the server does not consider itself authoritative.
  5. The result will be the apex. Your request is not the apex if your result is less specific, and it is the apex if they're identical.

www.example.com (assuming it isn't a subdomain, e.g., there are no foo.www.example.com entries) will not have a DNS SOA RR. However, example.com may have other subdomains, e.g., xyz.example.com, which contains foo.xyz.example.com and bar.xyz.example.com, so I don't know if this helps you.

Walk the name backwards component by component checking for NS records.

Example: www.example.com

  1. Does www.example.com. have an NS record? No.
  2. Does example.com. have an NS record? Yes.
  3. Does com. have an NS record? Yes.

Make your determination accordingly, based on whatever definition you use for "is a zone apex" (it's not 100% clear to me from your question.)
