A zone file holds the DNS resource records for all of the domain names associated with a zone; together, zone files hold all of the data a DNS server serves. This recipe describes the basic zone file format, minus the resource records, which applies to any type of zone file.
The zone file needs to be created within the DNS server's working directory. There is no requirement on the filename of a zone file, but a reasonable convention is db.domain.name, that is, the name of the domain preceded by db.
The basic format of the zone file is a time to live (TTL) field followed by the start of authority (SOA) record. The TTL instructs non-authoritative DNS servers how long to cache records retrieved from the zone file. The longer this period, the longer it will take for changes to the zone file to propagate. The shorter the TTL, the harder your DNS servers will work, because non-authoritative servers will have to ask them the same question more frequently. Values from a few hours to a day are reasonable.
An integer TTL value is interpreted as seconds, although for those of us who are not walking calculators, adding m at the end means minutes, h hours, d days, and w weeks. A day would be represented by any of the following lines:
$TTL 86400
$TTL 1440m
$TTL 24h
$TTL 1d
The SOA section is an intimidating chunk of code for the uninitiated, but each field in the SOA has a meaningful purpose. Taken a piece at a time, it is simple. The SOA starts with the zone's primary domain name (we'll use tech-recipes.com in this recipe), the class of the zone (IN), the record type (SOA), and the following seven fields in order:
MNAME The master DNS server for the zone (for example ns1.tech-recipes.com.).
RNAME An email address for someone responsible for the domain (with the @ replaced with a .) such as nospam.tech-recipes.com.
Serial number This value is perhaps the greatest source of DNS-related head scratching. To make things fast and efficient, BIND processes zone files into another format. When BIND loads a zone file at startup, it checks the serial number and only processes the zone file if the serial number is bigger than its previously processed version. So, if you change the zone file but not the serial number, BIND will ignore the changes.
A common format for the serial number contains the date and a unique serial number (YYYYMMDDNN) such as 2004010402 for the second revision (02) of the file on January 4, 2004. This allows for 100 changes to the file in a day. If more changes are required, I recommend going home for a good night’s sleep.
Refresh Secondary (slave) servers poll the master server at this interval to check whether the serial number has changed and, therefore, whether they need to update their copy of the zone.
Retry If the master DNS server for the zone fails to answer a slave server's refresh request, the slave server retries at this interval. Typically an hour or less.
Expire In the event of a failure of the master DNS server, a slave server will continue to serve its existing data for this period. Once the expire time has passed, the data are considered stale and will no longer be used, at which point the domain will no longer resolve. This value should be long enough to allow master server outages to be corrected, on the order of weeks.
Negative caching TTL Negative answers (such as when a requested record does not exist) can be cached on non-authoritative servers as well. This field acts like the overall TTL but specifically for negative answers. Small values are appropriate (15m to 2h).
The fields can be placed within parentheses if they extend over more than one line. Putting this all together, the following is the zone file (minus any resource records) for the domain tech-recipes.com:
$TTL 1d
tech-recipes.com. IN SOA ns1.tech-recipes.com. (
    nospam.tech-recipes.com.  ; RNAME: nospam@tech-recipes.com
    2004010402                ; serial (YYYYMMDDNN)
    1h                        ; refresh
    15m                       ; retry
    4w                        ; expire
    1h )                      ; negative caching TTL
The biggest gotcha with DNS zone files is the proper use of fully qualified domain name syntax. This means that a full domain name ends with a period (tech-recipes.com.). Without this period, BIND assumes that you are using shorthand and appends the zone's default domain name to the end of the name (so tech-recipes.com would really mean tech-recipes.com.tech-recipes.com.).
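To show the SOA fields and the trailing-period gotcha together, here is a small checker added to this recipe (not part of the original, and not BIND's own parser). It converts the TTL suffixes to seconds, pulls the seven SOA fields out of a minimal zone file laid out as above, and flags unqualified names, a serial that is not in YYYYMMDDNN form, and timer values outside the ranges this recipe suggests; the two sample zones are constructed for the example.

```python
import re

# Multipliers for the BIND time-unit suffixes; a bare integer is seconds.
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(text):
    """Convert a BIND time value such as "86400", "1440m", "24h" or "1d" to seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", text.strip().lower())
    if not m:
        raise ValueError(f"bad time value: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_soa(zone_text):
    """Return ($TTL seconds, names, serial, timers) from a minimal zone file.
    Assumes the 'owner IN SOA mname rname ( ... )' layout used in this recipe;
    ';' comments are stripped and a parenthesised SOA may span several lines."""
    body = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    ttl = parse_ttl(re.search(r"\$TTL\s+(\S+)", body).group(1))
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    names = {"owner": tokens[i - 2], "MNAME": tokens[i + 1], "RNAME": tokens[i + 2]}
    serial = tokens[i + 3]
    timers = dict(zip(("refresh", "retry", "expire", "negative"),
                      (parse_ttl(v) for v in tokens[i + 4:i + 8])))
    return ttl, names, serial, timers

def check_zone(zone_text):
    """List the problems this recipe warns about in the $TTL line and SOA record."""
    ttl, names, serial, t = parse_soa(zone_text)
    problems = []
    for field, name in names.items():
        if not name.endswith("."):  # BIND appends the zone origin to an unqualified name
            problems.append(f"{field} {name} is unqualified; BIND reads it as {name}.{names['owner']}")
    if not re.fullmatch(r"\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", serial):
        problems.append(f"serial {serial} is not in YYYYMMDDNN form")
    if t["retry"] > parse_ttl("1h"):
        problems.append("retry should typically be an hour or less")
    if t["expire"] < parse_ttl("1w"):
        problems.append("expire should be on the order of weeks")
    if not parse_ttl("15m") <= t["negative"] <= parse_ttl("2h"):
        problems.append("negative caching TTL should be between 15m and 2h")
    return problems

# Constructed sample: the recipe's SOA with the trailing periods missing on MNAME and RNAME.
UNQUALIFIED = """$TTL 1d
tech-recipes.com. IN SOA ns1.tech-recipes.com (
        nospam.tech-recipes.com  ; RNAME
        2004010402               ; serial
        1h 15m 4w 1h )"""
# The same zone with every name fully qualified, which should pass cleanly.
QUALIFIED = UNQUALIFIED.replace("ns1.tech-recipes.com ", "ns1.tech-recipes.com. ").replace("nospam.tech-recipes.com ", "nospam.tech-recipes.com. ")
```

Running check_zone on the unqualified sample reports both MNAME and RNAME as expanding to name.tech-recipes.com., while the qualified sample returns an empty list.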