Module 2 Zone Files. Objective: understand the idea of a zone and how it relates to a domain name; understand zone file structure; understand the major Resource.

Module 2 Zone Files

Objective
- Understand the idea of a zone and how it relates to a domain name
- Understand zone file structure
- Understand the major Resource Records (RRs) used to create zone files
- Understand IPv4 reverse mapping
- Understand which zone files are required

DNS – Zone Files
- A zone is the part of a domain for which a name server is authoritative; for a domain with no delegated subdomains the zone and the domain coincide, which is why the two terms are often used interchangeably
- A zone file is a textual description of the Resource Records (RRs) that describe the zone, such as name servers, mail servers, services and hosts, plus directives that control how the file is read
- Forward mapping translates a name into an IP address or into another name
- Reverse mapping translates an IP address into a name
- The authoritative servers for the zone load the zone file (the primary from disk, the slaves by zone transfer from the primary)

DNS Zone File

    ; IPv4 zone file for example.com
    $TTL 2d                        ; default TTL for zone
    $ORIGIN example.com.           ; base domain-name
    ; Start of Authority record defining the key characteristics of the zone
            IN SOA ns1.example.com. hostmaster.example.com. (
                                   ; se = serial number
                    12h            ; ref = refresh
                    15m            ; ret = update retry
                    3w             ; ex = expiry
                    2h             ; min = minimum
                    )
    ; name servers Resource Records for the domain
            IN NS  ns1.example.com.
    ; the second name server is
    ; external to this zone (domain).
            IN NS  ns2.example.net.
    ; mail server Resource Records for the zone (domain)
            3w IN MX 10 mail.example.com.
    ; the second mail server has lower priority and is
    ; external to the zone (domain)
            IN MX  20 mail.example.net.
    ; domain hosts includes NS and MX records defined previously
    ; plus any others required
    ns1     IN A
    mail    IN A
    joe     IN A
    www     IN A
    ; aliases ftp (ftp server) to an external location
    ftp     IN CNAME ftp.example.net.

DNS - Forward Mapping
- SOA RR defines the apex of the zone and its general properties
- NS RRs define the name servers that are authoritative for the zone
- MX RRs define the mail servers
- CNAME RRs define aliases
- A (IPv4) and AAAA (IPv6) RRs define IP addresses
- TXT RRs are general-purpose text records (used for SPF and similar)
(diagram: example.com)

RRs – Generic Format
- name (or label) identifies the record externally, for instance www
- ttl (Time-to-Live) defines how long the RR may be cached, in seconds
- class = IN = Internet
- type of RR, for example MX
- one or more type-specific parameters (the RDATA)
- TTL and class are optional: a missing TTL takes the $TTL default and a missing class is IN

    name  ttl  class  type  parameters

Zone Directives
- All start with $
- $TTL time: default Time-to-Live for the zone, in seconds (or BIND short forms)
- $ORIGIN FQDN.: base domain (zone) name, must end with a dot
- $INCLUDE file-name: include another file at this point
- Comments start with ; and run to the end of the line

$TTL Zone Directive
- The default Time-to-Live, in seconds, used for every RR that carries no TTL of its own
- $TTL 172800 = 2 days
- BIND accepts short forms m, h, d, w: 2d or 48h mean the same as 172800
- Units may be combined: $TTL 1d2h3m = 93780 seconds
- Must appear before any RR (normally the first line of the file)

DNS - TTL
- Used only by caching name servers (resolvers); a slave uses the SOA timers, not the TTL, to decide when to refresh the zone
- Determines how long the RR may be held in a cache before it must be fetched again from an authoritative server
- Value in seconds (think in hours)
- 0 = never cache; every lookup goes back to the authoritative servers (dangerous: it multiplies query load and leaves no cached answer if those servers become unreachable)
- Determines DNS change propagation time: a change is visible everywhere only after the old TTL has run out in every cache, so lower the TTL well before a planned change

$ORIGIN Directive
- Defines the name that is appended to every name in the file that is not an FQDN
- The parameter must itself be an FQDN, i.e. terminate with a dot: $ORIGIN example.com.
- Optional: defaults to the zone name given in named.conf
- Usage illustrated later

File layout rules
- Comments begin with ; and run to the end of the line
- Parameters may be continued across lines inside parentheses ( )
- @ = the current $ORIGIN
- A blank or TAB in the name field = the name of the previous RR (or $ORIGIN for the first RR)

    ; IPv4 zone file for example.com
            IN SOA ns1.example.com. hostmaster.example.com. (
                                   ; se = serial number
                    12h            ; ref = refresh
                    15m            ; ret = update retry
                    3w             ; ex = expiry
                    2h             ; min = minimum
                    )

DNS – Substitution Rule
- If any name (label) in a zone file does not end in a dot (is not an FQDN), the current value of $ORIGIN is appended to it
- The rule applies to names on the right-hand side (NS, MX, CNAME, PTR and SOA targets) as well as to the owner name on the left, which is why a forgotten trailing dot produces names such as ns1.example.com.example.com.

DNS - SOA RR
- SOA defines the start of the zone and must be the first RR (the first non-directive entry)
- pmns = primary master name server: one of the authoritative name servers, or, if DDNS is used, the server that receives the dynamic updates
- Spec name is MNAME

    SOA pmns mail sn refresh retry expiry min

DNS - SOA RR
- mail = mailbox of the DNS administrator or technical contact
- Written as a domain name: the @ of the mail address is replaced by a dot, so hostmaster.example.com. means hostmaster@example.com (recommended); a dot in the local part itself has to be escaped
- Can be very important: it is the published contact for anyone who finds a problem with the zone
- Spec name is RNAME

    SOA pmns mail sn refresh retry expiry min

DNS - SOA RR
- sn = serial number of the zone contents
- Unsigned 32-bit number (0 to 4294967295, at most 10 digits)
- Usage typically YYYYMMDDSS: YYYY = year, MM = month, DD = day, SS = sequence number (two digits, so up to 100 changes per day)
- MUST be incremented every time the zone contents change, otherwise slaves never pick up the change
- A slave reads the master's SOA and compares serial numbers (serial arithmetic, RFC 1982); it transfers the zone only when the master's serial is newer

    SOA pmns mail sn refresh retry expiry min

DNS - SOA RR
- refresh = interval after which a slave polls the master's SOA and, if the serial is newer, transfers the zone (AXFR or IXFR)
- retry = interval between attempts when a refresh fails
- expiry = time after which a slave that has been unable to reach the master stops answering for the zone (it will not serve stale data indefinitely)
- min = time a negative answer (NXDOMAIN, no such name) may be cached (RFC 2308; keep it to at most about 3 hours)

    SOA pmns mail sn refresh retry expiry min

DNS – SOA

            IN SOA ns1.example.com. hostmaster.example.com. (
                                   ; se = serial number
                    12h            ; ref = refresh
                    15m            ; ret = update retry
                    3w             ; ex = expiry
                    2h             ; min = nxdomain ttl
                    )

DNS – SOA Example

    $ORIGIN example.com.
    @       IN SOA ns1 hostmaster (
                                   ; se = serial number
                    12h            ; ref = refresh
                    15m            ; ret = update retry
                    3w             ; ex = expiry
                    2h             ; min = nxdomain ttl
                    )
    ; @ = $ORIGIN; ns1 and hostmaster have no trailing dot, so they become
    ; ns1.example.com. and hostmaster.example.com.
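The serial-number and timer rules on the SOA slides are exactly what a slave applies. The following is an added example written for this module, not code from the course or from BIND: it generates YYYYMMDDSS serials that keep increasing even after a hundred changes in one day or a clock that went backwards, compares serials the way RFC 1982 requires (modulo 2^32, so a wrapped serial is still "newer"), and models the refresh/expire decision and the RFC 2308 negative-cache TTL. The dates and serial values are constructed for illustration.

```python
"""SOA serial and timer logic as a slave applies it.
Added example for the zone-file module; not the course's or BIND's code."""
from datetime import date

SERIAL_MOD = 2 ** 32          # the serial is an unsigned 32-bit number


def today_yyyymmdd():
    return int(date.today().strftime("%Y%m%d"))


def next_serial(current, yyyymmdd):
    """Next YYYYMMDDSS serial for a change made on day `yyyymmdd`.
    Always strictly greater than `current`: if more than 100 changes were
    made today, or the clock went backwards, it simply adds one."""
    base = yyyymmdd * 100
    candidate = base if current < base else current + 1
    if candidate >= SERIAL_MOD:
        raise ValueError("serial would overflow 32 bits")
    return candidate


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if a is 'after' b modulo 2^32.
    Equal serials are not newer; a difference of exactly 2^31 is undefined
    by the RFC and is treated as 'not newer' here."""
    if a == b:
        return False
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def slave_should_transfer(slave_serial, master_serial):
    """What the slave decides after reading the master's SOA."""
    return serial_newer(master_serial, slave_serial)


def slave_state(seconds_since_success, refresh, expire):
    """serve: within refresh; refresh: poll the master's SOA (retry governs
    the interval if that poll fails); expired: stop answering for the zone."""
    if seconds_since_success >= expire:
        return "expired"
    if seconds_since_success >= refresh:
        return "refresh"
    return "serve"


def negative_cache_ttl(soa_ttl, soa_minimum):
    """RFC 2308: NXDOMAIN answers are cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, soa_minimum)


if __name__ == "__main__":
    current = 2024010105                       # constructed: 6th change on 2024-01-01
    print("next serial:", next_serial(current, today_yyyymmdd()))
    print("wrapped serial 5 newer than 4294967290:", serial_newer(5, 4294967290))
    print("state after 12h with refresh=12h:", slave_state(43200, 43200, 1814400))
```

Note that a serial of 0 or a "9999999999" placeholder is not a valid way to force a transfer: anything outside 0..4294967295 fails to load, and a serial that is lower than the slave's is simply ignored.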

DNS - NS RR
- NS RRs list all name servers for the zone
- Defined at the zone apex
- Minimum of two, preferably on different networks
- In-zone servers need A or AAAA RRs, and the parent needs matching glue records for them
- name = name of an internal or external name server that is authoritative for this zone
- NS RRs appear in the zone itself (authoritative) and in the parent at the point of delegation (not authoritative); the two sets should agree

    NS name

DNS – NS RRs

    ; name servers Resource Records for the domain
            IN NS ns1.example.com.
    ; could have been
    ;       IN NS ns1
    ; the second name server is
    ; external to this zone (domain).
            IN NS ns2.example.net.

DNS – NS RRs

    $ORIGIN example.com.
    ; name servers Resource Records for the domain
            IN NS ns1.example.com.
    ; missing dot
            IN NS ns1.example.com      ; looks for ns1.example.com.example.com.
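The generic RR format, the $TTL and $ORIGIN directives, the layout rules (comments, parentheses, blank owner, @) and the substitution rule are easiest to understand by implementing them. Below is an added example written for this module, not code from the course or from BIND: a deliberately small master-file reader that applies those rules and reproduces the missing-dot failure from the slide above. The sample zone is constructed for this example (addresses are RFC 5737 documentation space); quoted strings, $INCLUDE and $GENERATE are not handled.

```python
"""Toy master-file reader: ';' comments, $TTL/$ORIGIN, '(' ')' continuation,
blank owner names, '@' and the origin-substitution rule.
Added example for the zone-file module; not the course's or BIND's parser."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"(\d+[smhdw]?)+", re.I)      # 300, 2d, 1d2h3m ...


def parse_ttl(text):
    """BIND short forms to seconds: '2d' -> 172800, '1d2h3m' -> 93780."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text.lower()))


def qualify(name, origin):
    """Substitution rule: '@' is the origin; a name without a trailing dot
    gets '.<origin>' appended (a forgotten dot becomes ns1.example.com.example.com.)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Yield (owner_field_blank, tokens) per logical line: comments removed,
    parenthesised continuations joined."""
    buf, depth, blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0:
            buf, blank = [], line[0] in " \t"
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth == 0:
            yield blank, buf


def parse_zone(text, origin=".", default_ttl=None):
    """Return a list of (owner, ttl, class, type, rdata-list); all names FQDN."""
    records, last_owner = [], origin
    for blank, toks in logical_lines(text):
        if toks[0] == "$ORIGIN":
            origin = toks[1]                  # must itself end with a dot
            continue
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        owner = last_owner if blank else qualify(toks.pop(0), origin)
        last_owner = owner
        ttl, cls = default_ttl, "IN"
        while toks:                           # optional TTL and class, either order
            if toks[0].upper() in CLASSES:
                cls = toks.pop(0).upper()
            elif TTL_RE.fullmatch(toks[0]):
                ttl = parse_ttl(toks.pop(0))
            else:
                break
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "PTR"):   # names in RDATA are qualified too
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin),
                     int(rdata[2])] + [parse_ttl(t) for t in rdata[3:]]
        records.append((owner, ttl, cls, rtype, rdata))
    return records


def lookup(records, owner, rtype):
    return [r[4] for r in records if r[0] == owner and r[3] == rtype]


# Constructed sample zone for this example (not the slide's file).
SAMPLE = """\
$TTL 2d
$ORIGIN example.com.
@       IN SOA ns1 hostmaster (
                2024010101 ; serial
                12h        ; refresh
                15m        ; retry
                3w         ; expiry
                2h )       ; minimum
        IN NS  ns1
        IN NS  ns2.example.net.
        3w IN MX 10 mail
ns1     IN A   192.0.2.1
mail    IN A   192.0.2.2
www     IN CNAME mail
bad     IN NS  ns1.example.com     ; missing trailing dot
"""

if __name__ == "__main__":
    for rec in parse_zone(SAMPLE):
        print(rec)
```

Running it shows the MX line picking up the owner example.com. from the preceding blank-owner NS lines and the explicit 3w TTL, while the last line yields the NS target ns1.example.com.example.com., which is what the slide's "missing dot" warns about.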

DNS - MX RR
- MX RRs list all incoming mail servers for the domain
- Defined at the zone apex
- One or more
- priority (preference) = relative priority of the server; the lowest value is tried first. Value = 0 to 65535
- name = name of an internal or external mail server for this domain; it must be a host name with A or AAAA RRs, not a CNAME and not an IP address
- In-zone servers will have A or AAAA RRs

    MX priority name

DNS – MX RRs

    ; mail server Resource Records for the zone (domain)
            3w IN MX 10 mail.example.com.
    ; the second mail server has lower priority and is
    ; external to the zone (domain) - backup
            IN MX  20 mail.example.net.

- 3w = an explicit TTL for this RR, overriding the $TTL default
- Starting at priority 10 rather than 0 leaves room to add a more important mail server later with a single change

DNS - A RR
- A RRs list all visible IPv4 hosts in the zone (domain)
- Must include the in-zone NS and MX targets, plus any others required
- IPv4-address = standard dotted-quad address (an address, not a name)

    A IPv4-address

DNS - AAAA RR
- AAAA RRs list all visible IPv6 hosts in the zone (domain)
- Mixed freely with A RRs in the same file
- A dual-stacked host has both an A and an AAAA RR under the same name
- IPv6-address = standard colon-separated address (an address, not a name)

    AAAA IPv6-address

DNS – A RRs

    ; domain hosts includes NS and MX records defined
    ; previously plus any others required
    ns1     IN A
    mail    IN A
    joe     IN A
    www     IN A

DNS - CNAME RR
- CNAME RRs map an alias name to a canonical (real) name, which should have A or AAAA RRs
- May point to a host name in-zone or out-of-zone
- canonical-name = real name of the host
- A CNAME costs the resolver an extra lookup
- Alternative is to use multiple A or AAAA RRs, one under each name
- Constraints: no other RRs may exist at the alias name (RFC 2181), so a CNAME cannot be placed at the zone apex (which has SOA and NS RRs), and NS and MX RRs must not point at a CNAME

    CNAME canonical-name

DNS – CNAME RRs

    ; aliases ftp (ftp server) to an external location
    ftp     IN CNAME ftp.example.net.
    ; very common use of CNAME
    mail    IN A
    www     IN CNAME mail
    ; alternate – functionally equivalent (both names resolve to the same address)
    mail    IN A
    www     IN A
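The NS, MX, A/AAAA and CNAME slides each state a rule that is easy to break by hand: at least two NS at the apex, in-zone NS and MX targets need an address, NS and MX must not point at a CNAME, and a CNAME may not share its name with other data. The following is an added example written for this module, not code from the course or from BIND: a small consistency check over a zone's records, run against a constructed set of records that deliberately breaks each rule once (names already have $ORIGIN applied; addresses are RFC 5737 documentation space). It also catches the doubled-origin symptom of a missing trailing dot.

```python
"""Consistency checks on a zone's RRs: CNAME rules (RFC 2181), NS/MX targets,
in-zone addresses, and the doubled-origin symptom of a missing trailing dot.
Added example for the zone-file module; not the course's or BIND's code."""

ZONE = "example.com."

# Constructed sample: (owner, type, rdata) after $ORIGIN substitution.
SAMPLE = [
    (ZONE, "SOA", "ns1.example.com. hostmaster.example.com. 2024010101 43200 900 1814400 7200"),
    (ZONE, "NS", "ns1.example.com."),
    (ZONE, "NS", "ns2.example.net."),                    # external: cannot be checked here
    (ZONE, "NS", "ns4.example.com."),                    # in-zone, but has no address below
    (ZONE, "MX", "10 mail.example.com."),
    (ZONE, "MX", "20 mx.example.com."),                  # target is a CNAME
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("mail.example.com.", "A", "192.0.2.2"),
    ("mx.example.com.", "CNAME", "mail.example.com."),
    ("www.example.com.", "CNAME", "mail.example.com."),
    ("www.example.com.", "TXT", '"web server"'),          # other data beside a CNAME
    ("ftp.example.com.", "CNAME", "ftp.example.net."),
    ("ns3.example.com.example.com.", "A", "192.0.2.3"),  # owner typed without its dot
]


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def lint_zone(zone, records):
    """Return a list of human-readable findings; an empty list means clean."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, {}).setdefault(rtype, []).append(rdata)

    def has_address(name):
        return bool(by_owner.get(name, {}).keys() & {"A", "AAAA"})

    findings = []
    for owner, types in by_owner.items():
        if "CNAME" in types:
            if owner == zone:
                findings.append(f"{owner}: CNAME at the zone apex is not allowed")
            others = sorted(t for t in types if t != "CNAME")
            if others:
                findings.append(f"{owner}: CNAME must not coexist with other data ({', '.join(others)})")
        if owner.endswith(zone + zone):
            findings.append(f"{owner}: owner ends in the zone name twice (missing trailing dot?)")

    if len(by_owner.get(zone, {}).get("NS", [])) < 2:
        findings.append(f"{zone}: fewer than two NS records at the apex")

    for owner, types in by_owner.items():
        for rtype in ("NS", "MX"):
            for rdata in types.get(rtype, []):
                target = rdata.split()[-1]            # MX rdata is "preference target"
                if "CNAME" in by_owner.get(target, {}):
                    findings.append(f"{owner} {rtype} -> {target}: target is a CNAME (not allowed for NS/MX)")
                elif in_zone(target, zone) and not has_address(target):
                    findings.append(f"{owner} {rtype} -> {target}: in-zone target has no A/AAAA")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(ZONE, SAMPLE):
        print(finding)
```

BIND's own named-checkzone refuses to load the CNAME-plus-other-data case; the other three findings load fine and only show up later as a lame delegation, rejected mail or a name that never resolves, which is why a check before loading is worth having.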

DNS - TXT RRs
- TXT RRs may contain any text
- Externally visible: anything placed here can be read by anyone who queries the zone
- Used to publish Sender Policy Framework (SPF) records (a dedicated SPF RR type was defined later but has since been deprecated by RFC 7208; use TXT)
- Used to publish DKIM public keys
- text = one or more strings enclosed in double quotes; each string holds at most 255 characters, so longer data (such as a DKIM key) is split across several quoted strings that the reader concatenates

    TXT text

DNS – TXT RRs

    ; uses of TXT
    ftp     IN CNAME ftp.example.net.
            IN TXT "Supports FTP and SFTP"
    ; NB: the blank owner above makes this TXT belong to ftp, which is a CNAME;
    ; a CNAME may not share its name with other data (RFC 2181) and BIND
    ; refuses to load it. Attach the TXT to the canonical name instead.
    mail    IN A
    mail    IN TXT "v=spf1 ip4: /27 -all"
    ; DKIM TXT RR
    mail._domainkey IN TXT "v=DKIM1;t=s;p=blah....blah;"
    ; ADSP TXT RR (ADSP has since been reclassified as Historic; DMARC is used instead)
    _adsp._domainkey IN TXT "dkim=discardable;"

DNS – Reverse Mapping
- Maps an IP address to a name
- The domain name hierarchy reads right to left (most significant label last); an IP address reads left to right (most significant octet first)
- Solution:
  - Remove the host part of the address (the last octet for a /24)
  - Reverse the order of the remaining octets
  - Append in-addr.arpa; the result is the name of the reverse zone
  - Define each host (.1 and the others) in that zone file with a PTR RR

DNS – Reverse Zone File

    ; simple reverse mapping zone file for example.com
    $TTL 2d                          ; default TTL for zone
    $ORIGIN IN-ADDR.ARPA.
    ; Start of Authority record defining the key characteristics of the zone
            IN SOA ns1.example.com. hostmaster.example.com. (
                                     ; sn = serial number
                    12h              ; refresh
                    15m              ; retry
                    3w               ; expiry
                    2h               ; min = minimum
                    )
    ; name servers Resource Records for the domain
            IN NS ns1.example.com.
    ; the second name server is
    ; external to this zone (domain).
            IN NS ns2.anotherdomain.com.
    ; PTR RR maps an IPv4 address to a host name
    2       IN PTR ns1.example.com.
            IN PTR mail.example.com.
            IN PTR joe.example.com.
    17      IN PTR

DNS - PTR RRs
- A PTR RR maps a name to a name: both the owner (left) and the target (right) are names, so the owner relies on $ORIGIN to be completed
- The right-hand name must be an FQDN (trailing dot), otherwise the reverse origin is appended to it
- PTR is used for both IPv4 and IPv6
- Separate zone files for IPv4 and IPv6 because the reverse domains differ: in-addr.arpa for IPv4, ip6.arpa for IPv6 (one label per hex nibble, 32 labels for a full address)
- Generally each address carries a single PTR (one name)

    name PTR name
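The octet-reversal recipe from the reverse-mapping slide and the ip6.arpa nibble form mentioned for PTR RRs are mechanical enough to implement and check. Below is an added example written for this module, not code from the course or from BIND: it builds the in-addr.arpa or ip6.arpa name by hand, confirms the result against the standard library, splits it into the reverse zone ($ORIGIN) and the relative owner used in that zone file for label-aligned prefixes, and refuses a PTR target without its trailing dot. Inputs are constructed from the documentation prefixes 192.0.2.0/24, 10.0.0.0/8 and 2001:db8::/32.

```python
"""Reverse-mapping names built by hand for IPv4 (in-addr.arpa) and IPv6
(ip6.arpa), split into reverse zone and owner label.
Added example for the zone-file module; not the course's or BIND's code."""
import ipaddress


def reverse_name(ip_text):
    """Owner name for the PTR of `ip_text`, with trailing dot.
    IPv4: reverse the four octets. IPv6: expand to 32 hex nibbles
    (so :: and leading zeros are written out) and reverse them."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = f"{int(ip):032x}"
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def cross_check(ip_text):
    """Agree with the standard library's own computation of the same name."""
    return reverse_name(ip_text) == ipaddress.ip_address(ip_text).reverse_pointer + "."


def reverse_zone_and_owner(network_text, ip_text):
    """Split reverse_name(ip) into ($ORIGIN of the reverse zone for `network`,
    relative owner used inside that zone file). Only label-aligned prefixes
    are handled: multiples of 8 bits for IPv4, of 4 bits for IPv6. Anything
    else (e.g. a /27) needs RFC 2317 classless delegation instead."""
    net = ipaddress.ip_network(network_text, strict=True)
    ip = ipaddress.ip_address(ip_text)
    if ip not in net:
        raise ValueError(f"{ip} is not in {net}")
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(f"/{net.prefixlen} is not on a label boundary")
    labels = reverse_name(ip_text).split(".")          # ends with '' for the root dot
    host_labels = (net.max_prefixlen - net.prefixlen) // bits_per_label
    return ".".join(labels[host_labels:]), ".".join(labels[:host_labels])


def ptr_line(network_text, ip_text, hostname):
    """One PTR RR for the reverse zone file. The target must be an FQDN;
    without the dot the reverse $ORIGIN would be appended to it."""
    if not hostname.endswith("."):
        raise ValueError(f"{hostname}: PTR target must end with a dot")
    zone, owner = reverse_zone_and_owner(network_text, ip_text)
    return zone, f"{owner:<8} IN PTR {hostname}"


if __name__ == "__main__":
    for net, ip, host in (("192.0.2.0/24", "192.0.2.17", "www.example.com."),
                          ("10.0.0.0/8", "10.1.2.3", "joe.example.com."),
                          ("2001:db8::/32", "2001:db8::1", "ns1.example.com.")):
        zone, line = ptr_line(net, ip, host)
        print(f"$ORIGIN {zone}")
        print(line)
```

For a /8 the owner is three labels (3.2.1 for 10.1.2.3), for a /24 a single one; a /32 IPv6 allocation leaves 24 nibble labels for the host part, which is why IPv6 reverse zones are normally generated rather than typed.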

DNS – PTR RR

    $ORIGIN IN-ADDR.ARPA.
    ...
    ; PTR RR maps an IPv4 address to a host name
    2       IN PTR ns1.example.com.
            IN PTR mail.example.com.
            IN PTR joe.example.com.
    1       IN PTR
    ; could be written with the full reverse name as the owner
    IN-ADDR.ARPA.   IN PTR
    ; missing dot
    1       IN PTR bill.example.com    ; $ORIGIN is appended: bill.example.com.<$ORIGIN>,
                                       ; i.e. a name ending in .IN-ADDR.ARPA.

DNS – Reverse Mapping
- IPv4: optional in principle, but mail systems do a reverse lookup on the connecting address and many reject or down-score a host whose PTR is missing or does not resolve forward to the same address (forward-confirmed reverse DNS); for a mail server it is essential
- IPv6: optional (originally mandatory)
- Always provide a reverse map for the local (loopback) address

Zone File – Best Practice
- Comment the file, including a log of the changes made
- Always include $ORIGIN: it is optional (defaults to the zone name) but leaving it out makes the file non-self-documenting (bad practice)
- Use a consistent style: FQDNs on the right-hand names, on the left-hand names, or on both

Required Zone Files
- Depends on the name server's function
- Forward and reverse map for the localhost zone: forward zone localhost, reverse zone 0.0.127.in-addr.arpa
- Hints file if it is a caching server: points to the root servers
- Reverse maps for the private (RFC 1918) ranges in use (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so that PTR queries for internal addresses are answered locally instead of leaking to the public in-addr.arpa servers

Hints (Root) Zone file

    ;
    ; last update: Jan 29, 2004
    ; related version of root zone:
    ;
    ; formerly NS.INTERNIC.NET
    ;
    .                     IN NS A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET    A …

The hints file is only used to find a root server at start-up (priming); the server then replaces it with the current root NS set, but keep the file current anyway from https://www.internic.net/domain/named.root

Local Host Forward Map

    $TTL 86400                    ; 24 hours, could have been written as 24h or 1d
    $ORIGIN localhost.
    @       1D IN SOA @ hostmaster (
                                  ; serial
                    12h           ; refresh
                    15m           ; retry
                    1w            ; expiry
                    3h )          ; minimum
            1D IN NS @            ; localhost is the name server
            1D IN A  127.0.0.1    ; always returns the loop-back address

Alternate Format

    $TTL 1d
    ; $ORIGIN localhost.
    localhost.  IN SOA localhost. hostmaster.localhost. (
                                  ; serial
                    3H            ; refresh
                    15M           ; retry
                    1w            ; expire
                    3h            ; minimum
                    )
    localhost.  IN NS localhost.          ; localhost is the name server
    localhost.  IN A  127.0.0.1           ; the loop-back address

Localhost Reverse Map

    $TTL 86400                    ; 24 hours
    ; could use $ORIGIN 0.0.127.IN-ADDR.ARPA.
    @       IN SOA localhost. hostmaster.localhost. (
                                  ; Serial
                    3h            ; Refresh
                    15            ; Retry
                    1w            ; Expire
                    3h )          ; Minimum
            IN NS  localhost.
    1       IN PTR localhost.

Quick Quiz
- What RR defines a mail server?
- What is the first record in a zone file?
- What does the $ORIGIN directive do?
- How does the slave know to transfer the zone?
- What is a PTR RR used for?
- What value defines how long an RR can be cached?