What are domain zone files and zone records?
Zone files hold the zone records (resource records) for a zone: the part of the DNS namespace, typically a domain name together with the subdomains beneath it, that one set of name servers is authoritative for. A zone file is plain text, editable in any text editor, and it is where the DNS data linking domain names and subdomains to IP addresses and other values lives. A zone file usually contains several different kinds of zone records.
NOTE: A subdomain does not automatically get a zone file of its own. Its records can simply live in the parent domain's zone file, or the subdomain can be delegated (through NS records in the parent zone) to become a separate zone with its own zone file. Each zone file is edited as a separate entity; the hierarchy between zones exists only through that delegation.
The most common records contained in a zone file are start of authority (SOA), name server (NS), mail exchanger (MX), host (A), and CNAME. These, along with a few others you will regularly meet, are described below.
- Start of Authority (SOA) — Required for every zone file, the SOA record names the primary name server for the zone and the zone administrator's email address (written with the @ replaced by a dot, so hostmaster.example.com. stands for hostmaster@example.com), and carries the timers that secondary servers and resolvers use: refresh, retry, expire, and minimum, which is the TTL for negative caching (how long a "no such name" answer may be cached). The SOA also holds a serial number that must be incremented with each update; secondary name servers compare it against their copy to decide whether to transfer the new zone data, so an edit without a serial bump does not propagate.
- Name Server (NS) — NS records at the zone apex list the name servers that are authoritative for the zone; NS records for a subdomain delegate that subdomain to a separate zone served by the listed servers.
- Mail Exchanger (MX) — The MX record lists a mail server that accepts email for the zone, with a preference value (lower values are tried first). The target must be a host name that has an A or AAAA record, not an IP address and not a CNAME.
- Host (A) — The A record maps a host name to an IPv4 address. This is the most common type of record on the Internet.
- Canonical Name (CNAME) — A CNAME is an alias for a host: it lets one host answer to more than one DNS name. The CNAME points to the canonical name, and that name's A (or AAAA) record supplies the address, so when you change the IP address in the A record every CNAME pointing at that name follows the new address automatically. A name that has a CNAME may hold no other record, and a CNAME cannot be placed at the zone apex (the bare domain name), because the SOA and NS records already live there.
- Text (TXT) — This is an informational record holding free-form text. In practice it mostly carries machine-readable policy and verification strings, such as SPF and DMARC records or the token a provider asks you to publish to prove you control the domain.
- Service Records (SRV) — SRV records identify the hosts providing a specific service. The owner name has the form _service._proto.name (for example _sip._tcp.example.com) and the data gives a priority, a weight, the port, and the target host name.
- AAAA — AAAA records store a 128-bit Internet Protocol version 6 (IPv6) address, which does not fit the 32-bit A record format. For example, 2007:0db6:85a3:0000:0000:6a2e:0371:7234 is a syntactically valid IPv6 address.
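To make the record types above concrete, here is an added Python example (not code from the original page and not any DNS server's code) that parses a small zone file containing each listed type and then runs the consistency checks a practitioner wants before loading or signing a zone: exactly one SOA, NS records at the apex, no CNAME sharing a name with other records or sitting at the apex, and address records whose data matches their type. The zone content (example.com, 192.0.2.x, 2001:db8::) is constructed documentation data, and the parser supports only the subset of master-file syntax the sample uses.

```python
# Added example: a minimal zone-file parser plus sanity checks.
# Not the original page's code and not any DNS server's code; it handles only
# the master-file syntax used in the constructed sample below.
import ipaddress
import re
from collections import defaultdict

# Constructed sample zone; every name and address is invented documentation data.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA   ns1.example.com. hostmaster.example.com. (
              2024030101 ; serial, bumped on every change
              7200       ; refresh
              900        ; retry
              1209600    ; expire
              300 )      ; minimum = negative-caching TTL
@         IN NS    ns1.example.com.
@         IN NS    ns2.example.com.
@         IN MX    10 mail.example.com.
@         IN A     192.0.2.10
ns1       IN A     192.0.2.1
ns2       IN A     192.0.2.2
mail      IN A     192.0.2.20
mail      IN AAAA  2001:db8::20
www       IN CNAME example.com.
www       IN A     192.0.2.11       ; wrong: a CNAME owner may hold no other record
_sip._tcp IN SRV   10 60 5060 mail.example.com.
@         IN TXT   "v=spf1 mx -all"
"""

SUPPORTED = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT", "SRV"}


def _logical_lines(text):
    """Strip ';' comments and fold '( ... )' multi-line records into one line."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)  # comments (the sample has no ';' inside quotes)
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            lines.append(" ".join(buf))
            buf = []
    return lines


def _absolute(name, origin):
    """Expand '@' and relative names; a name ending in '.' is already absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of {owner, ttl, type, rdata} dicts in file order."""
    origin = default_ttl = last_owner = None
    records = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A blank owner field means "same owner as the previous record".
        owner = last_owner if line[0].isspace() else _absolute(tokens.pop(0), origin)
        last_owner = owner
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in SUPPORTED:
            raise ValueError(f"unsupported record type {rtype} at {owner}")
        rdata = [" ".join(tokens).strip('"')] if rtype == "TXT" else tokens
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def check_zone(records):
    """Return the problems an authoritative server or DNSSEC signer would reject."""
    problems = []
    types_at = defaultdict(set)
    for r in records:
        types_at[r["owner"]].add(r["type"])
    soas = [r for r in records if r["type"] == "SOA"]
    if len(soas) != 1:
        problems.append(f"zone must contain exactly one SOA record, found {len(soas)}")
    apex = soas[0]["owner"] if soas else None
    if apex and "NS" not in types_at[apex]:
        problems.append(f"{apex}: no NS record at the zone apex")
    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
        if "CNAME" in types and owner == apex:
            problems.append(f"{owner}: CNAME is not allowed at the zone apex")
    for r in records:
        if r["type"] in ("A", "AAAA"):
            try:
                version = ipaddress.ip_address(r["rdata"][0]).version
            except ValueError:
                problems.append(f"{r['owner']}: {r['type']} holds an invalid address {r['rdata'][0]}")
                continue
            if (r["type"] == "A") != (version == 4):
                problems.append(f"{r['owner']}: {r['type']} holds an IPv{version} address")
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(f"{len(recs)} records; SOA serial {recs[0]['rdata'][2]}")
    for p in check_zone(recs):
        print("PROBLEM:", p)
```

Running it reports the one deliberate fault in the sample, the A record sharing the name www with a CNAME; a real server would refuse to load the zone for the same reason. The parser treats a record with no class or TTL field as using the $TTL default, which matches how most hosted zone editors export files.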
What is a DS record?
A Delegation Signer (DS) record is published in the parent zone (for a registered domain name, in the registry's zone for that extension) and identifies the child zone's Key Signing Key: it holds the key's key tag, its algorithm number, a digest type, and a hash of the DNSKEY record. Enabling DNSSEC (Domain Name System Security Extensions) for your domain name requires submitting this information, usually through your registrar, to complete the setup: the DS is the link in the chain of trust from the parent down to your signed zone, and until it is published validating resolvers treat your zone as unsigned.
The DS record format itself is standard, but the fields you are asked to supply and the digest algorithms accepted vary by domain name extension, because each registry sets its own rules.
What is a key rollover and how often should it occur?
A key rollover replaces the key pair used to sign the zone with a freshly generated one and regenerates the zone's signatures under the new key; it is the key that is rolled, not just the signatures, which are renewed regularly anyway as they approach expiry. A signed zone normally uses two keys: a Zone Signing Key (ZSK), which signs the zone's records, and a Key Signing Key (KSK), which signs the DNSKEY record set and is the key the parent's DS record refers to. Both should be rolled over periodically to limit the exposure if a private key is ever compromised or leaked. A rollover has to be staged so that the old and new keys (or signatures) are both valid for at least the relevant TTLs; swapping keys in one step leaves resolvers holding cached data that no longer validates.
NIST's Secure Domain Name System (DNS) Deployment Guide (SP 800-81) recommends rolling the ZSK every 30 to 90 days. The KSK is rolled much less often, since every KSK rollover requires a new DS record to be published in the parent zone through the registrar.
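To show what actually goes into a DS record and why it must match the child zone's key, here is an added Python example (not the original page's code and not any registrar's or signing software's) that computes a DS record from a DNSKEY the way RFC 4034 specifies: the digest covers the canonical wire form of the owner name followed by the DNSKEY RDATA, and the key tag is the Appendix B checksum over the RDATA. It serves both the DS question and the key rollover question above: after a KSK rollover the DS published for the old key no longer matches the new DNSKEY, which the ds_matches check reports. The DNSKEY used is a constructed placeholder whose public key is two bytes, and example.com is a documentation name.

```python
# Added example: derive and verify a DS record from a DNSKEY (RFC 4034 section 5
# and Appendix B). Not the original page's code and not any registrar's or signer's
# code. The DNSKEY below is a constructed placeholder (public key bytes 0x01 0x02);
# real keys carry hundreds of bytes of RSA or ECDSA material.
import base64
import hashlib
import hmac
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, ending with the zero-length root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA on the wire: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def is_ksk(flags):
    """Bit value 256 (ZONE) must be set; bit value 1 (SEP) marks the KSK a DS should cover."""
    return flags & 256 != 0 and flags & 1 != 0


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSA/MD5, 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Compute the DS RDATA the parent zone should publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds):
    """True if the DS published in the parent really covers this child DNSKEY.
    A mismatch (wrong key, wrong owner name, or a stale DS after a KSK rollover)
    makes validating resolvers treat the whole zone as bogus."""
    if ds["digest_type"] not in DIGESTS:
        return False
    computed = ds_record(owner, flags, protocol, algorithm, pubkey_b64, ds["digest_type"])
    return (computed["key_tag"] == ds["key_tag"]
            and computed["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(computed["digest"], ds["digest"].upper()))


def format_ds(owner, ds):
    """Presentation format, the form a registrar's DNSSEC page asks for."""
    return f"{owner} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


# Constructed placeholder KSK: flags 257 = ZONE + SEP, protocol 3, algorithm 8 (RSA/SHA-256).
EXAMPLE_OWNER = "example.com."
EXAMPLE_KSK = dict(flags=257, protocol=3, algorithm=8, pubkey_b64="AQI=")

if __name__ == "__main__":
    ds = ds_record(EXAMPLE_OWNER, **EXAMPLE_KSK)
    print(format_ds(EXAMPLE_OWNER, ds))
    print("matches:", ds_matches(EXAMPLE_OWNER, **EXAMPLE_KSK, ds=ds))
```

Run it to print the DS line in presentation format; to check a live zone, paste the fields of a real KSK (as returned by dig DNSKEY example.com) into ds_record and compare the result with the DS the parent serves, which is the same computation BIND's dnssec-dsfromkey performs. The digest types listed are the ones registrars commonly accept (1 SHA-1, 2 SHA-256, 4 SHA-384); which of them a registry takes is the part that varies by extension.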