Bind9 zone file configuration

Here is a real-world example zone file, the one used on 26 December 2022 for libreboot.org. This example is shown because it's quite fleshed out and includes e-mail configuration:

;
; BIND data file for local loopback interface
;
$TTL	604800
@	IN	SOA	ns1.shlinux.org. leah.libreboot.org. (
		       20221230		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
libreboot.org.	IN	NS	ns1.shlinux.org.
libreboot.org.  IN      NS      ns2.shlinux.org.
libreboot.org.	IN	CAA	0 issue "letsencrypt.org"
libreboot.org.	IN	CAA	0 iodef "mailto:leah@libreboot.org"
libreboot.org.	IN	A	81.187.172.132
libreboot.org.  IN      AAAA    2001:8b0:b95:1bb5::4
libreland	IN	A	81.187.172.132
libreland	IN	AAAA	2001:8b0:b95:1bb5::4
mail		IN	A	81.187.172.132
mail		IN	AAAA	2001:8b0:b95:1bb5::4
rsync		IN	A	178.79.166.69
rsync		IN	AAAA	2a01:7e00::f03c:91ff:fe1f:5810
av		IN	A	178.79.166.69
av		IN	AAAA	2a01:7e00::f03c:91ff:fe1f:5810
www		IN	A	81.187.172.132
www		IN	AAAA	2001:8b0:b95:1bb5::4
foo		IN	A	81.187.172.132
foo		IN	AAAA	2001:8b0:b95:1bb5::4
git		IN	A	81.187.172.132
git		IN	AAAA	2001:8b0:b95:1bb5::4
browse		IN	A	81.187.172.132
browse		IN	AAAA	2001:8b0:b95:1bb5::4
201707._domainkey IN	TXT	 ( "v=DKIM1; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDJmTvK63zUlEBiUkWKBzq+55cxGSX8I"
"BCA5IpxfkRGgOYFIrYtVcvLKzFwfgQeHicrIIIhi9uYk9rH0e8OMk6Q3KPw78RKn8mD7LJk0NtZ0t0"
"l/tF+Q4RXR7NlAGVQ7BDPg3QJeSBJZoZAGu4GQmhwX727DyiGVRf1xVtxwSY0j2VDd6wlw22CrT/t1"
"282lYjcaDZhCcPCDdp6klLqBk4D6ljGCDWWzsbcY6Jk1y1j9DVKDXik54qMHyQi1SHs/MBEqaQYvIE"
"LPnNvh2wmJMQ+ZQooo48q2wMyy3zkJrKJSL5iYa16alZbqn8Wsm1ZUezcSQ/"
"70dwTQKfO6qv96+QIDAQAB")
_dmarc		IN	TXT	"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rf=afrf; rua=mailto:dmarc@libreboot.org; ruf=mailto:dmarc@libreboot.org; pct=100"
libreboot.org.	IN	TXT	"v=spf1 a mx ip4:81.187.172.132 ip6:2001:8b0:b95:1bb5::4 -all"
libreboot.org. 	IN	MX	10 mail

Always update the serial string!

From the above, this line is of extreme importance:

		       20221230		; Serial

When you make changes to the zone file, do not save them until the following conditions are met:

  • You are fully satisfied with the new specification
  • You have updated the Serial line. You must change the serial every time. I typically just put today's date, being the day I edited the file (if I make several edits in a single day, I add a digit).

Other entries in the above example

DKIM public key

The key above is a public key generated by OpenDKIM, which I use for my mail server. The public key goes in your DNS records so that receiving mail servers can verify that mail really came from your server: the corresponding private key (which you should never share) is used to sign outgoing emails. This is not a replacement for GPG; it is used by mail servers for authentication purposes.

Email

The TXT record carrying the SPF policy is also important. I specifically enter the exact IP addresses used by my mail server, and I ensure that only those IPs are set on that host. Alternatively, where multiple IPs are set on the host, I block the mail server from sending out on the undesirable IP addresses.

The MX record is also email-related. Email guides will be available on the Fedfree site before long, if not already available by the time you read this.
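As an added example (not part of the original page or of the libreboot.org setup), here is a small Python pre-save check covering the serial rule above and the SPF advice in this section: it bumps the SOA serial with the date-based scheme described (always strictly increasing, which is what secondary servers need before they will pull the new zone), and it reports any A/AAAA address of the MX host that the SPF record does not list explicitly as ip4:/ip6:. The zone excerpt is constructed with documentation addresses, and the regexes assume the record layout shown above.

```python
import re

# Constructed excerpt in the layout of the zone file above (documentation addresses, not the live zone).
ZONE = """\
$TTL    604800
@       IN      SOA     ns1.example.net. hostmaster.example.org. (
                       20221230         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
mail            IN      A       192.0.2.10
mail            IN      AAAA    2001:db8::4
example.org.    IN      TXT     "v=spf1 a mx ip4:192.0.2.10 ip6:2001:db8::4 -all"
example.org.    IN      MX      10 mail
"""

# The serial is the first number after the opening parenthesis of the SOA record.
SERIAL_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(\s*(\d+)")

def current_serial(zone: str) -> int:
    m = SERIAL_RE.search(zone)
    if m is None:
        raise ValueError("no SOA serial found")
    return int(m.group(1))

def next_serial(old: int, ymd: int) -> int:
    """Date scheme from the text: ymd is today's date as YYYYMMDD (an int); a digit
    is appended for further edits that day, so the result is always > old."""
    new = ymd
    while new <= old:
        new = new * 10 + 1          # 20221230 -> 202212301 -> 2022123011
    if new > 0xFFFFFFFF:            # serials are 32-bit unsigned; refuse to overflow
        raise ValueError(f"serial {new} does not fit in 32 bits")
    return new

def bump_serial(zone: str, ymd: int) -> tuple[str, int]:
    # Rewrite only the serial digits; everything else in the file is untouched.
    m = SERIAL_RE.search(zone)
    new = next_serial(current_serial(zone), ymd)
    return zone[:m.start(1)] + str(new) + zone[m.end(1):], new

def spf_missing_mx_ips(zone: str) -> list[str]:
    """Addresses of the MX host that the SPF record does not list explicitly as
    ip4:/ip6:; an empty list means SPF names exactly the mail server's addresses."""
    mx_host = re.search(r"\bIN\s+MX\s+\d+\s+(\S+)", zone).group(1)
    addrs = re.findall(rf"^{re.escape(mx_host)}\s+IN\s+(?:A|AAAA)\s+(\S+)", zone, re.M)
    spf = re.search(r'"v=spf1 ([^"]*)"', zone).group(1)
    listed = {t.split(":", 1)[1] for t in spf.split() if t.startswith(("ip4:", "ip6:"))}
    return [a for a in addrs if a not in listed]
```

Run `bump_serial` on the file contents with today's date as an integer (for example `int(date.today().strftime("%Y%m%d"))`) and write the result back only if `spf_missing_mx_ips` returns an empty list.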

A/AAAA records

The A/AAAA records map names to specific IPv4 and IPv6 addresses. For example, the libreboot.org. entry is for when someone resolves the bare domain itself; the www entry is for www.libreboot.org, and the av entry is for av.libreboot.org. You get the idea.

I generally avoid using CNAME records in my zone files, but it's up to you how you use DNS for your purposes.

This is pretty much a full config, of the type you would see on a typical web hosting setup. I run a lot of stuff on libreboot.org. Some of the entries in this zone file are ancient and should probably be cleaned up.

SOA section

The Refresh line with the corresponding number is TTL, meaning how long it should be before a caching resolver flushes its entry for the given zone.

Dual stack IPv4/IPv6

You will note that IPv4 and IPv6 addresses are present in this zone file. This is because I always run dual stack IPv4 and IPv6 on my infrastructure. Even my personal workstation always has IPv6 on it. I consider IPv4 to be legacy internet, and IPv6 is the real internet, or at least the current version of it. Everyone should abandon IPv4 as soon as possible. I consider the presence of A records in my zone files to be for backwards compatibility purposes.

That's what IPv4 support is. Backwards compatibility. This is the attitude that every ISP should have.

Feel free to adapt this config for your domain setup.

Email address (SOA section)

NOTE: the entry at the top that says leah.libreboot.org is actually an email address, leah@libreboot.org, but in zone files you use the dot instead of the at sign.

CAA

If you're making TLS setups (https://), you should enable CAA. It can be used to allow only your preferred CA to issue certs.

CAA records are present in the above example. More info on these pages:

https://letsencrypt.org/docs/caa/

https://sslmate.com/caa/support

Handy dandy CAA record generator (use for BIND):

https://sslmate.com/caa/

References

ISC's BIND documentation is available here:

https://gitlab.isc.org/isc-projects/bind9/-/tree/main/doc

You might find useful information there pertaining to zone files.