# Bind9 zone file configuration

Here is a real world example zone file, the one used on 26 December 2022 for libreboot.org. This example is shown because it's quite fleshed out, and includes e-mail configuration:
```zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA ns1.shlinux.org. leah.libreboot.org. (
20221230 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
libreboot.org. IN NS ns1.shlinux.org.
libreboot.org. IN NS ns2.shlinux.org.
libreboot.org. IN CAA 0 issue "letsencrypt.org"
libreboot.org. IN CAA 0 iodef "mailto:leah@libreboot.org"
libreboot.org. IN A 81.187.172.132
libreboot.org. IN AAAA 2001:8b0:b95:1bb5::4
libreland IN A 81.187.172.132
libreland IN AAAA 2001:8b0:b95:1bb5::4
mail IN A 81.187.172.132
mail IN AAAA 2001:8b0:b95:1bb5::4
rsync IN A 178.79.166.69
rsync IN AAAA 2a01:7e00::f03c:91ff:fe1f:5810
av IN A 178.79.166.69
av IN AAAA 2a01:7e00::f03c:91ff:fe1f:5810
www IN A 81.187.172.132
www IN AAAA 2001:8b0:b95:1bb5::4
foo IN A 81.187.172.132
foo IN AAAA 2001:8b0:b95:1bb5::4
git IN A 81.187.172.132
git IN AAAA 2001:8b0:b95:1bb5::4
browse IN A 81.187.172.132
browse IN AAAA 2001:8b0:b95:1bb5::4
201707._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDJmTvK63zUlEBiUkWKBzq+55cxGSX8I"
"BCA5IpxfkRGgOYFIrYtVcvLKzFwfgQeHicrIIIhi9uYk9rH0e8OMk6Q3KPw78RKn8mD7LJk0NtZ0t0"
"l/tF+Q4RXR7NlAGVQ7BDPg3QJeSBJZoZAGu4GQmhwX727DyiGVRf1xVtxwSY0j2VDd6wlw22CrT/t1"
"282lYjcaDZhCcPCDdp6klLqBk4D6ljGCDWWzsbcY6Jk1y1j9DVKDXik54qMHyQi1SHs/MBEqaQYvIE"
"LPnNvh2wmJMQ+ZQooo48q2wMyy3zkJrKJSL5iYa16alZbqn8Wsm1ZUezcSQ/"
"70dwTQKfO6qv96+QIDAQAB")
_dmarc IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rf=afrf; rua=mailto:dmarc@libreboot.org; ruf=mailto:dmarc@libreboot.org; pct=100"
libreboot.org. IN TXT "v=spf1 a mx ip4:81.187.172.132 ip6:2001:8b0:b95:1bb5::4 -all"
libreboot.org. IN MX 10 mail
```
From the above, this line is of extreme importance:

```zone
20221230 ; Serial
```
When you make changes to the zone file, do not save them until the following conditions are met:
The crypto key above (the `201707._domainkey` TXT record) is a public key generated by OpenDKIM, which I use for my mail server. This public key goes in your DNS records so that receiving mail servers can verify that emails really came from your server, because the corresponding private key (which you should never share) is used to sign outgoing emails. This is not a replacement for GPG, but it is used by mail servers for authentication purposes.

The TXT record holding the SPF policy is also important. I specifically enter the exact IP addresses used by my mail server, and I ensure that only those IPs are configured on that host. Alternatively, where a host has multiple IPs, I block the mail server from sending out on the undesirable ones.
The MX record is also email-related. Email guides will be available on the Fedfree site before long, if not already available by the time you read this.
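The serial and the e-mail records above, checked mechanically, as an added example that is not part of the original page or of BIND: the script parses a constructed excerpt of the zone (SOA collapsed onto two lines, DKIM key replaced by a placeholder), applies RFC 1982 serial arithmetic to the "did the serial go forward" question, and verifies that every `ip4:`/`ip6:` address in the SPF record is one the MX host actually has an A/AAAA record for, that DMARC is `p=reject`, and that a DKIM selector carries a public key. The function names and the lint messages are my own.

```python
import re
# Constructed excerpt of the zone above; the DKIM public key is a placeholder, not the real key.
ZONE = """\
$TTL 604800
@ IN SOA ns1.shlinux.org. leah.libreboot.org. (
20221230 604800 86400 2419200 604800 ) ; serial refresh retry expire negative-ttl
mail IN A 81.187.172.132
mail IN AAAA 2001:8b0:b95:1bb5::4
201707._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "p=EXAMPLEKEYPLACEHOLDER" )
_dmarc IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100"
libreboot.org. IN TXT "v=spf1 a mx ip4:81.187.172.132 ip6:2001:8b0:b95:1bb5::4 -all"
libreboot.org. IN MX 10 mail
"""
COMMENT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # a ';' that is not inside a quoted string

def parse_zone(text, origin="libreboot.org."):
    """Return (owner, type, rdata) tuples; joins ( ) continuation lines and quoted TXT strings."""
    records, buf = [], ""
    for raw in text.splitlines():
        buf = (buf + " " + COMMENT.split(raw, maxsplit=1)[0]).strip()
        if not buf or buf.count("(") > buf.count(")"):
            continue                            # blank line, or still inside a multi-line record
        toks, buf = re.findall(r'"[^"]*"|\S+', buf.replace("(", " ").replace(")", " ")), ""
        if toks[0].startswith("$"):
            continue                            # $TTL and other directives are not records
        if toks[1] == "IN":
            del toks[1]                         # class is optional; drop it so toks[1] is the type
        owner = origin if toks[0] == "@" else toks[0] if toks[0].endswith(".") else toks[0] + "." + origin
        rdata = "".join(t.strip('"') for t in toks[2:]) if toks[1] == "TXT" else " ".join(toks[2:])
        records.append((owner, toks[1], rdata))
    return records

def serial_bumped(old, new):
    return 0 < (new - old) % 2**32 < 2**31   # RFC 1982: new must be "ahead" of old by less than 2**31

def lint_mail_records(records, origin="libreboot.org."):
    """Defender-side sanity checks on the SPF, DMARC and DKIM records of a parsed zone."""
    issues, txt = [], lambda o: [r for n, t, r in records if n == o and t == "TXT"]
    spf = next((r for r in txt(origin) if r.startswith("v=spf1")), "")
    if not spf.endswith(" -all"):
        issues.append("apex SPF record is missing or does not end with -all (hard fail)")
    mx = {r.split()[1] for n, t, r in records if n == origin and t == "MX"}
    addrs = {r for n, t, r in records if t in ("A", "AAAA") and n in {h if h.endswith(".") else h + "." + origin for h in mx}}
    issues += [f"SPF lists {t[4:]}, but no MX host has that address" for t in spf.split() if t[:4] in ("ip4:", "ip6:") and t[4:] not in addrs]
    if not any("p=reject" in r for r in txt("_dmarc." + origin)):
        issues.append("_dmarc TXT is missing or its policy is not p=reject")
    if not any("v=DKIM1" in r and re.search(r"\bp=[A-Za-z0-9+/=]+", r) for n, t, r in records if t == "TXT" and "._domainkey." in n):
        issues.append("no DKIM selector TXT record with v=DKIM1 and a public key")
    return issues
```

BIND's own `named-checkzone` validates the file's syntax and SOA, but not whether the SPF addresses match the mail host; that policy-level consistency is what these checks add.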
The A/AAAA records are domain pointers, resolving to specific IPs. For example, the `libreboot.org.` entry is for when someone only wants to resolve the top level domain; the `www` entry is for www.libreboot.org, and the `av` entry is for av.libreboot.org. You get the idea.
I generally avoid using CNAME records in my zone files, but it's up to you how you use DNS for your purposes.
This is a pretty much full config, the type that you would see on a typical webhosting solution. I run a lot of stuff on libreboot.org. Some of the entries in this zone file are even ancient, and should probably be cleaned up.
The `Refresh` line with the corresponding number is TTL, meaning how long it should be before a caching resolver flushes its entry for the given zone.
You will note that IPv4 and IPv6 addresses are present in this zone file. This is because I always run dual stack IPv4 and IPv6 on my infrastructure. Even my personal workstation always has IPv6 on it. I consider IPv4 to be legacy internet, and IPv6 is the real internet, or at least the current version of it. Everyone should abandon IPv4 as soon as possible. I consider the presence of A records in my zone files to be for backwards compatibility purposes.
That's what IPv4 support is. Backwards compatibility. This is the attitude that every ISP should have.
Feel free to adapt this config for your domain setup.
NOTE: the entry at the top that says `leah.libreboot.org` is actually an email address, leah@libreboot.org, but in zone files you use the dot instead of the at sign.
If you're making TLS setups (https://), you should enable CAA. It can be used to allow only your preferred CA to issue certs. CAA records are present in the above example. More info on these pages:
https://letsencrypt.org/docs/caa/
https://sslmate.com/caa/support
Handy dandy CAA record generator (use for BIND):
ISC's BIND documentation is available here:
https://gitlab.isc.org/isc-projects/bind9/-/tree/main/doc
You might find useful information there pertaining to zone files.