For DNS, the O'Reilly book is probably the nicest, and it explains both the easy bits and the subtle things. What follows is a fairly general homily with things that you already know, but just to present a coherent picture.
Things to be aware of in zone file syntax: directives starting with '$', and things like the '@' pseudo-domain name and "blank" domain names, and the use of "." as the last component of a domain name to mean it is absolute.
Glue records: an 'A' (or 'AAAA') RR that defines the address of the target of an NS record, needed only when the name server's own name lies inside the zone being delegated, so that a resolver can reach it at all. Unnecessary glue records are as a rule a very bad idea: they go stale unnoticed, and careful resolvers discard them anyway. A zone (file) should as far as possible only contain RRs about domains in that zone (file) or glue required by that zone. Some DNS server packages check this.
For example, in the parent zone:

$ORIGIN com.
....
example    NS    A.example.com.
example    NS    B.example.com.

Because A.example.com. and B.example.com. are names inside the zone being delegated, the com zone also has to carry glue 'A' RRs for them. A and B must be authoritative for example.com, which lists them in its own zone file:

$ORIGIN example.com.
....
@    NS    A.example.com.
@    NS    B.example.com.
@    NS    C.example.com.

Other authoritative servers like C may be added to the list, but it is not necessary.
Specifically about RRs (resource records, represented by lines inside a zone file):
The MNAME field of the SOA RR must contain the name of an authoritative server from which other (authorized) authoritative servers can AXFR the zone. As a rule this should be the name of the master server.
The zone apex ('@' or equivalent) cannot be a CNAME. The target of an NS RR cannot be a CNAME and cannot be an IP address. The target of an MX RR cannot be a CNAME and cannot be an IP address.
A domain name that owns a CNAME RR cannot have any other RR, because it must be an exact synonym for the domain name it is CNAMEd to, and one cannot superset or override the RRs for the target domain. The target of a CNAME should not be another CNAMEd domain; that is, there cannot be chains of CNAMEs. This can be difficult to avoid in practice and violating this rule is not so bad.
There are rules about the timing values in the SOA RR, but any sensible values will not violate them.
Using $INCLUDE to pull parts of a zone in from other files is often not a good idea.
Zone file names are best written with the domain name components in reversed order, e.g. US.CA.SF.dotCom.garage if the domain name for the zone is garage.dotCom.SF.CA.US. The reason for this is that the inverted order unfortunately used by the DNS for domain names makes them hard to sort in a meaningful way.
End domain names with a '.' to ensure they are understood as absolute, unless they do refer to domains in the zone file.
Write the owner name of every RR explicitly, as '@' or as a verbatim repetition of the field in the previous line, rather than leaving it blank.
Using $ORIGIN makes non-absolute domain names belong to the specified zone explicitly (otherwise the origin is the zone name given in the server configuration), and means that one cannot share a zone file between two zones, which instead is often desirable.
That MX RRs cannot target IP addresses means that in practice their targets must be names with 'A' or 'AAAA' RRs. The no-CNAME restriction is often not enforced, and the symbolic-name-only one sometimes is not enforced.
It is better to use a $TTL directive than to put a TTL on every RR or take whatever default is assumed by BIND.
An RP RR for a subdomain is not necessary, but some ISPs/services require it (mostly for weak antispam reasons).
There are other RR types, like SRV, ... and some obscure practices, especially concerning reverse DNS mappings, that I do out of a sense of historical style or for geek value but are not necessary. They are often only explained in the O'Reilly book on DNS.
Avoid wildcards ('*'), especially for MX records: a wildcard does not apply to any name for which there is any other RR, so the results are easy to get wrong. I do something like that, but it is for carefully calculated reasons and for very great benefit.
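The RR rules above are exactly the kind of thing worth checking mechanically before loading a zone. The following is an added example, not code from the original page: a small linter that parses a simplified zone file syntax (one RR per line, 'owner [ttl] [IN] type rdata', '@' and relative names, no $-directives or multi-line RRs) and reports apex CNAMEs, NS/MX targets that are CNAMEs or IP literals, CNAME owners with other RRs, CNAME chains, RRs for names outside the zone, and glue below a delegation that the delegation does not need. The zone name ZONE and the sample zone SAMPLE are constructed assumptions.

```python
# Added example (not from the original page): lint a zone file against the
# RR rules above. Simplified syntax only: one RR per line, '@' and relative
# names; $-directives, parenthesised RRs and blank owner fields are not handled.
import ipaddress
import re
from collections import defaultdict

ZONE = "example.org."   # hypothetical apex, as a server config would supply it
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)


def absolute(name, zone=ZONE):
    """Expand '@' and relative names the way a zone loader does."""
    if name == "@":
        return zone.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{zone}".lower()


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_zone(text, zone=ZONE):
    """Return [(owner, TYPE, [rdata tokens])] with absolute owner names."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments (TXT with ';' unsupported)
        if not line:
            continue
        tok = line.split()
        owner = absolute(tok.pop(0), zone)
        if tok and TTL_RE.match(tok[0]):         # optional per-RR TTL
            tok.pop(0)
        if tok and tok[0].upper() == "IN":       # optional class
            tok.pop(0)
        rrs.append((owner, tok[0].upper(), tok[1:]))
    return rrs


def lint_zone(text, zone=ZONE):
    """Return a list of rule violations; an empty list means the zone passes."""
    zone = zone.lower()
    rrs = parse_zone(text, zone)
    types = defaultdict(set)   # owner -> RR types present at that owner
    cname = {}                 # CNAME owner -> absolute target
    for owner, rtype, rdata in rrs:
        types[owner].add(rtype)
        if rtype == "CNAME":
            cname[owner] = absolute(rdata[0], zone)
    problems = []

    def check_target(kind, owner, raw):
        if is_ip(raw):
            problems.append(f"{kind} at {owner} targets an IP address {raw}")
        elif absolute(raw, zone) in cname:
            problems.append(f"{kind} at {owner} targets CNAME {absolute(raw, zone)}")

    # Apex cannot be a CNAME; NS and MX targets cannot be CNAMEs or IP literals.
    if "CNAME" in types[zone]:
        problems.append(f"zone apex {zone} is a CNAME")
    for owner, rtype, rdata in rrs:
        if rtype == "NS":
            check_target("NS", owner, rdata[0])
        elif rtype == "MX":
            check_target("MX", owner, rdata[1])   # rdata = [preference, target]
    # A CNAME owner has no other RRs, and CNAMEs do not chain.
    for owner, target in cname.items():
        extra = types[owner] - {"CNAME"}
        if extra:
            problems.append(f"CNAME {owner} also has {sorted(extra)}")
        if target in cname:
            problems.append(f"CNAME chain {owner} -> {target} -> {cname[target]}")
    # Only RRs for names in the zone, plus glue a delegation actually needs.
    delegations = defaultdict(set)   # delegated name -> its NS targets
    for owner, rtype, rdata in rrs:
        if rtype == "NS" and owner != zone:
            delegations[owner].add(absolute(rdata[0], zone))
    for owner, rtype, rdata in rrs:
        if owner != zone and not owner.endswith("." + zone):
            problems.append(f"{rtype} for {owner} is outside zone {zone}")
        elif rtype in ("A", "AAAA"):
            for cut, servers in delegations.items():
                if owner.endswith("." + cut) and owner not in servers:
                    problems.append(f"{rtype} for {owner} below delegation {cut} is unnecessary glue")
    return problems


# Constructed sample zone with deliberate violations of the rules above.
SAMPLE = """
@        SOA   DNS hostmaster 2004022300 1H 30M 20D 1H
@        NS    DNS
@        NS    ns1.Gradwell.net.
@        MX    1 SMTP            ; MX target is a CNAME
@        A     192.0.2.10
DNS      A     192.0.2.1
SMTP     CNAME @
WWW      CNAME @
WWW      TXT   "extra RR"        ; CNAME owner with another RR
FTP      CNAME WWW               ; CNAME chain
mail     MX    1 192.0.2.20      ; MX target is an IP address
hq       NS    DNS.hq
DNS.hq   A     192.0.2.30        ; glue this zone needs
WEB.hq   A     192.0.2.31        ; glue it does not need
ns1.Gradwell.net.  A  198.51.100.1   ; RR for a name outside the zone
"""

if __name__ == "__main__":
    for problem in lint_zone(SAMPLE):
        print(problem)
```

Run stand-alone it prints six findings for the sample; the glue check deliberately treats every A/AAAA under a delegated name that is not one of that delegation's servers as unnecessary, which is the stricter reading of the rule above.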
A minimal zone file for example.org following these rules:

; -*- outline-regexp: ";;* " -*- vim:ft=bindzone

$TTL    1H

@       SOA     DNS hostmaster (
                ;serial         refresh retry   expire  negTTL
                2004022300      1H      30M     20D     1H )

@       RP      root rp
@       TXT     "Zone for example.org"
rp      TXT     "example.org hostmaster"

;
; '@', name servers and mail exchangers cannot be 'CNAME's.
;
@       NS      DNS
;
@       MX      1 SMTP
;
@       A       IPaddress
;
DNS     A       IPaddress
SMTP    A       IPaddress
;
POP3    CNAME   @
WWW     CNAME   @
FTP     CNAME   @

;
; Anti-SPAM domains.
;
remove-this     TXT     "This is a spamtrap subdomain. Remove it from email addresses."

;
; Recipient-specific domains.
;
*.to    MX      1 SMTP
*.to    MX      99 MXbackup.Gradwell.net.
*.for   MX      1 SMTP
*.for   MX      99 MXbackup.Gradwell.net.
A fuller zone file for example.com, with IPv6 addresses and a delegated subdomain:

; -*- outline-regexp: ";;* " -*- vim:ft=bindzone

$TTL    1H

@       SOA     DNS hostmaster (
                ;serial         refresh retry   expire  negTTL
                2004060900      1H      30M     20D     1H )

@       RP      root rp
@       TXT     "Zone for example.com"
rp      TXT     "example.com hostmaster"
@       LOC     52 14 05 N 00 08 50 E 50m

;
; '@', name servers and mail exchangers cannot be 'CNAME's.
;
@       NS      ns1.Gradwell.net.
@       NS      ns2.Gradwell.net.
@       NS      DNS
;
hq      NS      DNS
;
@       MX      10 @
@       MX      20 SMTP
@       MX      30 SMTP2
@       MX      99 MXbackup.Gradwell.net.
;
@       A       IPaddress
IP6     AAAA    IPv6address
;
DNS     A       IPaddress
DNS.IP6         AAAA    IPv6address
SMTP    A       IPaddress
SMTP.IP6        AAAA    IPv6address
SMTP2   A       IPaddress
SMTP2.IP6       AAAA    IPv6address
;
POP3    CNAME   @
POP3.IP6        CNAME   IP6
WWW     CNAME   @
WWW.IP6         CNAME   IP6
FTP     CNAME   @
FTP.IP6         CNAME   IP6
SSL     CNAME   @
SSL.IP6         CNAME   IP6
H323    CNAME   @
H323.IP6        CNAME   IP6
SIP     CNAME   @
SIP.IP6         CNAME   IP6

;
; The IPv6 network is 2001:0618:0400:b4eb::/64.
;
gw.IP6  AAAA    IPv6address
net.IP6 AAAA    IPv6prefix::
net.IP6 PTR     IPv6reversemap.IP6.ARPA.
net.IP6 PTR     IPv6reversemap.IP6.INT.
sm.IP6  AAAA    ffff:ffff:ffff:ffff::

;
; Anti-SPAM domains.
;
0406.exp        TXT     "This subdomain loses its MX RR sometime after Jun 2004"
0406.exp        MX      1 SMTP
;
remove-this     TXT     "This is a spamtrap subdomain. Remove it from email addresses."

;
; Recipient-specific domains. Remember special rules about '*'.
;
*.to    MX      1 SMTP
*.to    MX      99 MXbackup.Gradwell.net.
*.for   MX      1 SMTP
*.for   MX      99 MXbackup.Gradwell.net.

;
; Dynamic subzone.
;
;dyn    NS      @
One might want to add a section for listing services. Note that RFC 2782 requires the target of an SRV RR to be a name with its own 'A'/'AAAA' RRs and not an alias, so targets like WWW and SSL, which are CNAMEs in the zone above, should strictly be given address RRs of their own; and the NAPTR replacement names must match the SRV owner names exactly, including the _tcp/_udp protocol label:
;
;domain [ttl] IN NAPTR  order preference flags service      regexp  target
@       NAPTR   0 0 "s" "DNS+D2U"       ""      _dns._udp
@       NAPTR   0 0 "s" "DNS+D2T"       ""      _dns._tcp
@       NAPTR   0 0 "s" "SMTP+D2T"      ""      _smtp._tcp
@       NAPTR   0 0 "s" "SSMTP+D2T"     ""      _ssmtp._tcp
@       NAPTR   0 0 "s" "POP3+D2T"      ""      _pop3._tcp
@       NAPTR   0 0 "s" "POP3S+D2T"     ""      _pop3s._tcp
@       NAPTR   0 0 "s" "HTTP+D2T"      ""      _http._tcp
@       NAPTR   0 0 "s" "HTTPS+D2T"     ""      _https._tcp
@       NAPTR   0 0 "s" "FTP+D2T"       ""      _ftp._tcp
@       NAPTR   0 0 "s" "H323+D2T"      ""      _h323._tcp
@       NAPTR   0 0 "s" "SIPS+D2T"      ""      _sips._tcp
@       NAPTR   1 0 "s" "SIP+D2T"       ""      _sip._tcp
@       NAPTR   2 0 "s" "SIP+D2U"       ""      _sip._udp
;
;_service._proto.name   SRV     prio weight port target
; (protocol labels are _tcp or _udp, so that they match the NAPTR targets above)
_dns._udp       SRV     1 10 53         DNS
_dns._tcp       SRV     1 10 53         DNS
_smtp._tcp      SRV     1 10 25         SMTP
_ssmtp._tcp     SRV     1 10 465        SSL
_pop3._tcp      SRV     1 10 110        POP3
_pop3s._tcp     SRV     1 10 995        SSL
_http._tcp      SRV     1 10 80         WWW
_https._tcp     SRV     1 10 443        SSL
_ftp._tcp       SRV     1 10 21         FTP
_h323._tcp      SRV     1 10 1720       H323
_sips._tcp      SRV     1 10 5060       SIP
_sip._tcp       SRV     1 10 5060       SIP
_sip._udp       SRV     1 10 5060       SIP
The services above are generic ones. For a list of (some of) the names used for Microsoft AD compatibility, check the Samba Network Browsing HOWTO.
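A listing like the one above is easy to get subtly wrong, since a NAPTR with the "s" flag is only useful if its replacement name is the owner of an SRV RR. The following is an added example, not code from the original page: it parses NAPTR and SRV lines in the simplified layout of the listing (owner, type, rdata; no TTL or class), reports NAPTR replacements without a matching SRV and SRV owners whose protocol label is not _tcp/_udp, walks NAPTR order/preference for one service, and picks an SRV target by priority and weight. SAMPLE is a constructed fragment (one line deliberately uses a wrong _tls label so the check fires), and the function names are assumptions.

```python
# Added example (not from the original page): cross-check NAPTR "s" records
# against the SRV RRs they name, and show how the numbers in both are used.
import random

SRV_PROTOS = {"_tcp", "_udp"}   # the protocol labels RFC 2782 defines


def parse_service_rrs(text):
    """Return (list of NAPTR dicts, {srv owner: [(prio, weight, port, target)]})."""
    naptr, srv = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments
        if not line:
            continue
        tok = line.split()
        if tok[1].upper() == "NAPTR":
            order, pref, flags, service, regexp, repl = tok[2:8]
            naptr.append({"owner": tok[0], "order": int(order), "pref": int(pref),
                          "flags": flags.strip('"').lower(),
                          "service": service.strip('"'),
                          "regexp": regexp.strip('"'), "replacement": repl})
        elif tok[1].upper() == "SRV":
            prio, weight, port, target = tok[2:6]
            srv.setdefault(tok[0], []).append((int(prio), int(weight), int(port), target))
    return naptr, srv


def check_services(text):
    """Report NAPTR 's' records whose replacement has no SRV RR, NAPTRs that
    carry both the 's' flag and a regexp, and SRV owners with a bad label."""
    naptr, srv = parse_service_rrs(text)
    problems = []
    for owner in srv:
        labels = owner.split(".")
        if len(labels) < 2 or labels[1] not in SRV_PROTOS:
            problems.append(f"SRV owner {owner} does not use a _tcp/_udp label")
    for rec in naptr:
        if rec["flags"] != "s":
            continue
        if rec["regexp"]:
            problems.append(f"NAPTR {rec['service']} has flag 's' but also a regexp")
        if rec["replacement"] not in srv:
            problems.append(f"NAPTR {rec['service']} points at {rec['replacement']}, "
                            "which has no SRV RR")
    return problems


def resolve_service(text, service):
    """Follow NAPTR order then preference for one service (e.g. 'SIP') and
    return the SRV owners that actually exist, most preferred first."""
    naptr, srv = parse_service_rrs(text)
    chosen = [r for r in naptr if r["flags"] == "s"
              and r["service"].split("+", 1)[0].upper() == service.upper()]
    chosen.sort(key=lambda r: (r["order"], r["pref"]))
    return [r["replacement"] for r in chosen if r["replacement"] in srv]


def pick_srv_target(records, rnd=None):
    """SRV selection as in RFC 2782: lowest priority wins; within that
    priority the choice is random, proportional to weight."""
    rnd = rnd or random.Random()
    lowest = min(p for p, _, _, _ in records)
    pool = [r for r in records if r[0] == lowest]
    total = sum(w for _, w, _, _ in pool)
    if total == 0:
        return pool[0]
    point = rnd.randint(0, total - 1)
    for rec in pool:
        point -= rec[1]
        if point < 0:
            return rec


# Constructed sample fragment; the _https._tls line is deliberately wrong.
SAMPLE = """
@ NAPTR 0 0 "s" "SMTP+D2T"  "" _smtp._tcp
@ NAPTR 0 0 "s" "HTTP+D2T"  "" _http._tcp
@ NAPTR 0 0 "s" "HTTPS+D2T" "" _https._tcp
@ NAPTR 1 0 "s" "SIP+D2T"   "" _sip._tcp
@ NAPTR 2 0 "s" "SIP+D2U"   "" _sip._udp
_smtp._tcp  SRV 1 10 25   SMTP
_smtp._tcp  SRV 2 10 25   SMTP2
_http._tcp  SRV 1 10 80   WWW
_https._tls SRV 1 10 443  SSL     ; label does not match the NAPTR target
_sip._tcp   SRV 1 10 5060 SIP
_sip._udp   SRV 1 10 5060 SIP
"""

if __name__ == "__main__":
    for problem in check_services(SAMPLE):
        print(problem)
    print(resolve_service(SAMPLE, "SIP"))
```

On the sample this reports the mislabelled _https._tls SRV and the HTTPS NAPTR that consequently points at nothing; resolve_service("SIP") returns the TCP transport before UDP because its NAPTR order is lower.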