DNS Zones

Zone file syntax, forward and reverse zones, serial number management, zone transfers, and delegation.

Zone Concepts

A DNS zone is a contiguous portion of the namespace managed by a single authority. A zone is not the same as a domain — a domain can be split into multiple zones via delegation.

Forward Zone — Name to IP

Zone declaration in named.conf
zone "inside.domusdigitalis.dev" IN {
    type master;          // newer BIND versions also accept "primary" as a synonym
    file "inside.domusdigitalis.dev.zone";
    allow-transfer { 10.50.1.3; };
    also-notify { 10.50.1.3; };
};
Minimal forward zone file
$TTL 3600
@  IN SOA  ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
    2026041001  ; Serial
    3600        ; Refresh
    900         ; Retry
    604800      ; Expire
    86400       ; Negative TTL
)

; Nameservers
@      IN NS   ns1.inside.domusdigitalis.dev.
@      IN NS   ns2.inside.domusdigitalis.dev.

; Nameserver address records (the real glue is the copy of these in the parent zone)
ns1    IN A    10.50.1.2
ns2    IN A    10.50.1.3

; Infrastructure
dc01   IN A    10.50.1.50
ise-01 IN A    10.50.1.20
vault  IN A    10.50.1.60
nas    IN A    10.50.1.70
bind   IN A    10.50.1.90

Reverse Zone — IP to Name

Reverse zone declaration
zone "1.50.10.in-addr.arpa" IN {
    type master;
    file "10.50.1.rev";
};

The zone name uses reversed octets plus .in-addr.arpa. For the 10.50.1.0/24 subnet, the zone is 1.50.10.in-addr.arpa. Give the reverse zone the same allow-transfer and also-notify settings as the forward zone: it enumerates every host on the subnet and is just as valuable to an attacker if it can be dumped.

Reverse zone file — PTR records
$TTL 3600
@  IN SOA  ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
    2026041001 3600 900 604800 86400
)

@   IN NS  ns1.inside.domusdigitalis.dev.
@   IN NS  ns2.inside.domusdigitalis.dev.

; PTR records — last octet only
1   IN PTR  pfsense-01.inside.domusdigitalis.dev.
2   IN PTR  vyos-01.inside.domusdigitalis.dev.
3   IN PTR  vyos-02.inside.domusdigitalis.dev.
20  IN PTR  ise-01.inside.domusdigitalis.dev.
50  IN PTR  dc01.inside.domusdigitalis.dev.
60  IN PTR  vault-01.inside.domusdigitalis.dev.
70  IN PTR  nas-01.inside.domusdigitalis.dev.
90  IN PTR  bind-01.inside.domusdigitalis.dev.

Only the last octet is needed because the zone name already encodes the first three octets. PTR targets must be absolute names (trailing dot) and should match an A record in the forward zone, because mail servers and many access-control checks verify exactly that round trip (forward-confirmed reverse DNS). Note that the forward zone above names the hosts vault, nas and bind while the reverse zone uses vault-01, nas-01 and bind-01; in production the two files must agree.

Zone File Syntax Rules

The $ORIGIN directive — sets the default domain for unqualified names
$ORIGIN inside.domusdigitalis.dev.

Names without a trailing dot are relative to $ORIGIN; if the file has no $ORIGIN directive, the origin is the zone name from the named.conf declaration. The @ symbol is shorthand for the current origin.

Trailing dot is mandatory for absolute names
; CORRECT — absolute name, no suffix appended
ns1.inside.domusdigitalis.dev.

; WRONG — BIND appends the zone origin, creating ns1.inside.domusdigitalis.dev.inside.domusdigitalis.dev.
ns1.inside.domusdigitalis.dev

This is the most common zone file mistake, and named-checkzone will not catch it: the doubled name is syntactically valid. Always end FQDNs with a dot in zone files, including the targets of NS, PTR and CNAME records.

Comments in zone files
; This is a comment — everything after semicolon is ignored
host  IN A  10.50.1.100  ; inline comment
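
Added example, not part of the original page: a small Python parser that applies exactly the rules in this section ($TTL and $ORIGIN directives, ';' comments, @ as the origin, trailing-dot absolute names, origin appended to relative names, a multi-line SOA in parentheses) and then cross-checks the forward and reverse zone files shown above for forward-confirmed reverse DNS. The two zone files are constructed copies of the ones on this page (the reverse SOA is written on one line); the function names are this example's own, not BIND's.

```python
import ipaddress

# Constructed copies of the forward and reverse zone files shown on this page.
FORWARD_ZONE = """\
$TTL 3600
@  IN SOA  ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. (
    2026041001  ; Serial
    3600        ; Refresh
    900         ; Retry
    604800      ; Expire
    86400       ; Negative TTL
)
@      IN NS   ns1.inside.domusdigitalis.dev.
@      IN NS   ns2.inside.domusdigitalis.dev.
ns1    IN A    10.50.1.2
ns2    IN A    10.50.1.3
dc01   IN A    10.50.1.50
ise-01 IN A    10.50.1.20
vault  IN A    10.50.1.60
nas    IN A    10.50.1.70
bind   IN A    10.50.1.90
"""
REVERSE_ZONE = """\
$TTL 3600
@  IN SOA  ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. 2026041001 3600 900 604800 86400
1   IN PTR  pfsense-01.inside.domusdigitalis.dev.
2   IN PTR  vyos-01.inside.domusdigitalis.dev.
3   IN PTR  vyos-02.inside.domusdigitalis.dev.
20  IN PTR  ise-01.inside.domusdigitalis.dev.
50  IN PTR  dc01.inside.domusdigitalis.dev.
60  IN PTR  vault-01.inside.domusdigitalis.dev.
70  IN PTR  nas-01.inside.domusdigitalis.dev.
90  IN PTR  bind-01.inside.domusdigitalis.dev.
"""

def qualify(name, origin):
    """'@' = origin; trailing dot = absolute; otherwise the origin is appended."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata)] per record: ';' comments, $ORIGIN/$TTL,
    parenthesised multi-line records, optional TTL/class, blank owner = previous owner."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner, buf, depth, blank_owner = [], None, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # everything after ';' is a comment
        if not line.strip():
            continue
        if not buf:                                   # first physical line of a record
            blank_owner = line[:1] in (" ", "\t")
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                                 # still inside ( ... )
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if blank_owner else qualify(tokens.pop(0), origin)
        if tokens[0].isdigit():                       # optional per-record TTL
            tokens.pop(0)
        if tokens[0].upper() == "IN":                 # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("PTR", "NS", "CNAME"):           # targets are names: same dot rule
            rdata = [qualify(rdata[0], origin)]
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records

def ptr_owner_to_ip(owner):
    """'2.1.50.10.in-addr.arpa.' -> '10.50.1.2', validated as IPv4."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))

def check_fcrdns(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return (confirmed_names, a_without_matching_ptr, ptr_without_a)."""
    a_records = [(o, r[0]) for o, t, r in parse_zone(forward_text, forward_origin) if t == "A"]
    ptr = {ptr_owner_to_ip(o): r[0]
           for o, t, r in parse_zone(reverse_text, reverse_origin) if t == "PTR"}
    confirmed, a_without_ptr = [], []
    for name, ip in a_records:
        if ptr.get(ip) == name:
            confirmed.append(name)
        else:
            a_without_ptr.append((name, ip, ptr.get(ip)))   # None: no PTR at all
    a_names = {name for name, _ in a_records}
    ptr_without_a = [(ip, name) for ip, name in ptr.items() if name not in a_names]
    return confirmed, a_without_ptr, ptr_without_a
```

Calling check_fcrdns(FORWARD_ZONE, "inside.domusdigitalis.dev", REVERSE_ZONE, "1.50.10.in-addr.arpa") on the page's data reports only dc01 and ise-01 as forward-confirmed: ns1/ns2 resolve to addresses whose PTRs name vyos-01/vyos-02, and vault, nas and bind do not match vault-01, nas-01 and bind-01. Feeding parse_zone a PTR whose target lacks the trailing dot shows the doubled-suffix bug from the syntax rules above, with the reverse origin appended to the hostname.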

Serial Number Management

Format: YYYYMMDDNN — date plus sequence
; 2026-04-10, first change of the day
2026041001

; 2026-04-10, second change of the day
2026041002

The serial must always increase. Slaves compare the master's serial with their own using 32-bit serial arithmetic (RFC 1982, so the value wraps rather than overflows): if the master's serial is not newer than the slave's, the slave ignores the NOTIFY and keeps its current copy.

Verify serial across master and slave
dig @10.50.1.2 inside.domusdigitalis.dev SOA +short | awk '{print "Master:", $3}'
dig @10.50.1.3 inside.domusdigitalis.dev SOA +short | awk '{print "Slave:", $3}'

Matching serials means replication is current. A mismatch means the slave hasn't pulled the latest zone. The converse failure is silent: editing the zone file without bumping the serial leaves both values equal, so the slave never transfers the change even though the files differ.

Fix a serial that was accidentally decreased
; Current serial on slave: 2026041005
; You accidentally set master to: 2026041003
; Fix: set master serial higher than 2026041005
2026041006

Then rndc reload the zone on the master and rndc retransfer it on the slave; retransfer forces a fresh AXFR regardless of the serial comparison.
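
Added example, not part of the original page: the comparison a slave performs on the SOA serial (RFC 1982 serial arithmetic, 32-bit with wrap-around), a YYYYMMDDNN bump that can never go backwards (including a day with more than 99 edits), and the repair for the scenario above. The dig +short SOA output lines are constructed, and the function names are this example's own.

```python
from datetime import date

MOD, HALF = 2 ** 32, 2 ** 31


def serial_gt(a, b):
    """RFC 1982: a is newer than b when (a - b) mod 2^32 lies in (0, 2^31).
    This is what a slave computes; it is not plain integer '>' because
    serials are 32-bit and wrap (so 1 is newer than 4294967295)."""
    d = (a - b) % MOD
    return 0 < d < HALF


def serial_from_dig_short(line):
    """The serial is field 3 of `dig ... SOA +short` output
    ('mname rname serial refresh retry expire minimum')."""
    return int(line.split()[2])


def replication_status(master_line, slave_line):
    """'current', 'slave behind' (will pull on NOTIFY/refresh) or
    'master behind' (serial went backwards: the slave ignores the master)."""
    m, s = serial_from_dig_short(master_line), serial_from_dig_short(slave_line)
    if m == s:
        return "current"
    return "slave behind" if serial_gt(m, s) else "master behind"


def next_serial(current, today=None):
    """Next YYYYMMDDNN serial: today's date with NN = 01, but never lower than
    current + 1, so more than 99 edits in a day, or a clock set back, still
    produce an increase the slaves accept."""
    today = today or date.today()
    candidate = max(int(today.strftime("%Y%m%d")) * 100 + 1, current + 1) % MOD
    if not serial_gt(candidate, current):
        raise ValueError("bump would not register as an increase")
    return candidate


def repair_serial(master_serial, slave_serial, today=None):
    """Fix for a master serial accidentally set below the slave's: bump from
    whichever of the two the slaves consider newest."""
    newest = slave_serial if serial_gt(slave_serial, master_serial) else master_serial
    return next_serial(newest, today)


# Constructed `dig +short SOA` answers for the scenario above: the master was
# accidentally set to 2026041003 while the slave already holds 2026041005.
MASTER_SOA = "ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. 2026041003 3600 900 604800 86400"
SLAVE_SOA = "ns1.inside.domusdigitalis.dev. admin.domusdigitalis.dev. 2026041005 3600 900 604800 86400"

if __name__ == "__main__":
    print(replication_status(MASTER_SOA, SLAVE_SOA))                 # master behind
    print(repair_serial(2026041003, 2026041005, date(2026, 4, 10)))  # 2026041006
```

With the constructed answers, replication_status reports "master behind", and repair_serial picks 2026041006, the same value chosen by hand above, because the bump starts from the slave's 2026041005 rather than from the master's lower serial.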

Zone Transfers

AXFR — full zone transfer
dig -t AXFR inside.domusdigitalis.dev @10.50.1.2

Transfers the entire zone. Used for initial slave setup; the master also falls back to a full AXFR when it no longer has journal history covering the serial the slave asks for.

IXFR — incremental zone transfer
dig -t IXFR={serial} inside.domusdigitalis.dev @10.50.1.2

Transfers only the changes since the specified serial, which is the serial the requester currently holds. More efficient for large zones with small changes.

Restrict zone transfers — security critical
zone "inside.domusdigitalis.dev" IN {
    type master;
    allow-transfer { 10.50.1.3; };
};

Never allow-transfer { any; }: it lets anyone dump your entire zone, host inventory included. Restrict to slave IPs only, set the ACL explicitly on every authoritative server (the slave needs one too) and on the reverse zones, and where transfers cross an untrusted network sign them with a TSIG key and reference that key in allow-transfer rather than trusting the source address alone.

Test if unauthorized transfer is possible — security audit
dig -t AXFR inside.domusdigitalis.dev @10.50.1.90

Run this from a host that is not in the allow-transfer ACL, against each authoritative server for the zone. A correctly restricted server answers with "Transfer failed."; if the command prints the zone contents instead, fix the ACL immediately.

Zone Validation

Validate zone file before reloading
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
Validate reverse zone
sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev
Validate config, then reload — the safe workflow
sudo named-checkconf /etc/named.conf && \
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone && \
sudo rndc reload inside.domusdigitalis.dev

Always validate both config and zone file before reloading. A bad zone file can take down resolution for that entire domain. named-checkzone and named-checkconf exit non-zero on error, which is why the && chain above stops before rndc reload.

Zone Delegation

Delegate a subdomain to another nameserver
; In the parent zone file
lab    IN NS  ns1.lab.example.com.
ns1.lab IN A  10.50.2.10

The NS record delegates authority. The glue A record is required when the NS target is inside the delegated zone (ns1.lab is inside lab.example.com): without it a resolver would have to look up ns1.lab.example.com by asking lab.example.com, which it cannot reach yet. The child zone's own apex NS records should list the same servers as the parent's delegation.
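
Added example, not from the original page: generating the parent-side delegation records for a child zone, emitting a glue A record only for nameservers whose names lie inside the delegated zone. The in-zone test compares whole labels, so a nameserver under a hypothetical mylab.example.com is not mistaken for one under lab.example.com, which a plain string-suffix check would do. ns1.lab.example.com and 10.50.2.10 come from the snippet above; ns2.example.com and its address are constructed, and the function names are this example's own.

```python
def labels(name):
    """Split a DNS name into its labels, ignoring case and the trailing dot."""
    return name.lower().rstrip(".").split(".")


def in_zone(name, zone):
    """True if name is at or below zone.  Whole labels are compared, so
    'ns1.mylab.example.com' is NOT inside 'lab.example.com' even though the
    string ends with it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def absolute(name):
    """Zone-file form: lowercase, with the trailing dot that marks an FQDN."""
    return name.lower().rstrip(".") + "."


def delegation_records(child_zone, nameservers):
    """Parent-zone lines delegating child_zone.  nameservers maps each NS name
    to its IPv4 address, or None when no address is to be published here.
    NS records are emitted for every server; a glue A record only for servers
    inside the child zone, where it is required (a resolver cannot look up
    ns1.lab.example.com without first reaching lab.example.com).  An address
    for an out-of-zone server belongs in that server's own zone, not here."""
    child = absolute(child_zone)
    lines = [f"{child:<24} IN NS  {absolute(ns)}" for ns in nameservers]
    for ns, addr in nameservers.items():
        if in_zone(ns, child):
            if addr is None:
                raise ValueError(f"{ns} is inside {child}: glue address required")
            lines.append(f"{absolute(ns):<24} IN A   {addr}")   # glue
    return lines


if __name__ == "__main__":
    # ns1.lab.example.com / 10.50.2.10 from the page; ns2.example.com is constructed.
    for line in delegation_records("lab.example.com",
                                   {"ns1.lab.example.com": "10.50.2.10",
                                    "ns2.example.com": "10.50.1.2"}):
        print(line)
```

The output is three lines: two NS records for lab.example.com. and one glue A record for ns1.lab.example.com.; ns2.example.com gets no A record because it is outside the delegated zone. Passing an in-zone nameserver with no address raises, which is the unresolvable-delegation case the glue rule exists to prevent.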

Stub Zones

Stub zone — lightweight delegation tracking
zone "lab.example.com" IN {
    type stub;
    masters { 10.50.2.10; };
};

A stub zone keeps only the delegated zone's NS records (plus the SOA and the nameservers' glue addresses), refreshed from the listed masters. Lighter than a full slave: the server learns which servers are authoritative for the child and queries them directly, without hosting the zone data and without needing a forwarder.

See Also

  • Records — record types within zone files

  • Authoritative — master/slave architecture

  • BIND — named.conf zone declarations