The domain name system (DNS) is a hierarchical, globally distributed system for managing the data associated with Internet domains. A domain is a human-readable name that is easy to remember and to type by hand. One of the main tasks of the DNS is so-called name resolution, i.e. the mapping of domain names to IP addresses. That is why the DNS is one of the cornerstones of the Internet’s technical structure. Here are a few examples of name resolution:

Requested domain name    Returned IP address
example.com              93.184.216.34
ionos.ca                 74.208.255.132

On a technical level, the DNS consists of a network of name servers. But what is the connection between domain names and name servers? In other words, where is the information actually stored, and how is it kept separate for different domains? To help you understand this, we explain the concept of the DNS zone below.


What is a DNS zone?

The term DNS zone was coined by the Internet Engineering Task Force (IETF) in 1987. In the document RFC 1035, “Domain Names - Implementation And Specification”, the relationship between name servers and DNS zones is explained as follows.

Quote

“Name servers manage two kinds of data. The first kind of data held in sets called zones; each zone is the complete database for a particular ‘pruned’ subtree of the domain space. This data is called authoritative.” – Internet Engineering Task Force (IETF). Source: https://tools.ietf.org/html/rfc1035

A DNS zone is a part of the DNS namespace that is administered by a specific organization or person. In this sense, a DNS zone can be regarded as an administrative unit; it is neither the same thing as a domain nor the same thing as a specific name server. A DNS zone comprises at least one domain and, where applicable, further subdomains. However, subdomains can also be set up as separate zones.

What is a DNS zone file?

The DNS zone file is the technical basis for storing the DNS information of a zone. It is a text file stored in the file system of a server. The structure of a DNS zone file is also defined in the previously mentioned RFC 1035. By definition, a zone file has a line-based structure with one “directive” or “resource record” per line.

Directives begin with a dollar sign “$” and instruct the server to perform an action or apply a setting to the zone. For example, the “$INCLUDE” directive can be used to pull in additional child zone files, which is useful for modularizing the entries of a zone file. Normally all directives are listed at the beginning of the zone file.

The directives are followed by the actual DNS entries (resource records) for the zone being described. Exactly one SOA record must exist for each DNS zone. It must be the first entry in the zone file; it defines the structure of the zone and the parameters for exchanging zone data between name servers. The SOA entry is followed by further resource records. The most important ones include “A” records, which define server IP addresses, “MX” records, which define mail servers, and “NS” records, which list the authoritative name servers for the zone.
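To make the structure just described concrete, here is a small parser for the zone-file format, written as an added example for this article (it is not code from the article or from any DNS server). It works on a constructed zone for example.com: it strips “;” comments, joins the parenthesized SOA record back into one logical line, applies the $ORIGIN and $TTL directives, completes relative names such as “www” and “mail” to FQDNs with the trailing dot, and then runs the checks a server performs when loading a zone: exactly one SOA record and it comes first, an NS record at the zone apex, every record inside the zone, and a TTL for every record. The function and record names are my own and not an established API.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

CLASSES = {"IN", "CH", "HS"}  # RFC 1035 classes; practically everything is IN
# rdata positions that hold domain names and need the origin appended if relative
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}

# Constructed sample zone (hypothetical data): directives first, then the SOA,
# then the remaining resource records. "mail" in the MX rdata is relative.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2024010101 ; serial
                  7200       ; refresh
                  900        ; retry
                  1209600    ; expire
                  300 )      ; minimum
@       IN  NS    ns1.example.com.
@       IN  NS    ns2.example.com.
@       IN  MX    10 mail
ns1     IN  A     192.0.2.1
ns2     IN  A     192.0.2.2
mail    IN  A     192.0.2.10
www     IN  A     192.0.2.20
"""

# Constructed zone that violates the "SOA comes first" rule.
BAD_ZONE = """\
$ORIGIN example.net.
$TTL 300
www     IN  A     192.0.2.30
@       IN  SOA   ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 300
@       IN  NS    ns1.example.net.
"""


@dataclass(frozen=True)
class Record:
    name: str            # owner name as FQDN, trailing dot included
    ttl: Optional[int]
    rclass: str
    rtype: str
    rdata: Tuple[str, ...]


def _logical_lines(text: str) -> Iterator[str]:
    """Strip ';' comments and join lines continued inside parentheses."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses at end of zone file")


def _absolute(name: str, origin: str) -> str:
    """Complete a relative name to an FQDN using the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text: str, origin: Optional[str] = None) -> List[Record]:
    """Parse zone-file text. `origin` stands in for the zone name a server takes
    from its configuration; a $ORIGIN directive overrides it."""
    records: List[Record] = []
    default_ttl: Optional[int] = None
    last_owner: Optional[str] = None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            directive = tokens[0].upper()
            if directive == "$ORIGIN":
                origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            elif directive == "$TTL":
                default_ttl = int(tokens[1])
            else:
                raise ValueError(f"unsupported directive {directive}")
            continue
        # A line that starts with whitespace inherits the previous owner name.
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        if owner is None:
            raise ValueError("first record has no owner name")
        if origin is None:
            raise ValueError("no origin known: pass origin= or start with $ORIGIN")
        ttl, rclass = default_ttl, "IN"
        for _ in range(2):  # optional [<TTL>] [<class>] in either order
            if tokens and tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0].upper() in CLASSES:
                rclass = tokens.pop(0).upper()
        if not tokens:
            raise ValueError(f"record for {owner} has no type")
        rtype = tokens.pop(0).upper()
        rdata = list(tokens)
        for i in NAME_FIELDS.get(rtype, ()):
            if i < len(rdata):
                rdata[i] = _absolute(rdata[i], origin)
        records.append(Record(_absolute(owner, origin), ttl, rclass, rtype, tuple(rdata)))
        last_owner = owner
    return records


def validate_zone(records: List[Record]) -> List[str]:
    """Structural checks a server applies when loading a zone; [] means clean."""
    problems = []
    soa = [r for r in records if r.rtype == "SOA"]
    if len(soa) != 1:
        return [f"zone must contain exactly one SOA record, found {len(soa)}"]
    if records[0].rtype != "SOA":
        problems.append("SOA record must be the first record in the zone")
    apex = soa[0].name
    if not any(r.rtype == "NS" and r.name == apex for r in records):
        problems.append(f"no NS record at the zone apex {apex}")
    for r in records:
        if apex != "." and r.name != apex and not r.name.endswith("." + apex):
            problems.append(f"{r.name} is outside the zone {apex}")
        if r.ttl is None:
            problems.append(f"{r.name} {r.rtype} has no TTL and no $TTL default")
    return problems
```

Running `validate_zone(parse_zone(SAMPLE_ZONE))` returns an empty list, while the constructed `BAD_ZONE` is reported because its A record precedes the SOA. The parser deliberately does not implement $INCLUDE, since following file references from untrusted zone text is exactly the kind of behaviour that should be limited to the server's own configured directory.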

On a given name server, a zone file may exist as the writable original; the server hosting it is then the primary DNS server for that zone. If the zone file is a non-writable copy obtained from an external source, the server is referred to as a secondary DNS server. A zone file can authoritatively describe a DNS zone, or it can contain the contents of a DNS cache. Let’s take a closer look at the definition given in RFC 1035:

Quote

“The second kind of data is cached data which was acquired by a local resolver. This data may be incomplete, but improves the performance of the retrieval process when non-local data is repeatedly accessed. Cached data is eventually discarded by a timeout mechanism.” – Internet Engineering Task Force (IETF). Source: https://tools.ietf.org/html/rfc1035

If a zone can’t be found, for example because of a technical failure within a zone file, the name server responds to a corresponding request with the NXDOMAIN error message.

Note

In technical usage, the terms “DNS zone” and “DNS zone file” are often used synonymously.

What types of DNS zones exist?

The term DNS zone is used for several, sometimes quite different, concepts. Below we introduce a selection of the most common ones.

DNS root zone

The DNS root zone is the highest level in the hierarchical DNS namespace. It is represented in a domain name by a terminating dot. A domain name that includes this terminating dot is referred to as a “Fully Qualified Domain Name” (FQDN). For example, “example.com.” is the FQDN for the domain “example.com”; note the final dot after “.com” in the FQDN.

The DNS root zone is mirrored on the 13 root name servers of the DNS and contains information about the authoritative name servers for the top-level domains (TLDs). For example, by querying one of the DNS root name servers, you can find an authoritative name server for one of the country code top-level domains (ccTLDs). Nowadays the DNS root zone is signed with DNSSEC (Domain Name System Security Extensions), which secures it against falsification of DNS responses.

The restriction to exactly 13 DNS root name servers is of a technical nature. The root servers are assigned the domain names “a.root-servers.net” to “m.root-servers.net”. Thanks to anycast technology, a much larger number of physical servers is available to answer queries to the DNS root zone. The official website of the Root Server Technical Operations Association lists the root servers and their geographic locations.

Forward DNS zone and Reverse DNS zone

The concept of the DNS zone and the associated zone file described so far is used for the “forward DNS lookup”, i.e. resolving domain names into IP addresses. “A” records in the zone file serve this purpose. The term “forward zone” is sometimes also used for a completely different concept: the forwarding of DNS queries from a caching DNS resolver to an authoritative name server.

The counterpart of the forward lookup is the reverse DNS lookup. The adjective “reverse” indicates that the mechanism works the other way around from the forward DNS lookup: server IP addresses are translated into the corresponding domain names.

A “reverse lookup zone” is a separate zone file that defines the mapping of IP addresses to domain names. A reverse DNS zone file contains the same SOA and NS records as the corresponding forward lookup zone file. However, instead of “A” records, so-called “PTR” records are used. A “PTR” record associates an IP address written in the format “z.y.x.w.in-addr.arpa.” (the octets of the IPv4 address w.x.y.z in reverse order) with the corresponding domain name.
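As an added example (not code from the article), the following Python computes the in-addr.arpa owner name a PTR record needs for a given address, derives the PTR records a reverse zone would need from a forward zone’s A records, and checks that forward and reverse data agree, which is the “forward-confirmed reverse DNS” check mail servers and log-analysis tools rely on. It goes slightly beyond the article in that Python’s ipaddress module also produces the ip6.arpa form for IPv6 addresses. The forward and reverse record sets are constructed sample data, and the function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed forward-zone data: FQDN -> address (hypothetical, not real hosts).
FORWARD_A = {
    "ns1.example.com.": "192.0.2.1",
    "mail.example.com.": "192.0.2.10",
    "www.example.com.": "192.0.2.20",
}

# Constructed reverse-zone data: PTR owner -> target FQDN. Deliberately flawed:
# ns1 has no PTR, the PTR for .10 names the wrong host, and .99 is a stale entry.
REVERSE_PTR = {
    "20.2.0.192.in-addr.arpa.": "www.example.com.",
    "10.2.0.192.in-addr.arpa.": "mx.example.com.",
    "99.2.0.192.in-addr.arpa.": "old.example.com.",
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, as an FQDN with trailing dot.
    For 192.0.2.20 this is 20.2.0.192.in-addr.arpa.; IPv6 yields the nibble-reversed
    ip6.arpa form. Raises ValueError for text that is not an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_records(a_records: Dict[str, str]) -> Dict[str, str]:
    """PTR owner -> FQDN, i.e. the records a reverse zone needs for these A records.
    (If two names share one address only the last one survives; a real generator
    would keep several PTRs per address.)"""
    return {reverse_name(ip): name for name, ip in a_records.items()}


def check_forward_confirmed(a_records: Dict[str, str],
                            ptr_records: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare forward and reverse data. Returns sorted (kind, ptr_owner, detail)."""
    findings = []
    expected = reverse_zone_records(a_records)
    for owner, name in expected.items():
        actual = ptr_records.get(owner)
        if actual is None:
            findings.append(("missing-ptr", owner, f"no PTR for {a_records[name]} ({name})"))
        elif actual != name:
            findings.append(("ptr-mismatch", owner, f"PTR says {actual}, A record says {name}"))
    for owner, target in ptr_records.items():
        # PTRs for addresses with no A record at all: stale reverse entries.
        if owner not in expected:
            findings.append(("stale-ptr", owner, f"{target} has no A record for this address"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, owner, detail in check_forward_confirmed(FORWARD_A, REVERSE_PTR):
        print(f"{kind:13} {owner:28} {detail}")
```

Run against the constructed data, the check reports one finding of each kind. A reverse zone generated with `reverse_zone_records` from the forward zone has none, which is the state an operator wants after every change to the forward data.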

Primary DNS zone and secondary DNS zone

As previously mentioned, the terms “DNS zone” and “zone file” are often used interchangeably. Accordingly, in connection with primary and secondary DNS servers, people also speak of primary and secondary DNS zones. This refers to the zone file stored on a primary or secondary DNS server.

What is the difference between a DNS zone and a DNS server?

A DNS zone is an administrative concept. As a reminder, a DNS zone defines a part of the DNS namespace that is managed by a specific organization or person. In contrast, a DNS server is a physical part of the Internet’s technical infrastructure. A server can be authoritative for one or more zones. However, it can also be a DNS resolver that is not authoritative for any zone and merely caches the answers to DNS queries it has already resolved. It follows that a DNS zone cannot exist without a name server, whereas a name server does not necessarily define a DNS zone.
