DNS zone

A domain name system (DNS) is a hierarchical system distributed throughout the world for managing data associated with Internet domains. A domain is a human-readable name that is easy to remember and use manually. One of the main tasks of the DNS is the so-called name resolution, i.e. the assignment of domain names to IP addresses. That’s why, the DNS is one of the cornerstones of the Internet’s technical structure. Here are a few examples of name resolution:

On a technical level, the DNS consists of a network of name servers. But what is the connection between domain names and name servers? In other words, where is the information actually located and how is it delimited from each other for different domains? To help you understand this better, we’ll explain the concept of the DNS zone below.

The term DNS zone was coined by the Internet Engineering Task Force (IETF) in 1987. In the document RFC 1035 “Domain Names - Implementation And Specification” the correlation between name servers and DNS zones is explained as follows.

A DNS zone is a part of the DNS namespace that is administered by a specific organization or person. In this sense, a DNS zone can be looked at as an administrative unit; it is neither the same as the term domain nor a specific name server. A DNS zone comprises at least one domain and, if applicable, further subdomains. However, subdomains can also be implemented as separate zones.

The DNS zone file makes up the technical basis for storing the DNS information of a zone. It is a text file that is stored in the file system of a server. The structure of a DNS zone file is also defined in the previously mentioned document RFC 1035. By definition, a zone file has a line-based structure, with one “directive” or “resource record” per line.

Directives begin with a dollar sign “$” and instruct the server to perform an action or apply a setting to the zone. For example, the “$INCLUDE” directive can be used to include additional, child zone files. This is useful to modularize entries of the zone file. Normally all directives are listed at the beginning of the zone file.

After the directives follow the actual DNS entries (resource records) for the described zone. To do this, a precise SOA record must exist for each DNS zone. This must be the first entry in the zone file and defines the structure of the zone and the exchange of zone data between nameservers. The SOA entry is followed by other resource records. The most important resource records include “A” records for defining server IP addresses, “MX” records for defining mail servers, and “NS” records that contain authoritative name servers for the zone.

Based on a specific name server, a zone file may exist as a writable original. In this case, the hosting server is a primary DNS server. If the zone file exists as a non-writable copy obtained from an external source, it is referred to as a secondary DNS server. A zone file can authoritatively describe a DNS zone or contain contents of a DNS cache. Let’s take a closer look at the definition as written in the document RFC 1035:

If a zone can’t be found – for example because of a technical failure within a zone file – the name server will respond to a corresponding request with the NXDOMAIN error message.

The term DNS zone is used for several, sometimes quite different concepts. Below, we’ll introduce you to a selection of the most common terms.

The DNS root zone is the highest level in the hierarchical DNS namespace. It is represented in the domain name by a terminating dot. If a domain name contains the terminating dot, it is also referred to as a “Fully Qualified Domain Name” (FQDN). For example, “example.com.” is the FQDN for the domain “example.com.” Note the final dot after the “.com” in the FQDN.

The DNS root zone is mirrored on the 13 root name servers of the DNS and contains information about the authoritative name servers for top-level domains (TLD). For example, by requesting one of the DNS root name servers, you can find an authoritative name server for one of the country code top-level domains (ccTLDs). Nowadays, the DNS root zone is signed with DNSSEC (Domain Name System Security Extensions) and in doing so secured against falsification of the DNA responses.

The restriction to exactly 13 DNS root name servers is of a technical nature. The root servers are assigned the domain names “a.root-servers.net” to “m.root-servers.net.” By using anycast technology, a much higher number of physical servers is available to answer queries to the DNS root zone. The official website of the Root Server Technical Operations Association lists the root servers and points to their geographic locations.  

The concept of the DNS zone and the associated zone file described so far is used for “forward DNS Lookup” i.e. when domain names are dissolved and turned into IP addresses. “A” records are used in the zone file for this purpose. The term “forward zone” is sometimes also used to describe a completely different concept. This is the forwarding of DNS queries from a caching DNS resolver to an authoritative name server.

Similar to the forward lookup there is the “reverse DNS lookup”. The adjective “reverse” indicates that the mechanism works exactly the other way around than the forward DNS lookup: server IP addresses are translated into the corresponding domain names.

A “reverse lookup zone” is a separate zone file that defines the dissolution of IP addresses into domain names. A reverse DNS zone file contains the same SOA and NS records as the corresponding forward lookup zone file. However, instead of “A” records, so-called “PTR” records are used. A “PTR” record associates an IP address in the format “z.y.x.w.in-addr.arpa.” with the corresponding domain name.

As previously mentioned, the terms “DNS zone” and “zone file” are often used interchangeably. As such, in connection with primary and secondary DNS, servers are also referred to as primary and secondary DNS zones. This refers to the zone file that is stored on a primary or secondary DNS server.

A DNS zone is an administrative concept. As a reminder, a DNS zone defines a part of the DNS namespace that is managed by a specific organization or person. In contrast, a DNS server is a physical part of the Internet’s technical infrastructure. A server can be authoritative for one or more zones. However, it can also be a DNS resolver that is not authoritative for any zone and merely caches DNS queries that have already been answered. It follows that a DNS zone cannot exist without a name server, whereas a name server does not necessarily define a DNS zone.