Here is a real-world example zone file, the one used on 26 December 2022 for libreboot.org. This example is shown because it's quite fleshed out and includes e-mail configuration:
```
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns1.shlinux.org. leah.libreboot.org. (
                        20221230        ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
libreboot.org.  IN      NS      ns1.shlinux.org.
libreboot.org.  IN      NS      ns2.shlinux.org.
libreboot.org.  IN      CAA     0 issue "letsencrypt.org"
libreboot.org.  IN      CAA     0 iodef "mailto:email@example.com"
libreboot.org.  IN      A       188.8.131.52
libreboot.org.  IN      AAAA    2001:8b0:b95:1bb5::4
libreland       IN      A       184.108.40.206
libreland       IN      AAAA    2001:8b0:b95:1bb5::4
mail            IN      A       220.127.116.11
mail            IN      AAAA    2001:8b0:b95:1bb5::4
rsync           IN      A       18.104.22.168
rsync           IN      AAAA    2a01:7e00::f03c:91ff:fe1f:5810
av              IN      A       22.214.171.124
av              IN      AAAA    2a01:7e00::f03c:91ff:fe1f:5810
www             IN      A       126.96.36.199
www             IN      AAAA    2001:8b0:b95:1bb5::4
foo             IN      A       188.8.131.52
foo             IN      AAAA    2001:8b0:b95:1bb5::4
git             IN      A       184.108.40.206
git             IN      AAAA    2001:8b0:b95:1bb5::4
browse          IN      A       220.127.116.11
browse          IN      AAAA    2001:8b0:b95:1bb5::4
201707._domainkey IN    TXT     ( "v=DKIM1; k=rsa; s=email; "
        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDJmTvK63zUlEBiUkWKBzq+55cxGSX8I"
        "BCA5IpxfkRGgOYFIrYtVcvLKzFwfgQeHicrIIIhi9uYk9rH0e8OMk6Q3KPw78RKn8mD7LJk0NtZ0t0"
        "l/tF+Q4RXR7NlAGVQ7BDPg3QJeSBJZoZAGu4GQmhwX727DyiGVRf1xVtxwSY0j2VDd6wlw22CrT/t1"
        "282lYjcaDZhCcPCDdp6klLqBk4D6ljGCDWWzsbcY6Jk1y1j9DVKDXik54qMHyQi1SHs/MBEqaQYvIE"
        "LPnNvh2wmJMQ+ZQooo48q2wMyy3zkJrKJSL5iYa16alZbqn8Wsm1ZUezcSQ/"
        "70dwTQKfO6qv96+QIDAQAB" )
_dmarc          IN      TXT     "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rf=afrf; rua=mailto:firstname.lastname@example.org; ruf=mailto:email@example.com; pct=100"
libreboot.org.  IN      TXT     "v=spf1 a mx ip4:18.104.22.168 ip6:2001:8b0:b95:1bb5::4 -all"
libreboot.org.  IN      MX      10 mail
```
From the above, this line is of extreme importance:

```
20221230 ; Serial
```
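The serial is what tells the secondary name servers (the NS hosts above) that the zone has changed: they only transfer a fresh copy when the serial is newer than the one they hold, compared in the modular arithmetic of RFC 1982, so an edit saved without bumping it is invisible to them. The following is an added example, not code from this page or from ISC, that bumps a serial following the YYYYMMDDnn convention that the 20221230 value above fits into. The zone text and hostnames in it are constructed, and it assumes the serial sits on its own line with a `; Serial` comment, as in the zone above.

```python
"""Bump the SOA serial of a BIND zone file (YYYYMMDDnn convention).

Added example, not code from the fedfree.org page. Assumes the serial sits
on its own line followed by a '; Serial' comment, as in the zone above.
"""
import datetime
import re

SERIAL_LINE = re.compile(r"^(\s*)(\d+)(\s*;\s*Serial\b.*)$", re.IGNORECASE | re.MULTILINE)
TWO32 = 2 ** 32


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: is `a` newer than `b`? (wraps modulo 2^32)"""
    return 0 < (a - b) % TWO32 < 2 ** 31


def next_serial(current, today):
    """Smallest sensible serial newer than `current`; `today` is an int YYYYMMDD.

    A bare date (such as 20221230) or any older value becomes today's date
    plus '01'. A serial already at or past today's prefix is simply
    incremented, so two edits on one day give ...01 and ...02, and a
    hand-set larger value keeps growing rather than going backwards.
    """
    base = today * 100
    if current < base:
        return base + 1
    return (current + 1) % TWO32          # 0 follows 4294967295 in serial arithmetic


def bump_zone(zone_text, today=None):
    """Return (new_text, old_serial, new_serial); refuse ambiguous files."""
    if today is None:
        today = int(datetime.date.today().strftime("%Y%m%d"))
    hits = list(SERIAL_LINE.finditer(zone_text))
    if len(hits) != 1:
        raise ValueError(f"expected exactly one '; Serial' line, found {len(hits)}")
    m = hits[0]
    old = int(m.group(2))
    new = next_serial(old, today)
    assert serial_gt(new, old)            # secondaries only transfer when this holds
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


# Constructed sample SOA in the same layout as the zone above (example hosts).
SAMPLE_SOA = """\
$TTL 604800
@ IN SOA ns1.example.net. hostmaster.example.org. (
        20221230 ; Serial
        604800   ; Refresh
        86400    ; Retry
        2419200  ; Expire
        604800 ) ; Negative Cache TTL
"""

if __name__ == "__main__":
    text, old, new = bump_zone(SAMPLE_SOA, today=20221231)
    print(f"serial {old} -> {new}")
    print(text)
```

Run it before reloading the zone; `bump_zone` refuses a file with zero or several `; Serial` lines rather than guessing, and the `serial_gt` check guards against a hand-edited value that would look older to the secondaries.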
When you make changes to the zone file, do not save them until the following conditions are met:
The crypto key above is a public key generated by OpenDKIM, which I use for my mail server. The public key goes in your DNS records so that receiving mail servers can verify that the emails they received really came from your server: the private key (which you should never share) is used to sign the emails, and the published public key is used to check those signatures. This is not a replacement for GPG, but it is used by mail servers for authentication purposes.
The TXT record holding the SPF record is also important. I specifically enter the exact IP addresses used by my mail server, and I ensure that only those IPs are set on that host. Alternatively, where multiple IPs are set on the host, I block the mail server from sending out on the undesirable ones.
The MX record is also email-related. Email guides will be available on the Fedfree site before long, if not already available by the time you read this.
The A/AAAA records are domain pointers, resolving to specific IPs. For example, the `libreboot.org.` entry is for when someone only wants to resolve the top-level domain; the `www` entry is for `www.libreboot.org`, and the `av` entry is for `av.libreboot.org`. You get the idea.
I generally avoid using CNAME records in my zone files, but it’s up to you how you use DNS for your purposes.
This is pretty much a full config, the type that you would see on a typical web hosting solution. I run a lot of stuff on libreboot.org. Some of the entries in this zone file are even ancient and should probably be cleaned up.
The Refresh line, with its corresponding number, is the TTL, meaning how long it should be before a caching resolver flushes its entry for the given zone.
You will note that IPv4 and IPv6 addresses are present in this zone file. This is because I always run dual stack IPv4 and IPv6 on my infrastructure. Even my personal workstation always has IPv6 on it. I consider IPv4 to be legacy internet, and IPv6 is the real internet, or at least the current version of it. Everyone should abandon IPv4 as soon as possible. I consider the presence of A records in my zone files to be for backwards compatibility purposes.
That’s what IPv4 support is. Backwards compatibility. This is the attitude that every ISP should have.
Feel free to adapt this config for your domain setup.
NOTE: the entry at the top that says `leah.libreboot.org` is actually an email address, firstname.lastname@example.org, but in zone files you use the dot instead of the at sign.
If you're making TLS setups (https://), you should enable CAA. It can be used to allow only your preferred CA to issue certs.
CAA records exist in the above example. More info on these pages:
Handy dandy CAA record generator (use for BIND):
ISC's BIND documentation is available here:
You might find useful information pertaining to zone files.
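Several of the points above can be checked mechanically against the zone file itself: the SOA contact written with a dot in place of the at sign, SPF naming exactly the addresses the mail host actually uses (a stale `ip4:`/`ip6:` term keeps authorising an address you no longer control), and CAA restricting which CA may issue. The following is an added example, not code from this page or from ISC, that parses the zone syntax used above and reports such mismatches. The sample zone, hostnames and addresses in it are constructed, and its handling of BIND syntax is limited to what the example zone exercises ($TTL, `@`, relative names, parenthesised continuations, comments and multi-string TXT).

```python
"""Parse a BIND zone file and lint its SOA contact, SPF and CAA records.
Added example, not code from the fedfree.org page; it handles the syntax used in
the zone above ($TTL, '@', relative names, ( ) continuations, ';' comments and
multi-string TXT). The sample zone uses RFC 5737/3849 documentation addresses."""
import ipaddress
import shlex
from collections import namedtuple

Record = namedtuple("Record", "name rtype rdata")

def _strip_comment(line):
    out, quoted = [], False       # a ';' inside "..." is data, not a comment
    for ch in line:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)

def _logical_lines(text):
    """Yield comment-free lines, joining ( ... ) continuations into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined

def _absolute(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return Record(name, rtype, rdata) tuples with fully qualified owner names."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], origin
    for line in _logical_lines(text):
        tokens = shlex.split(line)    # also strips the quotes around TXT strings
        if tokens[0].startswith("$"):
            continue                  # $TTL/$ORIGIN: origin comes from the argument
        if not line[0].isspace():     # owner present; otherwise the previous one
            owner = tokens.pop(0)
        if tokens[0].isdigit():
            tokens.pop(0)             # optional per-record TTL
        if tokens[0] == "IN":
            tokens.pop(0)
        records.append(Record(_absolute(owner, origin), tokens[0], tokens[1:]))
    return records

def rname_to_email(rname):
    """SOA RNAME 'leah.libreboot.org.' -> 'leah@libreboot.org' (first dot is the @)."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

def txt(records, name, prefix):
    """Concatenated TXT rdata at `name` starting with `prefix`, or ''."""
    for r in records:
        if r.name == name and r.rtype == "TXT" and "".join(r.rdata).startswith(prefix):
            return "".join(r.rdata)
    return ""

def lint_spf_and_caa(records, origin):
    """Return findings as strings; an empty list means every check passed."""
    origin = origin if origin.endswith(".") else origin + "."
    findings, addrs = [], {}
    for r in records:
        if r.rtype in ("A", "AAAA"):
            addrs.setdefault(r.name, set()).add(ipaddress.ip_address(r.rdata[0]))
    zone_ips = set().union(*addrs.values())
    terms = txt(records, origin, "v=spf1").split()
    if not terms:
        findings.append("no SPF record at the apex")
    nets = {ipaddress.ip_network(t.split(":", 1)[1], strict=False)
            for t in terms if t.startswith(("ip4:", "ip6:"))}
    for net in nets:                  # an IP that no host uses is probably stale
        if not any(ip in net for ip in zone_ips):
            findings.append(f"SPF lists {net} but no A/AAAA in the zone uses it")
    mx_hosts = {_absolute(r.rdata[1], origin) for r in records if r.rtype == "MX"}
    for ip in set().union(*(addrs.get(h, set()) for h in mx_hosts)):
        if "mx" not in terms and not any(ip in net for net in nets):
            findings.append(f"MX address {ip} is not allowed to send by SPF")
    if not any(r.rtype == "CAA" and r.name == origin and r.rdata[1] == "issue" for r in records):
        findings.append("no CAA issue record: any public CA may issue for this name")
    return findings

# Constructed sample zone; 198.51.100.9 is deliberately listed in SPF but unused.
SAMPLE_ZONE = """\
$TTL 604800
@       IN  SOA ns1.example.net. hostmaster.example.org. (
                2022123001 604800 86400 2419200 604800 )  ; serial refresh retry expire neg-ttl
@       IN  CAA     0 issue "letsencrypt.org"
@       IN  A       192.0.2.10
mail    IN  A       192.0.2.25
mail    IN  AAAA    2001:db8::25
@       IN  TXT     "v=spf1 mx ip4:192.0.2.25 ip6:2001:db8::25 ip4:198.51.100.9 -all"
@       IN  MX      10 mail
"""
```

On the sample, `lint_spf_and_caa(parse_zone(SAMPLE_ZONE, "example.org"), "example.org")` returns one finding, for the unused 198.51.100.9; delete the CAA line or drop the `mx` mechanism and the other two checks fire. The parser is intentionally small: it takes the origin as an argument instead of honouring `$ORIGIN`, and it does not handle escaped dots in the RNAME.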
Markdown file for this page: https://fedfree.org/docs/dns/zonefile-bind.md