Bind9 zone file configuration

Return to index

Here is a real world example zone file, the one used on 26 December 2022 for - this example is shown, because its quite fleshed out, and includes e-mail configuration:

; BIND data file for local loopback interface
$TTL	604800
@	IN	SOA (
		       20221230		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;	IN	NS  IN      NS	IN	CAA	0 issue ""	IN	CAA	0 iodef ""	IN	A  IN      AAAA    2001:8b0:b95:1bb5::4
libreland	IN	A
libreland	IN	AAAA	2001:8b0:b95:1bb5::4
mail		IN	A
mail		IN	AAAA	2001:8b0:b95:1bb5::4
rsync		IN	A
rsync		IN	AAAA	2a01:7e00::f03c:91ff:fe1f:5810
av		IN	A
av		IN	AAAA	2a01:7e00::f03c:91ff:fe1f:5810
www		IN	A
www		IN	AAAA	2001:8b0:b95:1bb5::4
foo		IN	A
foo		IN	AAAA	2001:8b0:b95:1bb5::4
git		IN	A
git		IN	AAAA	2001:8b0:b95:1bb5::4
browse		IN	A
browse		IN	AAAA	2001:8b0:b95:1bb5::4
201707._domainkey IN	TXT	 ( "v=DKIM1; k=rsa; s=email; "
_dmarc		IN	TXT	"v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rf=afrf;;; pct=100"	IN	TXT	"v=spf1 a mx ip4: ip6:2001:8b0:b95:1bb5::4 -all" 	IN	MX	10 mail

Always update the serial string!

From the above, this line is of extreme importance:

		       20221230		; Serial

When you make changes to the zone file, do not save them until the following conditions are met:

Other entries in the above example

DKIM public key

The crypto key above is a public key generated by OpenDKIM, which I use for my mail server. This public key goes in your DNS records, so that mail servers can verify emails received really came from your server, because the private key (which you should never share) is used to sign emails. This is not a replacement for GPG, but it is used by mail servers for authentication purposes.


The TXT record showing SPF record is also important. I specifically enter the exact IP addresses used by my mail server, and I ensure that only those IPs are set on that host. Alternatively, I block the mail server from sending out on undesirable IP addresses, where multiple IPs are set.

The MX record is also email-related. Email guides will be available on the Fedfree site before long, if not already available by the time you read this.

A/AAAA records

The A/AAAA records are domain pointers, resolving to specific IPs. For example, the entry is for when someone only wants to resolve the top level domain; the www entry is for, and the av entry is for You get the idea.

I generally avoid using CNAME records in my zone files, but it’s up to you how you use DNS for your purposes.

This is a pretty much full config, the type that you would see on a typical webhosting solution. I run a lot of stuff, on Some of the entries in this zone file are even ancient, and should probably be cleaned up.

SOA section

The Refresh line with the corresponding number is TTL, meaning how long it should be before a caching resolver flushes its entry for the given zone.

Dual stack IPv4/IPv6

You will note that IPv4 and IPv6 addresses are present in this zone file. This is because I always run dual stack IPv4 and IPv6 on my infrastructure. Even my personal workstation always has IPv6 on it. I consider IPv4 to be legacy internet, and IPv6 is the real internet, or at least the current version of it. Everyone should abandon IPv4 as soon as possible. I consider the presence of A records in my zone files to be for backwards compatibility purposes.

That’s what IPv4 support is. Backwards compatibility. This is the attitude that every ISP should have.

Feel free to adapt this config for your domain setup.

Email address (SOA section)

NOTE: the entry at the top that says is actually an email address,, but in zone files you use the dot instead of the at sign.


If you’re making TLS setups (https://), you should enable CAA. It can be used to allow only your preferred CA to issue certs.

CAA records exist, in the above example. More info on these pages:

Handy dandy CAA record generator (use for BIND):


ISC’s BIND documentation is available here:

You might find useful information, pertaining to zone files.

Markdown file for this page:

Site map

This HTML page was generated by the untitled static site generator.