How to Write a BIND Zone File

A practical guide to DNS zone file syntax and record types

What Is a Zone File?

A zone file is a plain text file that describes a DNS zone -- a portion of the Domain Name System namespace. It contains mappings between domain names and IP addresses, mail server preferences, and other DNS data. Zone files are used by BIND (Berkeley Internet Name Domain), the most widely deployed DNS server software.

Each zone file is authoritative for a particular domain. For example, a zone file for example.com would contain all the DNS records for that domain and its subdomains.

Zone File Structure

A zone file consists of directives and resource records. The most important directive is the $TTL directive, which sets the default Time To Live for records in the zone.

Here's the general structure:

$TTL 3600                    ; Default TTL (1 hour)

; SOA Record
@   IN  SOA  ns1.example.com. admin.example.com. (
                2024010101   ; Serial number
                7200         ; Refresh (2 hours)
                3600         ; Retry (1 hour)
                1209600      ; Expire (2 weeks)
                3600         ; Minimum TTL (1 hour)
)

; NS Records
@   IN  NS   ns1.example.com.
@   IN  NS   ns2.example.com.

; A Records
@   IN  A    93.184.216.34
www IN  A    93.184.216.34

; AAAA Records
@   IN  AAAA 2606:2800:0220:0001:0248:1893:25c8:1946

; MX Records
@   IN  MX   10 mail.example.com.

; TXT Records
@   IN  TXT  "v=spf1 mx -all"

The SOA Record

Every zone file must begin with a Start of Authority (SOA) record. The SOA record identifies the primary nameserver for the zone and contains parameters that control how secondary nameservers replicate the zone data.

SOA Record Fields

| Field | Description | Typical Value |
|---|---|---|
| Primary NS | The primary nameserver for this zone | ns1.example.com. |
| Admin Email | Zone administrator email (@ replaced with .) | admin.example.com. |
| Serial | Version number -- must increment on every change | 2024010101 |
| Refresh | How often secondaries check for updates (seconds) | 7200 (2 hours) |
| Retry | Wait before retrying a failed refresh (seconds) | 3600 (1 hour) |
| Expire | When secondaries stop serving the zone if they can't refresh (seconds) | 1209600 (2 weeks) |
| Minimum TTL | Used for negative caching, together with the SOA record TTL | 3600 (1 hour) |

Important: The serial number is critical. Secondary nameservers compare the serial number to decide whether to transfer a new copy of the zone. A common convention is to use a date-based format: YYYYMMDDnn where nn is a two-digit revision number for that day.
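A serial that fails to increase leaves secondaries serving the old zone, so the bump is worth automating. The sketch below is an added example, not part of the original guide: it reads the serial from an SOA laid out as above and computes the next YYYYMMDDnn value without ever going backwards. The function names and the choice to start each day at nn = 01 are assumptions of this example.

```python
import re
from datetime import date

# Constructed sample: the SOA layout used in this guide.
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA  ns1.example.com. admin.example.com. (
                2024010101   ; Serial number
                7200         ; Refresh (2 hours)
                3600         ; Retry (1 hour)
                1209600      ; Expire (2 weeks)
                3600         ; Minimum TTL (1 hour)
)
"""

# First integer after "SOA <primary-ns> <admin> (", skipping comment-only lines.
SOA_SERIAL = re.compile(
    r"\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*(\d+)", re.IGNORECASE)

def read_serial(zone_text):
    """Return the SOA serial as an int, or raise if no SOA is found."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group(1))

def next_serial(current, today):
    """Next YYYYMMDDnn serial, always strictly greater than `current`."""
    first_today = int(today.strftime("%Y%m%d")) * 100 + 1   # YYYYMMDD01
    # If the stored serial is already at or past today's first value (several
    # edits today, or a serial that ran ahead of the calendar), just add one.
    new = max(first_today, current + 1)
    if new > 0xFFFFFFFF:                    # the serial is a 32-bit field
        raise ValueError("serial does not fit in 32 bits")
    return new

def bump_serial(zone_text, today):
    """Return the zone text with only the serial digits replaced."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    new = next_serial(int(m.group(1)), today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):]
```

After the hundredth edit in one day the value spills into the next date's range (2024010199 becomes 2024010200), which breaks the date convention but still increases, and increasing is the property secondaries depend on.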

NS Records

NS (Name Server) records identify the authoritative nameservers for the zone. A valid zone must have at least one NS record, but in practice you should publish at least two for redundancy.

@   IN  NS   ns1.example.com.
@   IN  NS   ns2.example.com.

The @ symbol refers to the zone origin (the domain itself). Note the trailing dot on the nameserver hostnames -- this is essential (see common errors).

A and AAAA Records

A records map a hostname to an IPv4 address. AAAA records map a hostname to an IPv6 address.

; IPv4
@       IN  A     93.184.216.34
www     IN  A     93.184.216.34
mail    IN  A     93.184.216.35

; IPv6
@       IN  AAAA  2606:2800:0220:0001:0248:1893:25c8:1946

CNAME Records

CNAME (Canonical Name) records create aliases that point to another domain name. They are useful when you want multiple names to resolve to the same address.

www     IN  CNAME  example.com.
blog    IN  CNAME  example.com.
shop    IN  CNAME  myshop.shopify.com.

Important restriction: A CNAME record cannot coexist with any other record type at the same name. You cannot have a CNAME and an A record for the same subdomain. Similarly, the zone apex (@) typically cannot be a CNAME because it must have SOA and NS records.
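Both the CNAME restriction and the trailing-dot note from the NS section can be checked mechanically before a zone is loaded. The following lint is an added example, not part of the original guide. It assumes single-line records (it does not follow parenthesised continuations), and it treats a target that contains dots but no final dot as suspicious, which is a heuristic; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: "www" has a CNAME plus an A; one NS target lacks its dot.
SAMPLE_ZONE = """\
$TTL 3600
@     IN  NS     ns1.example.com.
@     IN  NS     ns2.example.com      ; trailing dot forgotten
www   IN  CNAME  example.com.
www.example.com.  IN  A  93.184.216.34
blog  IN  CNAME  example.com.
@     IN  TXT    "v=spf1 mx -all; this semicolon is data"
"""

TOKEN = re.compile(r'"[^"]*"|;.*|[^\s;"]+')  # quoted string, comment, bare word
TARGET_TYPES = {"NS", "CNAME", "MX", "SRV", "PTR"}  # rdata ends in a hostname

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    name = origin if name == "@" else name
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse(zone_text):
    """Yield (owner, type, rdata tokens); single-line records only."""
    owner = "@"
    for line in zone_text.splitlines():
        toks = [t for t in TOKEN.findall(line) if not t.startswith(";")]
        if not toks or toks[0].startswith("$"):
            continue                        # blank, comment or directive
        if not line[0].isspace():
            owner = toks.pop(0)             # indented lines reuse the owner
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)                     # optional TTL and class
        if toks:
            yield owner, toks[0].upper(), toks[1:]

def lint(zone_text, origin):
    """Return sorted findings for CNAME clashes and dot-less targets."""
    seen, findings = defaultdict(set), []
    for owner, rtype, rdata in parse(zone_text):
        seen[fqdn(owner, origin)].add(rtype)
        target = rdata[-1] if rdata else ""
        if rtype in TARGET_TYPES and "." in target and not target.endswith("."):
            findings.append(f"{rtype} target {target} expands to {fqdn(target, origin)}")
    for name, types in seen.items():
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append(f"{name} has CNAME alongside {others}")
    return sorted(findings)
```

Owner names are expanded to fully qualified form before comparison, so `www` and `www.example.com.` are recognised as the same name, and the semicolon inside the quoted TXT value is not mistaken for a comment.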

MX Records

MX (Mail Exchanger) records specify which mail servers accept email for the domain. Each MX record has a priority value -- lower numbers indicate higher priority.

@   IN  MX  10  mail1.example.com.
@   IN  MX  20  mail2.example.com.
@   IN  MX  30  mail-backup.example.com.

In this example, mail is first sent to mail1 (priority 10). If it's unavailable, mail2 (priority 20) is tried, then mail-backup (priority 30).

TXT Records

TXT records hold arbitrary text data. They're commonly used for SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and domain verification.

; SPF record
@   IN  TXT  "v=spf1 mx a:mail.example.com -all"

; DKIM record
dkim._domainkey  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqG..."

; Domain verification
@   IN  TXT  "google-site-verification=abc123..."

TXT record data is made up of one or more character-strings. In BIND master files, quoted strings are the safest way to write TXT records because spaces otherwise split the value into multiple strings. If the value exceeds 255 characters, it must be split into multiple quoted strings.
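Long DKIM keys are where the 255-character limit usually bites. The helper below is an added example, not part of the original guide: it splits a value into quoted strings of at most 255 bytes, escapes quotes and backslashes, and rejoins the strings with no separator, which is how SPF and DKIM verifiers read a multi-string TXT record. The function names are this example's own and the key body is filler.

```python
import re

QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')   # one quoted string, escapes allowed

def escape_chunk(chunk):
    """Render bytes as the inside of one quoted master-file string."""
    out = []
    for b in chunk:
        if b in (0x22, 0x5C):              # '"' and '\' need a backslash
            out.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:            # printable ASCII passes through
            out.append(chr(b))
        else:                              # everything else as \DDD decimal
            out.append(f"\\{b:03d}")
    return "".join(out)

def txt_rdata(value, limit=255):
    """Split value into quoted strings of at most `limit` bytes each."""
    raw = value.encode("utf-8")
    # The limit applies to the data bytes, so chunk first and escape afterwards.
    chunks = [raw[i:i + limit] for i in range(0, len(raw), limit)] or [b""]
    return " ".join(f'"{escape_chunk(c)}"' for c in chunks)

def joined_value(rdata):
    """Undo the escaping and concatenate the strings with no separator."""
    out = bytearray()
    for body in QUOTED.findall(rdata):
        out += re.sub(rb"\\(\d{3}|.)",
                      lambda m: bytes([int(m[1])]) if len(m[1]) == 3 else m[1],
                      body.encode("ascii"))
    return bytes(out)

def txt_record(owner, value):
    """Format a complete TXT line in the layout used in this guide."""
    return f"{owner}  IN  TXT  {txt_rdata(value)}"

# Constructed sample: DKIM-style value; "A" * 400 is filler, not a real key.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 400
```

Because the strings are joined without a space, a split may fall anywhere in the value, including the middle of the base64 key.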

SRV Records

SRV (Service) records define the location of specific services. They're used by protocols like SIP, XMPP, and LDAP.

; Format: _service._proto.name  TTL  IN  SRV  priority weight port target
_sip._tcp.example.com.  3600  IN  SRV  10  60  5060  sipserver.example.com.
_xmpp._tcp.example.com. 3600  IN  SRV  10  0   5222  xmpp.example.com.

PTR Records

PTR (Pointer) records are used in reverse DNS zones to map IP addresses back to hostnames. They're typically managed in special in-addr.arpa zones.

; Reverse DNS for 93.184.216.34
34.216.184.93.in-addr.arpa.  IN  PTR  example.com.

Key Syntax Rules

Complete Example Zone File

Here is a complete, working zone file for example.com with common record types:

$TTL 3600

@   IN  SOA  ns1.example.com. admin.example.com. (
                2024010101   ; Serial
                7200         ; Refresh
                3600         ; Retry
                1209600      ; Expire
                3600         ; Minimum TTL
)

; Nameservers
@           IN  NS      ns1.example.com.
@           IN  NS      ns2.example.com.

; Nameserver address records for in-zone nameservers
ns1         IN  A       93.184.216.2
ns2         IN  A       93.184.216.3

; Web server
@           IN  A       93.184.216.34
@           IN  AAAA    2606:2800:0220:0001:0248:1893:25c8:1946
www         IN  CNAME   example.com.

; Mail
@           IN  MX      10 mail.example.com.
mail        IN  A       93.184.216.35

; SPF and DKIM
@           IN  TXT     "v=spf1 mx -all"
dkim._domainkey IN TXT  "v=DKIM1; k=rsa; p=MIGfMA0..."

; Other services
ftp         IN  CNAME   example.com.
vpn         IN  A       93.184.216.40
