A DNS zone is any distinct, contiguous portion of the domain name space in the Domain Name System (DNS) for which administrative responsibility has been delegated to a single manager.
The domain name space of the Internet is organized into a hierarchical layout of subdomains below the DNS root domain. The individual domains of this tree may serve as delegation points for administrative authority and management. However, usually it is furthermore desirable to implement fine-grained boundaries of delegation, so that multiple sub-levels of a domain may be managed independently. Therefore the domain name space is partitioned into areas (zones) for this purpose. A zone starts at a domain and extends downward in the tree to the leaf nodes or to the top-level of subdomains where other zones start.
A DNS zone is implemented in the configuration system of a domain name server. Historically, it is defined in the zone file, an operating system text file that starts with the special DNS record type Start of Authority (SOA) and contains all records for the resources described within the zone. This format was originally used by the Berkeley Internet Name Domain Server (BIND) software package, and is defined in RFC 1034 and RFC 1035.
Domains and zones
Most top-level domain name registry operators offer their name spaces to the public or to entities with mandated geographic or otherwise scoped purpose for registration of second-level domains. Similarly an organization in charge of a lower level domain may operate its name space similarly and subdivide its space.
Each registration or allocation of subdomain space obligates the registrant to maintain an administrative and technical infrastructure to manage the responsibility for its zone, including sub-delegation to lower-level domains. Each delegation confers essentially unrestricted technical autonomy over the allocated space. An area of one or more subdomains that has been delegated for management is called a DNS zone. A zone always starts at a domain boundary to include all leaf nodes (hosts) in the domain, or it ends at the boundary of another independently managed zone.
Forward DNS zones
DNS zones contain the records for the mapping of domain names to IP addresses or other information. The resolution of a domain name to its assigned information is also referred to as forward resolution and the DNS zones associated with such processes are often referred to as forward zones.
The term arose as the opposite of reverse zones, which are used for the reverse process: finding the DNS name associated with an IP address. Such reverse zones are maintained in the Internet Address and Routing Parameter Area (domain arpa).
Another common use of the term forward zone refers to a specific configuration of DNS name servers, particularly caching name servers, in which resolution of a domain name is forwarded to another name server that is authoritative for the domain in question, rather than being answered from the established cache memory.
Internet infrastructure DNS zones
The top-level domain arpa serves as a delegation zone for various technical infrastructure aspects of DNS and the Internet, and does not implement the registration and delegation system of the country and generic domains. The name arpa is a remnant of the ARPANET, one of the predecessor stages of the Internet. Intended as a transitional aid to the DNS system, deleting the domain arpa was later found to be impractical. Consequently, the name was officially redefined as an acronym for Address and Routing Parameter Area. It contains sub-zones used for reverse resolution of IP addresses to host names (IPv4: in-addr.arpa, IPv6: ip6.arpa), telephone number mapping (ENUM, e164.arpa), and uniform resource identifier resolution (uri.arpa, urn.arpa).
Although the administrative structure of this domain and its sub-domains is different, the technical delegation into zones of responsibility is similar and the DNS tools and servers used are identical to any other zone. Sub-zones are delegated by components of the respective resources. For example, 188.8.131.52.184.108.40.206.0.8.1.e164.arpa., which might represent an E.164 telephone number in the ENUM system, might be sub-delegated at suitable boundaries of the name. An examples of an IP addresses in the reverse DNS zone is 220.127.116.11.in-addr.arpa, which represents the address 18.104.22.168 and resolves to the domain name www.example.com. In the case of IP addresses, the reverse zones are delegated to the Internet service provider (ISP) to which the IP address block is assigned. When an ISP allocates a range to a customer, it usually also delegates the management of that space to the customer by insertion of name server resource records pointing to the customers DNS facilities into their zone, or provides other management tools. Allocations of single IP addresses for networks connected through network address translation (NAT) typically are not provided such facilities.
As an example of the DNS resolving process, consider the role of a recursive DNS resolver attempting to look up the address "en.wikipedia.org.". It begins with a list of addresses for the most authoritative name servers it knows about – the root zone name servers (indicated by the full stop or period), which contains name server information for all top-level domains of the Internet.
When querying one of the root name servers, it is possible that the root zone will not directly contain a record for "en.wikipedia.org.", in which case it will provide a referral to the authoritative name servers for the "org." top level domain (TLD). The resolver is issued a referral to the authoritative name servers for the "org." zone, which it will contact for more specific information. Again when querying one of the "org." name servers, the resolver may be issued with another referral to the "wikipedia.org." zone, whereupon it will again query for "en.wikipedia.org.". Since (as of July 2010[update]) "en.wikipedia.org." is a CNAME to "text.wikimedia.org." (which is in turn a CNAME to "text.esams.wikimedia.org."), and the "wikipedia.org." name servers also happen to contain authoritative data for the "wikimedia.org." zone, the resolution of this particular query occurs entirely within the queried name server, and the resolver will receive the address record it requires with no further referrals.
If the last name server queried did not contain authoritative data for the target of the CNAME, it would have issued the resolver with yet another referral, this time to the zone text.wikimedia.org.. However, since the resolver had previously determined the authoritative name servers for the zone org., it does not need to begin the resolution process from scratch but instead start at zone org., thus avoiding another query to the root name servers.
There is no requirement that resolving should involve any referrals at all. Looking up en.wikipedia.org. on the root name servers always results in referrals, but if an alternative DNS root is used which is set up to contain a record for en.wikipedia.org., then the record is returned on the first query.
- D.B.Terry, M. Painter, D.W.Riggle, S.Zhou, University of California Berkeley, The Berkeley Internet Name Domain Server, Report No. UCB/CSD 84/182 (1984)