Zone settings

This page can be used to manipulate general zone settings and, in the case of a DNSSEC-enabled zone, to access any signing keys associated with the zone. New DNSSEC keys can also be added via the Add DNSSEC key page, accessible from the menu bar.

General settings

Enable zone

When this setting is on, the zone is served normally to secondaries, and other requests for it that reach the hidden primary server on NameSurfer are answered. If the setting is turned off, NameSurfer stops answering all such requests. Please note that secondaries are not reconfigured automatically: they stop serving the disabled zone only when their TTL has expired and they cannot get an update from NameSurfer. If you want the secondaries to stop serving the zone immediately, remove the REMSEC records from the disabled zone; this removes the zone from the secondaries automatically.

Default TTL value for zone records

Changing this setting alters the default TTL (time-to-live) value given to new resource records in the zone. If this value has not previously been set for the zone, the field is pre-filled with the value from the zone's SOA minimum TTL field, which is also used as the minimum TTL if this value is not set. The format of this field is an integer, denoting the number of seconds for the default time-to-live of resource records.

Enable DNSSEC

Turning this setting on makes the zone ready for DNSSEC-secured use. When this setting is off, adding or manipulating DNSSEC keys on the zone is not possible, and any DNSSEC functionality on the hidden primary server is also unavailable. To allow DNSSEC-secured data to be returned by the server, the zone needs to be equipped with one or more signing keys in addition to selecting this option. Turning this option off does NOT delete existing signatures from the zone; it only turns off signing of subsequent updates. To remove existing signatures, disable all zone signing keys first, before turning the option off.

Use NSEC3 denial of existence authentication (DNSSEC only)

This setting allows the use of NSEC3 records instead of NSEC records for authenticated denial of existence. Enabling this setting does not switch the zone to NSEC3 immediately. Instead, it disables the use of NSEC3-incompatible key types for zone signing and adds the NSEC3PARAM definition box to the settings page. Unless an NSEC3PARAM has previously been set for the zone, the NSEC records of the zone are replaced by NSEC3 records only after an NSEC3PARAM record is defined. If this setting is in use, there MUST be at least one active zone signing key of an NSEC3-compatible type; otherwise the zone data will not be signed at all. If this setting is off, both NSEC3-compatible and non-NSEC3-compatible active keys are used for signing. Turning this option off does NOT immediately remove existing NSEC3 data from the zone; it only switches subsequent updates to use traditional NSEC records. To remove NSEC3 records, remove the NSEC3PARAM record first, before turning the option off.

Zone specific change log collection time

Changing this setting allows the user to adjust how long the DNS change log is stored for a zone. The change log is used for the DNS undo function as well as for incremental zone transfers from the server, so this setting controls how old changes can still be seen and undone, and for how long a zone can be updated to a secondary server using IXFR without falling back to a full AXFR zone transfer. The default value for this setting is set in the DNS server component configuration file server.conf, and is typically 90 days on a standard clean NameSurfer installation. If the value for a zone is not specifically set on the settings page, the server default is always used as the change log cleanup threshold.

In most cases, this value should be at least a few days to allow incremental transfers. However, when there are frequently updating secondary zones in the system (e.g. from Microsoft AD), it can be useful to not collect a change log at all, to avoid system congestion caused by the collection of change data that is not needed. If long-term storage of change data is needed for change accounting purposes, the cleanup threshold can be adjusted up to 3650 days. However, on large zones that are very frequently adjusted or updated by dynamic DNS, this can lead to the collection of a huge amount of change data, which can slow down the system and cause undesired database growth.

Use TSIG key for outbound DNS messages

If outbound DNS messages associated with this zone - i.e. change notifications (RFC 1996 DNS NOTIFY messages) and other outbound requests - are to be signed using TSIG signatures, select a key for this purpose from this list. This selection has no effect on the signing of inbound queries, zone transfer requests, or dynamic DNS updates, nor on the responses sent to any of these. The setting only affects new messages sent by the NameSurfer server component.

DNSSEC keys

This part of the page is hidden if DNSSEC is not enabled on the zone. If the Enable DNSSEC option is set in the general settings, a listing of all signing keys associated with the zone is shown. An individual key can be accessed for closer examination or editing by clicking on its ID/Keytag in the listing.

Secondary zone settings

This part of the page is hidden if the zone is a locally managed primary zone on NameSurfer. The secondary zone settings allow editing the list of IPv4 and IPv6 master servers from which NameSurfer receives updates for secondary zones. They also allow defining whether the specific master servers can receive dynamic DNS updates from NameSurfer, and which TSIG key - if any - should be used to sign these updates. If an invalid, non-existent key name is defined for a master, a message about the invalid key is shown on the key selector box, and clicking OK on the settings page erases the current setting. If the current setting is left unchanged, the selection becomes valid again once a key identified by that name is created in the key management section.

Edit NSEC3PARAM record data

This part of the page is hidden unless the use of NSEC3 authenticated denial of existence is enabled for the zone. This form can be used to add, remove and change the NSEC3PARAM record data on the zone, and thus define the parameters used to generate the NSEC3 hash nodes on it. If NSEC3 records are to be generated on the zone, an NSEC3PARAM record must be defined. Otherwise, the zone signing process reverts to using traditional NSEC records instead.

The NSEC3PARAM record is defined by entering a Salt length value between 0 and 255, and then either adding the new Salt string in hexadecimal manually (digits 0-9 and letters a-f, two characters for each salt byte) or generating it by pressing the "Generate new salt" action button. Additionally, Hashing iterations contains a numeric value between 0 and 65535, telling how many times the hashing function is repeated on each original value and salt before the result is stored in a resource record. The length of the salt, the randomness of the salt value and the number of iterations work together to reduce the possibility of dictionary-based recovery of the original domain name from the hashed value. To enable the use of NSEC3 records, the NSEC3PARAM record must be inserted into the zone either by entering the Salt length, Salt string and Hashing iterations and then pressing the "OK" action button on the page, or by entering just the Salt length and Hashing iterations values and pressing the "Generate new salt" action button. To disable the use of NSEC3, press the "Remove" action button to remove the NSEC3PARAM record from the zone and the database.
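The following Python script is an added example, not NameSurfer code or part of this help page. It covers both the NSEC3 setting above (which key types an NSEC3 zone may be signed with) and the NSEC3PARAM form: it applies the form's constraints on Salt length, Salt string and Hashing iterations, generates a salt the way a "Generate new salt" button should, and then performs the RFC 5155 hashing that the signer does with those parameters, so you can see how a change of salt or iteration count changes the NSEC3 owner names. All function names are this example's own; the sample parameters (salt aabbccdd, 12 iterations) are the RFC 5155 Appendix A values, and the algorithm-number table follows the NSEC3 column of the IANA DNSSEC algorithm registry.

```python
"""NSEC3PARAM validation and NSEC3 owner-name hashing (RFC 5155).

Added example; models the three fields of the NSEC3PARAM form (salt length,
salt string, hashing iterations) and what the zone signer does with them.
"""
import base64
import hashlib
import re
import secrets

# DNSKEY algorithms that do not signal NSEC3 support (IANA registry, NSEC3 column):
# RSAMD5 (1), DSA (3) and RSASHA1 (5). RFC 5155 defines the NSEC3-capable aliases
# DSA-NSEC3-SHA1 (6) and RSASHA1-NSEC3-SHA1 (7); RSASHA256 (8) and later are all
# NSEC3-capable. With the NSEC3 option on, at least one active ZSK must have an
# algorithm outside this set, or nothing gets signed.
NSEC3_INCOMPATIBLE_ALGORITHMS = frozenset({1, 3, 5})

_HEX_RE = re.compile(r"[0-9a-fA-F]*")
# base32hex (RFC 4648 section 7) is plain base32 with a different alphabet.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_compatible(algorithm: int) -> bool:
    """True if a key of this DNSKEY algorithm may sign an NSEC3 zone."""
    return algorithm not in NSEC3_INCOMPATIBLE_ALGORITHMS


def validate_nsec3param(salt_length: int, salt_hex: str, iterations: int) -> tuple:
    """Apply the form's constraints; return (salt_bytes, iterations) or raise ValueError."""
    if not 0 <= salt_length <= 255:
        raise ValueError("salt length must be between 0 and 255")
    if not 0 <= iterations <= 65535:
        raise ValueError("hashing iterations must be between 0 and 65535")
    salt_hex = "" if salt_hex == "-" else salt_hex  # "-" is the empty salt in presentation format
    if not _HEX_RE.fullmatch(salt_hex) or len(salt_hex) % 2:
        raise ValueError("salt must be hexadecimal, two characters per byte")
    if len(salt_hex) != 2 * salt_length:
        raise ValueError(f"salt string has {len(salt_hex) // 2} bytes, salt length says {salt_length}")
    return bytes.fromhex(salt_hex), iterations


def generate_salt(salt_length: int) -> str:
    """What a 'Generate new salt' button should do: CSPRNG bytes, hex encoded."""
    if not 0 <= salt_length <= 255:
        raise ValueError("salt length must be between 0 and 255")
    return secrets.token_hex(salt_length)


def to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(owner_name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then SHA-1(prev || salt) 'iterations' more times."""
    salt = bytes.fromhex("" if salt_hex == "-" else salt_hex)
    digest = hashlib.sha1(to_wire(owner_name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 digest bytes encode to exactly 32 base32hex characters, so there is no padding.
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def nsec3param_rdata(salt_length: int, salt_hex: str, iterations: int) -> str:
    """Presentation-format NSEC3PARAM RDATA: hash algorithm 1 (SHA-1), flags 0."""
    salt, iters = validate_nsec3param(salt_length, salt_hex, iterations)
    return f"1 0 {iters} {salt.hex() or '-'}"


if __name__ == "__main__":
    # Constructed input: the RFC 5155 Appendix A parameters.
    print(nsec3param_rdata(4, "aabbccdd", 12))          # 1 0 12 aabbccdd
    print(nsec3_hash("example.", "aabbccdd", 12))        # apex owner name hash
    print(nsec3_hash("ns1.example.", "aabbccdd", 12))
    # Same name, a fresh salt: every NSEC3 owner name in the zone changes.
    fresh = generate_salt(8)
    print(nsec3param_rdata(8, fresh, 0), nsec3_hash("example.", fresh, 0))
```

Note that the hash is computed over the canonical (lowercase) wire form, so `EXAMPLE` and `example.` hash identically, and that any change of salt or iteration count re-hashes every name in the zone. Current guidance in RFC 9276 is to use an iteration count of 0 and an empty salt, because extra iterations and salt add little protection against offline dictionary attacks while raising the cost for validating resolvers, some of which treat zones with very high iteration counts as insecure.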