Managing Public DNS Zones

In its most basic form, DNS returns an IP address (if known) when given a string in the DNS name space for that zone. However, DNS is also the way that an IP host client application knows where to get its own configuration information using DHCP (DHCID records), go to send or receive email (MX records), and more. Without DNS, client devices would have to know the proper IP addresses not only for local servers, but for every server or application they interacted with, no matter where in the world they were located. With DNS, clients can always find the correct location of www.oracle.com or any other application.

Once you create a DNS zone inside a compartment, you cannot move the zone to another compartment.

Creating a Public DNS Zone

DNS zones are created in a compartment to associate IP addresses with portions of the DNS name space. Zones are created in a compartment using the DNS service.

Using the Compute Web UI

1. In the navigation menu, under DNS, click Zones. A list of previously configured zones in compartments appears. If the compartment you are creating the DNS zone in is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click Create Zone.

3. Fill in the required zone information:

   • Zone Name: Provide a name or description for the DNS zone. Avoid using any of the organization's confidential information.

   • Compartment: Select the compartment in which to create the DNS zone.

   • Zone Type: Choose the type of DNS zone you are creating.

     • Primary: A primary DNS zone is the original authoritative DNS zone of a portion of the DNS name space. When a DNS server hosts a primary zone, that DNS server is the Authoritative DNS Server and is considered the primary source of information in that zone.

     • Secondary: A secondary DNS zone is a read-only copy of a primary DNS zone or another secondary DNS zone. A secondary DNS zone is kept on a Secondary DNS Server and reduces the load on the primary DNS zone and eliminated a single point of failure risk to name resolution inside the zone.

     For more information on DNS Zones, refer to "Name Resolution" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

   • Tagging: Optionally, add one or more tags to this resource.

     For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

4. Click Create Zone.

   The zone is now ready for the addition of zone records or for the configuration of TSIG Keys or Steering Policies.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

2. Run the oci dns zone create command.

   Syntax (entered on a single line):

   oci dns zone create \
   --compartment-id <compartment_OCID> \
   --name <dns_zone_OCID> \
   --zone-type <PRIMARY | SECONDARY>

   Example:

   oci dns zone create \
    --compartment-id ocid1.compartment.….….….uniqueID \ 
    –-name test-dns-zone \
    --zone-type PRIMARY 
   
   {
     "data": {
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "external-masters": null,
       "freeform-tags": {},
       "id": "ocid1.dns-zone.….….….uniqueID",
       "is-protected": null,
       "lifecycle-state": "ACTIVE",
       "name": "test_dns_zone",
       "nameservers": [
         {
           "hostname": "ns1.example.com"
         }
       ],
       "scope": null,
       "self-uri": "https://20180115/zones/test_dns_zone",
       "serial": 1,
       "time-created": "2021-08-17T18:08:00.059867+00:00",
       "version": 1,
       "view-id": null,
       "zone-type": "PRIMARY"
     },
     "etag": "3e389cab-b3fd-4783-91c1-ede81bc132d5"
   }

Working with Zone Records

Creating a DNS zone is only the beginning of working with DNS. The zone is essentially empty when created, except for a basic Start of Authority (SOA) and Name Server (NS) record The SOA record provides a kind of history of this DNS zone and holds information such as when it was last updated and things like that. The NS record contains the fully-qualified name of the DNS server for the zone. The NS record is very important and therefore has a high TTL, usually 24 hours (86400 seconds).

To make the name server truly useful, the zone must be rounded out and filled with the DNS records that form the basis of responses to the kinds of queries that clients make. These queries include IP addresses for parts of the domain name space, email server details, and so on.

Creating a Zone Record

The RDATA field is where the content of the zone record is entered. The format of the information varies according to the type of record you are creating. However, the data must be in one of the formats that DNS understands. For example, an A-type zone record RDATA is an IP address, and an MX record contains information on how to route email. Because of the authoritative nature of the zone records within a zone, RDATA is not editable. If DNS information in a zone changes, then the old record must be deleted and a new record created.

Using the Compute Web UI

1. In the navigation menu, under DNS, click Zones. A list of previously configured zones in compartments appears. If the compartment you are adding zone records to is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click on the name of the zone. The information screen contains general zone information such as type and compartment, OCID (which you can show in full or copy to the clipboard), and the date and time that the zone was created. The zone records that exist are also displayed, and initially there are only SOA and NS records.

3. Fill in the required zone record information:

   • Zone Record:Select the type of zone record you are creating from the drop-down list.

     • A - IPv4 Address: A host record, which is used to point a hostname to an IPv4 address. This is the most basic DNS record type.

     • You can add many other types of zone records: any types in the drop down list.

       For more information on DNS Zones, refer to "Name Resolution" in the Virtual Networking Overview in the Oracle Private Cloud Appliance Concepts Guide.

   • Domain (Optional): Type the name of the zone subdomain if used (this value is already filled in based on the zone itself: the initial dot (".") is used for adding the zone subdomain).

   • TTL: Check this box to set your own value for the TTL of that particular record type. If you do not check this box, the default TTL value for that record type is used (for example, 300 for SOA, 86400 for NS). The valid range is from 1 to 129540 seconds (from 1 second to about a day and a half).

   • Edit RDATA: Check this box if you wish to edit the RDATA information, such as the IP address or Target established by the zone record type. This box is only displayed for some zone record types.

   • (RDATA): This unlabeled field varies based on the type of zone record created. For example, you enter the 32-bit IP address that corresponds to the A-type DNS record, or Flags for a DNSKEY zone record, if that is what you are creating.

     • A - IPv4 Address: If you are creating an A type zone record, then the data is a properly formatted IPv4 address. This is the most basic DNS record, but there are many others.

     • The RDATA field reflects the correct information for the type of zone record selected.

4. Click Create Record.

   The zone record is now added to the zone. If you click the optional box to Add another record, then the screen stays at the Create DNS Zone Record state to make record entry more efficient.

Using the OCI CLI

There is no "create dns zone record" command in the CLI. Instead, the command "oci dns zone record update" command replaces records in the specified zone with the records specified in the request body of the command. If a specified record does not exist, then it will be created. Also, if a current record is not in the records list, it will be deleted. Care is needed, because if the record exists, then it will be updated with the record information in the body of the request. The command in this section adds an A resource record (IPv4 address and domain name) to a DNS zone named dns-test-zone.

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • DNS zone name (oci dns zone list --compartment_OCID <compartment_OCID>)

2. Run the oci dns record zone update command.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci dns record zone update \
    --zone-name-or-id <zone_name> or <compartment_OCID> \
    --items <complex type>

   Note:

   DNS resource record types are provided as objects in JSON format. This is a JSON list with items of type RecordDetails. For documentation on RecordDetails please see https://docs.cloud.oracle.com/api/#/en/dns/20180115/datatypes/RecordDetails. This is a complex type whose value must be valid JSON. The value can be provided as a string on the command line or passed in as a file using the file://path/to/file syntax.

   The --generate-param-json-input option can be used to generate an example of the JSON which must be provided. We recommend storing this example in a file, modifying it as needed and then passing it back in via the file:// syntax.

   Example:

   oci dns record zone update
    --zone-name-or-id <zone_name> or <compartment_OCID> 
    --items 
   {
       "domain": "test-dns-zone.test-pca-comparment.example.com",
       "isProtected": true,
       "rdata": "10.225.15.10",
       "recordHash": "fkT4md",
       "rrsetVersion": "1",
       "rtype": "1",
       "ttl": 3600
   }

Editing a Zone Record

There is no "edit record" command. You can update a group of records, and if one of the records in the list is the same except for the rdata for example, in effect you have updated the record.

Deleting a Zone Record

You can delete many, but not all, DNS zone records. The initial SOA and NS records, created by default when the zone is created, cannot be deleted, To delete a zone record:

Using the Compute Web UI

1. In the navigation menu, under DNS, click Zones. A list of previously configured zones in compartments appears. If the compartment you are adding zone records to is not in the title bar, then use the drop-down tab to select the correct compartment.

2. Click on the name of the zone. The information screen contains general zone information such as type and compartment, OCID (which you can show in full or copy to the clipboard), and the date and time that the zone was created. The zone records that exist are also displayed.

3. Click on the Action square with the three dots on the right side of the zone record that you are deleting.

4. Click Delete.

The zone record is deleted and removed from the list for that DNS zone.

Using the OCI CLI

To delete resource records in a zone with the CLI, use the oci dns record rrset delete command to delete an entire resource record set (for example, all A-type IPv4 address records for a given host name). The resource records are identified by their DNS record type (A, MX, and so on). The command in this section deletes the A resource record (IPv4 address and domain name) in a DNS zone named "dns-test-zone" for a device named "test-device-1."

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • DNS zone name (oci dns zone list --compartment_OCID <compartment_OCID>)

2. Run the oci dns record rrset delete command.

   Syntax: (entered on a single line):

   oci dns record rrset delete \
    --domain <domain-name> \
    –-rtype <resource-record-type> \
    --zone-name-or-id <zone_name> or <compartment_OCID>
                              

   Example:

   oci dns record rrset delete \
    --domain "test-device-1.dns-test-zone.example.com" \
    –-rtype "A" \
    --zone-name-or-id "dns-test-zone"  

   The record is deleted from the zone.

Editing a Public DNS Zone

You can add resource tags to an existing zone. You can also edit the externalMasters field of a SECONDARY zone.

Working with Transaction Signature Keys

A DNS transaction signature (TSIG) is a network protocol defined in RFC 2845. The main purpose of the TSIG is to allow DNS to authenticate updates to a DNS database, so that malicious users cannot change name resolution records to point to a bogus IP address instead of (for example) the IP address of a bank. TSIG uses one-way hashing and shared secret keys to provide a secure means to authenticate the endpoints of a connection for processing (or responding to) DNS update requests.

The TSIG protocol uses timestamps to prevent replay of recorded responses. Therefore, DNS servers and TSIG clients need accurate clocks to provide the timestamps. A number of extensions to the basic TSIG protocol have been made to extend the types of cryptography and hashing methods that are supported by TSIG.

To use TSIG for a DNS zone, add TSIG keys to the DNS zone. The TSIG key must be base64 encoded.

Using the Compute Web UI

1. In the navigation menu, under DNS Zones, click TSIG Keys.

2. Click Create Key.

3. Fill in the required TSIG Key information:

   • Name: Provide a name or description for the TSIG key. Avoid using any of the organization's confidential information.

   • Compartment: Select the compartment in which to create the TSIG key.

   • Algorithm: Choose the security algorithm for the TSIG Key you are creating, such as hmac-sha256.

   • Secret Key: Provide the base64 string encoding the binary shared secret that corresponds to the key. The maximum is 255 characters. An example key in base64 encoding is shown in RFC3874. You can provide the key in one of two ways:

     • Select the key file: If you provide the TSIG shared secret key this way, you can drag and drop the key file into the space provided.

     • Paste the key: If you provide the TSIG shared secret key this way, you can copy and paste the contents of the key file into the space provided.

   • Tagging: Optionally, add one or more tags to this resource. For more information about tagging, see Working with Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

4. Click Create TSIG Key.

   The TSIG key now available for use in the DNS zone between TSIG client and DNS server.

Using the OCI CLI

1. Gather the information that you need to run the command:

   • Compartment OCID (oci iam compartment list --all)

2. Run the oci dns tsig-key create command.

   Note:

   This procedure shows the minimum required parameters for this command. For information about optional parameters, run the command with the --help option.

   Syntax (entered on a single line):

   oci dns tsig-key create \
   --algorithm <hmac-algorithm> \
   --name <tsig-key-name> \
   --compartment-id <compartment_OCID> \
   --secret <secret-string>
                              

   Example:

   oci dns tsig-key create --algorithm hmac-sha256 --name new-tsig-key \
   --compartment-id ocid1.compartment.….….….uniqueID \
   --secret 2o8goaon2168n(secret key string)e6um8lvd2lwdoouq46lsygak0009014
   {
     "data": {
       "-self": "https://20180115/tsigKeys/new-tsig-key",
       "algorithm": "hmac-sha256",
       "compartment-id": "ocid1.compartment.….….….uniqueID",
       "defined-tags": {},
       "freeform-tags": {},
       "id": "ocid1.dns-tsig-key..….….….uniqueID",
       "lifecycle-state": "ACTIVE",
       "name": "new-tsig-key",
       "secret": "2o8goaon2168n(secret key string)e6um8lvd2lwdoouq46lsygak0009014",
       "time-created": "2021-10-29T17:50:31.219934+00:00",
       "time-updated": null
     },
     "etag": "81eb0e02-e09c-4b25-9d21-eefa9ab2aacc"
   }         

The new key appears in the list of TSIG keys for the DNS for this compartment.

Adding a TSIG Key

To add a TSIG key to an existing list of TSIG keys, simply create another key with a unique TSIG key name and a new algorithm or a new key value. To modify fields in an existing TSIG key, use the update command.

A TSIG key is a separate object from a DNS zone. You can have a SECONDARY DNS zone reference a TSIG key as part of its ExternalMaster definition. But creating a new key doesn't do anything for a PRIMARY zone.

Removing a TSIG Key

Using the Compute Web UI

1. In the navigation menu, under DNS Zones, click TSIG Keys.

2. Click on the TSIG key that you want to remove from the drop-down list of TSIG keys.

3. Click Delete from the list of actions under the Action Menu icon (three bars), or click the Delete button at the top of the display window.

   The TSIG key is removed from the list.

Using the OCI CLI

1. Gather the information for these resources:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • TSIG OCID (oci dns tsig-key list --compartment-id <compartment_OCID>)

2. Syntax (entered on a single line):

   oci dns tsig-key delete --tsig-key-id <tsig-key_OCID>

   Example:

   oci dns tsig-key delete --tsig-key-id ocid1.dns.tsig.key.….….….uniqueID \
   Are you sure you want to delete this resource? [y/N]: y

The TSIG key is deleted from the list of TSIG keys for DNS in this compartment. Use the --force option to suppress the "Are you sure...?" message.

Deleting a Public DNS Zone

Using the Compute Web UI

1. In the navigation menu, under DNS Zones, click Zones.

2. Click on the zone name that you want to remove from the drop-down list of zones.

3. Click the Delete button at the top of the display window.

   The DNS zone is removed from the list.

   The DNS zone is deleted from the compartment. Use the --force option to suppress the "Are you sure...?" message.

Using the OCI CLI

1. Gather the information for these resources:

   • Compartment OCID (oci iam compartment list --compartment-id-in-subtree true)

   • Zone OCID (oci dns zone list --compartment-id <compartment_OCID>)

2. Syntax (entered on a single line):

   oci dns zone delete --zone-name-or-id zone_OCID-or-zone-name>

   Example:

   oci dns zone delete --zone-id ocid1.dns.zone.….….….uniqueID \
   Are you sure you want to delete this resource? [y/N]: y