Some DNS zone management tips
Note: The tips presented here have been discussed on the
official DNS operations mailing lists (view discussion).
Since many of the people discussing this topic have
been around DNS a lot longer than I have, their input is very
valuable. For example, one of the people who chimed in on the discussion
wrote the book that I originally learned DNS management from.
I hope that these tips are consistent with the input offered on the
list.
- Just because the offending data is no longer in your zone does not
mean other people can reach the site in question yet: the old record
will keep floating around in other caches until its TTL expires.
- Never let the host names used in the NS records for your domain
be used for anything else, such as the target of an MX or CNAME record. While
this is technically perfectly legal, down this path lies danger. Namely,
if you ever change the IP of one of the name servers
and have a critical service (such as a web page or incoming MTA)
pointing at the machine in question, you have to wait for your registrar
to update the glue (the name server's IP in the parent zone) before that
service works again.
- If possible, make the TTLs for the NS records for your domain as long
as possible (604800 seconds, one week, is a good number). This will speed
up access to your domain, since caches will not have to query the
root and TLD servers as often before querying your name servers. The down side of
this construction is that care must be taken to decrease the TTL of the
NS records well ahead of changing the names or IPs of the name servers. Another
down side is that some name servers do not have a way of limiting the
cache size, so records with long TTLs can consume inappropriate
quantities of memory.
- Never have an MX record point to a CNAME record. Some MTAs refuse to send
mail to a domain that is so configured. This can also cause mail loops.
- Never have a CNAME record and any other record use the same host name
(that is, at the same node).
This will confuse caching name servers, which assume that a
CNAME record applies to all record types for a given host name.
- Avoid using CNAME records: they can increase the number of DNS queries
needed to resolve a given host name. (With DjbDNS, and with MaraDNS before
version 0.5.12, the server
does not deliver the address the CNAME points at along with the CNAME record
in the answer section, so the resolver has to ask again.) Within the same zone it is usually better to
give several names A records pointing at the same IP address.
- MX, NS, and CNAME records should point to host names, not IPs.
Something like "example.com IN MX 10 192.168.0.64." will not
work with BIND. Note, however, that both DjbDNS and MaraDNS accept this
kind of construct.
- Try to have at least one NS server for your domain be "in bailiwick".
If you have the domain "example.com", for example, then it is best if
one of the NS servers is "ns.example.com", or, DJ Bernstein's favorite,
"a.ns.example.com". Today, this is only a real issue if, for example,
you have "example.com" with the name servers "a.ns.example.com.ar"
and "b.ns.example.com.ar". These NS entries slow down access
to your domain: a resolver with an empty cache now needs 7 instead of
3 queries to resolve names in the domain, and more if example.com.ar itself uses
out-of-bailiwick NS servers.
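Most of the tips above are mechanical checks that can be run over a zone before it is published. The following zone linter is an added example, not code from the original page or from MaraDNS, DjbDNS or BIND: it encodes the rules about NS host names being reused, MX records pointing at CNAMEs, CNAMEs sharing a node with other data, MX/NS/CNAME targets that are IP addresses, short NS TTLs, and the absence of an in-bailiwick NS server. The sample zone, the rule names and the one-week TTL threshold are constructed here for illustration; records are simplified (owner, ttl, type, rdata) tuples with fully qualified names, not a parsed master file.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone (not from the original page). Records are
# (owner, ttl, type, rdata) with fully qualified names; MX rdata is
# "preference target". Several records deliberately break the tips.
SAMPLE_ZONE = [
    ("example.com.",      604800, "NS",    "ns1.example.com."),
    ("example.com.",      3600,   "NS",    "b.ns.example.com.ar."),
    ("example.com.",      3600,   "MX",    "10 mail.example.com."),
    ("example.com.",      3600,   "MX",    "20 192.168.0.64"),
    ("ns1.example.com.",  3600,   "A",     "192.0.2.1"),
    ("ns1.example.com.",  3600,   "MX",    "10 ns1.example.com."),
    ("mail.example.com.", 3600,   "CNAME", "ns1.example.com."),
    ("www.example.com.",  300,    "CNAME", "web.example.com."),
    ("www.example.com.",  300,    "TXT",   "v=spf1 -all"),
    ("web.example.com.",  3600,   "A",     "192.0.2.2"),
]

RECOMMENDED_NS_TTL = 604800  # one week, the figure suggested above (assumed threshold)


def _target(rtype, rdata):
    """Host name that an NS, MX or CNAME record points at."""
    if rtype == "MX":
        return rdata.split()[-1].lower()
    return rdata.lower()


def _looks_like_ip(name):
    """True if a record target is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def lint_zone(apex, records):
    """Check records of the zone at `apex` against the tips; return sorted (rule, detail) pairs."""
    apex = apex.lower()
    findings = set()
    by_owner = defaultdict(set)   # owner name -> record types present at that node
    cname_owners = set()          # nodes that carry a CNAME
    ns_hosts = set()              # host names named in the apex NS records

    # First pass: collect node contents, NS hosts, and per-record checks.
    for owner, ttl, rtype, rdata in records:
        owner = owner.lower()
        by_owner[owner].add(rtype)
        if rtype == "CNAME":
            cname_owners.add(owner)
        if rtype in ("NS", "MX", "CNAME") and _looks_like_ip(_target(rtype, rdata)):
            findings.add(("target-is-ip", f"{owner} {rtype} {rdata}"))
        if rtype == "NS" and owner == apex:
            ns_hosts.add(_target(rtype, rdata))
            if ttl < RECOMMENDED_NS_TTL:
                findings.add(("short-ns-ttl", f"{owner} NS {rdata} ttl={ttl}"))

    # Second pass: cross-record checks that need the sets built above.
    for owner, ttl, rtype, rdata in records:
        owner = owner.lower()
        if rtype == "MX" and _target(rtype, rdata) in cname_owners:
            findings.add(("mx-to-cname", f"{owner} MX {rdata}"))
        if rtype in ("MX", "CNAME") and _target(rtype, rdata) in ns_hosts:
            findings.add(("ns-label-reused", f"{owner} {rtype} {rdata}"))
        if owner in ns_hosts and rtype not in ("A", "AAAA"):
            findings.add(("ns-label-reused", f"{owner} {rtype} {rdata}"))

    for owner in cname_owners:
        others = by_owner[owner] - {"CNAME"}
        if others:
            findings.add(("cname-with-other-data", f"{owner} CNAME + {sorted(others)}"))

    if not any(h == apex or h.endswith("." + apex) for h in ns_hosts):
        findings.add(("no-in-bailiwick-ns", f"no NS host under {apex}"))

    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in lint_zone("example.com.", SAMPLE_ZONE):
        print(f"{rule:22} {detail}")
```

Run against the constructed zone, the linter reports the MX pointing at the 192.168.0.64 literal, the MX pointing at the mail.example.com CNAME, ns1.example.com being reused as both an MX target and a CNAME target, www.example.com carrying a TXT record next to its CNAME, and the one-hour TTL on the second NS record; it does not complain about bailiwick because ns1.example.com sits under the apex. Feeding it a zone whose only NS hosts are under example.com.ar produces just the in-bailiwick finding.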