# DNS Manager — Zones

### PUQcloud Panel

##### [Order Now](https://puqcloud.com/puqcloud-panel.php) | [Download](https://github.com/puqcloud/PUQcloud) | [FAQ](https://faq.puqcloud.com/)

#### 1) What a Zone is and how it works

A **DNS Zone** is the set of DNS records for a domain (e.g., `example.com`) or a **reverse** domain (`in-addr.arpa`, `ip6.arpa`).  
In PUQcloud, every zone is assigned to exactly one **Server Group**, and that group has one or more real DNS servers attached. As a result:

- When you create or change records in **Zones**, PUQcloud writes those changes to **all servers in the selected group**.
- Zone-level meta (e.g., **Primary NS**, **NS Domains**, **SOA fields**) is stored with the zone and deployed to the group’s servers.

**Path:** **Settings → DNS Manager → Zones**

[![DNS Zones — list (columns: Name, Record Count, Server Group, Primary NS, Admin Email, Actions)](https://doc.puq.info/uploads/images/gallery/2025-11/scaled-1680-/7.png)](https://doc.puq.info/uploads/images/gallery/2025-11/7.png)

- - - - - -

#### 2) The Zones list & actions

The list shows all zones, how many records each has, which **Server Group** it belongs to, the **Primary NS** (SOA MNAME), and the **Admin Email** (SOA RNAME).

Per-row actions:

- **Edit** — open the zone editor
- **Delete** — remove the zone

Top-right: **+ Create** to add a new zone.

- - - - - -

#### 3) Create a zone

Click **+ Create** and fill the form.

[![Create DNS Zone (Name, DNS Server Group, SOA Admin Email, SOA TTL, Refresh, Retry, Expire, Minimum TTL)](https://doc.puq.info/uploads/images/gallery/2025-11/scaled-1680-/8.png)](https://doc.puq.info/uploads/images/gallery/2025-11/8.png)

##### Field reference

<table id="bkmrk-field-description-ti"><thead><tr><th>Field</th><th>Description</th><th>Tip</th></tr></thead><tbody><tr><td>**Name**</td><td>Zone name. For forward zones use `example.com`. For reverse: IPv4 uses `x.y.z.in-addr.arpa`, IPv6 uses the `…ip6.arpa` nibble format.</td><td>Use correct reverse notation.</td></tr><tr><td>**DNS Server Group**</td><td>Which group of servers will host this zone</td><td>Choose the group you prepared (e.g., *PowerDNS ns1-2* or *PowerDNS (devns)* for the ACME tech zone).</td></tr><tr><td>**SOA Admin Email**</td><td>Email in SOA (RNAME, with a dot instead of `@`)</td><td>Commonly `hostmaster@domain.tld`.</td></tr><tr><td>**SOA TTL (seconds)**</td><td>TTL for the SOA record</td><td>`3600` is a safe default.</td></tr><tr><td>**SOA Refresh**</td><td>Slave refresh interval</td><td>`86400` (24h) typical.</td></tr><tr><td>**SOA Retry**</td><td>Retry interval if refresh fails</td><td>`7200` (2h).</td></tr><tr><td>**SOA Expire**</td><td>When slaves consider zone expired</td><td>`1209600` (14 days).</td></tr><tr><td>**SOA Minimum TTL**</td><td>Negative caching (minimum TTL)</td><td>`3600`.</td></tr></tbody></table>

Click **Save** to create the zone.

- - - - - -

#### 4) Edit a zone

Opening a zone leads to **Edit DNS Zone**.

[![Edit DNS Zone (Name, DNS Server Group, Primary NS, NS Domains, SOA fields; buttons Create Record / Reload Zone / Move To / Export / Import / Save)](https://doc.puq.info/uploads/images/gallery/2025-11/scaled-1680-/9.png)](https://doc.puq.info/uploads/images/gallery/2025-11/9.png)

##### What you see

- **Name** — zone name (read-only for some reverse templates).
- **DNS Server Group** — which group serves this zone.
- **Primary NS** — SOA MNAME (main NS).
- **NS Domains** — authoritative nameserver hostnames shown as badges. These should match your actual registrar delegation.
- **SOA** fields — TTL, Refresh, Retry, Expire, Minimum TTL.
- **Records table** — the list of all records in this zone.

##### Top actions

- **+ Create Record** — add A/AAAA/CNAME/TXT/MX/SRV/NS/PTR etc.
- **Reload Zone** — force-sync this zone across all servers in the group.
- **Move To** — move the zone to another **Server Group** (useful for migrations).
- **Export / Import** — export to/import from a standard zone format (PowerDNS/BIND-compatible).
- **Save** — save changes to the zone **properties** (record edits have their own save flow in the record modal).

- - - - - -

#### 5) Add records

Click **+ Create Record**.

[![Create DNS Record (Type, TTL, Name; show PTR target field example)](https://doc.puq.info/uploads/images/gallery/2025-11/scaled-1680-/10.png)](https://doc.puq.info/uploads/images/gallery/2025-11/10.png)

##### Common record types

- **A / AAAA** — IPv4/IPv6 address mappings (e.g., `www → 203.0.113.10`).
- **CNAME** — alias (e.g., `www → @` or `example.com`).
- **TXT** — free-form text (SPF, DKIM, ACME challenges).
- **MX** — mail exchangers with priority.
- **SRV** — service records (VoIP, LDAP, etc.).
- **NS** — delegate sub-zones to other nameservers.
- **PTR** — reverse mapping (IP to hostname) for reverse zones.

##### Examples (forward)

- `@` → A → `203.0.113.10`
- `www` → CNAME → `@`

##### Example (mail)

- `@` → MX (10) → `mx1.example.com.`
- `@` → TXT → `v=spf1 include:spf.example.net -all`

##### Reverse example (PTR)

In `0.168.192.in-addr.arpa`:

- `130` → PTR → `host130.example.com.`

- - - - - -

#### 6) ACME / SSL with a technical zone

For DNS-01 challenges, SSL Manager commonly uses a **technical zone** (e.g., `acme.yourdomain.tld`) hosted by a dedicated **Server Group** (e.g., *PowerDNS (devns)*). The workflow:

1. In the **target** zone (the zone for which you want a cert), create a **CNAME**:  
    `_acme-challenge.yourdomain.tld → _acme-challenge.yourdomain.tld.acme.yourdomain.tld.`
2. During issuance, SSL Manager automatically creates/updates the **TXT** in the **tech zone** (via PowerDNS/Hestia modules).
3. The CA queries `_acme-challenge` on the target zone, **follows the CNAME** into the tech zone, and reads the TXT.
4. Once validated, the certificate becomes **ACTIVE** (see **SSL Certificates** guide).

> Ensure the tech group’s **NS Domains** are really authoritative and are properly delegated at the registrar.

- - - - - -

#### 7) Export / Import

- **Export** — download the zone in a PowerDNS/BIND-compatible format (great for backups and migrations).
- **Import** — upload a zone file to quickly populate records. After import, verify records and click **Reload Zone**.

- - - - - -

#### 8) Best practices

- Use **TTL 300–600s** while actively changing/migrating; raise later for stability.
- Keep **≥2 NS** in the serving group (prefer distinct regions/ASNs).
- For **ACME**, keep a **separate tech zone** and **separate group**.
- Always **Export** before bulk edits.
- After changing a zone’s **Server Group**, use **Move To** and then **Reload Zone**.
- Regularly verify delegation (`dig NS yourdomain.tld`) and key records resolution from multiple locations.

- - - - - -

#### 9) Troubleshooting

<table id="bkmrk-symptom-likely-cause"><thead><tr><th>Symptom</th><th>Likely cause</th><th>Fix</th></tr></thead><tbody><tr><td>Public resolvers can’t see your changes</td><td>Registrar delegation wrong or **NS Domains** don’t match real NS</td><td>Correct delegation, align **NS Domains**, wait for TTL</td></tr><tr><td>Different answers on NS1 vs NS2</td><td>One node out of sync or offline</td><td>**Reload Zone**, check server health, review logs</td></tr><tr><td>ACME DNS-01 fails</td><td>Missing/wrong CNAME to tech zone; caching</td><td>Validate with `dig`, fix CNAME/TXT, wait for TTL</td></tr><tr><td>Zone import errors</td><td>Incompatible format or invalid entries</td><td>Fix offending lines, re-import</td></tr></tbody></table>