Zone Hygiene: a beginner's guide
Single-call DNS health audit — DNSSEC, CAA, AXFR, NSEC3, open-resolver, SOA, and subdomain exposure
Zone hygiene: the single-call DNS health audit
Zone hygiene is the aggregate health of a domain's DNS configuration: are the nameservers consistent, is the zone signed correctly, are the certificate-issuance controls in place, is the zone enumerable, are sensitive subdomains accidentally public, and are any of the authoritative servers being abused as open resolvers? Each of those questions has its own deep specification — DNSSEC (RFC 4033 and family), CAA (RFC 8659), AXFR (RFC 5936), NSEC3 parameters (RFC 9276), SOA values (RIPE-203) — but in practice operators want them aggregated. Zone hygiene is the umbrella that turns the individual checks into a single audit and a single score.
You should care because most DNS incidents are self-inflicted, not malicious. Primary and secondary nameservers that disagree on the current zone produce random intermittent failures nobody can reproduce. Orphan CNAMEs to deprovisioned SaaS accounts become subdomain takeover opportunities. SOA `expire` set too low causes secondaries to silently stop serving the zone after a brief outage. NSes accidentally configured as open recursors get conscripted into DNS amplification attacks against unrelated victims. None of these break anything on day one. All of them are how outages and security incidents start on day four hundred.
The nine checks that compose modern zone hygiene:
Nameserver redundancy. RFC 1034 requires at least two authoritative NSes for resilience.
SOA serial consistency across resolvers. Drift means replication is failing silently — different resolvers see different versions of your zone.
SOA field validation. RIPE-203 gives concrete bounds: refresh ≥ 24h, retry ≥ 2h, expire ≥ 14d, minimum (negative-cache TTL) ≤ 24h. Out-of-bounds values cause replication problems before they cause outages.
Wildcard detection. A wildcard at the apex isn't inherently bad, but it changes how every other check has to interpret subdomain results.
Sensitive-subdomain exposure. Public DNS records named `admin.`, `vpn.`, `jenkins.`, `kibana.`, `phpmyadmin.`, `internal.` are reconnaissance gifts — even when the underlying service is properly access-controlled.
Open-resolver behavior on each NS. Send each authoritative NS a recursion-desired query for a name it isn't authoritative for; if it returns a recursive answer instead of REFUSED or a referral, the NS is acting as an open recursor and can be abused as a reflection-amplification source against third parties.
DNSSEC posture. Cryptographic verification per RFC 4034/4035: the DS digest matches the zone's key, the RRSIG validates against the DNSKEY, and the signature is inside its validity window. "Bogus" status causes validating resolvers to SERVFAIL the zone.
CAA record presence. Without a CAA record, every publicly trusted CA is permitted to issue certificates for the domain; with one, only the CAs it lists may (RFC 8659).
Zone-transfer (AXFR) exposure. A zone that allows AXFR from anyone has effectively published its entire record set.
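Checks 2 and 3 in the list above, SOA-serial drift and SOA-field bounds, as an added example (this is not EdgeDNS code). The bounds are the ones this page attributes to RIPE-203, the output rows use the field names of the `soa_field_validation` and `soa_consistency` response fields documented later on the page, and the per-resolver SOA answers are constructed rather than queried over the network.

```python
"""SOA-field validation and serial-drift detection (added example, not EdgeDNS code)."""

HOUR, DAY = 3600, 86400

# (recommended_min, recommended_max) in seconds; None means unbounded on that side.
# These are the bounds the page attributes to RIPE-203.
SOA_BOUNDS = {
    "refresh": (24 * HOUR, None),   # secondaries poll the primary at least daily
    "retry":   (2 * HOUR, None),
    "expire":  (14 * DAY, None),    # secondaries keep serving through a two-week primary outage
    "minimum": (None, 24 * HOUR),   # negative-cache TTL in the RFC 2308 sense
}


def validate_soa_fields(soa):
    """Return one {field, value, recommended_min, recommended_max, status} per field."""
    results = []
    for field, (lo, hi) in SOA_BOUNDS.items():
        value = soa.get(field)
        if value is None:
            status = "unknown"
        elif lo is not None and value < lo:
            status = "too_low"
        elif hi is not None and value > hi:
            status = "too_high"
        else:
            status = "ok"
        results.append({"field": field, "value": value,
                        "recommended_min": lo, "recommended_max": hi,
                        "status": status})
    return results


def detect_serial_drift(per_resolver):
    """per_resolver maps resolver IP -> SOA dict (or {"error": ...}).
    Returns (unique_serials, drift_detected). Resolvers that errored are ignored
    so a single timeout is not reported as replication drift."""
    serials = sorted({r["serial"] for r in per_resolver.values() if "serial" in r})
    return serials, len(serials) > 1


# Constructed input: a zone whose operator copied a short-lived template.
SAMPLE_SOA = {"serial": 2024110501, "refresh": 3600, "retry": 600,
              "expire": 604800, "minimum": 3600}

# Constructed per-resolver answers: one secondary is still serving last week's serial.
SAMPLE_PER_RESOLVER = {
    "1.1.1.1": {"serial": 2024110501, "primary_ns": "ns1.example.com."},
    "8.8.8.8": {"serial": 2024110501, "primary_ns": "ns1.example.com."},
    "9.9.9.9": {"serial": 2024110428, "primary_ns": "ns1.example.com."},
    "208.67.222.222": {"error": "timeout"},
}

if __name__ == "__main__":
    for row in validate_soa_fields(SAMPLE_SOA):
        print(f"{row['field']:8} {row['value']:>8}  {row['status']}")
    serials, drift = detect_serial_drift(SAMPLE_PER_RESOLVER)
    print("unique_serials:", serials, "soa_drift_detected:", drift)
```

With the constructed values, refresh, retry and expire all come back `too_low` (a 7-day expire means a primary outage longer than a week silently takes the zone offline at every secondary), and the stale answer from one resolver is reported as drift while the timed-out resolver is not.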
Three questions a zone-hygiene audit answers:
Are my nameservers in sync, properly configured, and not being abused for amplification?
Are my certificate-issuance, DNSSEC, and zone-walk-resistance controls all in place?
Which of my subdomains are accidentally exposed in public DNS?
The cost of skipping a regular zone-hygiene audit is the slow accumulation of drift that eventually becomes an incident nobody can trace back to its origin. The fix is a single audit — quarterly at minimum, continuous via API for production zones — that surfaces all nine signals together with a weighted score, so operators see at a glance whether the zone is in good shape or needs attention.
The Zone Hygiene endpoint, in plain language
In one sentence: Single-call [DNS (Domain Name System)](/guides/dns-lookup) health audit — [DNSSEC (Domain Name System Security Extensions)](/guides/dns-dnssec), CAA, AXFR (full zone transfer), NSEC3, open-resolver, SOA, and subdomain exposure
Single-call DNS (Domain Name System) health audit that fans out to nine independent checks and aggregates a weighted score. In one request: DNSSEC (Domain Name System Security Extensions) posture (cryptographic verification per RFC 4033 through 4035 — see /v1/DNS/DNSSEC), CAA presence (RFC 8659), zone-transfer / AXFR (full zone transfer, RFC 5936) exposure, NSEC3 parameter compliance (RFC 9276), open-resolver detection on every NS, SOA-serial consistency across resolvers, SOA-field validation against RIPE-203 bounds (refresh/retry/expire/minimum), wildcard detection, and exposure of sensitive subdomains (admin., vpn., kibana., jenkins., etc.). Each check contributes to a weighted 0–100 hygiene score and a letter grade (A–F).
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Enumerates authoritative nameservers, then runs nine checks in parallel: (1) NS redundancy (RFC 1034 requires at least two); (2) SOA-serial consistency across multiple resolvers, since any drift means replication is failing silently; (3) SOA-field validation per RIPE-203 (refresh ≥ 24h, retry ≥ 2h, expire ≥ 14d, minimum ≤ 24h); (4) wildcard probe at the apex; (5) sensitive-subdomain probe (filtered against the wildcard's IPs to avoid false positives); (6) open-resolver test, which sends `dig +rd @<ns> a.root-servers.net` to each NS and flags any that return a recursive answer (RA flag set, answer section populated) rather than REFUSED or a referral, since such NSes are reflection-amplification sources; (7) DNSSEC (Domain Name System Security Extensions) analysis with cryptographic verification; (8) CAA cross-reference; (9) zone-transfer (AXFR, RFC 5936) check. Returns a `composite` block with the cross-endpoint signals, a `checks[]` array (one entry per check area with passed/failed/severity_max/finding_count), a weighted `hygiene_score` (0–100), and a letter `hygiene_grade`.
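The open-resolver test in step (6), taken down to the wire: build the recursion-desired query that `dig +rd @<ns> a.root-servers.net` sends, then classify the reply from its header flags. This is an added example, not EdgeDNS code; the classification rule (RA set, NOERROR, answers present, AA clear) is my reading of what "returns a recursive answer" means, and the three reply packets are constructed by hand so the block runs offline. `probe()` sends the same query to a real nameserver over UDP if you want to try it live.

```python
"""Open-resolver probe at the DNS wire level (added example, not EdgeDNS code)."""
import socket
import struct

PROBE_NAME = "a.root-servers.net"   # a name no customer NS is authoritative for


def build_query(name, txid=0x1234, qtype=1):
    """Standard query with only RD set: one question, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(packet):
    """Classify a reply from its header alone; returns the is_open_resolver/status
    part of one open_resolver_check entry."""
    if len(packet) < 12:
        return {"is_open_resolver": False, "status": "malformed"}
    _txid, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", packet[:12])
    qr = bool(flags & 0x8000)   # response
    aa = bool(flags & 0x0400)   # authoritative answer
    ra = bool(flags & 0x0080)   # recursion available
    rcode = flags & 0x000F
    if not qr:
        return {"is_open_resolver": False, "status": "not_a_response"}
    if rcode == 5:
        # REFUSED is the correct reply from an authoritative-only server.
        return {"is_open_resolver": False, "status": "refused"}
    if ra and rcode == 0 and ancount > 0 and not aa:
        # Answered a foreign name, advertises recursion, does not claim authority.
        return {"is_open_resolver": True, "status": "recursive_answer"}
    if ancount == 0 and nscount > 0:
        # Upward referral to the root: not recursion, but worth recording.
        return {"is_open_resolver": False, "status": "referral"}
    return {"is_open_resolver": False, "status": f"rcode_{rcode}"}


def probe(ns_ip, timeout=3.0):
    """Send the probe to a live nameserver over UDP (network; not exercised offline)."""
    query = build_query(PROBE_NAME)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"nameserver": ns_ip, "is_open_resolver": False, "status": "timeout"}
    if data[:2] != query[:2]:   # transaction ID must match the query
        return {"nameserver": ns_ip, "is_open_resolver": False, "status": "txid_mismatch"}
    return {"nameserver": ns_ip, **classify_response(data)}


# Constructed replies: header plus the echoed question. The open-recursor case
# omits the answer RR bytes because classification only reads the header.
QUESTION = build_query(PROBE_NAME)[12:]
OPEN_RECURSOR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION  # QR RD RA, NOERROR, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUESTION        # QR RD, RCODE 5
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0) + QUESTION      # QR RD, 13 root NS in authority

if __name__ == "__main__":
    for label, reply in [("open recursor", OPEN_RECURSOR_REPLY), ("refused", REFUSED_REPLY), ("referral", REFERRAL_REPLY)]:
        print(f"{label:14} -> {classify_response(reply)}")
```

The transaction-ID check in `probe()` matters more than it looks: a probe that accepts any datagram on the socket can be fooled by unrelated traffic, and a scanner that fans out to every NS in a portfolio sends a lot of datagrams.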
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Zone Hygiene tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
The natural top-of-funnel question, "audit my DNS (Domain Name System) in one call", should not require knowing about and orchestrating seven separate endpoints. Competitors lead with this exact shape (intoDNS, nslookup.io DNS Health's 39 checks, dnsviz). The composite turns "audit your DNS" from a workflow into a single API (Application Programming Interface) call with a single score. The open-resolver check alone catches a common, high-impact misconfiguration (an NS that answers recursive queries for anyone is a reflection-amplification source), and most DNS-health tools don't test it. SOA-field validation against RIPE-203 catches replication problems before they cause an outage.
Picture this in real life. Imagine a DNS administrator. Here's the situation they're walking into: Replace seven separate API (Application Programming Interface) calls (DNSSEC, CAA, zone-transfer, nsec-walkability, ns, mx, sensitive-subdomain enumeration) with one composite request. The endpoint fans out to nine independent checks in parallel, aggregates a weighted hygiene score (0–100), and returns a letter grade (A–F) alongside per-area pass/fail summaries in `checks[]`. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Zone Hygiene tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Zone Hygiene tool is built for you:
Are my nameservers in sync, properly configured, and not answering recursive queries for strangers?
Are DNSSEC, CAA, and zone-transfer restrictions all in place?
Which of my subdomains (admin., vpn., jenkins., and the like) are visible in public DNS when they shouldn't be?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Founders running their own infrastructure, marketers coordinating launches, IT admins inheriting domains from a former employee, and ops engineers troubleshooting live outages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you're flying blind on the configuration that decides whether your zone resolves consistently, validates under DNSSEC, and stays out of someone else's amplification attack. That's why running this check, even once a month, is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/dns/zone-hygiene`.
When would I actually use this?
If you're still on the fence about whether the Zone Hygiene tool belongs in your toolbox, this section is for you. Below you'll meet four real people (a DNS administrator, a platform / SRE, a network security engineer, and a compliance officer) facing four real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Single-call DNS health audit
Imagine you're a DNS administrator. Replace seven separate API (Application Programming Interface) calls (DNSSEC, CAA, zone-transfer, nsec-walkability, ns, mx, sensitive-subdomain enumeration) with one composite request. The endpoint fans out to nine independent checks in parallel, aggregates a weighted hygiene score (0–100), and returns a letter grade (A–F) alongside per-area pass/fail summaries in `checks[]`.
Why it matters: The natural top-of-funnel question — "audit my DNS (Domain Name System) in one call" — finally has a one-call answer.
Story 2: CI / pre-deploy gate
Imagine you're a platform / SRE. Block deploys (or fail a pre-flight job) when the hygiene score drops below a threshold. A grade regression from A to C between two runs almost always indicates a real configuration change — expired RRSIG (DNSSEC signature record), accidental open-resolver, leaked sensitive subdomain — caught before users see the impact.
Why it matters: Catches DNS (Domain Name System) regressions inside the deploy pipeline rather than via a customer support ticket two days later.
Story 3: Open-resolver and SOA-drift detection
Imagine you're a network security engineer. The composite probes each authoritative NS for open-recursion behavior (a common, high-impact misconfiguration that turns customer NSes into reflection-amplification weapons) and queries SOA from multiple resolvers to detect serial drift between primary and secondary nameservers. Both are silent failure modes that don't surface in normal DNS (Domain Name System) queries.
Why it matters: Surfaces two classes of high-impact misconfiguration that most DNS (Domain Name System) tooling skips entirely.
Story 4: Compliance evidence collection
Imagine you're a compliance officer. Run on a schedule against the entire domain portfolio. The composite produces dated, structured audit evidence covering DNSSEC (Domain Name System Security Extensions) posture (with cryptographic verification), CAA + Certificate Transparency cross-reference, AXFR (full zone transfer) exposure, NSEC3 parameter compliance (RFC 9276), and SOA-field validation against RIPE-203 — the major DNS-security controls auditors expect to see documented.
Why it matters: A single dated JSON (JavaScript Object Notation) snapshot per domain replaces a manual evidence-collection workflow that typically takes hours per scope.
Common situations across teams. Beyond the four stories above, here are the everyday workplace moments when people across the company reach for the Zone Hygiene tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before launching a new website or migrating to a new host.
After making any DNS change, to confirm the new settings are live everywhere.
When customers report that your site or email "just stopped working" out of nowhere.
As a recurring monthly health check to catch silent misconfigurations early.
If you can see yourself in even one of those bullets, the Zone Hygiene tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Zone Hygiene tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Zone Hygiene tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/dns/zone-hygiene?domain=example.com"
```

What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The zone apex to audit (e.g., example.com) | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The audited zone |
| nameservers | array | Authoritative nameservers |
| soa_consistency | object | Per-resolver SOA: serial, primary_ns, rname, refresh, retry, expire, minimum, error. Plus aggregate `unique_serials` array. |
| soa_field_validation | array | Per-field SOA validation against RIPE-203 bounds: { field, value, recommended_min, recommended_max, status } where status is "ok", "too_low", "too_high", or "unknown" |
| soa_drift_detected | boolean | Whether SOA serial drift was observed across resolvers |
| wildcard_detected | boolean | True when the apex has a wildcard DNS (Domain Name System) record. Sensitive-subdomain results are filtered to those whose IPs differ from the wildcard's (so genuine subdomains still surface). |
| wildcard_ips | array | IPs returned by the wildcard probe; empty for CNAME-based wildcards |
| exposed_subdomains | array | Sensitive subdomain names that resolve publicly with non-wildcard IPs. Each entry: name, ips[], record_type, cname_target. |
| exposed_count | number | Count of exposed sensitive subdomains |
| open_resolver_check | array | Per-NS open-resolver result: nameserver, IP, is_open_resolver, status. An open recursor is a reflection-amplification vector and should be disabled. |
| open_resolvers_detected | number | Number of NSes acting as open recursive resolvers |
| checks | array | Per-area check summary: { check, passed, severity_max, finding_count }. Areas: nameserver_redundancy, soa_drift, soa_fields, wildcard, sensitive_subdomains, open_resolver, DNSSEC, CAA, zone_transfer. |
| composite | object | Cross-endpoint signals: { dnssec_status, has_caa, caa_unauthorized_ct_issuers[], zone_transfer_vulnerable, nsec3_compliant } |
| hygiene_score | number | Weighted 0–100 score deducting points by finding severity (critical=30, high=18, medium=8, low=3). Drives the letter grade. |
| hygiene_grade | string | Letter grade derived from hygiene_score: A (≥90), B (≥80), C (≥70), D (≥60), F (<60) |
| findings | array | Human-readable findings with severity (critical, high, medium, low, info) |
| recommendations | array | Concrete remediation steps |
| limitations | array | Caveats about the analysis (e.g., CNAME-wildcard skip path) |
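How the wildcard filter, the `checks[]` summary, `hygiene_score` and `hygiene_grade` in the table above fit together, as an added example (not EdgeDNS code). The deduction weights and grade cut-offs are the ones the table documents; the wildcard rule is my reading of "IPs differ from the wildcard's" (a name is dropped only when every IP it returns is one the wildcard also returns); the probe results and the findings from the other checks are constructed.

```python
"""From raw probe results to checks[], hygiene_score and hygiene_grade (added example, not EdgeDNS code)."""

SEVERITY_DEDUCTION = {"critical": 30, "high": 18, "medium": 8, "low": 3, "info": 0}
SEVERITY_RANK = ["info", "low", "medium", "high", "critical"]
GRADE_CUTOFFS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]   # anything lower is F

AREAS = ["nameserver_redundancy", "soa_drift", "soa_fields", "wildcard",
         "sensitive_subdomains", "open_resolver", "dnssec", "caa", "zone_transfer"]


def filter_wildcard(probe_results, wildcard_ips):
    """Keep only sensitive names whose IPs differ from the apex wildcard's, so a
    catch-all record does not make every probed label look 'exposed'."""
    wildcard = set(wildcard_ips)
    exposed = []
    for r in probe_results:
        ips = set(r["ips"])
        if not ips:                       # NXDOMAIN or no address: nothing exposed
            continue
        if wildcard and ips <= wildcard:  # identical to *.example.com: just the wildcard
            continue
        exposed.append(r)
    return exposed


def hygiene_score(findings):
    """Start at 100 and deduct per finding by severity; never below 0."""
    return max(0, 100 - sum(SEVERITY_DEDUCTION[f["severity"]] for f in findings))


def hygiene_grade(score):
    for cutoff, grade in GRADE_CUTOFFS:
        if score >= cutoff:
            return grade
    return "F"


def summarize_checks(findings, areas):
    """One {check, passed, severity_max, finding_count} per area; an area passes
    when it produced nothing above 'info'."""
    out = []
    for area in areas:
        sev = [f["severity"] for f in findings if f["check"] == area]
        out.append({"check": area,
                    "passed": all(s == "info" for s in sev),
                    "severity_max": max(sev, key=SEVERITY_RANK.index) if sev else None,
                    "finding_count": len(sev)})
    return out


def audit(probes, wildcard_ips, other_findings):
    """Turn the subdomain probe into findings, merge with the other checks' findings,
    then score and grade the whole zone."""
    findings = list(other_findings)
    for r in filter_wildcard(probes, wildcard_ips):
        findings.append({"check": "sensitive_subdomains", "severity": "medium",
                         "message": f"{r['name']} resolves publicly to {', '.join(r['ips'])}"})
    score = hygiene_score(findings)
    return {"checks": summarize_checks(findings, AREAS),
            "hygiene_score": score,
            "hygiene_grade": hygiene_grade(score),
            "exposed_count": sum(1 for f in findings if f["check"] == "sensitive_subdomains")}


# Constructed probe results for an apex whose wildcard points at 203.0.113.10.
WILDCARD_IPS = ["203.0.113.10"]
PROBES = [
    {"name": "admin.example.com", "ips": ["203.0.113.10"], "record_type": "A", "cname_target": None},
    {"name": "vpn.example.com", "ips": ["198.51.100.7"], "record_type": "A", "cname_target": None},
    {"name": "jenkins.example.com", "ips": [], "record_type": None, "cname_target": None},
    {"name": "kibana.example.com", "ips": ["203.0.113.10", "203.0.113.11"], "record_type": "A", "cname_target": None},
]

# Constructed findings from the other check areas.
OTHER_FINDINGS = [
    {"check": "open_resolver", "severity": "high", "message": "ns2.example.com answers recursive queries"},
    {"check": "soa_fields", "severity": "low", "message": "retry 600s is below the recommended 7200s"},
    {"check": "dnssec", "severity": "info", "message": "DNSSEC validates: secure"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(PROBES, WILDCARD_IPS, OTHER_FINDINGS), indent=2))
```

With these inputs `admin.` is swallowed by the wildcard, `jenkins.` does not resolve, and `vpn.` and `kibana.` are reported (the latter because it returns an address the wildcard does not). Two medium findings, one high and one low deduct 37 points, which lands the zone at 63 and a D, one open-resolver fix away from a B.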
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
API (Application Programming Interface) — A way for one program to ask another program for something — like a waiter taking your order to the kitchen.
RRSIG (Resource Record Signature) — The digital signature attached to a DNS record set. Validators verify the signature against the zone's public key (the DNSKEY) using the algorithm in the RRSIG header.
DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.
VPN (Virtual Private Network) — A service that hides your real IP address by routing your internet traffic through someone else's server first. Used for privacy, getting around region locks, and connecting to work networks.
JSON (JavaScript Object Notation) — A lightweight format for sending data between programs. Looks like { "name": "example", "age": 5 }. Used by basically every modern web API.
RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.
AXFR (full zone transfer) — The DNS query type and protocol for transferring an entire zone from one authoritative nameserver to another (RFC 5936). When an attacker can run AXFR, they get a complete dump of every record in the zone.