# DNS (Authoritative)
Service ownership
Owner: network-platform (network-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
Hosted authoritative DNS, sovereign-resident, with GeoDNS, DNSSEC, and an API.
## What it is
Bring your domain (or buy through a partner registrar — Cloud Digit doesn't directly register domains). Delegate to Cloud Digit's authoritative nameservers. Manage zones via console, CLI, API, or Terraform.
## Nameservers
- `ns1.dns.clouddigit.ai` — Dhaka anycast
- `ns2.dns.clouddigit.ai` — Chattogram anycast
- `ns3.dns.clouddigit.ai` — Sylhet anycast
All three answer for every zone — pick all three at the registrar for full anycast coverage.
## Record types
A, AAAA, CNAME, MX, TXT, SRV, NS, PTR (in-addr-arpa), CAA, SVCB, HTTPS.
## Features
- DNSSEC — opt-in per zone; we publish the DS, you upload at the registrar
- GeoDNS — answer differently based on resolver geography (e.g., serve Dhaka resolvers from a Dhaka LB, Chittagong resolvers from a Chittagong LB)
- Health checks → DNS failover — answer A/AAAA records based on endpoint health
- Alias records — apex `clouddigit.ai → some-lb.bd-dha-1.clouddigit.ai`, no CNAME-flattening gymnastics
- API + Terraform for record management
- Zone signing rotation automated for DNSSEC zones
## Zone limits
| Resource | Default per project | Cap (bumpable) |
|---|---|---|
| Zones | 50 | 500 |
| Records per zone | 5,000 | 50,000 |
| Queries per second | 25,000 | unlimited (fair use) |
## Pricing
Per-zone-month + per-million-queries. Health-check-driven DNS failover billed at a small additional rate per check. See Pricing.
## Related
- Load Balancer — DNS often points at LBs
- CDN — CNAME pattern at zone apex via alias records
## Operate this service
Authoritative DNS hosting for your domains, with health-checked records, geo-routing, and DNSSEC.
## Zone organization
- One zone per domain (`acme.com`, `acme-staging.com`)
- Use the same provider for production and staging zones — reduces cognitive load
- For DR: secondary nameservers (Cloud Digit + an external provider) — but most outages don't touch the DNS layer
## IAM
| Role | Can do |
|---|---|
| `dns.viewer` | List zones, read records |
| `dns.editor` | Add / modify / delete records |
| `dns.zone-admin` | Manage zones, NS delegation |
| `dns.dnssec-admin` | DNSSEC key management |
`dns.editor` is the day-to-day role; `dns.zone-admin` is rarely needed and should be granted sparingly.
## DNSSEC
Enable per-zone:
```bash
cd dns zone dnssec enable --zone acme.com
# Returns DS records to add at the registrar
```
Then update the DS at the registrar (manual step; registrar interfaces vary). Verify through a validating resolver and check that the response carries the `ad` flag:
```bash
dig +dnssec acme.com SOA @1.1.1.1
```
DNSSEC key rotation is automatic (yearly KSK rollover).
## Default TTLs
| Record type | Recommended TTL |
|---|---|
| A / AAAA (with FIP backing) | 300 s (5 min) |
| A / AAAA (static, never moves) | 86400 s (1d) |
| MX | 3600 s |
| NS | 86400 s |
| TXT (SPF/DKIM) | 3600 s |
Lower TTL = faster propagation, higher resolver load (and higher Cloud Digit DNS bill).
## Imports and migrations
Bulk import via BIND zone file:
```bash
cd dns zone import --zone acme.com --file acme.com.zone
```
Migrations from external providers: dual-host (both providers authoritative) for 1 week; verify all clients see consistent answers; then change registrar NS to Cloud Digit only.
## Metrics
| Metric | Healthy | Alert |
|---|---|---|
| `dns.queries_per_sec` | varies by zone | sudden 10× spike (NXDOMAIN flood?) |
| `dns.nxdomain_pct` | < 5% | > 20% |
| `dns.health_check_passing` | true for all | any failing |
| `dns.dnssec_validation_failures` | 0 | > 0 |
## Health-checked records
For DR-grade reliability: associate a record with a health check.
```bash
cd dns record put --zone acme.com \
  --name www --type A --value 103.5.7.43 \
  --health-check-url https://www.acme.com/health \
  --failover-value 103.6.8.55
```
When the health check fails, the record auto-flips to the failover value. Propagation respects TTL — keep TTL low (≤ 60 s) for fast failover.
## Geo-routing
Route BD clients to BD edges, international clients elsewhere:
```bash
cd dns record put --zone acme.com \
  --name www --type A \
  --geo bd --value 103.5.7.43 \
  --geo default --value 198.51.100.5
```
Useful when you have BD edge + international edge and want each audience served close.
## Record auditing
```bash
cd dns zone audit --zone acme.com
```
Reports:
- Records pointing at deleted IPs
- Records with TTL too low (< 60 s) or too high (> 7 d)
- SPF/DKIM/DMARC misconfigurations
- DNSSEC signature freshness
Run monthly.
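To show what such an audit has to do under the hood, here is an added example (not Cloud Digit's `cd dns zone audit`, and not code from this page) that parses a small BIND-format zone and flags the same classes of finding: out-of-range TTLs, duplicate SPF, a missing DMARC record, CNAME misuse, and A/AAAA records whose address is not in a set of addresses the project is known to own (the "deleted IP" case; the set is an assumption, in practice it would come from the provider's inventory). The zone text is constructed for the example.

```python
import re
from collections import defaultdict

TTL_MIN, TTL_MAX = 60, 7 * 86400  # the audit thresholds the page states: < 60 s, > 7 d

# Constructed sample zone (not from the page); it deliberately contains findings.
SAMPLE_ZONE = """\
$ORIGIN acme.com.
$TTL 3600
@        86400 IN SOA  ns1.dns.clouddigit.ai. hostmaster.acme.com. ( 2026051101 7200 900 1209600 300 )
@        86400 IN NS   ns1.dns.clouddigit.ai.
@        86400 IN NS   ns2.dns.clouddigit.ai.
@        86400 IN NS   ns3.dns.clouddigit.ai.
www      30    IN A    103.5.7.43        ; TTL too low
legacy   864000 IN A   198.51.100.9      ; TTL too high, address no longer ours
@        3600  IN TXT  "v=spf1 include:_spf.example.net -all"
@        3600  IN TXT  "v=spf1 ip4:103.5.7.0/24 ~all" ; second SPF record
mail           IN MX   10 mx1.acme.com.
"""


def _strip_comment(line):
    """Drop a ';' comment unless it sits inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def parse_zone(text):
    """Minimal single-line-record BIND parser: honours $ORIGIN, $TTL, '@' and blank owner names."""
    origin, default_ttl, last_name, records = None, None, None, []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        tokens = line.split()
        name = last_name if raw[0].isspace() else tokens.pop(0)
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        fqdn = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        records.append({"name": fqdn.lower(), "ttl": ttl, "type": rtype, "rdata": rdata})
        last_name = name
    return origin, records


def audit_zone(text, known_ips=None):
    """Return (owner, code, detail) findings. known_ips is an assumed inventory of addresses
    the project still owns; when given, A/AAAA records outside it are reported as dangling."""
    origin, records = parse_zone(text)
    findings, by_name = [], defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)
        if r["ttl"] < TTL_MIN:
            findings.append((r["name"], "ttl-low", f"{r['type']} TTL {r['ttl']}s < {TTL_MIN}s"))
        elif r["ttl"] > TTL_MAX:
            findings.append((r["name"], "ttl-high", f"{r['type']} TTL {r['ttl']}s > {TTL_MAX}s"))
        if known_ips is not None and r["type"] in ("A", "AAAA") and r["rdata"] not in known_ips:
            findings.append((r["name"], "dangling-ip", f"{r['rdata']} is not an address this project owns"))
    for name, rs in by_name.items():
        spf = [r for r in rs if r["type"] == "TXT" and re.match(r'"?v=spf1\b', r["rdata"])]
        if len(spf) > 1:
            findings.append((name, "spf-multiple", f"{len(spf)} SPF TXT records; RFC 7208 allows one"))
        types = {r["type"] for r in rs}
        if "CNAME" in types and len(rs) > 1:
            findings.append((name, "cname-mixed", "CNAME coexists with other records"))
        if "CNAME" in types and name == origin.lower():
            findings.append((name, "cname-apex", "CNAME at zone apex; use an alias record instead"))
    dmarc_name = f"_dmarc.{origin}".lower()
    if not any(r["type"] == "TXT" for r in by_name.get(dmarc_name, [])):
        findings.append((dmarc_name, "dmarc-missing", "no DMARC TXT record"))
    return findings


if __name__ == "__main__":
    for owner, code, detail in audit_zone(SAMPLE_ZONE, known_ips={"103.5.7.43"}):
        print(f"{code:14} {owner:22} {detail}")
```

The dangling-address check is the one worth wiring to real inventory: a record that still names an address you have released is the classic precondition for someone else ending up behind your hostname, so feed it the project's current floating-IP list rather than a hard-coded set.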
## Bulk operations
Use the BIND zone file format for bulk edits:
```bash
cd dns zone export --zone acme.com > acme.com.zone
# edit
cd dns zone import --zone acme.com --file acme.com.zone --replace
# Diff displayed, confirm before apply
```
## Record updated but resolver shows old value
DNS is cached. Wait for the TTL to expire, or query the authoritative server directly:
```bash
dig @ns1.cloudigit.bd acme.com A   # Authoritative answer
dig @1.1.1.1 acme.com A            # Cached
```
If authoritative is correct and cached is stale: cache TTL must elapse. Set TTL low before the planned change, then revert.
## DNSSEC validation failures
WARN: dns.dnssec_validation_failures > 0
- DS record at registrar mismatches Cloud Digit's published KSK
- Manually re-publish DS: console DNS → Zone → DNSSEC → DS records
- Update at registrar; verify with `dig +dnssec`
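The mismatch case above is easy to confirm offline: a DS record is just a hash over the owner name and the DNSKEY RDATA, so you can recompute it from the KSK the zone actually serves and compare it with what the parent publishes. The following is an added example, not Cloud Digit tooling or code from this page; it uses only the standard library, implements the RFC 4034 key tag and DS digest, and runs on a constructed sample key (a real one comes from `dig DNSKEY acme.com`, and the DS at the parent from `dig DS acme.com`).

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_dnskey(pubkey_bytes, flags=257, algorithm=13):
    """Build a DNSKEY tuple (flags, protocol, algorithm, base64 key); 257 = KSK, protocol is always 3."""
    return (flags, 3, algorithm, base64.b64encode(pubkey_bytes).decode())


# Constructed sample KSK for acme.com; the key bytes are made up for the example.
SAMPLE_OWNER = "acme.com."
SAMPLE_KSK = make_dnskey(bytes(range(64)))


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, uppercase hex digest) derived from a DNSKEY.
    The digest is taken over the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds_line(line):
    """Parse a DS line as printed by dig ('acme.com. 3600 IN DS 1038 13 2 ABCD ...');
    dig may split the digest into several space-separated chunks, so they are re-joined."""
    fields = line.split()
    idx = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return (tag, alg, dtype, "".join(fields[idx + 4:]).upper())


def ds_matches(registrar_ds, owner, dnskey):
    """True when the DS published at the parent was derived from this DNSKEY."""
    return registrar_ds == ds_from_dnskey(owner, *dnskey, digest_type=registrar_ds[2])


if __name__ == "__main__":
    expected = ds_from_dnskey(SAMPLE_OWNER, *SAMPLE_KSK)
    print("expected DS for sample KSK:", expected)
    print("matches rotated key?", ds_matches(expected, SAMPLE_OWNER, make_dnskey(bytes(range(1, 65)))))
```

A mismatch after an automatic KSK rollover is exactly the symptom the alert above describes: the key tag in the parent's DS no longer equals the tag of the KSK in the zone's DNSKEY RRset, so validating resolvers return SERVFAIL until the new DS is published.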
## NXDOMAIN flood
`dns.queries_per_sec` spike with high `dns.nxdomain_pct`:
- Random-subdomain DDoS — enable DDoS Premium for DNS
- Misconfigured client sending garbage queries — find via logs
```bash
cd dns log query --zone acme.com --type nxdomain --top 50
```
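The two causes listed above look the same on the metrics but different in the query log: a random-subdomain flood is many distinct names from few sources, while a misconfigured client repeats the same handful of bad names. Here is an added example (not Cloud Digit's `cd dns log query`, and not code from this page) that runs the page's alert conditions, a 10× QPS spike against the preceding minutes combined with NXDOMAIN above 20%, over a constructed query log, then profiles NXDOMAIN sources by distinct-name count to tell the two apart. The log line format (`timestamp client qname qtype rcode`) is an assumption for the example.

```python
from collections import Counter, defaultdict
from statistics import median

SPIKE_FACTOR = 10        # page: "sudden 10x spike" on dns.queries_per_sec
NXDOMAIN_ALERT_PCT = 20  # page: alert when dns.nxdomain_pct > 20%


def build_sample_log():
    """Constructed log: three quiet minutes, then one minute of random-subdomain queries."""
    lines = []
    for minute in range(3):
        for i in range(60):
            rcode = "NXDOMAIN" if i % 30 == 0 else "NOERROR"  # ~3% typos is normal
            name = f"typo{i}.acme.com." if rcode == "NXDOMAIN" else "www.acme.com."
            lines.append(f"2026-05-11T10:0{minute}:{i:02d}Z 203.0.113.{i % 5 + 1} {name} A {rcode}")
    for i in range(700):
        rcode = "NXDOMAIN" if i < 600 else "NOERROR"
        name = f"r{i:04x}.acme.com." if rcode == "NXDOMAIN" else "www.acme.com."
        lines.append(f"2026-05-11T10:03:{i % 60:02d}Z 198.51.100.77 {name} A {rcode}")
    return lines


def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return {"minute": ts[:16], "client": client, "qname": qname, "qtype": qtype, "rcode": rcode}


def per_minute_stats(lines):
    """Per-minute query rate and NXDOMAIN percentage, the two metrics the alert table uses."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0})
    for rec in map(parse_line, lines):
        b = buckets[rec["minute"]]
        b["total"] += 1
        b["nx"] += rec["rcode"] == "NXDOMAIN"
    return {m: {"qps": v["total"] / 60, "nxdomain_pct": 100 * v["nx"] / v["total"]}
            for m, v in sorted(buckets.items())}


def detect_nxdomain_flood(lines):
    """Alert on any minute whose QPS is >= SPIKE_FACTOR x the median of earlier minutes
    and whose NXDOMAIN share exceeds NXDOMAIN_ALERT_PCT."""
    stats = per_minute_stats(lines)
    minutes, alerts = list(stats), []
    for idx, m in enumerate(minutes):
        history = [stats[p]["qps"] for p in minutes[:idx]]
        if not history:
            continue  # no baseline yet
        base, s = median(history), stats[m]
        if s["qps"] >= SPIKE_FACTOR * base and s["nxdomain_pct"] > NXDOMAIN_ALERT_PCT:
            alerts.append({"minute": m, "qps": s["qps"], "baseline_qps": base,
                           "nxdomain_pct": s["nxdomain_pct"]})
    return alerts


def nxdomain_profile(lines):
    """Per client: (NXDOMAIN count, distinct NXDOMAIN names). Many distinct names from one client
    points at a random-subdomain flood; a few names repeated points at a misconfigured client."""
    counts, names = Counter(), defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["rcode"] == "NXDOMAIN":
            counts[rec["client"]] += 1
            names[rec["client"]].add(rec["qname"])
    return {client: (counts[client], len(names[client])) for client in counts}


if __name__ == "__main__":
    log = build_sample_log()
    for alert in detect_nxdomain_flood(log):
        print("ALERT", alert)
    for client, (count, distinct) in sorted(nxdomain_profile(log).items(), key=lambda kv: -kv[1][0]):
        print(f"{client:16} nxdomain={count:4} distinct_names={distinct}")
```

With a real export, the `(count, distinct)` pair is what decides the response: a source with hundreds of distinct NXDOMAIN names is the DDoS case for DDoS Premium, while a source repeating two or three names is the client to go and fix.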
## Health check flapping
A health-checked record flips every few minutes:
- Health check threshold too tight (single bad sample fails). Raise to "2 of 3 fail"
- Application is genuinely intermittent — fix the app, not the health check
- Health check originating from a single region — cross-region health checks reduce false flaps
## Zone delegation broken after registrar change
After moving the domain registrar, NS records at the parent stopped pointing to Cloud Digit. Symptoms: `dig acme.com NS` returns the old provider; recursive resolvers can't find the authoritative servers.
Fix at the registrar UI:
- NS1: `ns1.cloudigit.bd`
- NS2: `ns2.cloudigit.bd`
- NS3 / NS4: additional Cloud Digit nameservers (from console)
Propagation: 24–48 h via the gTLD.
## Geo-routing returning wrong region
The IP→country database lags reality by ~30 days. If a BD ISP launches a new netblock, geo-routing may misclassify clients for a few weeks. Workaround: add the netblock manually:
```bash
cd dns geo override add \
  --zone acme.com \
  --cidr 103.140.0.0/22 \
  --country bd
```