The presence of several hundred or even thousands of DNS records in the same DNS zone is not a problem in itself, because of the way DNS works: these records are spread across many different sub-domains and record types (A, CNAME, AAAA, MX, TXT, etc.).
Resolvers never request an entire DNS zone; they query only the specific record, at the specific name, that the requesting client asked for.
Besides DNS records used for websites or other services, it is also common to find ‘validation’ records in a DNS zone.
These DNS records, usually CNAME or TXT, are requested by third-party service providers, who look them up in the DNS zone to check that their customer really controls the domain name in question.
Although these records are only needed once, in practice they are often left in the DNS zone afterwards.
The gradual accumulation of DNS records of the same type on the same domain or sub-domain can have undesirable effects over time.
Let’s take a record that is as common as it is sensitive: the SPF (Sender Policy Framework) record. It takes the form of a TXT record, usually placed at the root (apex) of a domain name, and helps to protect against sender spoofing, reduce spam and improve email deliverability, among other things.
However, over the years, numerous verification TXT records can also be added to the root of the domain name in its DNS zone, as and when third-party providers request them. If these TXT records are left in the zone, the size of the responses that the authoritative name servers return to resolvers – when queried for the root TXT records, in our example – grows accordingly.
Beyond a certain point, this leads to more timeouts on the resolver side: once the response exceeds what a single UDP packet can reliably carry, it may be fragmented or dropped along the way and never reach the resolver. The requested TXT record is then not found, even though the zone is perfectly functional and the name servers are operational.
If the resolver cannot obtain the SPF TXT record, the consequences for emails sent with the domain name in the sender’s address are real.
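To make the size effect concrete, here is an added example (not from the original post) that estimates the wire size of the answer to an apex TXT query, following the RFC 1035 record layout, and flags records that look like leftover verification tokens. The apex name, the sample records and the token patterns are constructed for the example.

```python
import re

# UDP payload limits: the classic 512-byte limit of RFC 1035 and the
# 1232-byte EDNS buffer size recommended since DNS Flag Day 2020.
UDP_CLASSIC = 512
UDP_EDNS_SAFE = 1232

# Hypothetical patterns for one-time ownership-validation tokens (constructed).
VERIFICATION_PATTERNS = [
    r"^[a-z0-9-]+-site-verification=",
    r"^[a-z0-9-]+-domain-verification=",
    r"^[a-z0-9-]+-verification=",
]

def name_wire_len(name):
    """Uncompressed wire length of a domain name: one length byte per label + root."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def txt_rdata_len(text):
    """TXT RDATA is one or more <length><bytes> strings of at most 255 bytes each."""
    data = text.encode()
    return len(data) + ((len(data) + 254) // 255 or 1)

def txt_response_size(apex, records, edns=True):
    """Approximate wire size of the answer to 'apex TXT' with all records included."""
    size = 12 + name_wire_len(apex) + 4               # header + question section
    for r in records:                                 # owner name is a 2-byte pointer,
        size += 2 + 2 + 2 + 4 + 2 + txt_rdata_len(r)  # then TYPE, CLASS, TTL, RDLENGTH, RDATA
    return size + (11 if edns else 0)                 # OPT pseudo-RR when EDNS is in use

def is_verification_record(text):
    return any(re.match(p, text, re.IGNORECASE) for p in VERIFICATION_PATTERNS)

def audit(apex, records):
    """Return (size_now, size_after_purge, leftovers) for the apex TXT RRset."""
    leftovers = [r for r in records if is_verification_record(r)]
    keep = [r for r in records if r not in leftovers]
    return txt_response_size(apex, records), txt_response_size(apex, keep), leftovers

# Constructed sample zone: one SPF record plus 20 forgotten validation tokens.
APEX = "example.com."
SAMPLE_RECORDS = ["v=spf1 include:_spf.example.net -all"] + [
    f"provider{i:02d}-site-verification=" + "x" * 40 for i in range(20)
]

if __name__ == "__main__":
    now, after, leftovers = audit(APEX, SAMPLE_RECORDS)
    for label, size in (("before purge", now), ("after purge", after)):
        verdict = "exceeds a 1232-byte UDP reply" if size > UDP_EDNS_SAFE else "fits a 1232-byte UDP reply"
        print(f"{label}: {size} bytes ({verdict})")
    print(f"{len(leftovers)} leftover verification TXT records found")
```

Run against a real zone by replacing SAMPLE_RECORDS with the TXT strings exported from the apex; any size above the EDNS buffer your resolvers advertise is a candidate for the timeouts described above.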
On the other hand, regularly removing obsolete DNS records from a DNS zone can significantly improve response time to DNS requests.
Below is an example of the before-and-after effect on the DNS zone of a client’s main domain name. On 21st November 2024, the DNS zone was purged of all obsolete verification TXTs that were still installed on the root of the domain name.
The graph below shows the response times observed. The red lines correspond to timeouts obtained by the probes. The response time may vary depending on the configuration of the network equipment or services performing the queries:
Verdict: There is a clear improvement in response time once the DNS zone has been ‘cleaned’.
Although specific, the practical case above is likely to arise for any domain name whose DNS zone contains too many obsolete DNS TXT records on the same domain.
However, this seems fairly easy to prevent: deleting obsolete DNS records about once a year should be more than enough.
IP Twins help you manage your domain name portfolios and related zones. Our teams are available for any question about your DNS zones and their administration.