DNS: SOA records

This is heavily based on the following URL. For a thorough description of the SOA record see RFC 1035.

http://zytrax.com/books/dns/ch8/soa.html

Typical SOA record from a DoIT-run DNS server

$TTL 14400
@                  IN   SOA     adns0.doit.wisc.edu. hostmaster.doit.wisc.edu.  (
                                2009012907   ; Serial (yyyymmdd##)
                                7200         ; Refresh (2h = 7200s)
                                1800         ; Retry (30m = 1800s)
                                3628800      ; Expire (6w = 3628800s)
                                600 )        ; Minimum (10m = 600s)
                        IN      NS      adns1.doit.wisc.edu.
                        IN      NS      adns2.doit.wisc.edu.
                        IN      NS      adns3.doit.wisc.edu.

What do these fields mean?

$ {TIME TO LIVE}
{ZONE NAME}        {CLASS} {RESOURCE RECORD}  {NAMESERVER} {EMAIL}  (
                                {SERIAL NUMBER} ; Serial (yyyymmdd##)
                                {REFRESH}       ; Refresh (2h = 7200s)
                                {RETRY}         ; Retry (30m = 1800s)
                                {EXPIRY}        ; Expire (6w = 3628800s)
                                {MINIMUM})      ; Minimum (10m = 600s)

Specific comments about some of these fields.

  • email-addr: Email address of the person responsible for this zone. RFC 2142 suggests that the reserved mailbox hostmaster be used for this purpose.
  • serial number: Unsigned 32 bit value in the range 1 to 4294967295 with a maximum increment of 2147483647. In BIND implementations this is defined to be a 10 digit field. This value MUST change when any resource record in the zone file is updated. The convention is to use a date based value to simplify this task, the most popular being yyyymmddss where yyyy = year, mm = month, dd = day and ss = a sequence number in case you update it more than once in the day. Using this date format, the value 2005021002 means the last update was on 10 February 2005 and it was the third update that day.
  • refresh: Signed 32 bit time value in seconds. Indicates the time when the secondary will try to refresh the zone from the primary server. In reality all zone updates will occur via the 'NOTIFY' mechanism, so this refresh is generally useful only when there is a problem in the network/DNS system itself and is a way to ensure that an update is not missed.
  • retry: Signed 32 bit value in seconds. It defines the time between retries if the secondary server fails to contact the primary server when refresh (above) has expired.
  • expiry: Signed 32 bit value in seconds. Indicates when the zone data is no longer authoritative. Applies to secondary servers only. BIND secondaries stop responding to queries for the zone when this time has expired and no contact has been made with the primary. This counter is reset to zero whenever the secondary is able to contact the primary. If the secondary fails to contact the primary it will retry every retry period but continue to supply authoritative data for the zone until the expiry value is reached, at which point it will stop answering queries for the domain.
  • minimum: Signed 32 bit value in seconds. RFC 2308 redefined this value to be the negative caching time, the time a NAME ERROR = NXDOMAIN answer is cached.

TTL and SOA Minimum

The purpose of the "minimum" field of the SOA has changed over the last decade. Historically, BIND used the minimum value as the default TTL of records in the zone file. In more recent versions of BIND, the default TTL is set with $TTL at the top of the zone file. The SOA minimum now indicates how long a remote caching DNS server should cache NEGATIVE answers.

If a recursive DNS server were to query one of the doit.wisc.edu authoritative servers for an existing A record, it would get back the answer with a TTL of 14400 seconds. That recursive server can then cache that answer for up to 4 hours (14400s) and can give out that answer without having to query the doit.wisc.edu authoritative servers again.

Say I've asked the hostmaster to create a new A record for me, lewis.doit.wisc.edu. If a recursive server queries for this A record before it is created, the authoritative doit.wisc.edu name servers will respond back that the name doesn't exist. The recursive server can now cache this NEGATIVE answer for up to the 600 seconds specified in the MINIMUM SOA record for doit.wisc.edu. If this recursive server gets asked again in less than 600 seconds for the A record for lewis.doit.wisc.edu, the recursive server can reply the name doesn't exist without having to query the authoritative server for doit.wisc.edu again.

You generally don't want to use a large value for your SOA minimum. The 600 seconds that DoIT uses is sufficiently small. Large MINIMUM values can cause confusion when a recursive server caches an NXDOMAIN answer for a long period of time.

Example:

[m7h@adns0]$ head doit.wisc.edu
> $TTL 14400
> @               IN   SOA     adns0.doit.wisc.edu. hostmaster.doit.wisc.edu.  (
>                                 2009091802   ; Serial (yyyymmdd##)
>                                 7200         ; Refresh (2h = 7200s)
>                                 1800         ; Retry (30m = 1800s)
>                                 3628800      ; Expire (6w = 3628800s)
>                                 600 )        ; Minimum (10m = 600s)
>                         IN      NS      adns1.doit.wisc.edu.
>                         IN      NS      adns2.doit.wisc.edu.
>                         IN      NS      adns3.doit.wisc.edu.
> 
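A small parser and checker for the fields described above, added here as an example and not part of the original page: it reads the doit.wisc.edu SOA shown (constructed inline from the record on this page), converts the RNAME to an e-mail address, compares serials with RFC 1982 serial arithmetic (which is where the "maximum increment of 2147483647" comes from), decodes the yyyymmddss convention, and computes the negative-caching time as RFC 2308 defines it, min(SOA MINIMUM, TTL of the SOA record).

```python
import re
from datetime import date
# Constructed sample: the doit.wisc.edu SOA shown on this page.
ZONE = """$TTL 14400
@   IN   SOA   adns0.doit.wisc.edu. hostmaster.doit.wisc.edu.  (
        2009012907   ; Serial (yyyymmdd##)
        7200         ; Refresh (2h = 7200s)
        1800         ; Retry (30m = 1800s)
        3628800      ; Expire (6w = 3628800s)
        600 )        ; Minimum (10m = 600s)
"""
SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

def parse_soa(zone_text):
    """Return $TTL, MNAME, RNAME and the five numeric SOA fields as a dict."""
    text = "\n".join(l.split(";", 1)[0] for l in zone_text.splitlines())  # drop comments
    ttl = int(re.search(r"^\$TTL\s+(\d+)", text, re.M).group(1))
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", text)
    if not m:
        raise ValueError("no SOA record found")
    nums = [int(x) for x in m.group(3).split()]
    if len(nums) != 5:
        raise ValueError("SOA needs exactly five numeric fields")
    rec = {"ttl": ttl, "mname": m.group(1), "rname": m.group(2)}
    rec.update(zip(SOA_FIELDS, nums))
    return rec

def rname_to_email(rname):
    """hostmaster.doit.wisc.edu. -> hostmaster@doit.wisc.edu (first unescaped dot is '@')."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    return local.replace("\\.", ".") + "@" + domain

def serial_is_newer(old, new):
    # RFC 1982: `new` is accepted only if it is ahead of `old` by 1..2^31-1 modulo 2^32.
    return 0 < (new - old) % 2**32 < 2**31

def decode_date_serial(serial):
    """Interpret a yyyymmddss serial; returns (date, sequence) or None if not date-shaped."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
    except ValueError:
        return None

def negative_cache_ttl(rec):
    """RFC 2308: an NXDOMAIN is cached for min(SOA MINIMUM, TTL of the SOA record itself)."""
    return min(rec["minimum"], rec["ttl"])
```

With the DoIT values the negative-caching time comes out as 600 seconds, matching the explanation above; a serial that goes backwards (or jumps by 2^31 or more) is rejected by serial_is_newer, which is why secondaries silently keep old data after such a mistake.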

Keywords: DNS: SOA records
Doc ID: 8950
Owned by: Tim C. in DDI
Created: 2009-01-29
Updated: 2022-05-23
Sites: DNS, DHCP, and IPAM, Network Services, Systems & Network Control Center