SOA record: Difference between revisions
Kai e'Kael (talk | contribs) m →Structure: Corrected order, explained '@' meaning. |
Kai e'Kael (talk | contribs) →Structure: Clarified '@' source. |
||
Line 9: | Line 9: | ||
== Structure == |
== Structure == |
||
; NAME: Name of the zone. '@' is a shortcut to match previous record. |
; NAME: Name of the zone. '@' is a shortcut to match previous record in [[BIND]] syntax. |
||
; CLASS: Zone class (all but universally IN for internet) |
; CLASS: Zone class (all but universally IN for internet) |
||
; TYPE: SOA, abbreviation for ''start of authority'' |
; TYPE: SOA, abbreviation for ''start of authority'' |
Revision as of 16:42, 24 July 2023
A start of authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.[1]
Background
Normally DNS name servers are set up in clusters. The database within each cluster is synchronized through zone transfers. The SOA record for a zone contains data to control the zone transfer. This is the serial number and different timespans.
It also contains the email address of the responsible person for this zone, as well as the name of the primary master name server. Usually the SOA record is located at the top of the zone. A zone without a SOA record does not conform to the standard required by RFC 1035.
Structure
- NAME
- Name of the zone. '@' is a shortcut to match previous record in BIND syntax.
- CLASS
- Zone class (all but universally IN for internet)
- TYPE
- SOA, abbreviation for start of authority
- TTL
- Time-to-live
- MNAME
- Primary master name server for this zone
- UPDATE requests should be forwarded toward the primary master[2]
- NOTIFY requests propagate outward from the primary master[3]
- RNAME
- Email address of the administrator responsible for this zone. (As usual, the email address is encoded as a name. The part of the email address before the
@
becomes the first label of the name; the domain name after the@
becomes the rest of the name. In zone-file format, dots in labels are escaped with backslashes; thus the email addressjohn.doe@example.com
would be represented in a zone file asjohn\.doe.example.com
.) - SERIAL
- Serial number for this zone. If a secondary name server slaved to this one observes an increase in this number, the slave will assume that the zone has been updated and initiate a zone transfer.
- REFRESH
- Number of seconds after which secondary name servers should query the master for the SOA record, to detect zone changes. Recommendation for small and stable zones:[4] 86400 seconds (24 hours).
- RETRY
- Number of seconds after which secondary name servers should retry to request the serial number from the master if the master does not respond. It must be less than Refresh. Recommendation for small and stable zones:[4] 7200 seconds (2 hours).
- EXPIRE
- Number of seconds after which secondary name servers should stop answering request for this zone if the master does not respond. This value must be bigger than the sum of Refresh and Retry. Recommendation for small and stable zones:[4] 3600000 seconds (1000 hours).
- MINIMUM
- Used in calculating the time to live for purposes of negative caching. Authoritative name servers take the smaller of the SOA TTL and the SOA MINIMUM to send as the SOA TTL in negative responses. Resolvers use the resulting SOA TTL to understand for how long they are allowed to cache a negative response. Recommendation for small and stable zones:[4] 172800 seconds (2 days). Originally this field had the meaning of a minimum TTL value for resource records in this zone; it was changed to its current meaning by RFC 2308.[5]
Sample SOA record
Sample SOA record for example.org, in BIND syntax.
$TTL 86400 @ IN SOA ns.icann.org. noc.dns.icann.org. ( 2020080302 ;Serial 7200 ;Refresh 3600 ;Retry 1209600 ;Expire 3600 ;Negative response caching TTL )
Serial number changes
Several methods have been established for updates to the SERIAL field of a zone's SOA record:
- The serial number begins at 1, and is simply incremented at every change.
- The serial number contains the date of the last change (in ISO 8601 basic format) followed by a two-digit counter (e.g. 2017031405 is the fifth change dated 14 March 2017). This method is recommended in RFC 1912.[6]
- The serial number is the time of last modification to the zone's data file expressed as the number of seconds since the UNIX epoch. This method is used by default in the djbdns suite.[7] Although it uses a 32-bit counter, it is not susceptible to the year 2038 problem due to the effect of serial number arithmetic.
References
- ^ Mockapetris, P.V. (November 1987). "RFC 1035 — Domain names - implementation and specification". doi:10.17487/RFC1035. Retrieved 2017-12-28.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Thomson, S.; Rekhter, Y.; Bound, J.; Bound, J. (April 1997). Vixie, P (ed.). "RFC 2136 — Dynamic Updates in the Domain Name System (DNS UPDATE)". doi:10.17487/RFC2136. Retrieved 2017-12-28.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Vixie, P. (August 1996). "RFC 1996 — A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)". doi:10.17487/RFC1996. Retrieved 2017-12-28.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ a b c d "RIPE 203 — Recommendations for DNS SOA Values". 1999-06-07. Retrieved 2017-12-28.
These recommendations are aimed at small and stable DNS zones.
- ^ Andrews, M. (March 1998). "RFC 2308 — Negative Caching of DNS Queries (DNS NCACHE)". doi:10.17487/RFC2308. Retrieved 2017-12-28.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Barr, D. (February 1996). "RFC 1912 — Common DNS Operational and Configuration Errors". doi:10.17487/RFC1912. Retrieved 2017-12-28.
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Bernstein, D.J. "How to run a DNS server in place of an existing BIND server". Retrieved 2023-03-13.