DNSSOA

SOA stands for Start Of Authority. It is a Resource Record (RR), or simply put a "line" in the zone file with the SOA type, that declares the following information:

  1. Which name server is responsible for this zone? (the primary authoritative answerer). Any name server named here MUST also have an NS record in the same zone file.
  2. Who is responsible for it?
  3. For how long should the DNS client hold the information in its cache?
  4. For how long should the DNS client hold negative information in its cache? (negative information is information about the non-existence of a name, or simply put an NXDOMAIN answer).
  5. A serial number that is compared against the slaves' copy. If this number changes, the slaves detect that the serial number is higher and automatically catch up by initiating a zone transfer. This number needs to be updated each time the zone file changes, otherwise the slaves will not update. A simple way to update the serial number is to use today's date, for example 20170102. That way you also know when the file was last changed.
  6. A refresh value that specifies when slave servers should check for an update. The recommended value is 12 hours if the zone file doesn't change much, or more if NOTIFY is used.
  7. A retry value that specifies how long the slave servers should wait if the first attempt to refresh the zone file failed. The recommended value is 3-15 minutes.
  8. An expiry value that specifies for how long, with no contact with the master, a slave should still answer authoritatively for the zone. The recommended value is 2-4 weeks. This means that the slave servers can still answer authoritatively for the zone even if the primary server is down for 2 weeks (a big maintenance window, for example). If the slave makes contact with the master server within this period, this timer is reset, along with the refresh timer.
  9. An NX TTL value that specifies for how long an NXDOMAIN answer should be cached by any resolver. The maximum value is 3 hours. This means that if a resolver asks for joe.example.com and it's not there, and you add it later to the zone file, the resolver will still answer NXDOMAIN for up to 3 hours after the first request. So your machine will be invisible for at most 3 hours to one particular resolver.

When do slaves do an update?

  1. They may be NOTIFYed of the update by the primary server: this is the default for BIND.
  2. The zone's refresh timer has expired.
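The SOA fields listed above and the slave refresh/expiry rules, as an added example that is not part of the original page: it parses a constructed SOA line, decodes the responsible-person mailbox, compares serials the way a secondary does (RFC 1982 serial arithmetic, which also handles 32-bit wrap-around), decides whether a secondary is current, due for a refresh, or expired, and computes the negative-cache TTL per RFC 2308. The zone and host names are sample data.

```python
# Added example (not from the original page): apply the SOA rules described above.
# The zone, server names and serial below are constructed sample data.

# Constructed sample SOA line in zone-file syntax: owner TTL class type rdata,
# where rdata = MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM (times in seconds).
SOA_LINE = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
            "2017010201 43200 900 1209600 10800")

def parse_soa(line):
    """Split a one-line SOA record into its named fields."""
    owner, ttl, _cls, rtype, mname, rname, *nums = line.split()
    if rtype != "SOA" or len(nums) != 5:
        raise ValueError("not a single-line SOA record")
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return {"owner": owner, "ttl": int(ttl), "mname": mname, "rname": rname,
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}

def rname_to_email(rname):
    """RNAME encodes the admin mailbox: the first unescaped '.' stands for '@',
    and '\\.' is a literal dot inside the local part."""
    out, at_done, i = "", False, 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            out, i = out + rname[i + 1], i + 2
            continue
        if ch == "." and not at_done:
            ch, at_done = "@", True
        out, i = out + ch, i + 1
    return out.rstrip(".")

def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: True when a secondary should transfer the zone.
    Unlike a plain '>', this still works after the 32-bit serial wraps around."""
    diff = (candidate - current) % 2**32
    return 0 < diff < 2**31

def secondary_state(soa, seconds_since_contact):
    """What a secondary should do, given the time since its last successful SOA check."""
    if seconds_since_contact > soa["expire"]:
        return "expired"        # stop answering authoritatively for the zone
    if seconds_since_contact >= soa["refresh"]:
        return "refresh_due"    # poll the primary; if that fails, retry after soa['retry']
    return "current"

def negative_cache_ttl(soa):
    """RFC 2308: an NXDOMAIN answer is cached for min(SOA TTL, MINIMUM field)."""
    return min(soa["ttl"], soa["minimum"])
```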

contact : @ychaouche yacinechaouche at yahoocom
