SOA record

Last updated February 04, 2024

A start of authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.^[1]

Background

Normally DNS name servers are set up in clusters. The database within each cluster is synchronized through zone transfers. The SOA record for a zone contains data to control the zone transfer. This is the serial number and different timespans.

It also contains the email address of the responsible person for this zone, as well as the name of the primary master name server. Usually the SOA record is located at the top of the zone. A zone without a SOA record does not conform to the standard required by RFC 1035.

Structure

NAME

Name of the zone. @ is a shortcut to match previous record in BIND syntax.

CLASS

Zone class (all but universally IN for internet)

TYPE

SOA, abbreviation for start of authority

TTL

Time-to-live

MNAME

Primary master name server for this zone

UPDATE requests should be forwarded toward the primary master^[2]
NOTIFY requests propagate outward from the primary master^[3]

RNAME

Email address of the administrator responsible for this zone. (As usual, the email address is encoded as a name. The part of the email address before the @ becomes the first label of the name; the domain name after the @ becomes the rest of the name. In zone-file format, dots in labels are escaped with backslashes; thus the email address john.doe@example.com would be represented in a zone file as john\.doe.example.com.)

SERIAL

Serial number for this zone. If a secondary name server slaved to this one observes an increase in this number, the slave will assume that the zone has been updated and initiate a zone transfer.

REFRESH

Number of seconds after which secondary name servers should query the master for the SOA record, to detect zone changes. Recommendation for small and stable zones:^[4]86400 seconds (24 hours).

RETRY

Number of seconds after which secondary name servers should retry to request the serial number from the master if the master does not respond. It must be less than Refresh. Recommendation for small and stable zones:^[4]7200 seconds (2 hours).

EXPIRE

Number of seconds after which secondary name servers should stop answering request for this zone if the master does not respond. This value must be bigger than the sum of Refresh and Retry. Recommendation for small and stable zones:^[4]3600000 seconds (1000 hours).

MINIMUM

Used in calculating the time to live for purposes of negative caching. Authoritative name servers take the smaller of the SOA TTL and the SOA MINIMUM to send as the SOA TTL in negative responses. Resolvers use the resulting SOA TTL to understand for how long they are allowed to cache a negative response. Recommendation for small and stable zones:^[4]172800 seconds (2 days). Originally this field had the meaning of a minimum TTL value for resource records in this zone; it was changed to its current meaning by RFC 2308.^[5]

Sample SOA record

Sample SOA record for example.org, in BIND syntax.

$TTL86400@INSOAns.icann.org.noc.dns.icann.org.(        2020080302;Serial        7200;Refresh        3600;Retry        1209600;Expire        3600;Negative response caching TTL)

Serial number changes

Several methods have been established for updates to the SERIAL field of a zone's SOA record:

The serial number begins at 1, and is simply incremented at every change.
The serial number contains the date of the last change (in ISO 8601 basic format) followed by a two-digit counter. For example, the fifth change made on 14 March 2017 (2017-03-14 in ISO 8601) would have the serial number 2017031405. This method is recommended in RFC 1912.^[6]
The serial number is the time of last modification to the zone's data file expressed as the number of seconds since the UNIX epoch. This method is used by default in the djbdns suite.^[7] Although it uses a 32-bit counter, it is not susceptible to the year 2038 problem due to the effect of serial number arithmetic.

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded or revalidated. In computer networking, TTL prevents a data packet from circulating indefinitely. In computing applications, TTL is commonly used to improve the performance and manage the caching of data.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

A mail exchanger record specifies the mail server responsible for accepting email messages on behalf of a domain name. It is a resource record in the Domain Name System (DNS). It is possible to configure several MX records, typically pointing to an array of mail servers for load balancing and redundancy.

A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whether a sending host's IP address is blacklisted for email spam. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites.

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

A Service record is a specification of data in the Domain Name System defining the location, i.e., the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements.

In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website example.com, it might use the subdomain shop.example.com.

DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.

In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables. The reverse DNS database of the Internet is rooted in the .arpa top-level domain.

Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.

In computer networking, the multicast DNS (mDNS) protocol resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as unicast Domain Name System (DNS). It was designed to work as either a stand-alone protocol or compatibly with standard DNS servers. It uses IP multicast User Datagram Protocol (UDP) packets and is implemented by the Apple Bonjour and open-source Avahi software packages, included in most Linux distributions. Although the Windows 10 implementation was limited to discovering networked printers, subsequent releases resolved hostnames as well. mDNS can work in conjunction with DNS Service Discovery (DNS-SD), a companion zero-configuration networking technique specified separately in RFC 6763.

Round-robin DNS is a technique of load distribution, load balancing, or fault-tolerance provisioning multiple, redundant Internet Protocol service hosts, e.g., Web server, FTP servers, by managing the Domain Name System's (DNS) responses to address requests from client computers according to an appropriate statistical model.

A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.

TSIG is a computer-networking protocol defined in RFC 2845. Primarily it enables the Domain Name System (DNS) to authenticate updates to a DNS database. It is most commonly used to update Dynamic DNS or a secondary/slave DNS server. TSIG uses shared secret keys and one-way hashing to provide a cryptographically secure means of authenticating each endpoint of a connection as being allowed to make or respond to a DNS update.

Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

In computer networking, split-horizon DNS is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, usually selected by the source address of the DNS request.

A TXT record is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human readable information about a server, network, data center, or other accounting information.

References

↑ Mockapetris, P.V. (November 1987). "RFC 1035 — Domain names - implementation and specification". Network Working Group. doi:10.17487/RFC1035 . Retrieved 2017-12-28.
↑ Thomson, S.; Rekhter, Y.; Bound, J.; Bound, J. (April 1997). Vixie, P (ed.). "RFC 2136 — Dynamic Updates in the Domain Name System (DNS UPDATE)". Network Working Group. doi:10.17487/RFC2136 . Retrieved 2017-12-28.
↑ Vixie, P. (August 1996). "RFC 1996 — A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)". Network Working Group. doi:10.17487/RFC1996 . Retrieved 2017-12-28.
1 2 3 4 "RIPE 203 — Recommendations for DNS SOA Values". Network Working Group. 1999-06-07. Retrieved 2017-12-28. These recommendations are aimed at small and stable DNS zones.
↑ Andrews, M. (March 1998). "RFC 2308 — Negative Caching of DNS Queries (DNS NCACHE)". Network Working Group. doi: 10.17487/RFC2308 . Retrieved 2017-12-28.
↑ Barr, D. (February 1996). "RFC 1912 — Common DNS Operational and Configuration Errors". Network Working Group. doi:10.17487/RFC1912 . Retrieved 2017-12-28.
↑ Bernstein, D.J. "How to run a DNS server in place of an existing BIND server" . Retrieved 2023-03-13.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[RFC_1035-1] Mockapetris, P.V. (November 1987). "RFC 1035 — Domain names - implementation and specification". Network Working Group. doi:10.17487/RFC1035 . Retrieved 2017-12-28.

[RFC_2136-2] Thomson, S.; Rekhter, Y.; Bound, J.; Bound, J. (April 1997). Vixie, P (ed.). "RFC 2136 — Dynamic Updates in the Domain Name System (DNS UPDATE)". Network Working Group. doi:10.17487/RFC2136 . Retrieved 2017-12-28.

[RFC_1996-3] Vixie, P. (August 1996). "RFC 1996 — A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)". Network Working Group. doi:10.17487/RFC1996 . Retrieved 2017-12-28.

[RIPE_203-4] 1 2 3 4 "RIPE 203 — Recommendations for DNS SOA Values". Network Working Group. 1999-06-07. Retrieved 2017-12-28. These recommendations are aimed at small and stable DNS zones.

[RFC_2308-5] Andrews, M. (March 1998). "RFC 2308 — Negative Caching of DNS Queries (DNS NCACHE)". Network Working Group. doi: 10.17487/RFC2308 . Retrieved 2017-12-28.

[RFC_1912-6] Barr, D. (February 1996). "RFC 1912 — Common DNS Operational and Configuration Errors". Network Working Group. doi:10.17487/RFC1912 . Retrieved 2017-12-28.

[7] Bernstein, D.J. "How to run a DNS server in place of an existing BIND server" . Retrieved 2023-03-13.

[1]

[2]

[3]

[4]

[5]

[6]

[7]