IT-LINUXMAKER, OpenSource, Tutorials

SOA Resource Record

DNS nameservers are typically deployed in clusters. The data within a cluster is synchronized using zone transfers. The SOA entry in the zone file (the file containing the complete configuration and description of the zone) contains data that controls the zone transfer. This data includes the serial number and various timers.
The email address of the person responsible for this zone and the name of the primary master server are also listed. Normally, an SOA record is located at the beginning of the file. A zone without this entry does not comply with the DNS standard and cannot be transferred.

Example of an SOA record in BIND9

mycompany.com. IN SOA ns1.mycompany.com. hosmaster@mycompany.com. (
                                   2026032701 ; Serial
                                           10800 ; refresh after 3 hours
                                             3600 ; retry after 1 hour
                                          604800 ; expire after 1 week
                                              1800 ; minimum TTL of 30 minutes)

In this example, a slave server is configured to synchronize with its master server every 3 hours via zone transfer. If its master server is unreachable, a new attempt is made every hour. If the master server cannot be contacted within one week, the slave server declares the zone mycompany.com inactive and will no longer respond to DNS requests for this domain. DNS also caches failed requests. The TTL (Time To Live) is 30 minutes.
Furthermore, it is defined that the primary domain of this zone is master.mycompany.com and that the administrator can be reached via the email address hostmaster@mycompany.com. The "@" symbol is replaced by a "." and any "." before the "@", e.g., firstname.lastname@mycompany.com, is escaped with a "\" (e.g., firstname\.lastname.mycompany.com).

The serial number is listed here as 2026032701. At the next change, it must be (manually) incremented to at least 2026032702. The serial number should be a maximum of 10 digits long (minimum 1 and maximum 9999999999). According to RFC 1912 2.2, the serial number consists of the current date and a two-digit counter in the format "YYYYMMDDzz".

The serial number is changed by incrementing it by 1 before each reload of the BIND server.

Composition of the SOA record

Name
This is the zone name.
IN
This is the zone class (usually IN for Internet)
SOA
The abbreviation stands for Start Of Authority
Primary
The primary master for this zone has little practical significance:
Definition of to whom dynamic updates should be sent. (Dynamic Update)
Definition of who should not receive notifications (Zone transfer)
Email address
The email address of the person responsible for this zone.
Serial number
This serial number must be incremented with every change.
Refresh
Determines the interval at which secondary nameservers check whether the zone has been updated at the primary nameserver.
Retry
Specifies how long secondary nameservers wait before attempting to refresh if the primary nameserver was unreachable during the previous refresh.
Expire
Specifies how long a secondary nameserver caches valid zone data if a connection to the primary nameserver cannot be established. After one week without a successful update, the zone is considered expired and is no longer served.
TTL
Defines the time-to-live (TTL) for non-existent entries (NXDOMAIN). Queries for non-existent hostnames are cached for the specified number of minutes before the nameserver is queried again. Also known as negative caching TTL (DNS caching).

DENIC recommended values

DENIC (Deutsches Network Information Center) provides recommendations for configuring .de zones, which relate to the SOA time values. The recommended values ​​are listed here:

  1. Refresh (Recommended: 1 hour = 3600 seconds)
    • Secondary nameservers check every hour for changes to the primary nameserver.
    • Reduces unnecessary requests to the primary server and distributes the load evenly over time.
    • At the same time, it ensures that changes are implemented within a manageable timeframe.
  2. Retry (Recommended: 15 minutes = 900 seconds)
    • After a failed refresh, another attempt will be made after 15 minutes.
    • If the primary server is temporarily unavailable, a short retry interval ensures that secondary servers quickly re-establish a connection.
    • Prevents outdated data from being used for too long.
  3. Expire (Recommended: 1 week = 604800 seconds)
    • Secondary nameservers continue to use the zone data for up to one week if a connection to the primary nameserver is not possible.
    • Secondary nameservers use the zone only for a limited time without a successful update.
    • Guaranteed that outdated or faulty zone data will not be distributed indefinitely.
  4. Minimum TTL / Negative Caching (Recommended: 1 hour = 3600 seconds)
    • Time-to-Live for non-existent entries is set to 1 hour.
    • Responses to non-existent entries (NXDOMAIN) are cached for one hour.
    • Reduces unnecessary queries to the nameserver, without new entries remaining undiscovered for too long.
In summary:

DENIC's values ​​balance load balancing, DNS consistency and up-to-date data provision to ensure a stable and reliable .de zone.

Interpretation of the SOA

Let's interpret this dig query

~# dig @localhost SOA mycompany.com

; <<>> DiG 9.16.37-Debian <<>> @localhost SOA mycompany.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38190
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cbaf6884b625d4fc0100000069c7adfca38ca2e8c985bb58 (good)
;; QUESTION SECTION:
;mycompany.com.             IN      SOA

;; ANSWER SECTION:
mycompany.com.      1800    IN      SOA     ns1.mycompany.com. hostmaster.mycompany.com.mycompany.com. 2026032707 600 7200 604800 300

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Mar 28 11:31:24 CET 2026
;; MSG SIZE  rcvd: 176

Because we want to understand how we are provided with crucial information. In the ANSWER SECTION, we see anything but unimportant figures that certainly provide explanations as to why the zone is not published on the internet.

The relevant number fields mean:
  • 1800 → TTL (Time To Live) des SOA-Records
  • 600 → Refresh
  • 7200 → Retry
  • 604800 → Expire
  • 300 → Negative Caching TTL (Minimum / NXDOMAIN TTL)

The process, viewed logically

  1. Secondary successfully loads zone (time X)
  2. Thereafter:
    • Every 600 seconds (refresh), an attempt is made to check the changes.
  3. If the primary server is unreachable:
    • If the attempt fails, a second attempt is made after 7200 seconds (Retry).
  4. Wenn 7 Tage (604800 Sekunden) lang kein erfolgreicher Kontakt:
    • The zone is considered obsolete (expired).
    • As a result, deliveries will no longer take place.

This means that publication occurs immediately after a successful zone transfer. The Expire value is only a shutdown limit, not a delay value!

Conclusion

  • Low TTL/Refresh means fast updates.
  • Expire high (7 days) means long survival time in case of primary cell failure.

IT-LINUXMAKER, OpenSource, IT-Support, IT-Consulting

© IT-LINUXMAKER 2026