
I am a complete newbie in the DNS world, and I am moving our office subnet to another domain. Our DNS uses PowerDNS with a MySQL backend.

I am unsure whether the SOA record for our domain is written correctly. Assuming the domain name is example.com and the internal office infrastructure domain is office.example.com, and the office nameservers are ns0.office.example.com and ns1.office.example.com, then our SOA looks like this (in the MySQL records table):

ns0.office.example.com. hostmaster.office.example.com. 2013111504 28800 14400 2419200 86400

The values for refresh etc. are taken from the old configuration, and it is not clear whether those values are standard or not.

Question: From all the resources I could find on the internet I still did not understand what the SOA record affects. Can someone please explain what the first two values affect? What is the hostmaster value for? The old config has it as well, but there is no such host on our subnet and no DNS record for this host.

Alexey Kamenskiy

1 Answer


From RFC 1033, one of the core DNS RFCs (the DNS Wikipedia page has a nice list):

SOA  (Start Of Authority)

           <name>  [<ttl>]  [<class>]  SOA  <origin>  <person>  (
                           <serial>
                           <refresh>
                           <retry>
                           <expire>
                           <minimum> )

The Start Of Authority record designates the start of a zone. The zone ends at the next SOA record.

<name> is the name of the zone. (Comment: typically the domainname example.com or office.example.com)

<origin> is the name of the host on which the master zone file resides. (Comment: the primary name server)

<person> is a mailbox for the person responsible for the zone. It is formatted like a mailing address but the at-sign that normally separates the user from the host name is replaced with a dot. (Comment: hostmaster@office.example.com becomes hostmaster.office.example.com)

<serial> is the version number of the zone file. It should be incremented anytime a change is made to data in the zone. (Comment: common is a timestamp-like string, yyyymmdd(hhmm))

<refresh> is how long, in seconds, a secondary name server is to check with the primary name server to see if an update is needed. A good value here would be one hour (3600).

<retry> is how long, in seconds, a secondary name server is to retry after a failure to check for a refresh. A good value here would be 10 minutes (600).

<expire> is the upper limit, in seconds, that a secondary name server is to use the data before it expires for lack of getting a refresh.

You want this to be rather large, and a nice value is 3600000, about 42 days.

<minimum> is the minimum number of seconds to be used for TTL value in RRs. A minimum of at least a day is a good value here (86400).

There should only be one SOA record per zone. A sample SOA record would look something like:

           @   IN   SOA   SRI-NIC.ARPA.   HOSTMASTER.SRI-NIC.ARPA. (
                           45         ;serial
                           3600       ;refresh
                           600        ;retry
                           3600000    ;expire
                           86400 )    ;minimum

The SOA records can be fitted on a single line.

HBruijn
  • Thanks for the extensive answer. Most things are clear now. I wonder if you have experience with PowerDNS: in order to update a slave, is it necessary to update the serial value on the master? This value seems to be coming from old named-style configs, so I am not sure whether, if I edit records, I will also have to manually alter the serial value. – Alexey Kamenskiy Nov 15 '13 at 12:53
  • The standard mandates increasing serial numbers. A "proper" slave name server will query the master nameserver every `` seconds and retrieve the SOA record. If the serial number has increased the cached zone is expired and a zone transfer is initiated. I haven't looked at PowerDNS in at least a decade, so you may or may not get away with not updating the serial depending on how your secondary DNS servers are populating their zone data. (You might be using MySQL replication instead or something else). – HBruijn Nov 15 '13 at 14:03
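To make the field layout from the answer and the serial-bump point from the comments concrete, here is an added example (not from the question, the answer, or PowerDNS itself) that parses the single-line SOA `content` string the question shows, converts the `<person>` field back to a mailbox, runs a few sanity checks, and computes the next yyyymmddnn serial. The relations retry < refresh and expire > refresh + retry are the usual zone-linter checks and are my assumption, not something the answer states.

```python
from datetime import date

# Field order of an SOA record as PowerDNS stores it in the `content` column:
# "<origin> <person> <serial> <refresh> <retry> <expire> <minimum>"
SOA_FIELDS = ("origin", "person", "serial", "refresh", "retry", "expire", "minimum")

def parse_soa(content):
    """Split a single-line SOA into a dict; the five numeric fields become ints."""
    parts = content.split()
    if len(parts) != 7:
        raise ValueError("SOA needs exactly 7 fields, got %d" % len(parts))
    soa = dict(zip(SOA_FIELDS, parts))
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])
    return soa

def person_to_mailbox(person):
    """hostmaster.office.example.com. -> hostmaster@office.example.com
    (first label is the user part, the rest is the host, per RFC 1033)."""
    label, _, host = person.rstrip(".").partition(".")
    return label + "@" + host

def check_soa(soa):
    """Return warnings for values that look wrong; an empty list means OK.
    Assumed sanity relations: retry < refresh and expire > refresh + retry."""
    warnings = []
    if not soa["origin"].endswith("."):
        warnings.append("origin should be a fully qualified name ending in '.'")
    if "@" in soa["person"]:
        warnings.append("person must use '.' instead of '@'")
    if not 0 <= soa["serial"] < 2 ** 32:
        warnings.append("serial must fit in an unsigned 32-bit integer")
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire should exceed refresh + retry")
    return warnings

def next_serial(current, today=None):
    """Bump a yyyymmddnn serial: first change today -> yyyymmdd01, otherwise
    current + 1. The result is always greater than `current`, which is what
    secondaries compare before deciding to transfer the zone."""
    today = today or date.today()
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    return candidate if candidate > current else current + 1

# Constructed sample: the record from the question.
SAMPLE = ("ns0.office.example.com. hostmaster.office.example.com. "
          "2013111504 28800 14400 2419200 86400")
```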