We currently have our DNS SOA record set to the following for stackoverflow.com:

    primary name server = ns1.p19.dynect.net
    serial  = 2009090909
    refresh = 3600 (1 hour)
    retry   = 600 (10 mins)
    expire  = 604800 (7 days)
    default TTL = 60 (1 min)

Are there better choices for our refresh / retry / expire / default TTL for a site like stackoverflow.com which receives close to 1M pageviews per day?

Jeff Atwood
Geoff Dalgas

3 Answers

The actual traffic rate to the site is irrelevant.

All of those settings (except for "default TTL") only affect how frequently your domain's secondary DNS servers poll the primary DNS server for updates.

If your zone only changes infrequently (which I believe yours does) then your value for "refresh" is currently a bit on the low side. Typically the primary should send a NOTIFY message to each of the secondaries whenever there's an update at which point the secondaries grab the zone file immediately. These days the "refresh / retry / expire" mechanism is only a backstop to that.

In any event, it's likely that your DNS provider is automatically syncing changes to all of the relevant DNS servers on the fly without using DNS's built-in synchronisation mechanisms so the actual values are probably irrelevant.

Note that the "default TTL" field no longer means what it says. The real default TTL is set (in BIND at least) with the $TTL directive, and that's only used when there isn't an explicit TTL set on each record.

The "default TTL" field's meaning was changed in RFC 2308 and it's actually a hint for negative caching. If your server returns a negative response (e.g. NXDOMAIN or NODATA) it's how long the remote server should wait before trying again.

The current value is a bit on the low side, but there's no harm leaving it as is. It's often ignored anyway.

Alnitak
  • Note that the "default TTL" value is only used for the negative caching TTL if it is less than the TTL of the SOA record itself. See `5 - Caching Negative Answers` of the referenced RFC for details. More info here: https://serverfault.com/questions/426807/how-long-does-negative-dns-caching-typically-last/979926#979926 – htaccess Aug 25 '19 at 07:43
From Pingdom: http://dnscheck.pingdom.com/

    SOA TTL      recommended >= 3600.
    SOA refresh  recommended >= 14400.
    SOA retry    recommended >= 3600.
    SOA expire   recommended >= 604800.
    SOA minimum  recommended between 300 and 86400.

Jeff Atwood
Octa
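As an added example (not code from the thread, Pingdom or Dyn), the following script parses a dig-style SOA line, applies the Pingdom thresholds listed in the answer above, and derives the negative-caching TTL that Alnitak's answer and the RFC 2308 comment describe (the lesser of the SOA MINIMUM field and the SOA record's own TTL). The SOA TTL of 3600 and the rname in the sample are assumptions; the question gives neither.

```python
# Added example (not from the thread): parse a dig-style SOA line, apply the
# Pingdom thresholds quoted above, and derive the RFC 2308 negative-caching TTL.
from dataclasses import dataclass

@dataclass
class SOA:
    ttl: int       # TTL of the SOA RR itself ($TTL or explicit), not an rdata field
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int   # the field the question calls "default TTL" (MINTTL)

def parse_soa(line: str) -> SOA:
    """Parse 'owner TTL IN SOA mname rname serial refresh retry expire minimum'."""
    f = line.split()
    if len(f) != 11 or f[2:4] != ["IN", "SOA"]:
        raise ValueError("expected a single-line SOA record in presentation format")
    return SOA(int(f[1]), f[4], f[5], *map(int, f[6:11]))

def check_soa(soa: SOA) -> list:
    """Findings against the thresholds listed in the Pingdom answer above."""
    issues = []
    if soa.ttl < 3600:
        issues.append(f"SOA TTL {soa.ttl} < 3600")
    if soa.refresh < 14400:
        issues.append(f"refresh {soa.refresh} < 14400")
    if soa.retry < 3600:
        issues.append(f"retry {soa.retry} < 3600")
    if soa.expire < 604800:
        issues.append(f"expire {soa.expire} < 604800")
    if not 300 <= soa.minimum <= 86400:
        issues.append(f"minimum {soa.minimum} outside 300..86400")
    return issues

def negative_cache_ttl(soa: SOA) -> int:
    """RFC 2308 s.5: NXDOMAIN/NODATA answers are cached for min(MINIMUM, SOA TTL)."""
    return min(soa.minimum, soa.ttl)

# Constructed sample from the question's values; SOA TTL 3600 and the rname are assumed.
SAMPLE = ("stackoverflow.com. 3600 IN SOA ns1.p19.dynect.net. hostmaster.example. "
          "2009090909 3600 600 604800 60")

if __name__ == "__main__":
    soa = parse_soa(SAMPLE)
    for issue in check_soa(soa):
        print("finding:", issue)
    print("negative cache TTL:", negative_cache_ttl(soa), "seconds")
```

Run against the question's values it flags refresh, retry and minimum, and reports a 60-second negative cache TTL because MINIMUM (60) is below the SOA TTL.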
Interestingly, the DNS diagnostic page from the Dyn guys (our DNS hosts) ...

http://dnscog.com/report/stackoverflow.com

... says this on MINTTL:

Check SOA MINTTL

Your SOA minttl value is 60 seconds, which is lower than the recommended minimum for general DNS use. If you regularly make changes to your DNS zone, or use DNS-based load balancing services, a small value here is OK.

Recommendation

Consider putting value between 1800 and 86400 to your SOA minttl field.

and this on SOA refresh

Check SOA refresh

Your SOA refresh field is 3600 seconds, which is lower than the recommended minimum. Having a low refresh value can result in unnecessary query volume or unexpected behavior, especially if you use a value of 0. If you regularly make changes to your DNS zone, or use DNS-based load balancing services, a smaller value will help to ensure changes propagate as quickly as possible.

Recommendation

Consider putting value between 7200 and 10800 to your SOA refresh field.

Another diagnostic page at http://www.intodns.com/stackoverflow.com doesn't offer any real hints.

Jeff Atwood
  • Their minttl recommendation is bogus. That field hasn't had that meaning for over a decade. Their explanation of refresh is also suspect. The refresh interval _only_ affects primary -> secondary slaving, and with a small zone like yours this value would cause no problems whatsoever. Furthermore if the DNS provider is using an out-of-band sync mechanism then the actual value is moot. (NB: I do DNS for a living) – Alnitak Sep 29 '09 at 08:46
  • P.S. if someone actually gave this as their own explanation and recommendation for the values I'd give it a -1 vote. As you're quoting someone else I won't ;-) – Alnitak Sep 29 '09 at 12:56
  • OK, definitely good to know -- we're far from experts, so every little bit of info we can get helps! – Jeff Atwood Oct 01 '09 at 07:11
  • To clarify, the SOA Minimum TTL field stores the TTL value to be used to cache a *negative* request - a request made to the zone for some resource which doesn't exist. Their explanation is sort of true but fails to clarify it's only for negative responses. Secondly, the SOA Refresh is never used by normal DNS queries, it's only used in situations where you have secondary (slave) nameservers updating themselves from your primary (master) nameserver. So their explanation of that field is definitely untrue. – thomasrutter Dec 04 '12 at 12:10
  • @thomasrutter my reading of their rationale for the minttl value would be that they are _not_ considering negative caching at all. In this context (i.e. regular DNS changes and DNS-based load balancing) they're clearly referring to normal DNS TTLs for _existing_ records. – Alnitak Jun 20 '14 at 22:26
  • Really, there is so much misinformation about what these records mean online that it's hard to find anything that's actually true. In summary, most of the values in the SOA record are meaningless for actual DNS queries, and are intended instead for you to use for your own internal zone transfer mechanism from your primary to secondary nameservers. The exception is the MinTTL but that isn't, as the standards suggest, minimum TTL nor is it a "default" TTL, but instead a suggested TTL for caching negative results. What matters much more are the individual TTLs for records like A and NS. – thomasrutter Jun 21 '14 at 12:47
  • All those intodns / dnscog / dnsstuff etc type sites just copy the same misinformation from each other. You can tell because a lot of their text is copy-pasted. I've found MXToolbox (http://mxtoolbox.com/DNSCheck.aspx) to be a more reliable resource. For example, their explanation of the SOA MINTTL value [here](http://mxtoolbox.com/problem/dns/DNS-SOA-NXDOMAIN-Value?page=health_dns) is accurate - a rare quality. – thomasrutter Jun 21 '14 at 12:53