Defined in RFC 1035. The SOA defines global parameters for the zone (domain). There is only one SOA record allowed in a zone file.
name ttl class rr name-server email-addr (sn ref ret ex min)
example.com. IN SOA ns.example.com. hostmaster.example.com. (
2003080800 ; sn = serial number
172800 ; ref = refresh = 2d
900 ; ret = update retry = 15m
1209600 ; ex = expiry = 2w
3600 ; min = minimum = 1h
)
The most complex and most critical record in the zone file. The following notes apply:
| Field | Description |
| --- | --- |
| name | The 'root name' of the zone. Most commonly written as @ or as the $ORIGIN value. |
| ttl | Standard TTL values apply (range 0 to 2147483647, clarified by RFC 2181). The data contained in the SOA record applies timing values to the slave DNS servers - see below. See the notes on TTL values for more information. |
| class | Defines the class of the record and normally takes the value IN = Internet. It may also take the value HS = Hesiod or CH = Chaos, both historic MIT protocols. |
| name-server | A name server that will respond authoritatively for the domain, called the Primary Master in the context of dynamic DNS. If DDNS is not used this may be any suitable name server, either defined in this zone file or in an external (foreign) zone. It is most commonly written as a Fully-Qualified Domain Name (FQDN, ending with a dot). If the record points to an EXTERNAL server (not defined in this zone) it MUST end with a '.' (dot), e.g. ns1.example.net. If the name server is defined in this domain (in this zone file) it can be written as ns1 (without the dot), which will be expanded to include the $ORIGIN. In the jargon this field is called the MNAME field, which is why we called it name-server. See the note on when to use the dot. |
| email-addr | Email address of the person responsible for this zone. In the jargon this is called the RNAME field, which is why we called it email. A suitable admin, but more commonly the technical contact for the domain. By convention (in RFC 2412) it is suggested that the reserved mailbox hostmaster be used for this purpose, but any sensible and stable email address will work. NOTE: the format is mailbox-name.domain.com, e.g. hostmaster.example.com (not the more normal @ sign, since it has other uses in the zone file), but mail is sent to hostmaster@example.com. Most commonly written ending with a '.' (dot), but if the email address is in this domain you can just use hostmaster (see also the examples below). See the note on when to use the dot. |
| sn = serial number | Unsigned 32 bit value in the range 1 to 4294967295 with a maximum increment of 2147483647. In BIND implementations this is defined to be a 10 digit field. This value MUST change when any resource record in the zone file is updated. The convention is to use a date based value to simplify this task - the most popular being yyyymmddss where yyyy = year, mm = month, dd = day and ss = a sequence number in case you update it more than once in the day! Using this date format means that the value 2005021002 means the last update was on the 10th February 2005 and it was the third update that day. The date format is just a convention, not a requirement, so BIND will provide no validation of the field. It is easy to make mistakes and get serial numbers out of sequence (see Fix Serial Numbers). Note: the arithmetic used by the serial number is defined in RFC 1982. |
| refresh | Signed 32 bit time value in seconds. Indicates the time when the slave will try to refresh the zone from the master. RFC 1912 recommends 1200 to 43200 seconds: low (1200) if the data is volatile, or 43200 (12 hours) if it is not. If you are using NOTIFY you can set much higher values, e.g. 1 or more days (> 86400). See BIND time format. |
| retry | Signed 32 bit value in seconds. It defines the time between retries if the slave (secondary) fails to contact the master when refresh (above) has expired. Values will depend upon local knowledge of the network speed and reliability of the master (primary) servers. Typical values would be 180 (3 minutes) to 900 (15 minutes) or higher. See BIND time format. |
| expiry | Signed 32 bit value in seconds. Indicates when the zone data is no longer authoritative. Applies to slave (secondary) servers only. BIND9 slaves stop responding to queries for the zone when this time has expired and no contact has been made with the master. Thus when the refresh value expires the slave will attempt to read the SOA record for the zone, and request a zone transfer (AXFR/IXFR) if the sn has changed. If contact is made the expiry and refresh timers are reset and the cycle starts again. If the slave fails to contact the master it will retry every retry period but continue to supply authoritative data for the zone until the expiry value is reached, at which point it will stop answering queries for the domain. RFC 1912 recommends 1209600 to 2419200 seconds (2-4 weeks) to allow for major outages of the master. See BIND time format. |
| min = minimum | Signed 32 bit value in seconds. RFC 2308 (implemented by BIND 9) redefined this value to be the negative caching time - the time a NAME ERROR = NXDOMAIN record is cached. The maximum value allowed by BIND 9 for this parameter is 3 hours (10800 seconds). This value was (in BIND 4 and 8) used by any RR from the zone that did not specify an explicit TTL, i.e. the zone default TTL. BIND 9 uses the $TTL directive as the zone default TTL (which was also standardized in RFC 2308). You may find older documentation or zone file configurations which reflect the old usage (there are still a lot of BIND 4 sites operational). See BIND time format. |
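The serial-number rules and the timer ranges in the table are easy to get wrong by hand, and a wrong serial silently stops slaves from transferring the zone. The following Python is an added example, not code from the original page or from BIND: it implements RFC 1982 serial arithmetic (the wrap-around comparison a slave uses to decide whether the master's serial is "newer"), generates the next yyyymmddss serial in the page's convention (sequence starts at 00), and checks refresh, expiry and minimum against the RFC 1912 and BIND 9 limits quoted above. The `expiry > refresh + retry` rule is a consistency check of my own, not something the page states.

```python
# Added example, not code from the original page: RFC 1982 serial arithmetic
# and sanity checks for the SOA timers against the RFC 1912 ranges quoted above.
import datetime

SERIAL_MOD = 1 << 32          # serials are unsigned 32-bit values
SERIAL_HALF = 1 << 31         # 2**31; the largest permitted increment is 2**31 - 1


def serial_add(serial, n):
    """RFC 1982 addition: wraps modulo 2**32. n must be in 0 .. 2**31 - 1."""
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment outside the RFC 1982 range 0 .. 2**31-1")
    return (serial + n) % SERIAL_MOD


def serial_gt(s1, s2):
    """True when s1 is 'greater than' s2 in RFC 1982 serial arithmetic.

    A slave only performs a zone transfer when the master's serial is greater
    by this rule, so 1 is greater than 4294967295 (the serial has wrapped), and
    two serials exactly 2**31 apart are incomparable (neither is greater).
    """
    return (s1 < s2 and s2 - s1 > SERIAL_HALF) or (s1 > s2 and s1 - s2 < SERIAL_HALF)


def next_date_serial(current, today=None):
    """Next serial in the yyyymmddss convention used on the page (ss starts at 00).

    today is yyyymmdd as an int and defaults to the local date. Falls back to
    current + 1 (RFC 1982) when the daily sequence is used up or the current
    serial is already ahead of today's date, so the value always increases and
    slaves still notice the change.
    """
    if today is None:
        today = int(datetime.date.today().strftime("%Y%m%d"))
    base = today * 100                               # yyyymmdd00
    if current < base:
        return base                                  # first update of the day
    if current < base + 99:
        return current + 1                           # same day: bump the sequence
    return serial_add(current, 1)


def check_soa_timers(refresh, retry, expiry, minimum):
    """Return warnings for timer values outside the RFC 1912 / BIND 9 ranges above."""
    warnings = []
    if refresh < 1200:
        warnings.append("refresh below the RFC 1912 minimum of 1200s")
    elif refresh > 43200:
        warnings.append("refresh above the RFC 1912 maximum of 43200s (fine if NOTIFY is used)")
    if not 1209600 <= expiry <= 2419200:
        warnings.append("expiry outside the RFC 1912 range 1209600..2419200s (2-4 weeks)")
    if expiry <= refresh + retry:
        # consistency check, not from the page: a slave that cannot reach the master
        # must survive at least one refresh interval and one retry before it goes dark
        warnings.append("expiry must exceed refresh + retry")
    if minimum > 10800:
        warnings.append("minimum (negative cache TTL) above the BIND 9 cap of 10800s")
    return warnings


if __name__ == "__main__":
    print(serial_gt(1, 4294967295))                   # True: the serial has wrapped
    print(next_date_serial(2005021001, 20050210))     # 2005021002
    print(check_soa_timers(172800, 900, 1209600, 3600))
```

The first example SOA on this page (refresh 172800) trips only the "above 43200s" warning, which is acceptable when NOTIFY is in use, exactly as the refresh row says.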
NOTES:
; zone file fragment for example.com
$TTL 2d ; zone TTL default = 2 days or 172800 seconds
$ORIGIN example.com.
@ IN SOA ns.example.net. hostmaster.example.com. (
2003080800 ; serial number
1d12h ; refresh = 1 day 12 hours
15M ; update retry = 15 minutes
3W12h ; expiry = 3 weeks + 12 hours
2h20M ; minimum = 2 hours + 20 minutes
)
IN NS ns.example.net. ;name server
IN NS ns.example.org. ;name server
The email address in the SOA lies within the domain and can be written as an unqualified (no-dot) name:
; zone file fragment for example.com
$TTL 2d ; zone TTL default = 2 days or 172800 seconds
$ORIGIN example.com.
@ IN SOA ns.example.net. hostmaster (
2003080800 ; serial number
1d12h ; refresh = 1 day 12 hours
15M ; update retry = 15 minutes
3W12h ; expiry = 3 weeks + 12 hours
2h20M ; minimum = 2 hours + 20 minutes
)
IN NS ns.example.net. ;name server
IN NS ns.example.org. ;name server
The master DNS is within the domain. The second name server is not:
; zone file fragment for example.com
$TTL 2d ; zone TTL default = 2 days or 172800 seconds
$ORIGIN example.com.
@ IN SOA ns.example.com. hostmaster.example.com. (
2003080800 ; serial number
1d12h ; refresh = 1 day 12 hours
15M ; update retry = 15 minutes
3W12h ; expiry = 3 weeks + 12 hours
2h20M ; minimum = 2 hours + 20 minutes
)
IN NS ns.example.com.
IN NS ns.example.net.
...
; A record for the NS RR above
ns IN A 192.168.2.1
The above rewritten to use unqualified names:
$TTL 2d ; zone TTL default = 2 days or 172800 seconds
$ORIGIN example.com.
@ IN SOA ns hostmaster (
2003080800 ; serial number
1d12h ; refresh = 1 day 12 hours
15M ; update retry = 15 minutes
3W12h ; expiry = 3 weeks + 12 hours
2h20M ; minimum = 2 hours + 20 minutes
)
IN NS ns
IN NS ns.example.net.
...
; A record for the NS RR above
ns IN A 192.168.2.1
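To make the dot rule and the BIND time units concrete, here is an added Python example (not code from the original page or from BIND) that parses a fragment like the one above: it expands unqualified names against $ORIGIN, turns `1d12h`, `15M` and `3W12h` into seconds, and converts the RNAME field back into an email address, treating an escaped dot in the mailbox part (`john\.doe`) as part of the name. The sample fragment is a constructed copy of the page's last example; the parser assumes $ORIGIN precedes the SOA and that the SOA line carries an explicit owner name, as all the fragments on this page do.

```python
# Added example, not code from the original page: parse a BIND zone fragment
# like the ones above, expanding unqualified names against $ORIGIN and
# converting BIND time units (1d12h, 15M, 3W12h) to seconds.
import re
from dataclasses import dataclass
from typing import Optional

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed copy of the page's last fragment, using unqualified names throughout.
SAMPLE_FRAGMENT = """\
$TTL 2d ; zone TTL default = 2 days or 172800 seconds
$ORIGIN example.com.
@ IN SOA ns hostmaster (
    2003080800 ; serial number
    1d12h ; refresh = 1 day 12 hours
    15M ; update retry = 15 minutes
    3W12h ; expiry = 3 weeks + 12 hours
    2h20M ; minimum = 2 hours + 20 minutes
    )
    IN NS ns
    IN NS ns.example.net.
ns IN A 192.168.2.1
"""


@dataclass
class SOA:
    owner: str
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int
    default_ttl: Optional[int]


def bind_time_to_seconds(text):
    """'1d12h' -> 129600. Units s/m/h/d/w, case-insensitive; bare digits are seconds."""
    if text.isdigit():
        return int(text)
    if re.sub(r"\d+[smhdw]", "", text, flags=re.I):      # anything left over is junk
        raise ValueError(f"bad BIND time value: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdw])", text, flags=re.I))


def qualify(name, origin):
    """Names without a trailing dot get $ORIGIN appended; '@' is the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def rname_to_email(rname):
    r"""hostmaster.example.com. -> hostmaster@example.com
    The first unescaped dot becomes '@'; escaped dots (john\.doe) stay in the mailbox."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    local = local.replace("\\.", ".")
    return f"{local}@{domain}"


def parse_zone_fragment(text):
    """Return the SOA from a zone fragment. $ORIGIN must precede the SOA record."""
    origin, default_ttl, tokens, collecting = None, None, [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments and indentation
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = bind_time_to_seconds(line.split()[1])
            continue
        if collecting or "SOA" in line.split():
            # parentheses let the record span lines; gather until the closing one
            tokens += line.replace("(", " ").replace(")", " ) ").split()
            collecting = ")" not in tokens
            if not collecting:
                break
    if origin is None or not tokens:
        raise ValueError("fragment needs $ORIGIN followed by an SOA record")
    i = tokens.index("SOA")
    mname, rname = tokens[i + 1], tokens[i + 2]
    serial, refresh, retry, expire, minimum = tokens[i + 3:i + 8]
    return SOA(owner=qualify(tokens[0], origin),
               mname=qualify(mname, origin), rname=qualify(rname, origin),
               serial=int(serial), refresh=bind_time_to_seconds(refresh),
               retry=bind_time_to_seconds(retry), expire=bind_time_to_seconds(expire),
               minimum=bind_time_to_seconds(minimum), default_ttl=default_ttl)


if __name__ == "__main__":
    soa = parse_zone_fragment(SAMPLE_FRAGMENT)
    print(soa)                            # mname expands to ns.example.com.
    print(rname_to_email(soa.rname))      # hostmaster@example.com
```

Run against the fragment, `ns` and `hostmaster` come out as `ns.example.com.` and `hostmaster.example.com.`, which is exactly what BIND would do; writing `ns.example.net` without the trailing dot would instead expand to `ns.example.net.example.com.`, the classic mistake the dot rule guards against.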
This work is licensed under a Creative Commons License.
Copyright © 1994 - 2005 ZyTrax, Inc. All rights reserved.
Page modified: February 11 2005.