Best Practice – DNS SOA

nPoday asked:

I have 2 DNS servers and set up a domain with an SOA record. Now I checked at DENIC and got 2 warnings:

Warning 112 Minimum TTL out of range (expected, found)

Warning 110 Retry value out of range (expected, found)

7200 -> the values from RIPE-203 are used here)
What's better, using the DENIC ranges or RIPE's?


My answer:

The best thing to do is to think about what the values mean, and then tune them appropriately.

If you haven’t already read the RIPE-203 document you cited, you should do so, since it explains each of the records and why RIPE chose particular values:

4.4. The Refresh and Retry Values

The refresh and retry values primarily affect the zone maintainer and the secondary service providers and may be negotiated between them. The values chosen here are aimed at scalability. Modern DNS software implements NOTIFY [RFC 1996] and reduces the need for frequent SOA checks, as does the assumption of stability of the zone. While lower values would only slightly increase the bandwidth usage, they would increase the load on servers which are slaves for thousands of zones.

In other words, you can safely raise the retry value. If you run your own DNS servers you probably don’t need to worry about it. If you contract with someone else to provide your DNS service, though, you may want to raise the value to improve performance, or they may ask you to use specific values.

4.6. The Minimum TTL Value

There are two meanings for this value with practical relevance. First, it serves as a default value for the TTL of all RRs without a given value. To be cache-friendly this value was chosen to be two days, which also follows the stability assumption. The second meaning is the default negative TTL [RFC 2308], which would call for a lower value. We are in a transition phase now with software implementing either of both meanings, so the TTL of one hour is recommended for the SOA itself, which will lead to nearly the same effect.

In practice, two days is utterly absurd for this. Suppose you are about to add a new hostname to your record, but it doesn’t currently exist. So you look it up, and you get NXDOMAIN. Now that NXDOMAIN will be cached for two days, even if you add it to your zone file five minutes later! I have this set to 3600 (one hour) for most of my zones.

View the full question and any other answers on Server Fault.
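As an added example, not part of the original question or answer: the script below parses an SOA record out of zone-file text, compares its timers with the RIPE-203 values quoted above, and works out how long a cached NXDOMAIN actually lingers. The caveat it demonstrates is RFC 2308 section 5: resolvers cache negative answers for the minimum of the SOA MINIMUM field and the TTL of the SOA record itself, which is why RIPE-203 pairs a two-day MINIMUM with a one-hour TTL on the SOA. The two zone snippets are constructed for this example; the names are placeholders.

```python
"""Parse an SOA record and reason about its timers (added example).

RIPE-203 values are the ones quoted in the answer above (refresh 24 hours,
retry 2 hours, expire 1000 hours, minimum 2 days, SOA TTL 1 hour).
The zone texts are constructed; dns.example.com. etc. are placeholders.
"""
import re
from dataclasses import dataclass

RIPE203 = {"refresh": 86400, "retry": 7200, "expire": 3600000, "minimum": 172800}
RIPE203_SOA_TTL = 3600

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


@dataclass
class SOA:
    ttl: int  # TTL of the SOA RR itself, not the MINIMUM field
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_ttl(token):
    """Plain seconds or BIND-style suffixes (2h, 1d, 1w2d)."""
    if token.isdigit():
        return int(token)
    parts = re.findall(r"(\d+)([smhdw])", token.lower())
    if not parts or "".join(n + u for n, u in parts) != token.lower():
        raise ValueError(f"bad TTL token: {token!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


_SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\S+)\s+)?IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)"
    r"\s*\((?P<fields>[^)]*)\)",
    re.M | re.I,
)


def parse_soa(zone_text):
    """Extract the SOA from zone-file text: strips ';' comments, joins the
    parenthesised continuation lines, and falls back to $TTL when the SOA RR
    carries no explicit TTL. The class must be written as IN."""
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m_ttl = re.search(r"^\$TTL\s+(\S+)", stripped, re.M)
    default_ttl = parse_ttl(m_ttl.group(1)) if m_ttl else None
    m = _SOA_RE.search(stripped)
    if not m:
        raise ValueError("no SOA record found")
    fields = m.group("fields").split()
    if len(fields) != 5:
        raise ValueError(f"SOA needs 5 numeric fields, got {fields}")
    if m.group("ttl") is not None:
        ttl = parse_ttl(m.group("ttl"))
    elif default_ttl is not None:
        ttl = default_ttl
    else:
        raise ValueError("SOA has no TTL and the zone has no $TTL")
    refresh, retry, expire, minimum = (parse_ttl(f) for f in fields[1:])
    return SOA(ttl, m.group("mname"), m.group("rname"), int(fields[0]),
               refresh, retry, expire, minimum)


def negative_cache_ttl(soa):
    """RFC 2308 section 5: NXDOMAIN/NODATA answers are cached for
    min(SOA.MINIMUM, TTL of the SOA RR), not for MINIMUM alone."""
    return min(soa.minimum, soa.ttl)


def seconds_until_visible(soa, negative_lookup_at, record_added_at):
    """Seconds after record_added_at that a resolver which cached NXDOMAIN at
    negative_lookup_at keeps serving it (0 if that entry already expired)."""
    return max(0, negative_lookup_at + negative_cache_ttl(soa) - record_added_at)


def diff_from_ripe203(soa):
    """Fields that differ from RIPE-203, as {name: (found, recommended)}."""
    found = {"refresh": soa.refresh, "retry": soa.retry, "expire": soa.expire,
             "minimum": soa.minimum, "soa_ttl": soa.ttl}
    recommended = dict(RIPE203, soa_ttl=RIPE203_SOA_TTL)
    return {k: (found[k], recommended[k]) for k in found if found[k] != recommended[k]}


# Constructed zone: RIPE-203 timers, SOA RR given its own one-hour TTL.
ZONE_RIPE203 = """\
$TTL 172800
example.com. 3600 IN SOA dns.example.com. hostmaster.example.com. (
        2024010101 ; serial
        86400      ; refresh (24 hours)
        7200       ; retry (2 hours)
        3600000    ; expire (1000 hours)
        172800 )   ; minimum (2 days)
"""

# Constructed zone: same timers, but the SOA inherits $TTL, so a negative
# answer really is cached for the full two days.
ZONE_INHERITED = """\
$TTL 2d
example.com. IN SOA dns.example.com. hostmaster.example.com. (
        2024010101 1d 2h 1000h 2d )
"""

if __name__ == "__main__":
    for name, text in (("RIPE-203 zone", ZONE_RIPE203), ("inherited-TTL zone", ZONE_INHERITED)):
        soa = parse_soa(text)
        print(f"{name}: negative cache TTL {negative_cache_ttl(soa)}s; an NXDOMAIN cached "
              f"5 min before the add lingers {seconds_until_visible(soa, 0, 300)}s more; "
              f"deviations from RIPE-203: {diff_from_ripe203(soa) or 'none'}")
```

Running it shows the difference the SOA's own TTL makes: with the RIPE-203 layout a stale NXDOMAIN survives at most an hour, while a zone that lets the SOA inherit a two-day $TTL keeps the negative answer for the full two days. Setting MINIMUM to 3600, as the answer does, bounds the negative cache to an hour whatever TTL the SOA RR ends up with.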

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.