At the apex of every DNS zone is a start of authority (SOA) record containing critical information about the domain and zone configuration—including the email address of the domain administrator, primary nameserver, zone serial number, and a set of timing parameters related to caching and refreshing zone data. When you create a primary zone on the IBM NS1 Connect platform, you specify the SOA details, and the SOA record is automatically generated upon saving the zone.
The time to live (TTL) values and other time limits set in the SOA record are integral to the DNS configuration as they ensure the continuous refresh of zone data and prevent resolvers from serving outdated zone data after failed attempts to refresh. They also impact the volume of incoming queries to your authoritative nameservers. Refer to the descriptions below to learn more about each TTL setting and the default value.
- The SOA TTL is the minimum amount of time DNS resolvers should cache or store the zone data before requesting updated zone data from the authoritative nameserver. This value is inherited by the DNS records in the zone. The default value is 3600 seconds, that is, one hour.
- The Refresh value is the amount of time between each request by the secondary DNS servers for updated zone data from the primary servers. The secondary servers query the SOA record and, if successful, check whether the zone serial number has changed, which indicates changes to the zone data. If the serial number has changed, the servers send an AXFR request for an updated zone file. The default value is 43200 seconds, that is, 12 hours.
- The Retry value is the amount of time a secondary DNS server waits after a failed attempt to refresh zone data before querying the primary zone's SOA record again. Typically, this value is less than the refresh value. Secondary servers keep trying to refresh the zone data at this interval until they receive a successful response or the zone file expires. The default value is 7200 seconds, that is, two hours.
- The Expire value is the maximum amount of time from the first failed attempt to refresh zone data to the point when the zone data becomes stale. Secondary servers may continue to serve the cached zone data until the expiration time is reached, at which point the primary nameservers are considered "down" and no longer authoritative for this zone. This value should be larger than the sum of the retry and refresh values. The default value is 1209600 seconds, that is, 14 days.
- The NX TTL value is the amount of time a "negative" DNS response—such as an NXDOMAIN, EBOT, or NODATA—is cached by DNS resolvers. The negative response continues to be served to requesting clients during this time. The default value is 3600 seconds, that is, one hour.
Refer to the following best practices and key considerations when setting or modifying SOA TTL values:
- The SOA TTL value directly impacts the volume of DNS queries to your authoritative nameservers. A lower TTL value reduces the amount of time between each query from the resolver, resulting in more incoming queries. On the other hand, increasing the TTL value extends the period of time between each refresh, increasing the risk that requesting clients will not receive the latest DNS data.
- The SOA TTL value set in the zone configuration is inherited by the DNS records within the zone, but you can override the inherited TTL when you create or modify a record. This may be recommended if a record contains a Filter Chain configuration, in which case you should keep the TTL value as low as possible to increase the opportunities to optimize traffic distribution across multiple endpoints.
- Note that most recursive resolvers do not support a TTL value below 30 seconds.
- For records that rarely change (such as TXT or MX records), it is best to keep the TTL between one hour (3600 seconds) and 24 hours (86400 seconds). Then, when you need to make a change to the record, you can reduce the record TTL value temporarily before making the change to expedite propagation.
- To reduce the impact of random-label traffic against your base domain, you can increase the NX TTL value so that resolvers do not re-request the same nonexistent name for a longer period.
- Increasing the NX TTL value can help prevent random prefix attacks, where someone sends a lot of traffic to subdomains that are associated with the zone FQDN but are unlikely to exist. These attacks can overload your authoritative nameservers. Note that the IBM NS1 Connect platform applies API rate-limiting mechanisms to prevent abusive rates of incoming requests.
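The following example, added here and not part of the NS1 documentation or platform, ties the field definitions above to the best-practice checks: it parses a constructed SOA record, flags the retry/refresh/expire and minimum-TTL relationships the text recommends, derives the negative-cache TTL resolvers actually apply (min of SOA TTL and MINIMUM, per RFC 2308), and models how long a secondary keeps serving a zone after the primary becomes unreachable, using the page's description that the expire clock runs from the first failed refresh. The sample record, the `example.com` names and the outage offsets are assumptions.

```python
import math
from dataclasses import dataclass

# Constructed sample SOA record in zone-file presentation format using the
# defaults listed above (refresh 43200, retry 7200, expire 1209600, NX TTL 3600).
SAMPLE_SOA = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
              "2024010101 43200 7200 1209600 3600")

@dataclass
class Soa:
    ttl: int        # TTL of the SOA RR itself (the "SOA TTL" above)
    mname: str      # primary nameserver
    rname: str      # administrator mailbox, with '@' written as '.'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL (the "NX TTL" above, RFC 2308)

def parse_soa(line: str) -> Soa:
    """Parse a single-line presentation-format SOA RR into its fields."""
    f = line.split()
    if len(f) != 11 or f[2:4] != ["IN", "SOA"]:
        raise ValueError("expected: owner ttl IN SOA mname rname serial refresh retry expire minimum")
    return Soa(int(f[1]), f[4], f[5], *(int(x) for x in f[6:]))

def check_soa(soa: Soa) -> list[str]:
    """Flag values that violate the relationships recommended above."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry should be less than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append("expire should be larger than refresh + retry")
    if soa.ttl < 30:
        problems.append("TTL below 30s is not honoured by most resolvers")
    return problems

def negative_cache_ttl(soa: Soa) -> int:
    """Resolvers cache NXDOMAIN/NODATA for min(SOA TTL, MINIMUM) (RFC 2308 section 5)."""
    return min(soa.ttl, soa.minimum)

def outage_timeline(soa: Soa, outage_start: int) -> dict:
    """Secondary whose last successful refresh was at t=0; the primary becomes
    unreachable at outage_start (> 0). Refreshes run at multiples of REFRESH,
    retries every RETRY after the first failure, expiry EXPIRE after that failure."""
    first_fail = max(soa.refresh, math.ceil(outage_start / soa.refresh) * soa.refresh)
    retries = math.ceil(soa.expire / soa.retry) - 1   # retry attempts strictly before expiry
    return {"first_fail": first_fail, "retries_before_expire": retries,
            "expires_at": first_fail + soa.expire}
```

With the defaults, a primary that goes down shortly after a successful refresh is first missed at the next 12-hour refresh and the secondary keeps answering for a further 14 days, so a short primary outage is invisible to clients but a stale or failed transfer goes unnoticed for the same period unless the serial is monitored.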