When setting up a zone file for a domain name, the administrator can freely choose the time values on the SOA record and the Time To Live (TTL) values on the Resource Records (RRs). There are already many useful documents with recommendations for these time values, but most lack any reference to zones signed with DNSSEC, because when they were published DNSSEC either did not exist or had no relevance. We have tried to update the recommendations for these time values so that non-experts can adapt their templates or have a reference. Our recommendations work for both signed and unsigned zones and, in the best case, help improve the stability and resilience of the DNS.
Our recommended DNS example.com zone file in BIND format looks as follows:
```
$TTL 86400 ; (1 day)
$ORIGIN example.com.
@       IN SOA ns1.example.com. hostmaster.example.com. (
                2014012401 ; serial YYYYMMDDnn
                14400      ; refresh (4 hours)
                1800       ; retry (30 minutes)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
        86400 IN NS    ns1
        86400 IN NS    ns2
              IN A     203.0.113.10
              IN AAAA  2001:DB8:BEEF:113::10
www           IN CNAME example.com.
ftp           IN CNAME example.com.
ns1     86400 IN A     192.0.2.22
        86400 IN AAAA  2001:DB8:BEEF:2::22
ns2     86400 IN A     198.51.100.22
        86400 IN AAAA  2001:DB8:BEEF:100::22
...
```
Please read the following sections for a more detailed explanation.
TTL
TTL defines the duration in seconds that a record may be cached; the default for the zone is specified by the $TTL directive in the zone file (RFC 2308). All TTL values for name server records (NS, A, AAAA) should ideally be somewhat longer so that the zone better survives attacks on the DNS (see the RFC draft on long TTL values). In general, the choice of the TTL value is a tradeoff between stability on one side and flexibility and traffic volume on the other. If the zone is signed, some additional precautions apply. The TTLs of the RRSIG, DNSKEY and DS records belonging to the name server records should be in accordance with those of the NS, A and AAAA records. However, the longer the Maximum Zone TTL, the greater its negative impact on time-dependent events such as key rollovers. Note also that most resolvers cap the time they cache a record: BIND defaults to 7 days, Unbound and PowerDNS to 1 day. On the other side, the Minimum Zone TTL should be long enough to both fetch and verify all the RRs in the chain of trust. RFC 6781 suggests that the Minimum Zone TTL should not be lower than 5 to 10 minutes. Our recommendation:
- Infrastructure records (NS related): 1 day
- Default $TTL: 1 hour to 1 day
- Minimum Zone TTL: 5 to 10 minutes
- Maximum Zone TTL: 1 day
SOA Refresh and Retry
These values only affect the interval at which a secondary name server checks the primary name server for a new version of the zone. They should be chosen based on the update frequency of the zone. It is strongly recommended that the primary name server sends NOTIFY messages (RFC 1996) to the secondary name servers, which reduces the need for SOA checks driven by the Refresh and Retry values. This is especially important when DNSSEC is used and a reliable and quick zone transfer to the secondary name servers is required. For a general-purpose zone, we recommend:
- SOA Refresh: 1-4 hours
- SOA Retry: 15-60 minutes
SOA Expire
The SOA expiration timer tells the secondary name server for how long it should keep answering queries when it can no longer contact the primary name server for zone updates, for example because of a network or service outage. Therefore a value of several days is recommended. If the zone is signed, keep in mind that the minimum Signature Validity Period needs to be longer than the expire value, otherwise a secondary name server will answer with expired signatures before the zone expires. RFC 6781 suggests that the expire value should be approximately one third or one quarter of the minimum Signature Validity Period. Our recommendation:
- SOA Expire: 1-2 weeks
SOA Minimum
The minimum of the SOA TTL and the SOA minimum value specifies the negative caching time for DNS answers whose query could not be answered (see also our blog post Optimizing Negative Caching Time in DNS). This value is also important when you first sign a zone: it is the minimal time span you should wait after publishing the signed zone before adding the DS record (chain of trust) to the parent zone. Our recommendation:
- SOA Minimum: 15-60 minutes
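As an added example (not code from the original post), the following Python script parses the $TTL directive and the SOA timers from a BIND zone and compares them with the ranges recommended above, including the negative caching time and the RFC 6781 relation between SOA Expire and the minimum Signature Validity Period. The sample zone text, the function names and the optional min_sig_validity argument are assumptions made for this illustration.

```python
import re

# Constructed sample zone in BIND format, modelled on the example.com zone above.
SAMPLE_ZONE = """$TTL 86400
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2014012401 ; serial
        14400      ; refresh (4 hours)
        1800       ; retry (30 minutes)
        1209600    ; expire (2 weeks)
        3600 )     ; minimum (1 hour)
  86400 IN NS ns1
  86400 IN NS ns2
ns1 86400 IN A 192.0.2.22
"""

HOUR, DAY = 3600, 86400

def parse_soa(zone_text):
    """Return (default_ttl, refresh, retry, expire, minimum) in seconds."""
    # Strip ';' comments first so a multi-line SOA can be matched as one string.
    stripped = " ".join(line.split(";")[0] for line in zone_text.splitlines())
    ttl = int(re.search(r"\$TTL\s+(\d+)", stripped).group(1))
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", stripped)
    _serial, refresh, retry, expire, minimum = (int(x) for x in m.groups())
    return ttl, refresh, retry, expire, minimum

def check_timers(zone_text, min_sig_validity=None):
    """Return a list of findings against the recommended ranges; empty means all passed."""
    ttl, refresh, retry, expire, minimum = parse_soa(zone_text)
    findings = []
    if not HOUR <= refresh <= 4 * HOUR:
        findings.append("refresh outside 1-4 hours")
    if not 15 * 60 <= retry <= HOUR:
        findings.append("retry outside 15-60 minutes")
    if not 7 * DAY <= expire <= 14 * DAY:
        findings.append("expire outside 1-2 weeks")
    if not 15 * 60 <= minimum <= HOUR:
        findings.append("minimum outside 15-60 minutes")
    if not HOUR <= ttl <= DAY:
        findings.append("default $TTL outside 1 hour to 1 day")
    # Negative caching time is min(SOA TTL, SOA minimum); the SOA here inherits $TTL.
    if min(ttl, minimum) < 5 * 60:
        findings.append("negative caching time below 5 minutes")
    # RFC 6781: expire should be about a third to a quarter of the minimum signature validity.
    if min_sig_validity is not None and not min_sig_validity / 4 <= expire <= min_sig_validity / 3:
        findings.append("expire not within 1/4-1/3 of minimum signature validity period")
    return findings
```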
References
- RFC 1912 – Common DNS Operational and Configuration Errors, D. Barr, February 1996
- RFC 1996 – A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY), P. Vixie, August 1996
- RFC 2308 – Negative Caching of DNS Queries (DNS NCACHE), M. Andrews, March 1998
- RFC 6781 – DNSSEC Operational Practices, Version 2, O. Kolkman, W. Mekking, R. Gieben, December 2012
- RFC DRAFT – Improving DNS Service Availability by Using Long TTL Values, V. Pappas, E. Osterweil, February 2012