SWITCH Security-Blog

SWITCH-CERT IT-Security Blog

DNS Zone File Time Value Recommendations


When setting up a zone file for a domain name, the administrator can freely choose the time values set on the SOA record and the Time To Live (TTL) values on the Resource Records (RR). There are already many useful documents describing recommendations for these time values, but most lack any reference to zones signed with DNSSEC because, at the time these documents were published, DNSSEC either did not exist or had no relevance. We have tried to update the recommendations for these time values so that non-experts can adapt their templates or have a reference. Our recommendations work for both signed and unsigned zones and, in the best case, help improve the stability and resilience of the DNS.

Our recommended DNS example.com zone file in BIND format looks as follows:

$TTL 86400 ; (1 day)
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. (
                2014012401 ; serial YYYYMMDDnn
                14400      ; refresh (4 hours)
                1800       ; retry   (30 minutes)
                1209600    ; expire  (2 weeks)
                3600       ; minimum (1 hour)
                )

         172800    IN   NS    ns1
         172800    IN   NS    ns2

                   IN   A     203.0.113.10
                   IN   AAAA  2001:DB8:BEEF:113::10
www                IN   CNAME example.com.
ftp                IN   CNAME example.com.

ns1      172800    IN   A     192.0.2.22
         172800    IN   AAAA  2001:DB8:BEEF:2::22
ns2      172800    IN   A     198.51.100.22
         172800    IN   AAAA  2001:DB8:BEEF:100::22
...

Please read the following sections for a more detailed explanation.

TTL
TTL defines the duration in seconds that the record may be cached and is specified by the $TTL directive in the zone file (RFC 2308). All TTL values for name server records (NS, A, AAAA) should ideally be a bit longer to better survive DNS attacks (RFC Draft Long TTL Values). In general, the choice of the TTL value is a tradeoff between stability on one side and flexibility and traffic volume on the other. If the zone is signed, some additional precautions apply. The TTL of the RRSIG, DNSKEY and DS records of the name server records should be in accordance with that of their NS, A and AAAA records. However, the longer the Maximum Zone TTL, the more it may negatively affect time-dependent events such as key rollovers. Note also that most resolvers have a maximum time for which they cache a record: BIND defaults to 7 days, Unbound and PowerDNS to 1 day. On the other hand, the Minimum Zone TTL should be long enough to both fetch and verify all the RRs in the trust chain. RFC 6781 suggests that the Minimum Zone TTL should not be lower than 5 to 10 minutes. Our recommendation:

  • Infrastructure records (NS related): 1-2 days
  • Default $TTL: 1 hour to 1 day
  • Minimum Zone TTL: 5 to 10 minutes
  • Maximum Zone TTL: 1-2 days

SOA Refresh and Retry
These values only affect the interval at which a secondary name server checks for a new zone at the primary name server. The values should be chosen based on the update frequency of the zone. It is strongly recommended that the primary name server sends NOTIFY (RFC 1996) messages to the secondary name server, thus reducing the need for SOA checks driven by the Refresh and Retry values. This is especially important when DNSSEC is used and a reliable and quick zone transfer to secondary name servers is required. For the general-purpose zone, we recommend:

  • SOA Refresh: 1-4 hours
  • SOA Retry: 15-60 minutes

SOA Expire
The SOA expiration timer tells the secondary name server for how long it should keep answering queries when it can no longer contact the primary name server for zone updates, for example because of network or service outages. Therefore a value of several days is recommended. If the zone is signed, keep in mind that the minimum Signature Validity Period needs to be longer than the expire value, or a secondary name server will answer with expired signatures before the zone expires. RFC 6781 suggests that the value should be approximately one third or a quarter of the minimum Signature Validity Period. Our recommendation:

  • SOA Expire: 1 – 3 weeks

SOA Minimum
The minimum of the SOA TTL and the SOA minimum specifies the negative caching time for DNS answers to queries whose question could not be answered (see also our blog post Optimizing Negative Caching Time in DNS). This value is also important when you first sign a zone. In this case, it is the minimal timespan you should wait after publishing a signed zone before you add the DS record (chain-of-trust) to the parent zone. Our recommendation:

  • SOA Minimum: 15-60 minutes
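
The recommendations above can be checked mechanically before a zone is published. The following is an added example, not part of the original post: a small linter that compares a zone's $TTL, SOA timers and NS TTLs with the ranges recommended here and, for signed zones, verifies that SOA Expire is shorter than the signature validity. The function name, the `min_sig_validity` parameter and the assumption that all timers are written as plain seconds are choices made for this example.

```python
import re

# Bounds in seconds, taken from the recommendations in this post.
SOA_RANGES = {
    "refresh": (3600, 14400),      # 1-4 hours
    "retry": (900, 3600),          # 15-60 minutes
    "expire": (604800, 1814400),   # 1-3 weeks
    "minimum": (900, 3600),        # 15-60 minutes
}
DEFAULT_TTL = (3600, 86400)        # default $TTL: 1 hour to 1 day
INFRA_TTL = (86400, 172800)        # NS-related records: 1-2 days

# Constructed sample: the SOA and NS lines of the zone file shown above.
SAMPLE_ZONE = """$TTL 86400 ; (1 day)
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. (
                2014012401 ; serial YYYYMMDDnn
                14400 1800 1209600 3600 )
         172800    IN   NS    ns1
         172800    IN   NS    ns2
"""

def check_zone_timers(zone_text, min_sig_validity=None):
    """Return a list of findings; timers must be plain seconds (no 4h/1d units).

    min_sig_validity (assumed input): shortest RRSIG validity in seconds.
    """
    text = re.sub(r";[^\n]*", "", zone_text)  # drop comments
    findings = []
    ttl = re.search(r"^\$TTL\s+(\d+)", text, re.M)
    if ttl and not DEFAULT_TTL[0] <= int(ttl.group(1)) <= DEFAULT_TTL[1]:
        findings.append(f"$TTL {ttl.group(1)} outside {DEFAULT_TTL}")
    soa = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*" + r"\s+".join([r"(\d+)"] * 5), text)
    if not soa:
        return findings + ["no SOA record with numeric timers found"]
    timers = dict(zip(SOA_RANGES, map(int, soa.groups()[1:])))  # skip serial
    for name, (low, high) in SOA_RANGES.items():
        if not low <= timers[name] <= high:
            findings.append(f"SOA {name} {timers[name]} outside {low}-{high}")
    # Explicit TTLs on NS records: optional owner, then TTL, class, type.
    for ns_ttl in re.findall(r"^\S*[ \t]+(\d+)[ \t]+IN[ \t]+NS\b", text, re.M):
        if not INFRA_TTL[0] <= int(ns_ttl) <= INFRA_TTL[1]:
            findings.append(f"NS TTL {ns_ttl} outside {INFRA_TTL}")
    # Signed zone: a cut-off secondary keeps answering until expire, so the
    # signatures must stay valid for longer than that.
    if min_sig_validity is not None and timers["expire"] >= min_sig_validity:
        findings.append(f"SOA expire {timers['expire']} >= signature validity {min_sig_validity}")
    return findings
```

With the sample zone, a 30-day signature validity produces no findings, while a 7-day validity is flagged because the 2-week expire value would let a secondary serve expired signatures.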
