When setting up a zone file for a domain name, the administrator can freely choose the time values to set in the SOA record and the Time To Live (TTL) of the Resource Records (RRs). Many useful documents already describe recommendations for these time values, but most do not take signed zones using DNSSEC into account, because when those documents were published DNSSEC either did not exist or had no relevance. We have updated the recommendations for these time values so that non-experts can adapt their templates or use them as a reference. Our recommendations work for both signed and unsigned zones and, in the best case, help improve the stability and resilience of the DNS.
Our recommended DNS example.com zone file in BIND format looks as follows:
$TTL 86400      ; (1 day)
$ORIGIN example.com.
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2014012401 ; serial YYYYMMDDnn
                14400      ; refresh (4 hours)
                1800       ; retry (30 minutes)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )
        86400 IN NS     ns1
        86400 IN NS     ns2
              IN A      203.0.113.10
              IN AAAA   2001:DB8:BEEF:113::10
www           IN CNAME  example.com.
ftp           IN CNAME  example.com.
ns1     86400 IN A      192.0.2.22
        86400 IN AAAA   2001:DB8:BEEF:2::22
ns2     86400 IN A      198.51.100.22
        86400 IN AAAA   2001:DB8:BEEF:100::22
...
Please read the following sections for a more detailed explanation.
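As an added illustration (not part of the original recommendations), the script below parses the SOA timers out of a BIND-format zone like the one above and checks that they are internally consistent before the zone goes live. The consistency rules it applies (retry shorter than refresh, expire longer than refresh plus retry, serial in YYYYMMDDnn form) are the generic RFC 1912 relationships and the serial convention shown in the zone, not additional recommendations from this page; the embedded zone text is a constructed sample using the values above.

```python
import re
from datetime import datetime

# Constructed sample: the SOA and $TTL settings recommended above, in BIND syntax.
SAMPLE_ZONE = """\
$TTL 86400 ; (1 day)
$ORIGIN example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2014012401 ; serial YYYYMMDDnn
        14400      ; refresh (4 hours)
        1800       ; retry (30 minutes)
        1209600    ; expire (2 weeks)
        3600       ; minimum (1 hour)
        )
        86400 IN NS ns1
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def parse_soa(zone_text):
    """Return the five numeric SOA fields of a BIND-format zone as a dict."""
    # Drop ';' comments and join the lines so the parenthesised SOA RDATA
    # matches no matter how many lines it is spread over.
    flat = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    pat = r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)"
    m = re.search(pat, flat)
    if m is None:
        raise ValueError("no SOA record found")
    return dict(zip(SOA_FIELDS, map(int, m.groups())))


def check_soa_timers(soa):
    """Return a list of problems; an empty list means the timers are consistent."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh (RFC 1912)")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        # Otherwise secondaries may discard the zone before they ever retry.
        problems.append("expire must exceed refresh + retry (RFC 1912)")
    serial = str(soa["serial"])
    try:
        datetime.strptime(serial[:8], "%Y%m%d")
        date_ok = len(serial) == 10
    except ValueError:
        date_ok = False
    if not date_ok:
        problems.append("serial is not in YYYYMMDDnn form")
    return problems
```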