
Re: bind9: high default SOA value



On 25.04.06 20:25, George Borisov wrote:
> I have just finished configuring a new bind9 server on our network. :-)
> 
> As a test I generated a report at www.dnsreport.com and it gave me the
> following error message:
> 
> ---
> WARNING: Your SOA RETRY interval is : 86400 seconds. This seems very
> high. You should consider decreasing this value to about 120-7200
> seconds. The retry value is the amount of time your secondary/slave
> nameservers will wait to contact the master nameserver again if the last
> attempt failed.
> ---
> 
> The 86400 value is supplied in the Debian default configuration and also
>  (for example) suggested here:
> http://www.debian.org/doc/manuals/network-administrator/ch-bind.html
> 
> Is Debian wrong in recommending this as a default?

I would say so. The page says the zone should be checked for changes
once a week, and if the check fails (doesn't return an answer), the retry
should be made a day later. Big changes can occur within one day - what
about a week?

For most zones, this is too high a number. Good that we have mechanisms
like NOTIFY; however, I would suggest the values suggested by dnsreport.

> Should I worry about this and change the value? (The reason I am
> reluctant to do this is because there are nearly 50 domains defined on
> that server, which means I would have to remember some sed to write a
> script to change all of these values :-p )

The SOA refresh and retry values are useful if you use slaves,
especially stealth slaves (you do not announce them). You still can
configure the master and announced slaves to send notifies to stealth slaves...

If you use any slave that does not support DNS NOTIFY, or your master does
not support it, you MUST lower those values, or prepare to have problems.


The same applies to the SOA "minimum" field, which is currently being used for
negative TTLs (host does not exist). This is set to a WEEK, so, if anyone
checks for a name from remote DNS servers, and it does exist, they will
remember this value for a week, so the host will be marked as non-existing for
a week even if you create it.

The "minimum" SOA field is used as the default TTL if you:
- don't set up a TTL for records
- don't set up a TTL for the zone using the directive
$TTL <value>

I recommend setting the default $TTL to 43200 (12 hours; good if you want to
make a change in the evening: in the morning everything will be refreshed)

and SOA "minimum" to 900 (15 minutes)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.
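As an added example (not part of the thread, and not a Debian or BIND tool), here is a small Python checker that parses the $TTL directive and the SOA timers of a BIND zone file and flags the values the reply above objects to: a retry above dnsreport's 120-7200 second range, a negative-cache "minimum" above 900 seconds, and a default $TTL above 43200 seconds. The sample zone, the limits and the function names are constructed assumptions; running it over all of the zone files on a server answers the original poster's question without hand-editing each one.

```python
import re

# Constructed sample zone using the Debian default timers discussed in the mail.
SAMPLE_ZONE = """\
$TTL 604800
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2006042501 ; serial
            604800     ; refresh (1 week)
            86400      ; retry (1 day)
            2419200    ; expire (4 weeks)
            604800 )   ; minimum / negative-cache TTL (1 week)
    IN  NS  ns1.example.com.
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(token):
    # BIND accepts plain seconds or suffixed values such as 1W, 1D, 12h, 15M.
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdwSMHDW]?)", token):
        total += int(num) * UNITS[unit.lower()]
    return total

def parse_soa(zone_text):
    # Returns (ttl, refresh, retry, expire, minimum) in seconds; ttl is None
    # when the zone has no $TTL directive. Comments are stripped first so the
    # parenthesised multi-line SOA form can be split on whitespace.
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    ttl_match = re.search(r"^\$TTL\s+(\S+)", stripped, re.M)
    soa = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?([^)]*)\)?", stripped, re.S)
    if not soa or len(soa.group(1).split()) < 5:
        return None
    fields = soa.group(1).split()  # serial, refresh, retry, expire, minimum
    ttl = to_seconds(ttl_match.group(1)) if ttl_match else None
    return (ttl,) + tuple(to_seconds(f) for f in fields[1:5])

def check_soa_timers(zone_text, retry_max=7200, minimum_max=900, ttl_max=43200):
    # Limits are assumptions taken from the recommendations in this thread.
    parsed = parse_soa(zone_text)
    if parsed is None:
        return ["no SOA record found"]
    ttl, refresh, retry, expire, minimum = parsed
    findings = []
    if retry > retry_max:
        findings.append(f"retry {retry}s exceeds {retry_max}s (dnsreport: 120-7200)")
    if minimum > minimum_max:
        findings.append(f"minimum {minimum}s exceeds {minimum_max}s (negative cache TTL)")
    if ttl is None:
        findings.append("no $TTL directive; SOA minimum would act as default TTL")
    elif ttl > ttl_max:
        findings.append(f"$TTL {ttl}s exceeds {ttl_max}s")
    return findings
```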


