Managing authority records

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Managing authority records

Zones are based on a concept of server authority. When a DNS server is configured to load a zone, it uses two types of resource records to determine the authoritative properties of the zone:

  • First, the start of authority (SOA) resource record indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone.

  • Next, the name server (NS) resource record is used to notate which DNS servers are designated as authoritative for the zone. By listing a server in the NS RR, it becomes known to others as an authoritative server for the zone. This means that any server specified in the NS RR is to be considered an authoritative source by others, and is able to answer with certainty any queries made for names included in the zone.

The SOA and NS resource records occupy a special role in zone configuration. They are required records for any zone and are typically the first resource records listed in files. By default, the New Zone Wizard automatically creates these records when a new primary zone is added using the DNS console.

The SOA resource record

The start of authority (SOA) resource record is always first in any standard zone. It indicates the DNS server that either originally created it or is now the primary server for the zone. It is also used to store other properties such as version information and timings that affect zone renewal or expiration. These properties affect how often transfers of the zone are done between servers authoritative for the zone.

The SOA resource record contains the following information:

Field Description

Primary server (owner)

The host name for the primary DNS server for the zone.

Responsible person

The e-mail address of the person responsible for administering the zone. A period (.) is used instead of an at sign (@) in this e-mail name.

Serial number

The revision number of the zone file. This number increases each time a resource record in the zone changes. It is important that this value increase each time the zone is changed, so that either partial zone changes or the fully revised zone can be replicated to other secondary servers during subsequent transfers.

Refresh interval

The time, in seconds, that a secondary DNS server waits before querying its source for the zone to attempt renewal of the zone. When the refresh interval expires, the secondary DNS server requests a copy of the current SOA record for the zone from its source, which answers this request. The secondary DNS server then compares the serial number of the source server's current SOA record (as indicated in the response) with the serial number in its own local SOA record. If they are different, the secondary DNS server requests a zone transfer from the primary DNS server. The default for this field is 900 seconds (15 minutes).

Retry interval

The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, this time is less than the refresh interval. The default value is 600 seconds (10 minutes).

Expire interval

The time, in seconds, before a secondary server stops responding to queries after a lapsed refresh interval where the zone was not refreshed or updated. Expiration occurs because at this point in time, the secondary server must consider its local data unreliable. The default value is 86,400 seconds (24 hours).

Minimum (default) TTL

The default Time-To-Live (TTL) of the zone and the maximum interval for caching negative answers to name queries. The default value is 3,600 seconds (1 hour).

The following is an example of a default SOA resource record:

@   IN  SOA     nameserver.example.microsoft.com.  postmaster.example.microsoft.com. (
                               1            ; serial number
                               3600         ; refresh   [1h]
                               600          ; retry     [10m]
                               86400        ; expire    [1d]
                               3600 )       ; min TTL   [1h]

In the example SOA record shown above, the primary or originating server for the zone is shown as nameserver.example.microsoft.com. The e-mail address for the person to contact regarding questions about this zone is postmaster.example.microsoft.com.

Notes

  • Periods are used to represent e-mail addresses when writing and storing DNS domain names in a zone. In an e-mail application, the previous example address would instead likely appear as postmaster@example.microsoft.com.

  • The parentheses used in the SOA resource record as it appears in a zone file are used to enable wrapping of the record over multiple lines of text.

  • If an individual TTL value is assigned and applied to a specified resource record used in the zone, it overrides the minimum (default) TTL set in the SOA record.

The NS resource record

Name server (NS) resource records can be used to assign authority to specified servers for a DNS domain name in two ways:

  • By establishing a list of authoritative servers for the domain so that those servers can be made known to others that request information about this domain (zone).

  • By indicating authoritative DNS servers for any subdomains that are delegated away from the zone.

In the case of assigning servers with host names in the same zone, corresponding address (A) resource records are normally used in the zone to resolve the names of specified servers to their IP addresses. For servers that are specified using this RR as part of a zone delegation to a subdomain, the NS resource record usually contains out-of-zone names. For the out-of-zone names to be resolved, A resource records for the specified out-of-zone servers might be needed. When these out-of-zone NS and A records are needed to provide delegation, they are known as glue records.

Description: Used to map a DNS domain name as specified in owner to the name of hosts operating DNS servers specified in the name_server_domain_name field.

Syntax:  owner  ttl  IN  NS  name_server_domain_name

Example:

example.microsoft.com.    IN NS  nameserver1.example.microsoft.com