When you see the warning "Your SOA EXPIRE number is: 3600000. That is NOT OK" from tools like intoDNS, it indicates your DNS zone's expiration timeout is improperly configured. The expire value (specified in seconds) determines how long secondary nameservers should retain zone data when they can't refresh it from the primary server.
The standard recommended range is 2-4 weeks (1209600 to 2419200 seconds). Values outside this range can cause DNS propagation issues:
- Too low (under 1 week): May cause secondary servers to discard zone data too quickly during outages
- Too high (over 4 weeks): Increases risk of serving stale DNS records during extended outages
The SOA expire value is set in your DNS zone file. Here's how to modify it for different DNS servers:
BIND (named.conf) Configuration
$TTL 86400
@ IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. (
    2023081501 ; serial
    3600       ; refresh (1 hour)
    600        ; retry (10 minutes)
    1209600    ; expire (2 weeks)
    3600       ; minimum (1 hour)
)
PowerDNS Configuration
UPDATE records SET content = 'ns1.yourdomain.com hostmaster.yourdomain.com 2023081501 3600 600 1209600 3600' WHERE name = 'yourdomain.com' AND type = 'SOA';
Cloudflare API Example
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records/RECORD_ID" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"data":{"expire":1209600}}'
After making changes:
- Increment your SOA serial number
- Reload your DNS server (e.g., rndc reload for BIND)
- Verify with dig SOA yourdomain.com
- Recheck with intoDNS or similar tools
For large-scale deployments:
- Consider automation through Infrastructure as Code (Terraform, Ansible)
- Implement monitoring for SOA value changes
- Document expiration policies in your runbooks
When you see the warning "Your SOA EXPIRE number is: 3600000. That is NOT OK" from tools like intoDNS, it means your DNS zone's secondary name servers will retain stale DNS records for an excessively long period (3600000 seconds ≈ 42 days) if they can't contact your primary server.
The proper range for SOA expire values is typically 1-4 weeks (604800 to 2419200 seconds). Best practices suggest:
- 2 weeks (1209600 seconds) for most setups
- 4 weeks (2419200 seconds) for very stable environments
- Avoid values below 1 week (604800 seconds)
The SOA expire value is set in your DNS zone file (usually at your domain registrar or DNS hosting provider). Here's how to locate it:
; Example zone file
$TTL 86400
@ IN SOA ns1.yourdomain.com. admin.yourdomain.com. (
2023081501 ; Serial
3600 ; Refresh
600 ; Retry
3600000 ; <-- This is the problematic Expire value
86400 ; Minimum TTL
)
For BIND/named servers, modify your zone file:
; Corrected zone file example
$TTL 86400
@ IN SOA ns1.yourdomain.com. admin.yourdomain.com. (
2023081501 ; Serial
3600 ; Refresh
600 ; Retry
1209600 ; Expire (2 weeks)
86400 ; Minimum TTL
)
For common DNS providers:
Cloudflare
Navigate to DNS → Zone → Edit SOA record
AWS Route53
aws route53 change-resource-record-sets \
--hosted-zone-id Z1PA6795UKMFR9 \
--change-batch file://changes.json
Example changes.json:
{
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "example.com",
      "Type": "SOA",
      "TTL": 86400,
      "ResourceRecords": [{
        "Value": "ns-123.awsdns-45.com. awsdns-hostmaster.amazon.com. 1 3600 900 1209600 86400"
      }]
    }
  }]
}
After changes, verify with:
dig SOA yourdomain.com
Or using DNS inspection tools:
nslookup -type=SOA yourdomain.com
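The verification step above only prints the SOA record; the following script, added here as an example and not part of either answer, parses the RDATA line that dig +short SOA yourdomain.com returns and applies the timer rules this page describes (expire between 1 and 4 weeks) together with the consistency relations that checking tools such as intoDNS apply (RFC 1912). The sample RDATA lines are constructed, using the placeholder names from the zone files above.

```python
"""Check SOA timers the way intoDNS-style tools do (added example)."""
from dataclasses import dataclass

WEEK = 7 * 24 * 3600  # 604800 seconds


@dataclass
class Soa:
    """Fields of an SOA record in wire order."""
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Parse SOA RDATA as printed by `dig +short SOA`:
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(parts)}")
    mname, rname, *nums = parts
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return Soa(mname, rname, serial, refresh, retry, expire, minimum)


def check_soa(soa: Soa) -> list[str]:
    """Return findings for the timers; an empty list means they look sane."""
    findings = []
    if soa.expire < WEEK:
        findings.append(f"EXPIRE {soa.expire} is under 1 week; secondaries drop the zone too soon")
    elif soa.expire > 4 * WEEK:
        findings.append(f"EXPIRE {soa.expire} is over 4 weeks; stale data may be served too long")
    # The zone must not expire before a failed refresh can be retried.
    if soa.expire <= soa.refresh + soa.retry:
        findings.append("EXPIRE must exceed REFRESH + RETRY")
    if soa.retry >= soa.refresh:
        findings.append("RETRY should be shorter than REFRESH")
    return findings


if __name__ == "__main__":
    # Constructed samples: the problematic record, then the corrected one.
    bad = "ns1.yourdomain.com. admin.yourdomain.com. 2023081501 3600 600 3600000 86400"
    good = "ns1.yourdomain.com. admin.yourdomain.com. 2023081502 3600 600 1209600 86400"
    for line in (bad, good):
        for finding in check_soa(parse_soa(line)) or ["OK"]:
            print(finding)
```

Run it against the real record by piping the output of dig +short SOA yourdomain.com into parse_soa instead of the constructed strings.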