The SOA EXPIRE value in a DNS zone tells secondary nameservers how long to keep serving zone data after they lose contact with the primary. 3600000 seconds (1000 hours, about 42 days) is the value RIPE-203 recommends, and it is also the value IntoDNS-style checkers warn about, because it sits outside the two-to-four-week range RFC 1912 suggests. Both positions rest on technical trade-offs, laid out below.
RFC 1912 (section 2.2) suggests two to four weeks for EXPIRE. A typical production SOA in BIND zone-file syntax:
; Common production values
$TTL 86400 ; 1 day default TTL
@ IN SOA ns1.example.com. admin.example.com. (
        2023081501 ; serial
        3600       ; refresh (1 hour): how often secondaries poll the primary's serial
        600        ; retry (10 minutes): how soon to poll again after a failed refresh
        1209600    ; expire (2 weeks): how long to keep serving the zone with no successful refresh
        3600       ; minimum: negative-caching TTL (RFC 2308), not a floor on record TTLs
        )
Values used in practice for different risk profiles. All three sit below the two-week floor above: they trade tolerance of a long outage for faster removal of stale data, and RFC 1912-based checkers will flag them.
; High-availability setup
604800 ; expire (1 week)
; Enterprise environment
864000 ; expire (10 days)
; Critical infrastructure
432000 ; expire (5 days)
Ask the authoritative servers directly (+norec turns off recursion, so the answer comes from the server's own copy of the zone rather than a cache). Run the same query against the primary and each secondary and compare the serials; that is how you watch a change propagate:
$ dig @ns1.example.com example.com SOA +norec
;; ANSWER SECTION:
example.com.  3600  IN  SOA  ns1.example.com. admin.example.com. 2023081501 3600 600 1209600 3600
On a BIND secondary, named.conf can clamp the refresh and retry values it honours from the primary's SOA. There is no equivalent knob for EXPIRE: BIND uses the SOA value as-is, up to its hard-coded ceiling of 24 weeks.
// named.conf options (apply to every secondary zone on this server)
options {
    min-refresh-time 300;    // never poll the primary more often than every 5 minutes
    max-refresh-time 86400;  // poll at least daily even if the SOA says otherwise
    min-retry-time 300;
    max-retry-time 7200;     // retry within 2 hours of a failed refresh
};
Key factors to consider:
- Zone transfer frequency
- Network reliability
- Secondary server count
- Change management processes
Verify settings with:
$ dig @8.8.8.8 example.com SOA +short
ns1.example.com. admin.example.com. 2023081501 3600 600 1209600 3600
The SOA (Start of Authority) EXPIRE value defines how long secondary DNS servers keep serving zone data after they can no longer refresh it from the primary. IntoDNS reports 3600000 seconds (about 42 days) as a problem because it is above the four-week ceiling RFC 1912 suggests, not because it breaks resolution: while the primary is reachable the value is never consulted. The risk it points at is secondaries continuing to serve records for six weeks after the primary has gone away or been replaced.
The range most checkers (IntoDNS included) test against is the one RFC 1912 suggests:
- Minimum: 1209600 seconds (2 weeks)
- Maximum: 2419200 seconds (4 weeks)
RIPE-203 instead recommends 3600000 seconds (1000 hours), which is why the value appears in so many zones: a zone using it follows a published recommendation, just not the one the checker encodes.
Example BIND zone file configuration:
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2023081501 ; serial
        3600       ; refresh
        900        ; retry
        2419200    ; expire (4 weeks)
        3600       ; minimum (negative-caching TTL)
        )
Using 3600000 (above RFC 1912's ceiling):
- A secondary that has lost its primary keeps answering with whatever it last transferred for about six weeks, so withdrawn records (a decommissioned host, a changed mail server) stay visible for that long
- Falls outside the 2-4 week range RFC 1912 suggests, so IntoDNS and any audit tooling that encodes that range reports the zone as failing
Too short (under 1 week):
- A network or primary outage longer than EXPIRE leaves the secondaries with an expired zone; BIND then answers SERVFAIL for every name in it until a transfer succeeds
- After expiry the secondary has to transfer the zone again before it resumes answering, rather than just refreshing it
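The checks the two lists above describe, plus the ordering rules RFC 1912 gives for the other timers, as an added example (not code from the original page or from any tool it mentions): a standard-library Python script that parses the one-line rdata printed by dig +short for an SOA query, like the output shown earlier on this page, and reports which rule a zone breaks. The three sample records are constructed; the 2-4 week window is the RFC 1912 range, and the "room for one retry" rule is a practical heuristic added here, not something the RFC states.

```python
"""Offline sanity check of SOA timers.

Added example, not code from the original page. Parses the presentation
form of an SOA rdata (mname rname serial refresh retry expire minimum),
which is what `dig +short <zone> SOA` prints, and applies the ordering
rules from RFC 1912 section 2.2 plus the 2-4 week EXPIRE window that
checkers such as IntoDNS use. The records in SAMPLES are constructed.
"""
from dataclasses import dataclass

DAY = 86400
EXPIRE_MIN = 14 * DAY    # 1209600: low end of the RFC 1912 suggestion
EXPIRE_MAX = 28 * DAY    # 2419200: high end; RIPE-203's 3600000 lands above it
UINT32_MAX = 2**32 - 1   # every SOA timer is a 32-bit field on the wire


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Parse the presentation form of an SOA rdata, as printed by dig +short."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {rdata!r}")
    mname, rname, *numbers = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    for name, value in (("serial", serial), ("refresh", refresh), ("retry", retry),
                        ("expire", expire), ("minimum", minimum)):
        if not 0 <= value <= UINT32_MAX:
            raise ValueError(f"{name} {value} does not fit a 32-bit field")
    return Soa(mname, rname, serial, refresh, retry, expire, minimum)


def days(seconds: int) -> str:
    return f"{seconds / DAY:.1f} days"


def check_soa(soa: Soa) -> list[str]:
    """Return findings as strings; an empty list means the timers are consistent."""
    findings = []
    # RFC 1912: retry is "typically some fraction of the refresh interval".
    if soa.retry >= soa.refresh:
        findings.append(f"retry {soa.retry} is not shorter than refresh {soa.refresh}")
    # RFC 1912: expire "must be greater than the minimum and retry intervals".
    if soa.expire <= max(soa.retry, soa.minimum):
        findings.append(f"expire {soa.expire} does not exceed retry/minimum")
    # Heuristic added here (not from the RFC): a secondary should get one missed
    # refresh plus one retry before it may expire, or a single blip drops the zone.
    elif soa.expire <= soa.refresh + soa.retry:
        findings.append(f"expire {soa.expire} leaves no room for a retry after a missed refresh")
    if soa.expire < EXPIRE_MIN:
        findings.append(f"expire {soa.expire} ({days(soa.expire)}) is below the 2-week floor: "
                        "an outage longer than that makes secondaries SERVFAIL the whole zone")
    elif soa.expire > EXPIRE_MAX:
        findings.append(f"expire {soa.expire} ({days(soa.expire)}) is above the 4-week ceiling: "
                        "cut-off secondaries keep serving stale records for that long")
    return findings


def audit(rdata: str) -> list[str]:
    """Parse and check in one step, for use directly on dig +short output."""
    return check_soa(parse_soa(rdata))


# Constructed samples: the page's example zone, the RIPE-203 set, and a too-short one.
SAMPLES = {
    "page": "ns1.example.com. admin.example.com. 2023081501 3600 600 1209600 3600",
    "ripe203": "ns1.example.com. hostmaster.example.com. 2023081501 86400 7200 3600000 172800",
    "short": "ns1.example.com. hostmaster.example.com. 2023081501 3600 900 432000 3600",
}

if __name__ == "__main__":
    for label, rdata in SAMPLES.items():
        findings = audit(rdata)
        print(f"{label}: {'ok' if not findings else '; '.join(findings)}")
```

Feed it live data with something like `dig +short example.com SOA | python3 -c 'import sys, soacheck; print(soacheck.audit(sys.stdin.read()))'` (module name assumed). The RIPE-203 sample is the interesting one: it passes every ordering rule and fails only the RFC 1912 window, which is exactly the disagreement the IntoDNS warning reflects.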
Cloudflare: a zone served from Cloudflare's nameservers gets an SOA record that Cloudflare generates; the Terraform provider's zone settings expose no SOA EXPIRE field, so the value cannot be set from configuration. Read what the provider actually publishes with the same dig +short SOA query shown above, and judge it against the ranges here.
PowerDNS Authoritative Server, through its HTTP API (the API listens locally, 127.0.0.1:8081 by default; the zone name carries its trailing dot, and the SOA is replaced as an RRset):
curl -X PATCH http://127.0.0.1:8081/api/v1/servers/localhost/zones/example.com. \
  -H "X-API-Key: $APIKEY" \
  -d '{"rrsets": [{"name": "example.com.", "type": "SOA", "ttl": 3600, "changetype": "REPLACE",
       "records": [{"content": "ns1.example.com. hostmaster.example.com. 2023081502 3600 900 2419200 3600", "disabled": false}]}]}'
The serial is bumped by hand here; if the zone's SOA-EDIT-API metadata is set, PowerDNS rewrites the serial itself on each API change.
Sample Python check using dnspython (thresholds match the RFC 1912 range above):
import dns.resolver  # dnspython

EXPIRE_MIN = 1209600  # 2 weeks, low end of RFC 1912
EXPIRE_MAX = 2419200  # 4 weeks, high end of RFC 1912

def check_soa_expire(domain):
    # Query the SOA through the system resolver and read the EXPIRE field
    soa = dns.resolver.resolve(domain, 'SOA')
    expire = soa[0].expire
    if expire > EXPIRE_MAX:
        print(f"WARNING: Excessive EXPIRE {expire} for {domain}")
    elif expire < EXPIRE_MIN:
        print(f"WARNING: Short EXPIRE {expire} for {domain}")
    else:
        print(f"Valid EXPIRE {expire} for {domain}")

if __name__ == "__main__":
    check_soa_expire("example.com")