Questions[soa-record](server)

I want to setup a Hidden Primary DNS server, i.e. I host the zone files on my own server, but all requests should go to Secondary DNS servers hosted by a dedicated DNS company. My own DNS server should not be used by recursive resolvers or end users. Said company will copy the zone files with a zone-transfer from my server. Ideally, nobody should even know that my server exists in this DNS setup.

Of course all NS records in such a setup will point to the nameservers of the DNS company. But I am unsure about the SOA record.

According to my understanding this setup would mean that my server is the "start of authority" and thus I would have to specify it in SOA - which would make it public knowledge that my server is the real primary server. According to another answer on serverfault MNAME has to be set to "the <domain-name> of the name server that was the original or primary source of data for this zone."

If it's possible without much trouble, I would prefer not to list my NS server in SOA and instead point SOA to my nameserver hosting company.

What are the consequences if I actually set company.example.com as SOA instead of my own server myserver.example.org?

• Will I violate the RFC?
• Will some parts of the DNS system not work anymore? (I read that the entry of SOA is used for dynamic updates, but I do neither plan to accept dynamic updates from foreign people nor do I plan to send them myself)
• Will my nameserver hosting company come to me, because I wrongly specify their email address as contact for the primary DNS? (mail address field of SOA)
• Can I maybe mix different hostname and mail address in SOA to solve some issues? E.g. point to company.example.com as SOA server, but to [email protected] for mail contact?

I made two successive mistakes while updating zone records. Once I forgot to increment the serial number, then next time I did put a digit more ie 20170210111 instead of 2017021011, and each time I reloaded config : rndc reload.

When I realised it, I switched back serial to a 10 digits number, so my zone file SOA serial is now 2017021012.

I get this now :

#  host -C domain.tld
Nameserver X.X.X.X:
        domain.tld has SOA record X.X.X.X.ovh.net. postmaster.domain.tld. 2017021010 28800 7200 1209600 3600
Nameserver Y.Y.Y.Y: 
        domain.tld has SOA record X.X.X.X.ovh.net. postmaster.domain.tld. 2017021003 28800 7200 1209600 86400

Where X.X.X.X is my primary DNS server IP and Y.Y.Y.Y secondary one.

I'm not really used to DNS configuration, and I really don't know how to resynchronize serials and permit propagation. I read already a lot of posts, I'm afraid I still don't know if I should give zone record a greater number, what happened when I reloaded with 13 digits...?

I'm reading through the following dns tutorial and it has this example in it:

domain.com.  IN SOA ns1.domain.com. admin.domain.com. (
                                        12083   ; serial number
                                        3h      ; refresh interval
                                        30m     ; retry interval
                                        3w      ; expiry period
                                        1h      ; negative TTL
)

The description for the negative TTL value says this:

1h: This is the amount of time that the name server will cache a name error if it cannot find the requested name in this file.

What are the conditions that could trigger the server to cache a name error like this? An example would be really helpful.

hope you can help me with this...

Last week I was required by my registar to switch from default to custom DNS servers (ns1.status2.com / ns2.status2.com) on my domain (status2.com) in order to enable DKIM on my VPS Server.

After this change was made (and DKIM successfully enabled) I noticed the following errors when checking my dns health via: dnscheck.pingdom.com

• Superfluous name server listed at parent: ns1.status2.com
• Superfluous name server listed at parent: ns2.status2.com
• Total parent/child glue mismatch.

At this point I reported these errors to a registar support agent and they reset the DNS records but the problem persists. Also there are the following records:

• 2 different serials found.
• 2 different SOA records found.
• Delivery over IPv4 to [email protected] could not be done. Failed to deliver email for SOA RNAME of status2.com (dnsadmin.v144.vps.unifiedlayer.com) using [email protected]

we are managing our DNS data at Azure DNS. They provide 4 NS for redundancy, but just two days ago the whole Azure DNS service went down for a few hours, and all of our services with it as well. Now i'm looking for a better redundancy for such a worst case scenario.

Unfortunately Azure DNS does not support outgoing zone transfer to a secondary NS hosted by a different provider. But they provide a tool for exporting all data of a zone into a zone file.

Amazon Route 53 gives me the option, to import such a zone file. But for this i have to recreate that zone for my domain at Amazon first. And this leads to a different SOA record (and also 4 different NS entries).

My plan was to use both services (Azure and Amazon), and take from both two NS:

• MyDomain NS1 -> Azure
• MyDomain NS2 -> Amazon
• MyDomain NS3 -> Azure
• MyDomain NS4 -> Amazon

As i synchronize the zone data between the 2 providers over export / import by myself, i don't see a problem in terms of accurate DNS data. But the SOA and the NS records for the domain are not consistent.

What are the implications in such a szenario? Could that lead to problems with spam prevention or other services, who query DNS data for a domain?

Thank you in advance.