soac

Section: Domain Debug Tools Manual (1)
Updated: May 17 1993
 

NAME

soac - check DNS authority information  

SYNOPSIS

soac [ msglevel ]  

DESCRIPTION

Soac (start of authority check) analyzes the RRs describing zone authority and delegations defined in the zone files. It checks that the timers used in the SOA records are within the values defined in the file /usr/local/lib/ddt/cmd/SOA-timers, and it checks the validity of the authoritative name servers for the zone, including version number and NS list matching tests.

It verifies the adequacy of SOA timers according to the characteristics of the zones (top level or non-top level). The file /usr/local/lib/ddt/cmd/SOA-timers must contain the recommended values for the timers (see below).

If the absolute value of the difference between the actual value and the recommended value is greater than the recommended interval, then the following message (Warning 3) will be displayed:

<field> <actual time> [recommended value: <recommended time>]

where field is one of the timers (refresh, retry, expire or default_ttl), actual time is the value defined in the SOA, and recommended value is the value defined in the file /usr/local/lib/ddt/cmd/SOA-timers.

If this file does not exist, the following values are used:

For top level domain servers:
        86400   ; Refresh      24 hours
        7200    ; Retry        2 hours
        2592000 ; Expire       30 days
        345600  ; Default TTL  4 days

For other servers:
        28800   ; Refresh      8 hours
        7200    ; Retry        2 hours
        604800  ; Expire       7 days
        86400   ; Default TTL  1 day

However, these are not necessarily the values you should use. Factors such as the frequency of changes and the speed of the lines play an important role in optimizing the timer values. See also the comments in the file /usr/local/lib/ddt/SOA-timers.template

The RRs that describe the zone delegations are the NS RRs. Therefore, each NS is queried on-line about the zone to verify that it is authoritative for that zone. The following diagnostics can occur:

Connection timed out (Comment)
        The server doesn't answer a query within a certain amount of time (1 second, by default).
Non-authoritative answer (Warning 1)
        The name server doesn't reply as authoritative for the zone. This is the well-known "lame delegation problem".
Serial number mismatch. cached:<value1> , current:<value2> (Warning 3)
        The server replies with an authoritative answer but the serial number does not match the one cached.
Bad server (Warning 1)
        There is no information associated with this name (server) in the DNS database.
zone has only one name server (Warning 1)
        Any domain must have at least two name servers (a primary and a secondary) for reliability.

Absence of a diagnostic means that the server passed the tests above.

If msglevel is specified, only those messages belonging to level msglevel are displayed. Default is level 4.
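
An added example (not part of soac or the ddt distribution) of the two checks described above: the timer test |actual - recommended| > interval, and the per-server authority and serial test, run over constructed dig-style replies. The interval values (half of each recommended value) are an assumption, since this page does not list them; the names under example.test are made up.

```python
import re

# Page defaults for non-top-level zones, in seconds.
RECOMMENDED = {"refresh": 28800, "retry": 7200, "expire": 604800, "default_ttl": 86400}
# ASSUMPTION: the page lists no interval values; half of each recommended value is used.
INTERVAL = {field: value // 2 for field, value in RECOMMENDED.items()}

# SOA RDATA: mname rname serial refresh retry expire minimum (single-line form).
SOA_RE = re.compile(r"[ \t]SOA[ \t]+\S+[ \t]+\S+" + r"[ \t]+(\d+)" * 5 + r"[ \t]*$", re.M)

# Constructed dig-style replies, not captured from real servers.
AUTH_REPLY = """;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
example.test. 86400 IN SOA ns1.example.test. admin.example.test. 5 172800 7200 3600000 86400
"""
LAME_REPLY = """;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
test. 3600 IN NS ns.test.
"""

def parse_soa(text):
    """Return (serial, timers) from the first SOA record in text, or None."""
    m = SOA_RE.search(text)
    if not m:
        return None
    serial, *timers = map(int, m.groups())
    return serial, dict(zip(RECOMMENDED, timers))

def timer_warnings(timers):
    """Report each timer whose |actual - recommended| exceeds its interval."""
    return [f"{field.capitalize()} {actual} [recommended value: {RECOMMENDED[field]}]"
            for field, actual in timers.items()
            if abs(actual - RECOMMENDED[field]) > INTERVAL[field]]

def server_diagnostic(reply, cached_serial):
    """Classify one server's reply to an SOA query; None means it passed."""
    if reply is None or "timed out" in reply:
        return "Connection timed out"
    flags = re.search(r"^;; flags:([^;]*);", reply, re.M)
    soa = parse_soa(reply)
    if not flags or "aa" not in flags.group(1).split() or soa is None:
        return "Non-authoritative answer"  # lame delegation
    if soa[0] != cached_serial:
        return f"Serial number mismatch. cached:{cached_serial} , current:{soa[0]}"
    return None

if __name__ == "__main__":
    print(timer_warnings(parse_soa(AUTH_REPLY)[1]))
    for reply in (AUTH_REPLY, LAME_REPLY, None):
        print(server_diagnostic(reply, cached_serial=4))
```

The "Bad server" test is not covered, because it depends on resolving the server's name.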

 

EXAMPLES

        $ cat ii.pt | soac
        ### II.PT. ###
        Authoritative servers
        inesc.inesc.pt. [Not authoritative answer]

The zone ii.pt contains an NS RR stating that inesc.inesc.pt is a server for the ii.pt domain. However, when the server was queried, it did not answer authoritatively for the zone.

        $ cat ua.pt | soac
        ### UA.PT. ###
        SOA Record
        Refresh 172800 [recommended value: 28800]
        Expire 3600000 [recommended value: 604800]

The refresh and expire values are 172800 (2d) and 3600000 (1000h) respectively while the recommended values are 28800 (8h) and 604800 (7d).

        $ cat fc.up.pt | soac
        ### FC.UP.PT. ###
        Authoritative servers
        obelix.fe.up.pt. [Not authoritative answer]
        ciup1.ncc.up.pt. [Serial number mismatch. cached:4 , current:5]
        fc1.fc.up.pt. [Serial number mismatch. cached:4 , current:5]

A serial number mismatch doesn't necessarily mean an error condition, as the new version may be in the process of propagating. However, you should verify it carefully. An unintentional regression of the version number is a frequent and dangerous error.

        $ cat mat.upm.es | soac
        ### MAT.UPM.ES. ###
        Authoritative servers
        wotan.mat.upm.es. [Bad server]

This server is an invalid host or doesn't run a DNS server.

 

FILES

/usr/local/lib/ddt/cmd/SOA-timers
        Recommended timers configuration file.

SEE ALSO

ddt(1), dig(1), named(8), RFC 1033, RFC 1034  

AUTHORS

Jorge Frazao <frazao@puug.pt>

Artur Romao <artur@dns.pt>


 
