Multiple SOA records?

Kevin Darcy kcd at
Tue May 6 22:37:59 UTC 2008

Lars Hecking wrote:
>  RFC 1935 says:
>     2. Exactly one SOA RR should be present at the top of the zone.
>  Note: "should", not "must".

The language you quote from 1035 (1935 was obviously a typo) refers to 
the validation of the data being loaded from a master file. Yes, there 
*should* be only 1 SOA RR, but if the master file is *wrong*, there 
*might* be more than 1 SOA RR. Stuff happens. Implicit here is the 
conclusion that such a master file should be rejected by the nameserver.

But, when describing what is a valid zone and what isn't, I think a much 
better source of authority is Section 4.2.1 of RFC 1034 (the companion 
to 1035), which describes "The data that describes a zone" and 
specifically says it includes "a single SOA RR that describes zone 
management parameters.". Can't get much clearer than that: "single".

Note, however, that *transactionally* a zone transfer response includes 2 SOA RRs. But those should be identical, unless perhaps the zone changed while the zone transfer was in progress. 

>  What kind of consequences can I expect trying to resolve records in a
>  domain that has more than one SOA? The domain that is making problems
>  is Querying for its SOAs returns SERVFAIL, but querying
>  the domain's name servers directly returns two (different) SOAs. This
>  appears to create problems with mail (not sure here - another entity in
>  my organisation is experiencing the problem)
>

definitely seems to have a standards-conformance issue 
in the way it handles SOA queries (anyone feel like fingerprinting their 
nameservers to see what DNS implementation they're running?), but I 
wouldn't expect that to affect mail since mail shouldn't have any need 
(that I can think of) to make SOA queries.

                  - Kevin
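
Added example, not part of the message above and not BIND code: a Python sketch of the two checks the reply distinguishes, the single-SOA rule for zone contents (RFC 1034 Section 4.2.1) and the two bracketing SOA RRs of a zone transfer. The `example.test.` records and the one-record-per-line input format are constructed assumptions, not a full RFC 1035 master-file parser.

```python
# Constructed sample data; simplified "owner ttl class type rdata..." lines.
def parse(text):
    """Return [(owner, rtype, rdata)] with the owner name lower-cased."""
    rrs = []
    for line in text.strip().splitlines():
        line = line.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        rrs.append((owner.lower(), rtype.upper(), " ".join(rdata)))
    return rrs

def check_zone_data(rrs, origin):
    """Zone contents: exactly one SOA RR, owned by the zone apex."""
    soas = [rr for rr in rrs if rr[1] == "SOA"]
    problems = []
    if len(soas) != 1:
        problems.append(f"expected 1 SOA RR, found {len(soas)}")
    problems += [f"SOA not at zone apex: {o}" for o, _, _ in soas
                 if o != origin.lower()]
    return problems

def check_axfr_stream(rrs):
    """Transfer stream: SOA first and last, none in between, both identical."""
    if len(rrs) < 2 or rrs[0][1] != "SOA" or rrs[-1][1] != "SOA":
        return ["transfer is not bracketed by SOA RRs"]
    problems = []
    if any(rr[1] == "SOA" for rr in rrs[1:-1]):
        problems.append("extra SOA RR inside transfer")
    if rrs[0] != rrs[-1]:
        problems.append("opening and closing SOA differ (zone changed mid-transfer?)")
    return problems

SOA_A = ("example.test. 3600 IN SOA ns1.example.test. "
         "hostmaster.example.test. 2008050601 7200 900 1209600 3600")
SOA_B = SOA_A.replace("2008050601", "2008050602")   # same zone, newer serial
BODY = ("example.test. 3600 IN NS ns1.example.test.\n"
        "ns1.example.test. 3600 IN A 192.0.2.1")
GOOD_ZONE = parse(f"{SOA_A}\n{BODY}")
BAD_ZONE = parse(f"{SOA_A}\n{SOA_B}\n{BODY}")       # two different SOAs
GOOD_AXFR = parse(f"{SOA_A}\n{BODY}\n{SOA_A}")
CHANGED_AXFR = parse(f"{SOA_A}\n{BODY}\n{SOA_B}")

if __name__ == "__main__":
    print("zone, two SOAs:", check_zone_data(BAD_ZONE, "example.test."))
    print("axfr, serial bumped:", check_axfr_stream(CHANGED_AXFR))
```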

More information about the bind-users mailing list