SOA serial increment when we update SOA RR

Darcy Kevin (FCA) kevin.darcy at
Wed Oct 4 17:58:24 UTC 2017

Well, it's not *obvious* how Dynamic Update works in the case of an SOA RR, but RFC 2136 does say:

   Any Update RR whose CLASS is the same as ZCLASS is added to
   the zone.  In case of duplicate RDATAs (which for SOA RRs is always
   the case, and for WKS RRs is the case if the ADDRESS and PROTOCOL
   fields both match), the Zone RR is replaced by Update RR.  If the
   TYPE is SOA and there is no Zone SOA RR, or the new SOA.SERIAL is
   lower (according to [RFC1982]) than or equal to the current Zone SOA
   RR's SOA.SERIAL, the Update RR is ignored.

So, the server ignores the update if the serial number of the new one is equal or lower. If the serial number is higher, the new SOA replaces the old one.

Bottom line: you can explicitly bump the serial number of an SOA RR, via Dynamic Update, by replacing the SOA RR with one that has a higher serial number.

In nsupdate terms, this is an "update add" operation, even though the effect is intended to be a "replace".

-          Kevin

Kevin Darcy
Information Security Projects - North America

1075 W Entrance Dr,
Auburn Hills, MI 48326

Telephone: +1 (248) 838-6601
Mobile: +1 (810) 397-0103
Email: kevin.darcy at

From: bind-users [mailto:bind-users-bounces at] On Behalf Of Alberto Colosi
Sent: Wednesday, October 04, 2017 8:16 AM
To: rams <bramesh80 at>; bind-users <bind-users at>
Subject: Re: SOA serial increment when we update SOA RR

SOA is a special record. As already said to read ................

You update the SOA (should be only for the email address, if not ONLY an intranet NS).

In all cases, if you make an update, it means an update is needed. So the question is: why not reflect it on the slave NS, if any?

Increasing the SN starts a NOTIFY to the NS defined as slave and ALSO NOTIFY.

If an update is made and there are slaves, or a distribution of recursive and secondary (slave) and so on, it is correct to update and start a ZONE TRANSFER.

If you have only 1 DNS at all and it is not internet-facing, you can decide not to update the SN.

Simply, the change starts an incremental transfer or a total transfer (depending on the DNS engine on the slave NS and also notify).

From: bind-users <bind-users-bounces at> on behalf of rams <bramesh80 at>
Sent: Wednesday, October 4, 2017 11:39 AM
To: bind-users
Subject: SOA serial increment when we update SOA RR

When we change any resource record like A or AAAA, the SOA serial number gets incremented. But if we update only the SOA record, does the serial number of the SOA remain the same as before, or will the serial number of the SOA increment?

Do we have any RFC for this?
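
The RFC 2136 text quoted in Kevin Darcy's reply compares serials "according to [RFC1982]", which means wraparound arithmetic rather than plain integer comparison. The sketch below is an added example, not part of the thread and not BIND's code: the function names and sample serials are made up for illustration, and treating the RFC 1982 "undefined" case (serials exactly 2**31 apart) as "ignore" is an assumption.

```python
# Added example: RFC 1982 serial arithmetic applied to the RFC 2136 SOA rule.
SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)      # 2**31
MOD = 1 << SERIAL_BITS             # 2**32


def serial_gt(s1: int, s2: int) -> bool:
    """True if s1 is greater than s2 under RFC 1982 (32-bit serial space)."""
    for s in (s1, s2):
        if not 0 <= s < MOD:
            raise ValueError(f"serial out of range: {s}")
    # s1 > s2 when the forward distance from s2 to s1 is non-zero and
    # strictly less than 2**31. A distance of exactly 2**31 is undefined
    # in RFC 1982 and is reported here as "not greater" (assumption).
    return 0 < (s1 - s2) % MOD < HALF


def soa_update_action(zone_serial, update_serial):
    """Decide what the quoted RFC 2136 text does with an SOA Update RR.

    zone_serial is None when the zone has no SOA RR.
    Returns "ignore" or "replace".
    """
    if zone_serial is None:
        return "ignore"            # no Zone SOA RR
    if serial_gt(update_serial, zone_serial):
        return "replace"           # higher serial: Zone RR replaced by Update RR
    return "ignore"                # equal, lower, or undefined comparison


if __name__ == "__main__":
    # Constructed sample serials, not taken from the thread.
    cases = [
        (2017100401, 2017100402),  # plain bump
        (2017100401, 2017100401),  # same serial
        (2017100402, 2017100401),  # going backwards
        (4294967295, 0),           # wraparound: 0 follows 2**32 - 1
        (0, 4294967295),           # the reverse is a decrease
        (1, 1 + HALF),             # exactly 2**31 apart: undefined
        (None, 5),                 # zone has no SOA
    ]
    for zone, new in cases:
        print(f"zone={zone} update={new} -> {soa_update_action(zone, new)}")
```

The wraparound rows show why a monitoring or change-review script that compares SOA serials as plain integers can disagree with the server about whether an update took effect.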
