Every DNS zone starts with a single record that defines who owns the zone and how it is managed: the SOA record, or Start of Authority. While most DNS records control where traffic goes, the SOA record controls how the zone itself is administered — from which server is primary to how long secondary nameservers can serve stale data.
What Is an SOA Record?
An SOA (Start of Authority) record is a mandatory DNS record that appears exactly once per zone. It is always the first record in a zone file and contains administrative information about the zone:
- The primary authoritative nameserver for the zone.
- The email address of the zone administrator (encoded in DNS format).
- A serial number used to track zone changes.
- Timing values that control zone refresh, retry, and expiry behavior for secondary nameservers.
- The minimum TTL for negative caching.
SOA Record Format
```dns
example.com. 86400 IN SOA ns1.example-dns.com. admin.example.com. (
    2024120101 ; Serial number
    3600       ; Refresh
    900        ; Retry
    604800     ; Expire
    300        ; Minimum TTL
)
```
SOA Record Fields Explained
| Field | Example Value | Description |
|---|---|---|
| MNAME | ns1.example-dns.com. | The primary authoritative nameserver for the zone |
| RNAME | admin.example.com. | The zone administrator's email (first dot replaced with @) |
| Serial | 2024120101 | Version number of the zone. Increment when records change. |
| Refresh | 3600 | Seconds between secondary nameserver zone refresh checks |
| Retry | 900 | Seconds before retrying a failed refresh |
| Expire | 604800 | Seconds before secondaries stop serving stale zone data |
| Minimum TTL | 300 | Minimum TTL for negative (NXDOMAIN) caching |
The RNAME Field: Administrator Email
The RNAME field stores the zone administrator's email address in a DNS-encoded format. The @ symbol is replaced with a dot. For example, the email admin@example.com is encoded as admin.example.com. in DNS format.
If the local part of the address itself contains a dot (for example hostmaster.dns@example.com), that dot must be escaped with a backslash, giving hostmaster\.dns.example.com. as the RNAME. Many DNS providers use hostmaster as the conventional address.
The Serial Number
The serial number tells secondary nameservers whether the zone has changed since they last synchronized. If the primary nameserver's serial number is higher than the secondary's, the secondary performs a zone transfer to get the updated records.
The most common convention is the date-based format YYYYMMDDNN, where NN is a two-digit counter that resets each day:
```
2024120101 ; December 1, 2024, first change of the day
2024120102 ; December 1, 2024, second change of the day
2024120201 ; December 2, 2024, first change of the day
```
If you forget to increment the serial number after making DNS changes, secondary nameservers will not pull the updated zone, causing stale data to persist.
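As an added example (not code from this article or from ShowDNS), the following Python computes the next date-based serial, compares serials the way secondaries do, and lists secondaries whose serial still lags the primary. Secondaries compare serials with 32-bit sequence-space arithmetic (RFC 1982), under which a value that wraps past 4,294,967,295 back to a small number still counts as newer; `wrap_fix_steps` applies that rule to walk an accidentally too-high serial back down in hops of at most 2^31 - 1, which is the manual correction the FAQ at the end of this page alludes to. The server names and serial values in the demonstrations are constructed.

```python
from datetime import date

# DNS serials live in a 32-bit space: the maximum value is 4,294,967,295.
SERIAL_MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 sequence-space rules.

    A plain a > b breaks at wraparound: 0 must count as newer than 4294967295.
    Two serials exactly 2**31 apart are undefined and are reported as not newer.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def next_date_serial(current: int, today: date) -> int:
    """Return the next YYYYMMDDNN serial, as an operator would when editing the zone.

    On a new day the counter restarts at 01.  If the current serial is already
    today's (or, by mistake, future-dated), it is simply incremented, so the
    result is always strictly newer and secondaries will transfer.
    """
    today_base = int(today.strftime("%Y%m%d")) * 100
    if current < today_base:
        return today_base + 1
    return (current + 1) % SERIAL_MOD


def lagging_secondaries(primary_serial: int, observed: dict[str, int]) -> list[str]:
    """Names of servers whose SOA serial is older than the primary's (not yet synchronized)."""
    return sorted(name for name, serial in observed.items()
                  if serial_gt(primary_serial, serial))


def wrap_fix_steps(bad_serial: int, desired: int) -> list[int]:
    """Serials to publish, in order, to get from a too-high serial back to 'desired'.

    Secondaries only transfer when the new serial is newer in sequence space, so
    each hop may advance by at most 2**31 - 1.  Publish each value, wait until
    every secondary has picked it up, then publish the next one.
    """
    max_hop = HALF - 1
    cur = bad_serial % SERIAL_MOD
    remaining = (desired - cur) % SERIAL_MOD
    steps = []
    while remaining:
        hop = min(remaining, max_hop)
        cur = (cur + hop) % SERIAL_MOD
        steps.append(cur)
        remaining -= hop
    return steps


if __name__ == "__main__":
    print(next_date_serial(2024120101, date(2024, 12, 1)))   # 2024120102
    print(next_date_serial(2024120102, date(2024, 12, 2)))   # 2024120201
    # Constructed observation: ns2 still serves yesterday's serial.
    print(lagging_secondaries(2024120201, {"ns1": 2024120201, "ns2": 2024120102}))
    # Constructed mistake: serial set to 3000000000, want 2024120105 back.
    print(wrap_fix_steps(3000000000, 2024120105))  # [852516351, 2024120105]
```

Run `lagging_secondaries` against the serials each nameserver reports for the zone to see which secondaries have not yet transferred; a name appears in the result only while its serial is older than the primary's.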
Refresh, Retry, and Expire
These three timing values govern how secondary nameservers interact with the primary:
- Refresh: How often secondaries poll the primary to check if the zone has changed (by comparing serial numbers). A value of 3600 means secondaries check every hour.
- Retry: If a refresh attempt fails (primary is unreachable), this is how long the secondary waits before trying again. Typically set to one-quarter of the Refresh value.
- Expire: If the primary remains unreachable for this duration, secondaries stop serving the zone entirely. This prevents them from serving very stale or incorrect data indefinitely. A common value is 7 days (604800 seconds).
Minimum TTL: Negative Caching
The Minimum TTL field (the last value in the SOA record) controls negative caching — how long resolvers cache a "this domain doesn't exist" (NXDOMAIN) or "this record type doesn't exist" (NOERROR/empty) response.
If a resolver queries a domain that does not exist, it caches the NXDOMAIN response for this duration. Setting this too high means that if you add a record to a previously non-existent name, some resolvers will continue returning NXDOMAIN from their cache for longer than expected.
A value of 300–900 seconds (5–15 minutes) is typically appropriate for negative caching.
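To make the field semantics above concrete, here is an added example written for this article (not code from ShowDNS) that parses an SOA record as `dig` prints it or as it appears in a zone file, decodes the RNAME back into an email address including the escaped-dot case from the RNAME section, and flags timer values that contradict the relationships described in the Refresh/Retry/Expire and Minimum TTL sections. The `lint_soa` thresholds are this example's assumptions taken from the guidance above (retry about a quarter of refresh, negative TTL of 300 to 900 seconds), not protocol requirements, and the `BAD_SOA` input is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    @property
    def admin_email(self) -> str:
        return rname_to_email(self.rname)


def rname_to_email(rname: str) -> str:
    """Decode an RNAME back into an email address.

    The first unescaped dot separates the local part from the domain and becomes
    '@'; a backslash-escaped dot ("\\.") is a literal dot inside the local part.
    """
    s = rname
    if s.endswith(".") and not s.endswith("\\."):
        s = s[:-1]                      # drop the trailing root dot
    out, at_placed, i = [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            out.append(s[i + 1])        # escaped character, taken literally
            i += 2
            continue
        if c == "." and not at_placed:
            out.append("@")
            at_placed = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def parse_soa(text: str) -> SOA:
    """Parse SOA rdata from dig output or a zone-file record, with or without the
    owner/TTL/class/type prefix, parentheses and ';' comments."""
    fields = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]                  # strip zone-file comments
        fields.extend(line.replace("(", " ").replace(")", " ").split())
    if "SOA" in fields:
        fields = fields[fields.index("SOA") + 1:]     # skip "example.com. 86400 IN SOA"
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {fields}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    if not 0 <= serial < 2**32:
        raise ValueError(f"serial {serial} does not fit a 32-bit unsigned integer")
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def lint_soa(soa: SOA) -> list[str]:
    """Sanity-check the timer relationships; returns a list of findings (empty = fine)."""
    findings = []
    if soa.retry >= soa.refresh:
        findings.append(f"retry ({soa.retry}) should be shorter than refresh ({soa.refresh})")
    if soa.expire <= soa.refresh + soa.retry:
        findings.append(f"expire ({soa.expire}) should exceed refresh + retry "
                        f"({soa.refresh + soa.retry}); secondaries could drop the zone too soon")
    if not 300 <= soa.minimum <= 900:
        findings.append(f"negative-caching TTL ({soa.minimum}) is outside the usual 300-900 s")
    return findings


# The record from this page, as `dig example.com SOA +short` prints it.
DIG_SHORT = "ns1.example-dns.com. admin.example.com. 2024120101 3600 900 604800 300"

# The same record in zone-file form.
ZONE_FILE = """example.com. 86400 IN SOA ns1.example-dns.com. admin.example.com. (
    2024120101 ; Serial number
    3600       ; Refresh
    900        ; Retry
    604800     ; Expire
    300        ; Minimum TTL
)"""

# Constructed misconfiguration: retry longer than refresh, expire too short, tiny negative TTL.
BAD_SOA = "ns1.example-dns.com. hostmaster\\.dns.example.com. 2024120101 900 3600 4000 60"

if __name__ == "__main__":
    for text in (DIG_SHORT, ZONE_FILE, BAD_SOA):
        soa = parse_soa(text)
        print(soa.serial, soa.admin_email, lint_soa(soa) or "OK")
```

Piping the output of `dig example.com SOA +short` into `parse_soa` gives the same `SOA` object as parsing the zone-file form, so the linter can be run against what a nameserver actually serves rather than against the file you think you published.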
How to Check an SOA Record
You can query the SOA record using the ShowDNS SOA Lookup tool or from the command line:
```shell
# Query SOA record
dig example.com SOA

# Short output
dig example.com SOA +short

# Query directly at the authoritative nameserver
dig example.com SOA @ns1.example-dns.com
```
The answer section of the response looks like this:
```
;; ANSWER SECTION:
example.com. 86400 IN SOA ns1.example-dns.com. admin.example.com. 2024120101 3600 900 604800 300
```
When Does the SOA Record Matter?
For most domain owners managing basic websites and email, the SOA record runs in the background without requiring attention. It matters most in these scenarios:
- Zone transfers: If you run primary and secondary nameservers, the SOA serial number controls synchronization. Forgetting to increment it breaks updates.
- Debugging propagation issues: Checking the SOA record across multiple nameservers reveals whether zone data has synchronized.
- Negative caching problems: If a newly added record is not resolving, the SOA minimum TTL may be causing NXDOMAIN responses to be cached.
- DNS hosting migrations: When moving DNS to a new provider, the SOA record on the new provider must be correctly configured before the NS records are switched.
Frequently Asked Questions
Can a zone have more than one SOA record?
No. A DNS zone must have exactly one SOA record. Having multiple SOA records is invalid and will cause DNS resolution failures.
What happens if the SOA serial number is too high?
If the serial number is accidentally set very high (or wraps around its maximum value), secondary nameservers may refuse zone transfers. The serial number is a 32-bit unsigned integer, with a maximum value of 4,294,967,295. Some DNS providers handle wrapping automatically; others require manual correction.
What is the recommended SOA TTL?
The TTL on the SOA record itself (how long resolvers cache it) is typically set to match the NS record TTL — often 3600 to 86400 seconds. The minimum TTL within the SOA data (the last field) should be lower: 300–900 seconds is common.
Does the SOA MNAME need to match an NS record?
The MNAME field identifies the primary nameserver, but it does not have to appear in the NS records (though it usually does). In hidden primary setups, the primary nameserver is not publicly listed in NS records — only the secondary (publicly facing) nameservers are.