SOA Record: Start of Authority for DNS Zones
The SOA record defines the authority and synchronization parameters for your DNS zone.
The SOA (Start of Authority) record is the most important record in a DNS zone. Present at the apex of every zone, it identifies the primary nameserver, the zone administrator, and defines synchronization parameters between primary and secondary servers. Without SOA, a DNS zone simply cannot function.
SOA plays a critical role in DNS infrastructure: it controls how secondary servers refresh their zone copies, how long they should retry on failure, and when to consider data expired. Poorly configured SOA parameters can cause propagation delays, secondary desynchronization, or excessive DNS traffic.
Understanding SOA is essential for anyone managing authoritative DNS. Whether you use a managed DNS provider or run your own servers, SOA parameters directly impact your domain's reliability and failover behavior.
SOA Record Components
An SOA record contains seven fields: MNAME, RNAME, SERIAL and four timers (REFRESH, RETRY, EXPIRE, MINIMUM):
- MNAME (Primary NS): The authoritative primary nameserver for the zone. This server holds the master copy that secondaries sync from, and it is where dynamic DNS update clients (RFC 2136) send their updates.
- RNAME (Admin Email): Technical contact mailbox written as a domain name. The first unescaped dot becomes @, so "admin.example.com." means admin@example.com. A dot inside the local part has to be escaped with a backslash ("john\.doe.example.com." for john.doe@example.com).
- Serial Number: Unsigned 32-bit version number of the zone. It MUST be incremented on every change. Secondaries compare the primary's serial with their own using serial number arithmetic (RFC 1982) and transfer the zone only when the primary's is newer.
- Timers (Refresh/Retry/Expire/Minimum): Control secondary and resolver behaviour: how often a secondary checks the primary for a new serial (refresh), how long it waits before trying again after a failed check (retry), how long it keeps serving the zone without a successful check before discarding it (expire), and how long resolvers may cache negative answers such as NXDOMAIN (minimum, per RFC 2308).
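As an added example (not code from this page or from MoniTao), the following Python splits the seven SOA fields out of the presentation format that dig prints, converts RNAME to a mailbox while honouring backslash-escaped dots, flags timer combinations that undermine secondaries, and computes the effective negative-caching TTL from RFC 2308. The sample RDATA string is constructed from the zone shown later on this page; the function names and the sanity thresholds are my own choices, not part of any standard.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample input: the RDATA that `dig SOA example.com +short` would
# print for the zone on this page. It is not captured from a live server.
SAMPLE_SOA = "ns1.example.com. admin.example.com. 2024011501 7200 1800 1209600 300"


@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Split dig's presentation format into the seven SOA fields."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(parts)}: {rdata!r}")
    mname, rname = parts[0], parts[1]
    serial, refresh, retry, expire, minimum = (int(p) for p in parts[2:])
    if not 0 <= serial < 2 ** 32:
        raise ValueError("serial must fit in an unsigned 32-bit integer")
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def rname_to_email(rname: str) -> str:
    """Turn RNAME into a mailbox address.

    The first unescaped dot separates local part from domain; a dot inside the
    local part is written as '\\.' in the zone file, so 'john\\.doe.example.com.'
    is john.doe@example.com, not john@doe.example.com."""
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])  # escaped character is literal
            i += 2
        elif ch == ".":
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"RNAME {rname!r} has no domain part")


def timer_problems(soa: SOA) -> List[str]:
    """Flag timer combinations that undermine secondary behaviour (thresholds are my own)."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry is not shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append("expire is too short: the zone can expire before the "
                        "first retry after a failed refresh")
    if soa.expire < 7 * 86400:
        problems.append("expire under one week gives little tolerance for a "
                        "primary outage")
    if soa.minimum > 86400:
        problems.append("minimum over a day means NXDOMAIN answers are cached "
                        "long after a name is created")
    return problems


def negative_ttl(soa: SOA, soa_record_ttl: int) -> int:
    """Negative-caching TTL per RFC 2308: the smaller of MINIMUM and the SOA's own TTL."""
    return min(soa.minimum, soa_record_ttl)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print("contact:", rname_to_email(soa.rname))
    print("problems:", timer_problems(soa) or "none")
```

Feed it the +short output of each of your nameservers and the timer checks give you a quick pre-flight review before a zone goes live; the escaped-dot handling matters because a naive "replace the first dot" converts john\.doe.example.com. into the wrong mailbox.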
Why SOA Matters
Proper SOA configuration ensures reliable DNS operation:
- Zone synchronization: SOA serial and timers ensure secondaries stay in sync with the primary. Wrong values cause inconsistent DNS responses across servers.
- Failover reliability: Expire timer determines how long secondaries serve the zone if they can't reach primary. Too short and you lose redundancy; too long and you serve stale data.
- DNS efficiency: Refresh interval controls how often secondaries query primary. Too frequent wastes bandwidth; too infrequent delays propagation.
- Troubleshooting: Serial number is your first debug tool. If a secondary still reports an older serial than the primary after the refresh interval has passed, zone transfers or NOTIFY are failing; if it reports a higher one, someone edited the secondary directly or the primary's serial went backwards.
Configure SOA Parameters
Here's how to set up SOA properly:
- Set MNAME correctly: Use your actual primary nameserver FQDN. This server must accept zone transfer (AXFR/IXFR) requests from your secondaries, and only from them: restrict transfers by source address and, preferably, TSIG key (allow-transfer in BIND), because an unrestricted AXFR hands anyone a complete listing of your zone.
- Use proper serial format: Recommended format: YYYYMMDDNN (year-month-day-change#). E.g., 2024011501 for the first change on Jan 15, 2024. Any unsigned 32-bit integer is valid; what matters is that every new value is newer than the old one under serial number arithmetic (RFC 1982).
- Set reasonable timers: Common values: Refresh 3600-86400s, Retry 600-3600s, Expire 604800-2419200s (1-4 weeks), Minimum 300-3600s.
- Test zone transfers: After changes, verify secondaries sync correctly. Check serial numbers match across all nameservers.
SOA Configuration Examples
Here are SOA records and verification commands:
; Standard SOA record format
example.com. IN SOA ns1.example.com. admin.example.com. (
2024011501 ; Serial (YYYYMMDDNN)
7200 ; Refresh (2 hours)
1800 ; Retry (30 minutes)
1209600 ; Expire (2 weeks)
300 ; Minimum (negative caching TTL, 5 minutes)
)
; Explanation of timers:
; Refresh: Secondaries check for updates every 7200 seconds
; Retry: If refresh fails, retry every 1800 seconds
; Expire: Stop serving after 1209600s without successful refresh
; Minimum: Negative cache TTL (NXDOMAIN responses)
# Query SOA record
$ dig SOA example.com +short
ns1.example.com. admin.example.com. 2024011501 7200 1800 1209600 300
# Check serial across multiple nameservers
$ for ns in ns1 ns2 ns3; do
echo -n "$ns: "
dig SOA example.com @$ns.example.com +short | awk '{print $3}'
done
ns1: 2024011501
ns2: 2024011501
ns3: 2024011501
# Request a full zone transfer (AXFR) from the primary
$ dig AXFR example.com @ns1.example.com
# Expected: the complete zone when run from a host the primary's transfer ACL
# allows, "; Transfer failed." from anywhere else. A successful AXFR from an
# arbitrary host means the whole zone is exposed and the ACL needs fixing.
The serial number is critical: a secondary transfers the zone only when the primary's serial is newer under serial number arithmetic (RFC 1982), which treats any difference below 2^31 as an increase and anything else as older. If you forget to increment it, changes won't propagate to secondaries even when a NOTIFY is sent, because the secondary's SOA check sees no newer serial.
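As an added illustration (my code, not the page's or MoniTao's), here is how a change process can generate the next YYYYMMDDNN serial and how a secondary decides whether a primary's serial is newer. The comparison is RFC 1982 serial number arithmetic, which is what "newer" means above. The date-based generator falls back to a plain increment when the existing serial is already at or past today's date prefix (after a typo in the year, clock skew, or a hundredth change in one day), since publishing a lower value would stop secondaries transferring. Function names and sample values are my own.

```python
from datetime import date

SERIAL_MOD = 1 << 32       # serials are unsigned 32-bit integers
SERIAL_HALF = 1 << 31      # RFC 1982 window: differences below 2^31 count as increases


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b under RFC 1982 arithmetic.

    Wrap-around is handled: 1 is newer than 4294967295. Two values that differ
    by exactly 2^31 are incomparable and are reported as not newer."""
    return 0 < (a - b) % SERIAL_MOD < SERIAL_HALF


def secondary_needs_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """What a secondary decides after a refresh check or a NOTIFY."""
    return serial_gt(primary_serial, secondary_serial)


def next_serial(current: int, yyyymmdd: int) -> int:
    """Next YYYYMMDDNN serial after `current` for a change made on day `yyyymmdd`.

    The first change of a day becomes YYYYMMDD01. If `current` already sits at
    or past today's prefix (clock skew, a year typo, more than 99 changes in a
    day) it is incremented instead, so the serial never moves backwards."""
    day_base = yyyymmdd * 100
    candidate = day_base + 1 if current < day_base else (current + 1) % SERIAL_MOD
    if not serial_gt(candidate, current):
        raise ValueError(f"{candidate} would not be seen as newer than {current}")
    return candidate


def next_serial_today(current: int) -> int:
    """Convenience wrapper using the local clock."""
    return next_serial(current, int(date.today().strftime("%Y%m%d")))


if __name__ == "__main__":
    # Constructed walk-through starting from the serial in the zone above.
    s = 2024011501
    s = next_serial(s, 20240115)   # second change the same day
    s = next_serial(s, 20240116)   # first change of the next day
    print(s, secondary_needs_transfer(s, 2024011502))
```

Wire next_serial_today into whatever commits zone changes (a pre-commit hook, a CI step) and the serial is bumped on every edit without anyone remembering to do it; the ValueError guard makes a backwards or incomparable step fail loudly instead of silently freezing your secondaries.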
SOA Best Practices
Optimize your SOA configuration:
- Always increment serial: Make serial incrementation part of your change process. Automate it if possible. Forgetting causes secondary desync.
- Use YYYYMMDDNN format: This format is human-readable and naturally increments. Allows up to 99 changes per day, enough for most use cases.
- Balance timer values: For dynamic zones: shorter refresh (1h), shorter expire (1 week). For stable zones: longer refresh (24h) reduces traffic.
- Monitor serial consistency: Regularly verify all nameservers have the same serial. Mismatch indicates zone transfer failures that need investigation.
SOA Configuration Checklist
- MNAME points to actual primary nameserver
- RNAME contains valid administrator email
- Serial follows YYYYMMDDNN format
- Refresh interval appropriate for change frequency
- Expire long enough to survive primary outages
- Zone transfers restricted to known secondaries (source address list and/or TSIG)
- Serial consistent across all authoritative nameservers
FAQ - SOA Records
What happens if I forget to increment the serial?
Secondary nameservers won't detect the change: at the next refresh (or on receiving a NOTIFY) they query the primary's SOA, see the same serial they already hold, and skip the transfer. Your updates will only be served by the primary.
Can I use any serial numbering scheme?
Any scheme works, as long as each new value is newer than the previous one under serial number arithmetic (RFC 1982): a plain counter, a Unix timestamp, or YYYYMMDDNN. A random value is not safe, because it may be lower than the current serial and secondaries will then ignore the change. YYYYMMDDNN is recommended for readability and debugging. Whatever format you use, always increment on changes.
What if my serial is "stuck" at a high number?
If you published a serial that is too high (a typo in the year, say), you cannot simply set a lower number: under serial number arithmetic any value that is lower by less than 2^31 looks older and is ignored. Two ways out: (1) the RFC 1912 procedure: add 2147483647 (2^31 - 1) to the current serial, publish it, wait until every secondary reports that serial, then publish the serial you actually want, which now counts as newer; or (2) set the desired serial on the primary, then delete the zone copy on every secondary and force a fresh transfer (for example rndc retransfer in BIND). Waiting for the calendar to catch up with a YYYYMMDDNN serial is rarely practical.
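The two-step reset is easy to get wrong by hand, so here is an added example (my code, not the page's or MoniTao's) that computes the sequence of serials to publish for a zone whose serial has run ahead, checking each step against RFC 1982 so the secondaries see every step as newer than the last. The starting values are constructed: a year typo published 2224011501 where 2024011501 was meant.

```python
SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: a is newer than b if 0 < (a - b) mod 2^32 < 2^31."""
    return 0 < (a - b) % SERIAL_MOD < SERIAL_HALF


def reset_steps(current: int, desired: int) -> list:
    """Serials to publish, in order, to move a zone from `current` to `desired`
    even when `desired` is numerically lower.

    Each step must look newer than the previous one to every secondary, and the
    primary must wait until all secondaries report a step before publishing the
    next. Adding 2^31 - 1 (the RFC 1912 trick) is the largest jump that still
    counts as an increase, which is what makes the following drop to `desired`
    look like an increase too."""
    if desired == current:
        return []
    if serial_gt(desired, current):
        return [desired]                      # one step suffices
    interim = (current + SERIAL_HALF - 1) % SERIAL_MOD
    if not serial_gt(desired, interim):       # only when desired == current - 1
        raise ValueError("desired serial is within one of current; choose a higher target")
    return [interim, desired]


if __name__ == "__main__":
    # Constructed scenario: a year typo published 2224011501 instead of 2024011501.
    for step in reset_steps(2224011501, 2024011502):
        print("publish", step, "and wait until every secondary reports it")
```

Between the two publications, run the serial check from the examples section against every nameserver; publishing the final value before all secondaries hold the interim one leaves the stragglers stuck on the typo.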
How often should secondaries refresh?
Depends on change frequency. Static zones: 24-48 hours. Dynamic zones: 1-4 hours. Note: NOTIFY messages trigger immediate refresh.
What does the Minimum field actually control?
Despite its name, Minimum no longer sets a default TTL for the zone's records. Since RFC 2308 it is the negative caching TTL: how long resolvers cache NXDOMAIN (name doesn't exist) and NODATA answers. The value resolvers actually use is the smaller of the Minimum field and the TTL of the SOA record itself.
Does MoniTao monitor SOA?
Yes, MoniTao can monitor your SOA records and alert you if serials become inconsistent across nameservers or if parameters change unexpectedly.
Master Your DNS Zone Authority
The SOA record is the foundation of DNS zone management. Proper configuration ensures reliable synchronization between primary and secondary nameservers, critical for redundancy and global DNS performance.
Use consistent serial numbering, set appropriate timers for your change frequency, and monitor serial consistency across servers. MoniTao helps you track SOA health and detect synchronization issues before they impact users.
Ready to Sleep Soundly?
Start free, no credit card required.