
SOA Record

Start of Authority — the required first record in every zone file. Contains zone metadata, timing parameters, and the primary nameserver reference.

Overview

Zone Authority Record

Every DNS zone must have exactly one SOA record at its apex. It identifies the primary nameserver, provides an administrative contact email, and contains the timing parameters that control how secondary nameservers replicate the zone and how long negative responses are cached.

The serial number is the most operationally important field — secondary nameservers compare their serial against the primary's to determine whether to fetch a zone transfer. When you update zone records, you must increment the serial number or secondaries will not pick up the changes.

  • Exactly one SOA record per zone, always at the apex
  • Serial must be incremented on every zone change — the convention is YYYYMMDDNN (date + 2-digit sequence)
  • The admin email replaces @ with a dot: admin.example.com. = admin@example.com
  • Minimum TTL (last field) sets the negative cache TTL (how long NXDOMAIN is cached)
  • Managed DNS providers (Cloudflare, Route 53) handle serial and zone transfer automatically
```zone
; Syntax
; @ [TTL] IN SOA primary-ns. admin-email. (
;     serial refresh retry expire minimum )

; Annotated example
@ 3600 IN SOA ns1.example.com. admin.example.com. (
    2024041201 ; serial  — YYYYMMDDNN, increment on change
    3600       ; refresh — how often secondaries check (1h)
    900        ; retry   — retry interval if primary unreachable (15m)
    604800     ; expire  — stop answering if can't reach primary (7d)
    300        ; minimum — negative cache TTL / NXDOMAIN TTL (5m)
)

; Compact (single-line) format
@ IN SOA ns1.example.com. admin.example.com. 2024041201 3600 900 604800 300
```

Field Reference

SOA Fields Explained

| Field | Typical Value | Description |
|---|---|---|
| MNAME | ns1.example.com. | Primary (master) nameserver for the zone. Secondaries fetch zone transfers from this host. |
| RNAME | admin.example.com. | Admin email with @ replaced by dot. admin.example.com. = admin@example.com |
| Serial | 2024041201 | Zone version number. Increment on every change. Secondaries only fetch updates when serial increases. |
| Refresh | 3600 (1h) | How often secondaries poll the primary for serial changes. Lower = faster propagation to secondaries. |
| Retry | 900 (15m) | How long secondaries wait before retrying after a failed refresh attempt. |
| Expire | 604800 (7d) | How long secondaries continue serving the zone if they cannot reach the primary. After expiry, they stop answering. |
| Minimum | 300 (5m) | Negative cache TTL — how long resolvers cache NXDOMAIN responses. Also the floor for all record TTLs in the zone. |

Diagnostics

Querying SOA Records

Look up the SOA record

```bash
# Full SOA record
dig thedns.guru SOA

# Short format (all fields)
dig thedns.guru SOA +short
# Outputs:
# ns1.cloudflare.com. dns.cloudflare.com. 2024041201 10000 2400 604800 3600
```

Check serial across nameservers

```bash
# Compare serial on all NS servers
# (should match when zone is synced)
for NS in $(dig thedns.guru NS +short); do
    serial=$(dig thedns.guru SOA @$NS +short | awk '{print $3}')
    echo "$NS: serial=$serial"
done
```

Verify negative cache TTL

```bash
# Query nonexistent subdomain
# Check the TTL in NXDOMAIN response
dig noexist.thedns.guru A
# Look for SOA in AUTHORITY section
# The TTL shown = negative cache TTL
# (min of SOA TTL and SOA minimum field)
```
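An added Python example (not from this page) that ties the zone-file forms, the serial-comparison loop and the negative-cache rule above together offline: it parses both SOA layouts, converts RNAME to the admin address, computes the NXDOMAIN cache TTL per RFC 2308, orders serials with RFC 1982 serial arithmetic (which also handles the 32-bit wrap the plain "serial increases" wording glosses over), and derives the next YYYYMMDDNN serial. The sample record and the per-nameserver serials are constructed.

```python
import re
from datetime import date

# Constructed sample: the annotated SOA from the zone-file syntax above, as a
# zone file would carry it (parentheses, ';' comments, owner "@").
SAMPLE_ZONE_SOA = """@ 3600 IN SOA ns1.example.com. admin.example.com. (
    2024041201 ; serial
    3600       ; refresh
    900        ; retry
    604800     ; expire
    300 )      ; minimum
"""

def parse_soa(text):
    """Parse a multi-line (parenthesised) or compact single-line SOA RR."""
    no_comments = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = no_comments.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    ttl = next((int(t) for t in tokens[1:i] if t.isdigit()), None)  # TTL is optional
    nums = [int(t) for t in tokens[i + 3:i + 8]]
    return {"owner": tokens[0], "ttl": ttl, "mname": tokens[i + 1], "rname": tokens[i + 2],
            "serial": nums[0], "refresh": nums[1], "retry": nums[2],
            "expire": nums[3], "minimum": nums[4]}

def rname_to_email(rname):
    """First unescaped dot becomes '@'; an escaped '\\.' in the local part stays a dot."""
    return re.sub(r"(?<!\\)\.", "@", rname.rstrip("."), count=1).replace("\\.", ".")

def negative_cache_ttl(soa):
    """RFC 2308: NXDOMAIN is cached for min(SOA TTL, MINIMUM field)."""
    return soa["minimum"] if soa["ttl"] is None else min(soa["ttl"], soa["minimum"])

def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: newer iff it is 1..2^31-1 ahead modulo 2^32."""
    return 0 < (candidate - current) % 2**32 < 2**31

def lagging_secondaries(primary_serial, serials_by_ns):
    """Nameservers whose serial is behind the primary's (the dig loop above, offline)."""
    return sorted(ns for ns, s in serials_by_ns.items() if serial_is_newer(primary_serial, s))

def next_serial(current, today=None):
    """Next YYYYMMDDNN serial that RFC 1982 still orders after `current`."""
    today = today or date.today()
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    if current // 100 == candidate // 100:       # already bumped today: increment NN
        candidate = current + 1
    if not serial_is_newer(candidate, current):  # current already runs ahead of today's date
        candidate = (current + 1) % 2**32
    return candidate
```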

AXFR zone transfer test

```bash
# Attempt zone transfer (AXFR)
# Should be REFUSED from most servers
dig thedns.guru AXFR @ns1.cloudflare.com
# Successful AXFR = misconfiguration
# (allows zone enumeration)
# Should only work from authorized
# secondary nameserver IPs
```