SOA Record

A DNS Start of Authority (SOA) record is a mandatory record in every DNS zone that stores important administrative information about the zone. It contains details about the zone such as the primary nameserver, the email address of the zone administrator, the zone's serial number, and timing parameters that control zone transfers and updates between nameservers.

How it works

Every DNS zone must have exactly one SOA record, at the zone apex, and it must be the first record in the zone file. The SOA record is the authoritative statement of who is responsible for the zone and is what primary and secondary nameservers use to coordinate zone transfers. Its timing parameters determine how often secondary servers check the primary for a newer version and how long they may keep serving the zone when the primary cannot be reached.

The SOA record contains several key fields that control zone behavior:

  • **Primary Nameserver (MNAME):** The hostname of the primary (master) nameserver for the zone, the server holding the editable copy of the zone data. Anyone can read this field, so if you run a "hidden primary" that should not be reachable from the Internet, name one of the public secondaries here instead.
  • **Administrator Email (RNAME):** The mailbox of the person responsible for the zone, written as a domain name: the first unescaped dot stands for the @ symbol (admin.example.com represents admin@example.com). A dot inside the local part must be escaped, so john\.doe.example.com represents john.doe@example.com. Because the field is public, use a role mailbox rather than a personal address.
  • **Serial Number:** A 32-bit unsigned version number for the zone (maximum 4294967295), conventionally formatted as YYYYMMDDNN (year, month, day, revision). It must increase each time the zone changes. Secondary nameservers compare it with the serial of their own copy, using serial number arithmetic (RFC 1982), to decide whether to request a zone transfer.
  • **Refresh:** How long (in seconds) a secondary nameserver waits between checks of the primary's SOA serial. Recommended value: 86400 seconds (24 hours). A primary can cut the wait short by sending a NOTIFY (RFC 1996) when the zone changes.
  • **Retry:** If a refresh check fails to reach the primary, how long (in seconds) the secondary waits before trying again. Recommended value: 7200 seconds (2 hours).
  • **Expire:** If a secondary cannot reach the primary for this long (in seconds), it stops answering for the zone as authoritative, because its copy may be too old to trust. Recommended value: 3600000 seconds (about 41 days).
  • **Minimum TTL:** Originally the default TTL for records in the zone; since RFC 2308 it is the negative caching TTL, the time resolvers may cache a "no such name" (NXDOMAIN) or "no such record" (NODATA) answer for the zone. Resolvers use the smaller of this field and the SOA record's own TTL.
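The following is an added example, not code from the original page, showing how the fields above are parsed and used in practice: it splits SOA RDATA as printed by `dig +short SOA example.com` or written in a zone file, decodes RNAME back into a mailbox (including the escaped-dot case), compares serials with RFC 1982 arithmetic rather than plain integer comparison, runs the timer sanity checks a reviewer would apply, and reports secondaries whose serial lags the newest one seen. The per-server answers in `SAMPLE_ANSWERS` are constructed sample data, not real query results; the hostnames are placeholders.

```python
"""Parse an SOA record and check that all authoritative servers publish the same serial.

Added example (not code from the original page). The server answers in SAMPLE_ANSWERS
are constructed sample data, not real query results.
"""
from dataclasses import dataclass

SERIAL_MOD = 1 << 32          # SOA serials are 32-bit unsigned integers
HALF_RANGE = 1 << 31          # RFC 1982: a serial can move forward by at most 2^31 - 1


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Split the seven SOA RDATA fields: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(parts)}: {rdata!r}")
    mname, rname, *numbers = parts
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    if not 0 <= serial < SERIAL_MOD:
        raise ValueError(f"serial {serial} does not fit in 32 bits")
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def rname_to_email(rname: str) -> str:
    """Turn an RNAME into a mailbox: the first unescaped dot becomes '@', an escaped dot stays a dot."""
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):      # escaped character: keep it literally
            local.append(name[i + 1])
            i += 2
        elif ch == ".":                            # first unescaped dot ends the local part
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(ch)
            i += 1
    return "".join(local)                          # no dot at all: malformed, return as-is


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial number arithmetic: True if serial a is newer than b modulo 2^32."""
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < HALF_RANGE


def timer_warnings(soa: SOA) -> list[str]:
    """Sanity checks on the timing fields that commonly cause trouble in production."""
    warnings = []
    if soa.retry >= soa.refresh:
        warnings.append("retry is not shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        warnings.append("expire does not exceed refresh + retry; one failed refresh cycle could expire the zone")
    return warnings


def find_stale_servers(answers: dict[str, SOA]) -> dict[str, int]:
    """Map each server whose serial lags the newest serial seen to how many versions it is behind."""
    newest = None
    for soa in answers.values():
        if newest is None or serial_gt(soa.serial, newest):
            newest = soa.serial
    return {
        server: (newest - soa.serial) % SERIAL_MOD
        for server, soa in answers.items()
        if soa.serial != newest
    }


# Constructed sample: what `dig @<server> SOA example.com +short` might return from each
# authoritative server after an edit that ns3 has not yet transferred.
SAMPLE_ANSWERS = {
    "ns1.example.com": parse_soa("ns1.example.com. admin.example.com. 2025121302 86400 7200 3600000 172800"),
    "ns2.example.com": parse_soa("ns1.example.com. admin.example.com. 2025121302 86400 7200 3600000 172800"),
    "ns3.example.com": parse_soa("ns1.example.com. admin.example.com. 2025121301 86400 7200 3600000 172800"),
}

if __name__ == "__main__":
    primary = SAMPLE_ANSWERS["ns1.example.com"]
    print("admin mailbox:", rname_to_email(primary.rname))
    print("timer warnings:", timer_warnings(primary) or "none")
    print("stale servers:", find_stale_servers(SAMPLE_ANSWERS))
```

Run against real answers by feeding the output of `dig @<each NS> SOA <zone> +short` into `parse_soa`; a non-empty result from `find_stale_servers` after a change means a secondary did not receive the NOTIFY or its transfer failed, which is the first thing to check before blaming caching.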

Key Points

  • Every DNS zone must have exactly one SOA record, at the zone apex, as the first record in the zone file
  • The serial number must increase (in RFC 1982 serial number arithmetic) whenever zone data changes, or secondary servers never pull the update
  • Refresh, retry, and expire values control zone transfer timing between nameservers; a NOTIFY (RFC 1996) from the primary lets a secondary check for a new serial without waiting for the refresh interval
  • The email address in the SOA record is written as a domain name: the first unescaped dot stands for @, and a dot in the local part is escaped as \.
  • MNAME and RNAME are public: anyone can query them, so they are an early stop for reconnaissance (the primary's hostname, a mailbox to target), and they should name a role mailbox and a server you are willing to expose
  • End users rarely query SOA records directly, but resolvers see them constantly: a negative answer (NXDOMAIN or NODATA) carries the zone's SOA in its authority section so the resolver knows how long to cache the "no" (RFC 2308)

Common Use Cases

  • Zone Transfer Coordination: Secondary nameservers compare the primary's SOA serial with their own to detect when zone data has changed and a transfer (AXFR, or IXFR where supported) is needed. The SOA governs when transfers happen, not who may request them; restrict transfers to your secondaries on the primary (for example with allow-transfer in BIND), or anyone can pull the whole zone
  • Zone Authority Identification: The SOA record identifies the primary nameserver and the administrator responsible for a DNS zone
  • Stale Data Prevention: The expire field ensures secondary servers stop serving outdated zone data if they cannot reach the primary server for an extended period
  • Update Scheduling: Refresh and retry values bound how far a secondary can lag behind the primary when no NOTIFY arrives; with NOTIFY the secondary checks the serial right away and the refresh interval becomes a fallback

Example SOA Record

Type  Host / Name  Value / Points to                                                          TTL
SOA   @            ns1.example.com admin.example.com 2025121301 86400 7200 3600000 172800    3600

Field         Value
Primary NS    ns1.example.com
Admin Email   admin@example.com
Serial        2025121301
Refresh       86400 (24h)
Retry         7200 (2h)
Expire        3600000 (~41d)
Minimum       172800 (48h)

* An SOA record contains multiple fields with specific timing and administrative values. The timing fields are in seconds. The TTL column is the SOA record's own cache lifetime, which is separate from the Minimum field (the negative caching TTL).

Frequently Asked Questions

Why must the serial number increment when making changes?
The serial number is how secondary nameservers detect that zone data has changed. When a secondary performs a refresh check (or receives a NOTIFY), it queries the primary's SOA and compares the serial with the one in its own copy. The comparison uses 32-bit serial number arithmetic (RFC 1982): a value counts as newer if it is ahead by less than 2^31, modulo 2^32, so a serial can wrap around without breaking. If the primary's serial is newer, the secondary requests a zone transfer to get the updated records. If you forget to increment the serial when making changes, secondaries never transfer and keep serving the old data until someone notices. The same happens if the serial is accidentally set to a lower value, because an older serial is simply ignored.
What serial number format should I use?
The most common format is YYYYMMDDNN, where YYYY is the year, MM is the month, DD is the day, and NN is the revision number for that day (starting at 01). For example, 2025121301 represents December 13, 2025, first revision. This format makes it easy to see when a change was made and allows up to 99 revisions per day. Any increasing number works; the real requirements are that the serial fits in an unsigned 32-bit integer (maximum 4294967295, which YYYYMMDDNN satisfies but an eleven-digit value would not) and that every change increases it in RFC 1982 terms. Correcting a serial that is already too high (a mistyped value, or a scheme with more digits) cannot be done by simply writing the smaller number: the zone must step through the wraparound in increments of at most 2^31 - 1, with all secondaries transferring each step before the next is published (RFC 1912 section 3.1 describes this procedure).
Can I have multiple SOA records for one domain?
No. Each DNS zone has exactly one SOA record, at the zone apex, and it must be the first record in the zone file (RFC 1035 and RFC 2181). A zone with no SOA, or with more than one, violates the specification, and authoritative servers such as BIND refuse to load it. The SOA record defines the authoritative source for the zone; a second one would leave it ambiguous which serial and timing values apply.
What happens if the expire time is reached?
If a secondary nameserver cannot reach the primary for the duration given in the expire field, it stops answering for the zone as authoritative; BIND, for example, returns SERVFAIL for queries in an expired zone. This is a safety mechanism so that a secondary cut off from the primary does not keep serving arbitrarily old data. Set expire long enough to ride out extended maintenance windows or outages (RFC 1912 suggests two to four weeks; the 3600000 seconds in the example above is about 41 days) but not so long that stale data persists indefinitely. Note that expiry only stops the secondary; it does not remove the server from the zone's NS delegation, so an expired secondary becomes a server that fails queries for your zone until the primary is reachable again.
Do I need to manually edit SOA records?
Most managed DNS services and control panels manage the SOA record for you, including incrementing the serial on every change. You typically edit the SOA by hand only when you run your own authoritative nameserver with software like BIND. If you do, increment the serial every time you modify the zone file, or let the server maintain it where it can: zones changed through dynamic update (RFC 2136) have their serial bumped by the server itself, and BIND's serial-update-method option controls the scheme it uses for such zones.