DNS SOA Record
Start of Authority Record
What is a SOA Record?
A DNS SOA record (Start of Authority record) is the first record in every DNS zone and defines key parameters about the zone itself. It identifies the primary name server for the zone, the email address of the zone administrator, and a set of timing values that control how secondary name servers synchronize their copies of the zone data.
Every DNS zone must have exactly one SOA record at the zone apex. The SOA record contains a serial number that must be incremented each time the zone is modified. Secondary (slave) name servers compare this serial number with their cached version to determine if they need to request a zone transfer. A common convention is to use the date-based format YYYYMMDDNN (e.g., 2024010101) for the serial number.
The SOA record also defines several timing intervals: Refresh (how often secondaries check for updates), Retry (how long to wait before retrying a failed refresh), Expire (when secondaries should stop serving the zone if they can't reach the primary), and Minimum TTL (the default negative caching TTL for NXDOMAIN responses). These values are critical for ensuring DNS zone consistency across all authoritative servers.
Syntax & Examples
The syntax of a DNS SOA record contains multiple fields:
example.com. 86400 IN SOA ns1.example.com. admin.example.com. (
    2024010101 ; Serial number
    3600       ; Refresh (1 hour)
    900        ; Retry (15 minutes)
    1209600    ; Expire (2 weeks)
    86400      ; Minimum TTL (1 day)
)
The fields are: zone name, TTL, class, record type, primary name server (MNAME), admin email (RNAME — with the @ replaced by a dot, so admin.example.com means admin@example.com), followed by the serial number and four timing values in seconds. The parentheses allow the record to span multiple lines.
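As an added example (not part of this page's reference text), a small Python parser for the presentation format shown above: it strips the `;` comments, joins the parenthesised lines, decodes RNAME back into a mailbox address (including the backslash-escaped dot case), and applies two reasonableness checks on the timers. The sample record and the warning thresholds are this example's own choices, not values from the page.

```python
from dataclasses import dataclass

# Constructed sample in zone-file presentation format, the same shape as
# the record shown on the page (values are illustrative).
SAMPLE_SOA = """example.com. 86400 IN SOA ns1.example.com. admin.example.com. (
    2024010101 ; Serial number
    3600       ; Refresh (1 hour)
    900        ; Retry (15 minutes)
    1209600    ; Expire (2 weeks)
    86400      ; Minimum TTL (1 day)
)"""


@dataclass
class SOARecord:
    name: str
    ttl: int
    mname: str      # primary name server
    rname: str      # administrator mailbox, encoded as a domain name
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL

    def admin_email(self) -> str:
        """Decode RNAME into user@domain.

        The first unescaped dot separates the mailbox from its domain; a
        backslash-escaped dot is a literal dot in the mailbox, so
        'john\\.doe.example.com.' decodes to 'john.doe@example.com'.
        """
        s = self.rname.rstrip(".")
        local = []
        i = 0
        while i < len(s):
            if s[i] == "\\" and i + 1 < len(s):
                local.append(s[i + 1])
                i += 2
            elif s[i] == ".":
                return "".join(local) + "@" + s[i + 1:]
            else:
                local.append(s[i])
                i += 1
        raise ValueError("RNAME has no domain part: %r" % self.rname)


def _tokens(text: str) -> list:
    """Drop ';' comments and parentheses, then split into whitespace tokens."""
    code_only = [line.split(";", 1)[0] for line in text.splitlines()]
    return " ".join(code_only).replace("(", " ").replace(")", " ").split()


def parse_soa(text: str) -> SOARecord:
    """Parse: name TTL IN SOA MNAME RNAME (serial refresh retry expire minimum)."""
    t = _tokens(text)
    if len(t) != 11 or t[2].upper() != "IN" or t[3].upper() != "SOA":
        raise ValueError("expected a single SOA record with explicit TTL and class")
    serial, refresh, retry, expire, minimum = (int(x) for x in t[6:])
    if not 0 <= serial <= 0xFFFFFFFF:
        raise ValueError("serial must fit in 32 bits")
    return SOARecord(t[0], int(t[1]), t[4], t[5], serial, refresh, retry, expire, minimum)


def timing_warnings(rec: SOARecord) -> list:
    """Reasonableness checks on the timers (this example's own thresholds,
    not limits imposed by the DNS specification)."""
    warnings = []
    if rec.retry >= rec.refresh:
        warnings.append("retry should be shorter than refresh")
    if rec.expire <= rec.refresh + rec.retry:
        warnings.append("expire should exceed refresh + retry, or secondaries "
                        "may drop the zone after a single missed refresh")
    return warnings


if __name__ == "__main__":
    rec = parse_soa(SAMPLE_SOA)
    print(rec.mname, rec.admin_email(), rec.serial, timing_warnings(rec))
```

The parser deliberately insists on the explicit TTL and class shown in the page's example; real zone files may omit either, which this example does not handle.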
How to Query SOA Records
To query the SOA record using dig, run: dig example.com SOA. For concise output: dig +short example.com SOA. The output shows the primary name server, admin email, serial number, refresh, retry, expire, and minimum TTL values. To check the serial number on a specific name server: dig @ns1.example.com example.com SOA +short.
With nslookup, use: nslookup -type=SOA example.com. On Windows PowerShell: Resolve-DnsName -Name example.com -Type SOA. To verify zone consistency, compare the serial numbers across all authoritative servers by querying each one individually. If serial numbers differ, a zone transfer issue may exist. The SOA record is also returned in the authority section of NXDOMAIN responses.
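Also added here as an example (not the page's own tooling) is the zone-consistency check the paragraph describes, done in Python over constructed `dig +short` style answers rather than live queries: it parses each server's SOA line, compares serials with RFC 1982 serial-number arithmetic so a serial that has wrapped past 2^32 is not mistaken for an old one, and reports which servers lag behind the newest serial. The server names and their answers are constructed.

```python
# Constructed sample answers, in the shape printed by
#   dig @<server> example.com SOA +short
# for each authoritative server. The older serial on ns3 is deliberate.
SAMPLE_ANSWERS = {
    "ns1.example.com": "ns1.example.com. admin.example.com. 2024010105 3600 900 1209600 86400",
    "ns2.example.com": "ns1.example.com. admin.example.com. 2024010105 3600 900 1209600 86400",
    "ns3.example.com": "ns1.example.com. admin.example.com. 2024010103 3600 900 1209600 86400",
}

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True when serial a is newer than serial b.

    Serials are 32-bit and wrap, so 5 counts as newer than 4294967290;
    a plain integer comparison would get that case backwards.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def parse_short_soa(line: str) -> dict:
    """Split one `dig +short` SOA answer into its seven fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("unexpected SOA answer: %r" % line)
    mname, rname, *numbers = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in numbers)
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def check_zone_consistency(answers: dict) -> dict:
    """Find the newest serial across servers and every server still behind it."""
    serials = {server: parse_short_soa(line)["serial"] for server, line in answers.items()}
    newest = None
    for s in serials.values():
        if newest is None or serial_gt(s, newest):
            newest = s
    lagging = {server: s for server, s in serials.items() if s != newest}
    return {"newest": newest, "lagging": lagging, "consistent": not lagging}


if __name__ == "__main__":
    report = check_zone_consistency(SAMPLE_ANSWERS)
    for server, serial in report["lagging"].items():
        print("%s serves serial %d, newest is %d: check zone transfers and NOTIFY"
              % (server, serial, report["newest"]))
```

To use it against real servers, fill the dictionary with the output of the `dig @ns... example.com SOA +short` command given above for each server listed in the zone's NS records; a server that stays behind for longer than the Expire value will stop answering for the zone altogether.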
Frequently Asked Questions
What is a DNS SOA record?
A DNS SOA (Start of Authority) record is the first record in a DNS zone that defines essential zone parameters. It identifies the primary name server, zone administrator's email, serial number for change tracking, and timing values that control zone transfers and caching behavior.
What is the SOA serial number?
The SOA serial number is a 32-bit unsigned integer that must be incremented each time the zone is modified. Secondary name servers use it to determine if they need to download an updated copy of the zone. The common convention YYYYMMDDNN (e.g., 2024010101) allows 99 changes per day while being human-readable.
What do the SOA timing values mean?
Refresh is how often secondary servers check the primary for updates. Retry is the wait time after a failed refresh attempt. Expire is how long secondaries will serve stale data if they can't reach the primary. Minimum TTL defines the default negative caching duration (how long NXDOMAIN responses are cached).
Why is the email address in SOA written with a dot instead of @?
In the SOA record, the administrative email address uses a dot instead of @ because the @ symbol has special meaning in DNS zone files (it represents the current zone origin). So admin@example.com is written as admin.example.com in the SOA RNAME field.
Can I have more than one SOA record?
No, each DNS zone must have exactly one SOA record, and it must be at the zone apex (the top of the zone). Having multiple SOA records would create ambiguity about zone authority and is not permitted by the DNS specification (RFC 1035). DNS servers will reject zones with multiple SOA records.