SOA Records: Understanding DNS Zone Authority and Configuration
Every DNS zone has exactly one SOA (Start of Authority) record. It defines the primary nameserver, the zone administrator's contact, and critical timing parameters that control how secondary servers synchronize zone data. This guide explains every SOA field in detail and provides best-practice configurations for production zones.
What Is an SOA Record?
The SOA record (Start of Authority) is a mandatory DNS record that sits at the apex of every DNS zone, alongside the zone's NS records. It identifies the authoritative source of information for the zone and carries the parameters that govern how zone data is replicated from the primary nameserver to the secondaries. A zone without an SOA record is invalid and will not load.
Here is what a typical SOA record looks like:
example.com. IN SOA ns1.example.com. admin.example.com. (
        2026040101 ; Serial number
        3600       ; Refresh (1 hour)
        900        ; Retry (15 minutes)
        1209600    ; Expire (2 weeks)
        300        ; Minimum TTL (5 minutes)
)
You can inspect the SOA record for any domain using our SOA Lookup tool, which displays all fields with human-readable explanations.
SOA Record Fields Explained
The SOA record contains seven fields, each serving a specific purpose in zone management:
1. MNAME (Primary Nameserver)
The MNAME field contains the fully qualified domain name of the primary (master) nameserver for the zone, the server that holds the authoritative, writable copy of the zone data. Secondary (slave) nameservers are normally configured explicitly with the primary they transfer from rather than discovering it through MNAME; the field's other defined role is to tell dynamic-update clients (RFC 2136) where to send their updates.
Note that the MNAME does not need to match any of the NS records for the zone, although it typically does. In some configurations, the primary nameserver is a hidden master that is not listed in the NS records to prevent direct queries.
2. RNAME (Administrator Email)
The RNAME field contains the email address of the zone administrator, encoded as a domain name: the first label is the local part of the address, and the first unescaped dot stands for the @ symbol. For example, admin.example.com. represents admin@example.com.
If the email address itself contains a dot before the @, the dot must be escaped with a backslash. For example, john\.doe.example.com. represents john.doe@example.com. Many DNS providers use hostmaster or admin as default values.
3. Serial Number
The serial number is a 32-bit unsigned integer that acts as a version number for the zone. Every time you make a change to the zone (add, modify, or delete any record), the serial number must be incremented. Secondary nameservers compare their serial number against the primary's serial to determine whether they need to perform a zone transfer.
The most common convention is the date-based format: YYYYMMDDnn, where nn is a revision counter for that day. For example, 2026040101 means the first revision on April 1, 2026. This format is human-readable and naturally increments over time.
Some DNS providers use a simple incrementing counter (1, 2, 3, ...) or Unix timestamps. The specific format does not matter as long as each change moves the serial forward by at least 1 and by less than 2^31: secondaries compare serials with RFC 1982 serial number arithmetic (modulo 2^32), so a larger jump, or any decrease, is read as an older serial and the change is never transferred.
4. Refresh Interval
The refresh value (in seconds) tells secondary nameservers how often they should check the primary for zone updates. When the refresh interval expires, the secondary queries the SOA record from the primary and compares serial numbers. If the serial has increased, the secondary initiates a zone transfer.
Recommended value: 3600–86400 seconds (1 hour to 1 day). Shorter intervals mean faster propagation of changes to secondary servers, but increase DNS query load. For frequently updated zones, 3600 seconds (1 hour) is a good balance.
5. Retry Interval
The retry value (in seconds) specifies how long a secondary nameserver should wait before retrying a failed refresh attempt. If the primary nameserver is temporarily unreachable, the secondary will retry at this interval until the primary comes back online or the expire time is reached.
Recommended value: 900–3600 seconds (15 minutes to 1 hour). The retry interval should always be shorter than the refresh interval to ensure timely recovery.
6. Expire Time
The expire value (in seconds) defines how long a secondary nameserver should continue to serve zone data if it cannot reach the primary. After this time elapses without a successful refresh, the secondary stops answering queries for the zone, returning SERVFAIL instead.
Recommended value: 1209600–2419200 seconds (2–4 weeks). This gives you enough time to recover from extended primary server outages without losing DNS service.
7. Minimum TTL (Negative Caching TTL)
The minimum TTL field, redefined by RFC 2308 as the negative caching TTL, controls how long resolvers cache negative responses: NXDOMAIN (the name does not exist) and NODATA (the name exists but has no record of the requested type). If a resolver queries for a record that does not exist, it caches the negative result for this duration. Strictly, the lifetime is the smaller of this field and the TTL of the SOA record itself, so keep the SOA record's own TTL in mind when tuning it. Before RFC 2308 this field was the default TTL for records without an explicit TTL; that role now belongs to the $TTL directive, and modern servers no longer use MINIMUM for it.
Recommended value: 300–3600 seconds (5 minutes to 1 hour). Lower values allow new records to become visible faster (since resolvers stop caching the "does not exist" answer sooner), but increase query load on your authoritative servers.
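The field descriptions above, as an added worked example (it is not code from this guide's tools or from any DNS server): the script parses the multi-line presentation form shown at the top of the page, decodes RNAME including backslash escapes, and applies the timer relationships recommended here. The sample record is constructed from the example above; the thresholds in check_timers are this guide's recommendations, not protocol rules.

```python
"""Parse an SOA record in zone-file presentation format and sanity-check it.

Example code added to this guide; not part of any DNS implementation.
Assumes one SOA record in the parenthesised multi-line form shown above."""

# Constructed sample: the record from the top of the page, with ';' comments.
SAMPLE_SOA = """example.com. IN SOA ns1.example.com. admin.example.com. (
        2026040101 ; Serial number
        3600       ; Refresh (1 hour)
        900        ; Retry (15 minutes)
        1209600    ; Expire (2 weeks)
        300        ; Minimum TTL (5 minutes)
)"""

NUMERIC_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def strip_comments(text):
    """Drop ';' comments and the '(' ')' continuation markers, one line of tokens out."""
    lines = [line.split(";", 1)[0] for line in text.splitlines()]
    return " ".join(lines).replace("(", " ").replace(")", " ")


def parse_soa(text):
    """Return a dict with owner, mname, rname and the five 32-bit numeric fields."""
    tokens = strip_comments(text).split()
    if "SOA" not in tokens:
        raise ValueError("not an SOA record")
    rdata = tokens[tokens.index("SOA") + 1:]   # owner [TTL] [class] SOA <7 fields>
    if len(rdata) != 7:
        raise ValueError(f"SOA needs 7 RDATA fields, got {len(rdata)}")
    rec = {"owner": tokens[0], "mname": rdata[0], "rname": rdata[1]}
    for name, value in zip(NUMERIC_FIELDS, rdata[2:]):
        n = int(value)
        if not 0 <= n <= 0xFFFFFFFF:
            raise ValueError(f"{name} out of 32-bit range: {n}")
        rec[name] = n
    return rec


def rname_to_email(rname):
    """Decode an SOA RNAME into a mailbox address.

    The first label is the local part; the first unescaped '.' stands for '@'.
    A backslash escapes the next character ('john\\.doe.example.com.' is
    john.doe@example.com), and the RFC 1035 '\\DDD' decimal form is accepted too.
    """
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            nxt = rname[i + 1:i + 4]
            if len(nxt) == 3 and nxt.isdigit():      # \DDD decimal escape
                local.append(chr(int(nxt)))
                i += 4
            else:                                    # \. or any \X
                local.append(rname[i + 1])
                i += 2
            continue
        if ch == ".":                                # end of the local part
            break
        local.append(ch)
        i += 1
    domain = rname[i + 1:].rstrip(".")
    if not local or not domain:
        raise ValueError(f"malformed RNAME: {rname!r}")
    return "".join(local) + "@" + domain


def check_timers(rec):
    """Apply this guide's timer rules; returns a list of problems (empty = sane)."""
    problems = []
    if rec["retry"] >= rec["refresh"]:
        problems.append("retry should be shorter than refresh")
    if rec["expire"] <= rec["refresh"]:
        problems.append("expire is not longer than refresh: secondaries drop the zone before re-checking it")
    elif rec["expire"] < 1209600:
        problems.append("expire below two weeks gives little time to recover a primary outage")
    if rec["minimum"] == 0:
        problems.append("minimum (negative-cache TTL) of 0 disables negative caching")
    elif rec["minimum"] > 86400:
        problems.append("minimum above one day hides newly added names for too long")
    return problems


def lint_soa(text):
    """Parse, decode the admin mailbox, and return (record, problems)."""
    rec = parse_soa(text)
    rec["admin_email"] = rname_to_email(rec["rname"])
    return rec, check_timers(rec)


if __name__ == "__main__":
    record, problems = lint_soa(SAMPLE_SOA)
    for key, value in record.items():
        print(f"{key:>12}: {value}")
    print("problems:", problems or "none")
```

Paste the output of a `dig SOA example.com +multiline` query into SAMPLE_SOA to check a live zone; the parser ignores the TTL and class tokens that dig adds before SOA.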
How Zone Transfers Use SOA Records
Zone transfers are the mechanism by which secondary nameservers receive copies of zone data from the primary. Because a successful AXFR hands out the entire zone, primaries should restrict transfers to the addresses of their known secondaries (for example BIND's allow-transfer) and ideally authenticate them with TSIG (RFC 8945); an open transfer port leaks every hostname in the zone to anyone who asks. The SOA record plays a central role in the process:
- The secondary's refresh timer expires.
- The secondary queries the primary for the SOA record.
- The secondary compares the serial number in the response with its own copy.
- If the primary's serial is newer in the RFC 1982 sense (ahead by less than 2^31, modulo 2^32), the secondary initiates a zone transfer (AXFR for a full transfer, IXFR per RFC 1995 for an incremental one).
- After the transfer completes, the secondary updates its local copy of the SOA record.
Modern DNS implementations also support DNS NOTIFY (RFC 1996), where the primary immediately notifies secondary servers of zone changes, rather than waiting for the refresh interval. This dramatically reduces the propagation delay for updates. You can check your nameserver configuration using our NS Lookup tool.
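To make the refresh, retry and expire interaction concrete, here is a small simulation, added for this guide and not code from any nameserver, of a secondary following the polling rules of RFC 1034 section 4.3.5 through a primary outage. The outage window and serial values in constructed_primary are made up; NOTIFY is deliberately left out so the timers alone drive the timeline.

```python
"""Walk a secondary nameserver's REFRESH / RETRY / EXPIRE timers through a
primary outage, following the polling behaviour in RFC 1034 section 4.3.5.

Example added for this guide; not code from any nameserver. The outage
window and serial values in constructed_primary() are constructed."""


def simulate_secondary(refresh, retry, expire, primary_serial_at, horizon):
    """Return the secondary's events from t=0 (just after a good transfer).

    primary_serial_at(t) gives the primary's serial at time t, or None when
    the primary cannot be reached. Each event is (time, kind, serial) with kind
    'ok' (serial unchanged), 'transfer', 'retry' (check failed) or 'expire'
    (zone dropped; queries now get SERVFAIL). Rules modelled:
      * after a successful SOA check, check again REFRESH seconds later;
      * after a failed check, try again RETRY seconds later;
      * once EXPIRE seconds pass since the last successful check, drop the zone.
    """
    events = []
    my_serial = primary_serial_at(0)       # constructed: we start in sync
    last_ok = 0                            # time of the last successful check
    t = refresh                            # time of the next scheduled check
    while True:
        expiry = last_ok + expire
        if expiry <= t:                    # EXPIRE runs out before the next try
            if expiry <= horizon:
                events.append((expiry, "expire", None))
            break
        if t > horizon:
            break
        serial = primary_serial_at(t)
        if serial is None:
            events.append((t, "retry", None))
            t += retry
            continue
        last_ok = t
        if serial != my_serial:
            # A real secondary decides "newer" with RFC 1982 serial arithmetic;
            # in this walk-through any change triggers the transfer.
            events.append((t, "transfer", serial))
            my_serial = serial
        else:
            events.append((t, "ok", serial))
        t += refresh
    return events


def constructed_primary(t):
    """Constructed primary: unreachable for 5000 <= t < 20000 and, while it
    was down, edited so its serial is 2026040102 once it is back."""
    if 5000 <= t < 20000:
        return None
    return 2026040101 if t < 20000 else 2026040102


def summarize(events):
    """Collapse an event list into counts and the times that matter."""
    return {
        "ok": sum(1 for _, kind, _ in events if kind == "ok"),
        "retries": sum(1 for _, kind, _ in events if kind == "retry"),
        "transfers": [t for t, kind, _ in events if kind == "transfer"],
        "expired_at": next((t for t, kind, _ in events if kind == "expire"), None),
    }


if __name__ == "__main__":
    # Values from this guide's recommended configuration, 25000 s horizon.
    for time, kind, serial in simulate_secondary(3600, 900, 1209600,
                                                 constructed_primary, 25000):
        print(f"t={time:>6}s  {kind:<8} {serial if serial else ''}")
    # The "expire shorter than refresh" mistake: the zone dies before check one.
    print(summarize(simulate_secondary(3600, 900, 600, constructed_primary, 25000)))
```

With the recommended values the secondary polls every 15 minutes for the length of the outage and picks up the new serial 700 seconds after the primary returns, without ever expiring; with expire set below refresh the zone is dropped at t=600 before the first refresh is even attempted.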
Best Practice SOA Values
RFC 1912 (section 2.2) provides guidelines for SOA timer values. Here is a recommended configuration for production zones:
example.com. IN SOA ns1.example.com. hostmaster.example.com. (
        2026040101 ; Serial (YYYYMMDD + revision)
        3600       ; Refresh: 1 hour
        900        ; Retry: 15 minutes
        1209600    ; Expire: 2 weeks
        300        ; Minimum TTL: 5 minutes
)
If you use a managed DNS provider (Cloudflare, Route 53, Google Cloud DNS), these values are typically set automatically and optimized for the provider's infrastructure. You can view your current SOA configuration with our SOA Lookup tool and verify all record types using the DNS Lookup tool.
Common SOA Record Mistakes
- Forgetting to increment the serial. If you update zone records but do not increase the serial number, secondary servers will not pull the changes.
- Serial going backwards. Secondaries compare serials with RFC 1982 serial number arithmetic, so wrapping from 4294967295 to 0 is handled correctly and is not the problem; a serial that is set to a numerically lower value is. Typical causes are correcting a typo (for example 2062040101 published instead of 2026040101) or switching from a date-based serial to a plain counter. Secondaries then see every new serial as older and never transfer again. Recover by first publishing the current serial plus 2147483647 (2^31 - 1), waiting until an SOA query against every secondary shows that value, and only then publishing the intended serial; in the rare case where the intended value is exactly one below the original, a second intermediate hop is needed.
- Expire shorter than refresh. If the expire time is shorter than the refresh interval, secondary servers will expire their zone data before they even attempt to refresh.
- Extremely low minimum TTL. Setting the negative caching TTL to 0 or very low values floods authoritative servers with repeated queries for non-existent records.
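The serial comparison described in the Serial Number section and the recovery for a serial that went backwards, as an added worked example (not from this guide's tools or any DNS software): serial_newer implements the RFC 1982 test that secondaries apply, and reset_serial_steps computes the values to publish, in order, to reach a lower serial without stranding them. The serial values used are constructed.

```python
"""RFC 1982 serial number arithmetic, and how to move a zone serial to a
numerically smaller value without stranding the secondaries.

Example added for this guide; the serial values used are constructed."""

MOD = 1 << 32          # serials are 32-bit unsigned, compared modulo 2**32
HALF = 1 << 31


def serial_newer(candidate, current):
    """RFC 1982 comparison: `candidate` is newer than `current` when it lies
    ahead on the 2**32 circle by less than 2**31. Equal values are not newer,
    and a distance of exactly 2**31 is undefined in the RFC (treated here as
    not newer, which is the conservative choice for a secondary)."""
    delta = (candidate - current) % MOD
    return 0 < delta < HALF


def add_serial(serial, n):
    """RFC 1982 addition: the increment must lie in [0, 2**31 - 1]."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be between 0 and 2**31 - 1")
    return (serial + n) % MOD


def reset_serial_steps(current, desired):
    """Serials to publish, in order, so every secondary ends up at `desired`.

    Publish one value, wait until an SOA query against every secondary shows
    it, then publish the next. When `desired` is already newer than `current`
    the list is just [desired]; otherwise one (rarely two) intermediate hops
    of 2**31 - 1 come first. Returns [] when nothing needs to change.
    """
    if desired == current:
        return []
    steps, s = [], current
    for _ in range(4):                      # two hops always suffice
        if serial_newer(desired, s):
            steps.append(desired)
            return steps
        s = add_serial(s, HALF - 1)         # the largest hop RFC 1982 allows
        steps.append(s)
        if s == desired:
            return steps
    raise RuntimeError("unreachable: could not step to the desired serial")


if __name__ == "__main__":
    # Constructed scenario: a typo published 2062040101 instead of 2026040101,
    # and the zone must go back to 2026040102.
    current, desired = 2062040101, 2026040102
    print("desired already newer?", serial_newer(desired, current))
    for step in reset_serial_steps(current, desired):
        print("publish", step, "and wait for all secondaries")
```

For the constructed typo the answer is two publications: 4209523748 first, then 2026040102. Going only one step below the original (100 to 99) is the edge case that needs a second hop, because the first hop lands exactly 2^31 away, which RFC 1982 leaves undefined.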