DNS GUIDE

SOA Lookup: The Authority Record of the DNS Zone

How to read the SOA record, interpret synchronization parameters, and verify the health of your DNS zone.

SOA: the identity document of the DNS zone

The SOA (Start of Authority) record is the first and most important record of every DNS zone. It contains the fundamental metadata that govern how the zone operates: who is the primary nameserver, who is the administrator, the serial number that tracks changes, and the parameters that regulate synchronization between primary and secondary nameservers. Every DNS zone must have exactly one SOA record — it is mandatory per RFC specifications.

Although often overlooked by administrators who focus on A, MX, and CNAME records, the SOA record has a direct impact on the speed of DNS change propagation and system resilience. Misconfigured SOA parameters can cause delays in propagation, outdated DNS zones on secondary nameservers, and in extreme cases, loss of authority by secondary nameservers.

Anatomy of the SOA record

SOA record structure
$ soa-lookup --domain esempio.com

esempio.com. IN SOA ns1.esempio.com. admin.esempio.com. (
  2026030501  ; Serial number (YYYYMMDDNN)
  3600        ; Refresh (1 hour)
  900         ; Retry (15 minutes)
  1209600     ; Expire (14 days)
  86400       ; Minimum TTL / Negative cache (1 day)
)

The serial number is a counter that is incremented with each change to the zone. Secondary nameservers compare the primary's serial with their own: if the primary's is higher, they download the new version of the zone (zone transfer). The most common convention is the YYYYMMDDNN format (date + sequential number), but any increasing integer works. If you forget to increment the serial after a change, the secondaries will not update.

Refresh indicates how often (in seconds) the secondary nameserver checks if the primary's serial has changed. Retry is the interval between attempts if the refresh fails. Expire is the maximum time after which, if the primary is unreachable, the secondary stops responding for the zone (considering it stale). The Minimum TTL field (or Negative Cache TTL) indicates how long resolvers cache negative responses (NXDOMAIN — non-existent domain).

Recommended SOA values

Optimal values depend on the context. For zones with frequent changes: Refresh 300-900s, Retry 60-300s. For stable zones: Refresh 3600-7200s, Retry 900s. Expire should always be much higher than Refresh (7-14 days) to ensure that secondaries continue serving the zone during prolonged primary outages. A Negative Cache TTL of 3600s is a good default — too high and removed subdomains remain "phantom" for too long.

Use SOA Lookup to verify your zone's parameters and compare them with best practices. Combine the check with NS Lookup to verify that the nameservers listed in the SOA match those actually delegated, and with DNS Health Check for a complete zone consistency check. The SOA is rarely the direct cause of user-visible problems, but incorrect parameters can amplify the impact of other issues.

A detail that often causes confusion is the administrator email format in the SOA: admin.example.com is not a URL but an email address where the first dot replaces the @. So admin.example.com corresponds to admin@example.com. If the address contains a dot before the @, it is escaped with a backslash: john\.doe.example.com corresponds to john.doe@example.com. This legacy format is one of DNS's quirks inherited from the 1980s.
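
The parameter checks and the RNAME-to-email rule described above, as an added example (not part of the original guide and not the SOA Lookup tool's code): it parses an SOA record in zone-file format, decodes the administrator address including the escaped-dot case, and flags timers outside the values this guide suggests. The function names, the finding codes, the use of 7 days and 3600 s as hard thresholds, and the retry-below-refresh check are assumptions of this example.

```python
import re

# The sample record shown earlier in this guide (comments translated).
SAMPLE = """esempio.com. IN SOA ns1.esempio.com. admin.esempio.com. (
  2026030501  ; Serial number (YYYYMMDDNN)
  3600        ; Refresh (1 hour)
  900         ; Retry (15 minutes)
  1209600     ; Expire (14 days)
  86400       ; Minimum TTL / Negative cache (1 day)
)"""
DAY = 86400

def rname_to_email(rname):
    """Turn an SOA RNAME into an email address, honouring escaped dots."""
    # The first dot NOT preceded by a backslash stands in for the "@".
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"RNAME has no domain part: {rname!r}")
    local, domain = parts
    return local.replace("\\.", ".") + "@" + domain

def parse_soa(text):
    """Parse an SOA record in zone-file format into a dict."""
    # Strip ; comments first (they may contain parentheses), then grouping parens.
    text = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ")
    tokens = text.split()
    if "SOA" in tokens:  # drop an optional "<owner> [ttl] IN SOA" prefix
        tokens = tokens[tokens.index("SOA") + 1:]
    if len(tokens) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(tokens)}")
    names = ("serial", "refresh", "retry", "expire", "minimum")
    soa = {"mname": tokens[0], "email": rname_to_email(tokens[1])}
    soa.update(zip(names, map(int, tokens[2:])))
    return soa

def check_soa(soa):
    """Return finding codes for timers outside this guide's suggestions."""
    findings = []
    if soa["retry"] >= soa["refresh"]:   # assumption of this example
        findings.append("retry_not_below_refresh")
    if soa["expire"] < 7 * DAY:          # guide: expire of 7-14 days
        findings.append("expire_below_7_days")
    if soa["minimum"] > 3600:            # guide: 3600 s is a good default
        findings.append("negative_ttl_above_3600")
    return findings

if __name__ == "__main__":
    record = parse_soa(SAMPLE)
    print(record["email"], check_soa(record))
```

Run against the sample record from this guide, the only finding is the 86400 s negative cache TTL, which is above the 3600 s default recommended above.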
