Introduction to SOA: The Start of Authority Mechanism
The SOA record marks the beginning of a DNS zone and identifies the zone's authoritative properties. Every zone has exactly one SOA record, located at the zone apex (the root of the zone — example.com. for the example.com zone). It cannot be removed; attempts to delete it in any DNS management interface will be rejected because it is required for the zone to function. Without an SOA, nameservers would have no way of knowing how to synchronize data or how to handle queries for names that don't exist in the zone.
The SOA record serves three fundamental functions: it names the primary nameserver for the zone and the administrative contact email, it governs how secondary nameservers synchronise with the primary (the zone replication logic), and it specifies how long negative (NXDOMAIN) answers should be cached. The record contains seven distinct values, usually wrapped in parentheses for clarity in zone files.
# Retrieve the SOA record for any domain
dig SOA example.com
# Output breakdown:
; MNAME: ns1.exampledns.com.
; RNAME: admin.example.com.
; Serial: 2024031501
; Refresh: 3600
; Retry: 900
; Expire: 604800
; Minimum: 300
As shown in the output above, every field has a specific role in the technical lifecycle of the zone. All five numeric values (Serial through Minimum) are specified in seconds, except for Serial, which is a version counter rather than a time duration. Every time you make a change to your zone, these numbers dictate exactly how "fast" or "slow" the rest of the DNS infrastructure will pick up those updates from your primary server.
| Field | Example Value | Unit | Purpose |
|---|---|---|---|
| MNAME | ns1.exampledns.com. | Hostname | Primary nameserver for the zone |
| RNAME | admin.example.com. | Admin contact email address | |
| Serial | 2024031501 | Integer | Zone version — triggers transfers |
| Minimum | 300 | Seconds | Negative caching global TTL |
As indicated, the metadata provided in the SOA record is foundational. In modern internet infrastructure, most administrators use a "Managed DNS" provider (like Cloudflare or Route 53) where the SOA is hidden and managed automatically. However, understanding these fields is still critical for debugging replication lag or explaining why a new record isn't showing up for certain users despite being "live" on your dashboard.
Primary Nameserver and Administrative Contact (MNAME & RNAME)
The MNAME field contains the hostname of the zone's primary nameserver—the server that holds the master copy of the zone file. Secondary nameservers use this address to know where to request zone transfers (AXFR/IXFR). It functions as the "Source of Truth" in a traditional Master-Slave DNS architecture. While it might look like a standard NS record, its role is internal to the replication process rather than external for resolver queries.
In modern cloud DNS, the MNAME often points to a provider's hidden master server. This is a common point of confusion for those running audits; you might see a hostname that doesn't match your public nameservers. This is perfectly valid as long as the indicated server is the one responsible for publishing the current serial number. If you are self-hosting, ensure this hostname has a valid A record so secondary servers can actually reach it.
The RNAME field encodes the email address of the zone administrator. DNS uses a specialized format where the @ symbol is replaced by a dot, and dots within the actual email account must be escaped. This legacy format dates back to the early internet when formatted headers were less standardized.
; Email: admin@example.com
; Encoded as: admin.example.com.
; Email: dns-admin@ops.example.com
; Encoded as: dns-admin.ops.example.com.
; Email: john.smith@example.com (local part has a dot)
; Encoded as: john\.smith.example.com.
In practice, the RNAME field is rarely used operationally by automated systems. However, it remains a requirement of the DNS specification. Security researchers and abuse investigators still occasionally check this field to find a contact point for misconfigured domains. It should be set to a valid, monitored alias (like hostmaster@yourdomain.com) rather than a placeholder or an unmonitored individual's account.
💡 Tip: Most managed DNS providers use a generic "hostmaster" or "support" email in the RNAME. Unless you have a specific regulatory requirement, it is best to leave these values as-is to avoid interrupting the provider's automated management of your zone.
Zone Replication Controls: Serial, Refresh, and Retry
Replication is the process of synchronizing your zone data from a primary server to multiple secondary servers. This is governed by three values: the Serial number, the Refresh interval, and the Retry interval. The Serial Number is the most important; it is a 32-bit integer that represents the "version" of the zone. Every time a record is added, changed, or deleted, the serial number must be incremented.
Secondary nameservers periodically poll the primary's SOA record to check for a higher serial number. If the primary serial is greater than the secondary's local copy, the secondary knows that an update has occurred and will request a zone transfer. If the serial remains the same, the secondary assumes no changes have been made and waits for the next refresh cycle.
| Value | Function | Typical Production Range |
|---|---|---|
| Serial | Versioning counter | YYYYMMDDNN format |
| Refresh | Delay between checks | 3600 – 14400s (1–4 hrs) |
| Retry | Delay after failure | 300 – 900s (5–15 mins) |
The Refresh value defines how long a secondary waits before checking the primary's serial number. The Retry value defines how long it waits if that check fails (e.g., due to a network timeout). In modern environments, the NOTIFY protocol usually renders these delays obsolete by "pushing" updates to secondaries instantly, but these values serve as a critical fallback for when notification messages are lost or blocked by firewalls.
A common convention for serial numbers is the date-based YYYYMMDDNN format. For example, 2024031501 represents the first change made on March 15, 2024. This format is highly readable and ensures that each daily change results in a higher number than the last. If you are using sequential integers (1, 2, 3...), ensure you never "reset" back to 1, as secondaries will ignore the zone until the primary's serial catches up to their higher cached version.
⚠️ Warning: If your serial number reaches the 32-bit limit (4.29 billion), it will "wrap around" to zero. While modern DNS handles this, it can cause severe replication issues in older infrastructure. For most users, date-based serials will not hit this limit for centuries.
Expiration Dynamics and Negative Caching (Minimum TTL)
The end of the SOA record contains two parameters that define the "stability" of the zone during failures. The Expire value tells secondary nameservers how long they can continue serving stale zone data if they lose contact with the primary. This provides high resilience; a 1-week expiry means that even if your primary master server is completely destroyed, your secondary servers will keep your website online for 7 days while you recover.
If the expiry period passes without the secondary successfully checking in with the primary, it will stop answering queries for the zone. At this point, the domain becomes unresolvable. RFC 1912 recommends setting this to between 2 and 4 weeks to provide a wide safety margin for infrastructure recovery.
The Minimum TTL field is the source of many troubleshooting headaches. Although the name implies a global "floor" for all record TTLs, its modern function is purely to control negative caching. This is the duration that resolvers (Google DNS, Cloudflare) will remember an "NXDOMAIN" (Name Error) response—the answer given when a user queries a hostname that does not exist in your zone.
- Record Exists: Resolver follows the specific record's TTL (e.g., 300s).
- Record Does Not Exist: Resolver follows the SOA's Minimum TTL (e.g., 3600s).
- Adding a New Record: If a user queried a name 5 minutes ago and got NXDOMAIN, they won't see your newly added record until the Minimum TTL expires.
This is why, when adding a new subdomain, some users may see a "Site not found" error for much longer than your standard 5-minute TTL would suggest. The default Minimum TTL in many legacy systems is 24 hours (86400s), which is far too long for modern web agility. We recommend setting this to 3600 seconds (1 hour) or lower.
💡 Tip: If you are planning to launch several new subdomains in a short window, lower your SOA Minimum TTL to 300 seconds several days in advance. This ensures that any "pre-launch" lookup failures are cleared from global caches within 5 minutes of the actual record being published.
Verification Methods and Industry Standard Values
Retreiving and auditing your SOA record is the first step in diagnosing replication lag or negative caching issues. You can use the dig utility to pull the raw record directly from your authoritative nameservers. It is often helpful to compare the SOA record across all your listed nameservers to ensure they are synchronized.
# Get the SOA record from the public resolver
dig SOA example.com +short
# Query your primary nameserver directly to see the master serial
dig SOA example.com @ns1.primary.com +short
# Check a secondary nameserver to verify replication
dig SOA example.com @ns2.backup.com +short
If the serial numbers on your nameservers do not match, you have a replication lag. The secondary is serving an older version of your zone than the primary. The industry standard values provided in the table below are designed to balance reliability with update agility for production-grade domains.
| Field | Recommended Value | Why? |
|---|---|---|
| Refresh | 14400 (4 hours) | Stable polling frequency for reliability. |
| Retry | 3600 (1 hour) | Fast recovery after temporary network glips. |
| Expire | 1209600 (2 weeks) | Maximum resilience during provider outages. |
| Minimum TTL | 3600 (1 hour) | Fast clearing of negative "NXDOMAIN" caches. |
As shown, these values favor stability. However, for dynamic infrastructure using APIs for thousands of record updates per day, these polling intervals are almost always bypassed by the NOTIFY mechanism. In such cases, the Refresh/Retry/Expire values serve more as documentation for the zone's theoretical "fail-stop" limits than as active timers.
You should use our SOA Lookup as part of your standard pre-migration audit. Understanding these values helps you set expectations for how long a "roll back" or a "new record launch" will actually take to manifest across the global internet, as the SOA fields govern the caching behavior that standard record TTLs cannot touch.
Troubleshooting Failures in Managed and Self-Hosted Environments
Most SOA-related support tickets fall into one of two categories: stale secondaries or stale negative caches. In a self-hosted environment, the most common error is forgetting to increment the serial number after manually editing a zone file. Without a higher serial, your backup nameservers will never pull the new records, and users will randomly get old data depending on which nameserver they happen to hit.
In a managed DNS environment (like Route 53 or Cloudflare), the provider increments the serial for you automatically. However, you may still run into issues with the "Minimum TTL" (Negative Caching). If you try to visit test.example.com before creating the record to see if it's already used, you create a negative cache entry for yourself. If your provider's Minimum TTL is 4 hours, adding the record 10 seconds later won't help—you are now "locked out" by your own resolver's cache for the next 4 hours.
- Serial Reset: If you migrate providers and the new provider uses a lower serial (e.g., they start at 1), your original nameservers might still be seen as newer.
- MNAME Mismatch: If your MNAME points to a server that is blocked by a firewall, secondaries will fail to refresh and will eventually "expire" the zone, taking the domain offline.
- RNAME Typos: A typo in the administrative email (e.g., missing the escaped dot) can cause zone file validation errors that prevent the zone from loading at all.
- Negative Caching Lag: A common cause of "new site not launching" complaints. Lowering the SOA Minimum TTL is the only way to shorten this "invisible" delay.
One critical check in any migration is verifying that the Serial Number on the target server is higher than the source server. If you are moving from Provider A to Provider B, and Provider A is at serial 2024010101, you must ensure that Provider B starts at 2024010102 or higher. Failure to do this means resolvers that have cached the old serial may ignore the new records as "outdated."
For the relationship between SOA values and broader propagation dynamics, see our DNS Propagation guide. If you are experiencing an outage related to these fields, working through our DNS Propagation Troubleshooting guide will provide the structured sequence needed to isolate whether the fault is in the replication (Primary-to-Secondary) or the propagation (Authoritative-to-Resolver) layer.
Frequently Asked Questions
Q: Does changing the SOA serial trigger propagation to end-user resolvers?
No. The SOA serial number only controls synchronization between authoritative nameservers (primary to secondary). End-user resolvers do not check serial numbers; they only care about the specific record's TTL. However, if secondaries haven't synced yet, users querying those secondaries will get old data until the refresh happens.
Q: What happens if I set my SOA serial to a number in the past?
If you set the serial to a lower number than what is currently cached by secondary nameservers, those secondaries will believe they already have the "newest" version and will refuse to fetch your updates. You must increment the serial past the highest number currently held by any secondary to resume normal replication.
Q: Why is my SOA Minimum TTL different from my record TTLs?
They serve different purposes. Record TTLs control how long existing records are cached. The SOA Minimum TTL controls how long non-existent records (NXDOMAIN) are cached. A high Minimum TTL can make it appear that a new record isn't "propagating" when in reality, the resolver has just cached the "fact" that the record didn't exist 5 minutes ago.
Q: Can I delete the SOA record if I use a different method for replication?
No. The SOA record is a mandatory part of every DNS zone according to RFC 1035. Even if you don't use secondary nameservers or zone transfers, the SOA is required to provide the negative caching (Minimum TTL) value and to mark the zone as authoritative in the global hierarchy.
Q: What is the MNAME field used for if I only have one nameserver?
Even with a single nameserver, the MNAME is required by the DNS specification. In this case, it should simply point to the hostname of that single server. It acts as a formal identifier for which server holds the master version of the zone files.
Q: How do I know if my nameserver replication is working?
Query the SOA record from each of your authoritative nameservers using dig SOA example.com @ns1.yourdns.com. If the serial numbers are the same across all servers, your replication is current. If one server has a lower number, it is lagging or failing to receive updates from the primary master.
Next Steps
Use our SOA Lookup tool to retrieve your current SOA record and check the serial number, Minimum TTL, and other values. Use our NS Lookup to compare the SOA serial across all your authoritative nameservers.
For understanding why DNS changes sometimes appear to take longer than expected, see our DNS Propagation guide and DNS Propagation Taking Too Long guide.
Browse all DNS guides on DNSnexus for related topics.