What is SOA Record?
Also known as: Start of Authority Record
A DNS resource record that specifies authoritative information about a DNS zone, including the primary nameserver, responsible party's email, and timing parameters for zone replication.
The Start of Authority (SOA) record is a mandatory resource record that establishes the authoritative metadata for a DNS zone. Every zone has exactly one SOA record, at the zone apex, created when the zone is first configured on the primary nameserver. It is the first record in a zone file and tells resolvers and secondary servers which server is the primary source of data for the zone, how long to cache negative responses, and how to synchronize zone data.
The SOA record contains seven fields. MNAME is the domain name of the primary master nameserver for the zone. RNAME encodes the email address of the person responsible for the zone (the '@' is replaced by a dot). The serial number is a 32-bit version counter that secondary servers compare with their own copy, using the wraparound-safe arithmetic of RFC 1982, to determine whether the zone has changed. The refresh interval tells secondary servers how often to poll the primary for a new serial. The retry interval dictates how long to wait before retrying after a failed refresh. The expire interval is the maximum time since the last successful refresh during which a secondary may keep serving the zone; after that it stops answering authoritatively rather than serve stale data indefinitely. The minimum TTL field, redefined by RFC 2308 as the negative caching TTL, bounds how long resolvers cache NXDOMAIN and NODATA responses; the effective value is the smaller of this field and the TTL of the SOA record itself.
In the wider DNS resolution process, the SOA record is most commonly seen in two contexts. First, during zone transfers (AXFR/IXFR), where the SOA record marks the beginning and end of the transferred data; because a transfer exposes the entire zone, operators restrict AXFR to known secondaries. Second, when a query returns an authoritative NXDOMAIN or NODATA answer, the SOA record is included in the authority section of the response, providing the negative caching TTL. Operators modify the timing parameters carefully: overly short refresh intervals increase load on the primary server, while overly long intervals delay propagation of zone changes when DNS NOTIFY (RFC 1996) does not reach a secondary. A serial that is not incremented after an edit is a classic operational error, since secondaries will never pull the change.
Key facts
- Every DNS zone requires exactly one SOA record, which must be the first record in the zone file.
- The serial number in the SOA record is incremented on the primary server whenever the zone data is changed.
- Secondary servers use the SOA refresh/retry/expire timers to manage zone replication; the serial decides whether a transfer is needed at all.
- The RNAME field stores the zone admin email with '@' replaced by a dot (e.g. admin@example.com becomes admin.example.com.); a dot inside the mailbox name must be escaped with a backslash (john\.doe.example.com.).
- RFC 1035 defines the original SOA record format; RFC 1982 specifies serial number arithmetic, and RFC 2308 redefines the minimum field for negative caching.
How it works in practice
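The following Python script is an added example, not code from the original page: it parses a single-line SOA record in the presentation format dig prints, decodes RNAME into an email address (including the backslash-escaped dot case), computes the RFC 2308 negative caching TTL, applies the RFC 1982 serial comparison a secondary uses to decide whether to transfer, and runs a few timer sanity checks. The zone data in SAMPLE_SOA is constructed for illustration, and the timer checks in timer_warnings are practitioner heuristics, not RFC requirements.

```python
from dataclasses import dataclass

# Constructed sample: one SOA answer in dig's presentation format
# (owner TTL class type MNAME RNAME serial refresh retry expire minimum).
# Hypothetical zone data, not a real record.
SAMPLE_SOA = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
              "2024010501 7200 900 1209600 300")

SERIAL_BITS = 32
SERIAL_SPACE = 2 ** SERIAL_BITS
HALF_SPACE = 2 ** (SERIAL_BITS - 1)


@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(line: str) -> SOA:
    """Parse one SOA RR written on a single line in zone-file presentation format."""
    fields = line.split()
    if len(fields) != 11 or fields[2] != "IN" or fields[3] != "SOA":
        raise ValueError(f"not a single-line SOA record: {line!r}")
    owner, ttl, _cls, _type, mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    if not 0 <= serial < SERIAL_SPACE:
        raise ValueError("serial must fit in 32 bits")
    return SOA(owner, int(ttl), mname, rname, serial, refresh, retry, expire, minimum)


def rname_to_email(rname: str) -> str:
    """Decode RNAME: the first unescaped '.' separates the mailbox from the domain;
    a backslash-escaped dot inside the mailbox is a literal '.'."""
    mailbox = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            mailbox.append(rname[i + 1])   # escaped character, keep it verbatim
            i += 2
            continue
        if ch == ".":
            return "".join(mailbox) + "@" + rname[i + 1:].rstrip(".")
        mailbox.append(ch)
        i += 1
    raise ValueError("RNAME has no domain part")


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: True if candidate is 'greater than' current in the
    32-bit circular space. A secondary transfers only when the primary's serial is
    newer than its own. The case where the serials differ by exactly 2^31 is
    undefined in RFC 1982 and is treated here as 'not newer'."""
    if candidate == current:
        return False
    diff = (candidate - current) % SERIAL_SPACE
    return 0 < diff < HALF_SPACE


def negative_cache_ttl(soa: SOA) -> int:
    """RFC 2308 section 5: a resolver caches NXDOMAIN/NODATA for
    min(SOA MINIMUM, TTL of the SOA RR returned in the authority section)."""
    return min(soa.minimum, soa.ttl)


def timer_warnings(soa: SOA) -> list:
    """Sanity checks on replication timers (heuristics, not RFC mandates)."""
    warnings = []
    if soa.retry >= soa.refresh:
        warnings.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        warnings.append("expire should exceed refresh + retry, or secondaries may "
                        "drop the zone after a single missed refresh cycle")
    if soa.minimum > 86400:
        warnings.append("negative-cache TTL above one day delays visibility of "
                        "newly added names")
    return warnings


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(f"primary: {soa.mname}  admin: {rname_to_email(soa.rname)}")
    print(f"negative-cache TTL: {negative_cache_ttl(soa)}s")
    for w in timer_warnings(soa):
        print("warning:", w)
    # A secondary holding serial 2024010500 would transfer; one at 2024010501 would not.
    print(serial_is_newer(soa.serial, 2024010500), serial_is_newer(soa.serial, 2024010501))
```

The serial comparison is the part worth internalizing: because the space is circular, a secondary that somehow holds a serial far ahead of the primary's (for example after a mistaken edit that was then reverted on the primary) will see the primary's correct, smaller serial as "older" and refuse to transfer until the primary's serial is moved past it using two increments of just under 2^31 each.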
More in DNS
A Record
A DNS resource record that maps a hostname to a 32-bit IPv4 address. It is the most fundamental record type for translating domain names to numeric addresses on the Internet.
AAAA Record
A DNS resource record that maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4.
Authoritative DNS
An authoritative DNS server holds the definitive resource records for a specific domain and responds to queries with the final answer for that zone, not a cached copy.
CAA Record
A CAA (Certification Authority Authorization) DNS record lets domain owners specify which certificate authorities are permitted to issue SSL/TLS certificates for their domain.
CNAME Record
A DNS record that maps an alias hostname to the true or canonical hostname, allowing multiple names to resolve to the same IP address without duplicating A or AAAA records.
DNS
The Domain Name System (DNS) is a hierarchical, distributed naming system that translates human-readable domain names (like example.com) into IP addresses and other resource records used by internet protocols.
DNS Anycast
DNS Anycast uses one IP address served from multiple geographically distributed nameservers; queries are routed to the nearest or healthiest node, improving resilience and reducing latency.
DNS Caching
DNS caching stores resolved domain name query results for the specified TTL duration to avoid repeated queries to upstream authoritative servers.
DNS Hijacking
DNS hijacking is an attack or misconfiguration that redirects name resolution, whether by altering registrar or nameserver settings, compromising a resolver, or returning forged responses, so that users connect to attacker-controlled hosts instead of the intended server.
DNSSEC
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that validating resolvers can verify a response's origin and integrity; it does not encrypt queries or answers.