How to Check SOA Records and Zone Configuration
The SOA (Start of Authority) record is the most fundamental record in any DNS zone. It defines the primary nameserver, the zone administrator's contact, and the timing parameters that control how secondary nameservers synchronize with the primary. A misconfigured SOA record can cause propagation delays, stale DNS data, and subtle issues with email delivery and website availability. This guide explains each SOA field and shows you how to check and optimize it.
Step 1: Query the SOA Record
Use dig to retrieve the SOA record for your domain:
dig example.com SOA +short
A typical SOA response looks like this:
ns1.example.com. admin.example.com. 2026040101 3600 900 1209600 86400
The fields, in order, are: primary nameserver, zone administrator email (with the first dot replacing the @ symbol), serial number, refresh interval, retry interval, expire time, and minimum TTL (negative caching TTL).
Step 2: Understand Each SOA Field
- Primary NS — The authoritative nameserver for the zone. It should match one of your NS records.
- Admin email — The zone administrator's email, encoded with dots. admin.example.com means admin@example.com.
- Serial — A version number that must increment with every zone change. The common format is YYYYMMDDNN (date plus revision number).
- Refresh — How often (in seconds) secondary servers check for updates. Typical: 3600.
- Retry — How long a secondary waits before retrying a failed refresh. Typical: 900.
- Expire — How long a secondary serves data if it cannot reach the primary. Typical: 1209600 (two weeks).
- Minimum TTL — The TTL for negative responses (NXDOMAIN). Typical: 86400 (one day).
Step 3: Verify the Serial Number Is Incrementing
Make a DNS change in your zone and then re-query the SOA record. The serial number should have increased. If it has not, secondary nameservers will not pick up the change. Managed DNS providers handle this automatically, but if you manage your own zone files, you must increment the serial manually with every edit.
Step 4: Check Timer Values
Review the refresh, retry, and expire values. An overly long refresh interval delays propagation. An expire value that is too short may cause secondary servers to drop your zone prematurely if the primary has a brief outage. RFC 1912 recommends: refresh 3600, retry 900, expire 1209600, minimum TTL 86400. Adjust based on how frequently your zone changes.
Step 5: Cross-Check with NS Records
The primary nameserver in the SOA record should be listed in your NS records. Verify with:
dig example.com NS +short
A mismatch can cause confusion during zone transfers and troubleshooting. Also check that all nameservers listed in NS records are responding and serving consistent data. Use the DNS Compare tool to compare responses from different nameservers for the same domain.
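Steps 1 to 5 combined into one offline check, as an added example that is not part of the original guide or its tools: it parses a line of dig +short SOA output, decodes the admin email, and flags a primary NS missing from the NS set, a serial that did not advance, and inconsistent timers. The function names, the ns2.example.com. entry, the timer sanity rules and the wraparound-aware serial comparison (RFC 1982 serial arithmetic, which goes beyond the guide's plain "should have increased") are assumptions of this example.

```python
import re

# Constructed sample input: the SOA line shown in Step 1, plus an assumed NS set
# as `dig example.com NS +short` would print it.
SAMPLE_SOA = "ns1.example.com. admin.example.com. 2026040101 3600 900 1209600 86400"
SAMPLE_NS = ["ns1.example.com.", "ns2.example.com."]

def rname_to_email(rname):
    """First unescaped dot becomes '@'; an escaped dot ('\\.') stays in the local part."""
    local, domain = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    return local.replace("\\.", ".") + "@" + domain

def parse_soa(line):
    """Split one line of `dig +short SOA` output into its seven fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    soa = {"mname": fields[0], "email": rname_to_email(fields[1])}
    soa.update(zip(keys, map(int, fields[2:])))
    return soa

def serial_increased(old, new):
    """RFC 1982 comparison on 32 bits: new must be ahead of old by 1..2**31-1."""
    return 0 < (new - old) % 2**32 < 2**31

def audit(soa_line, ns_names, previous_serial=None):
    """Return (parsed SOA, list of findings) for Steps 3-5 of the guide."""
    soa, findings = parse_soa(soa_line), []
    ns_set = {n.lower().rstrip(".") for n in ns_names}
    if soa["mname"].lower().rstrip(".") not in ns_set:
        findings.append("primary NS is not listed in the NS records")
    if previous_serial is not None and not serial_increased(previous_serial, soa["serial"]):
        findings.append("serial did not increase since the last check")
    # Sanity rules assumed for this example, not values taken from the guide.
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire is too short relative to refresh and retry")
    return soa, findings

if __name__ == "__main__":
    soa, findings = audit(SAMPLE_SOA, SAMPLE_NS, previous_serial=2026040100)
    print(soa["email"], findings or "no findings")
```

Record the serial before a zone edit and pass it as previous_serial afterwards; an empty findings list means the checks in Steps 3 to 5 passed for that snapshot.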
Frequently Asked Questions
What is the SOA serial number and why does it matter?
The SOA serial number is a version identifier for your DNS zone. Secondary nameservers compare the serial number to decide whether to request a zone transfer. If you update DNS records without incrementing the serial, secondary servers will not pick up the changes.
What should I set the SOA refresh interval to?
A refresh interval of 3600 to 7200 seconds (one to two hours) is standard for most domains. High-traffic or frequently updated zones may use shorter intervals. Very long refresh intervals can delay propagation of DNS changes to secondary nameservers.
Can a bad SOA record cause email delivery problems?
Indirectly, yes. If the SOA record has misconfigured timers or the serial number is not incrementing, secondary nameservers may serve stale records. This can cause MX, SPF, and DKIM lookups to return outdated data, leading to delivery failures or authentication errors.