You change an A record on your primary nameserver. But secondary nameservers around the world are holding copies of your zone. They can't watch your server constantly—they have millions of zones to track. So they need rules: how often to check, what counts as "updated," and when to give up if they can't reach you.
The Start of Authority record is that rulebook. Every DNS zone has exactly one, sitting at the zone apex, governing three things: who's the authoritative source, how copies stay synchronized, and how long the Internet should remember that something doesn't exist.
The Seven Fields
An SOA record packs coordination logic into seven fields:
MNAME (ns1.example.com) names the primary nameserver—the source of truth. When secondaries need fresh data, this is where they pull it from.
RNAME (admin.example.com) is the administrator's email, DNS-encoded. That's admin@example.com—DNS uses a period instead of @ because @ has special meaning in zone files. If the local part contains periods (john.smith@example.com), they're escaped with backslashes.
Serial is the version number. Every time you change the zone, this must increase. Secondaries compare their serial to the primary's; higher means "pull fresh data." The format doesn't matter—2024031501 (date plus revision) or simple incrementing integers both work. The rule is absolute: it must always go up.
Refresh (7200 = 2 hours) tells secondaries how often to check for updates. Shorter intervals mean faster propagation but more queries hitting your primary.
Retry (3600 = 1 hour) is the fallback when refresh fails. If a secondary can't reach the primary at the scheduled time, it tries again after this shorter interval rather than waiting for the next full refresh cycle.
Expire (1209600 = 14 days) is the trust deadline. When a secondary can't reach the primary, it keeps answering queries with increasingly stale data. The expire timer is how you tell it when silence is more honest than guessing.
Minimum TTL (86400 = 24 hours) controls negative caching—how long resolvers remember that a name doesn't exist. Query nonexistent.example.com, get NXDOMAIN, and that "no such name" answer gets cached for this duration.
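As an added example (not code from the original page), this parses a one-line SOA record into the seven fields above and decodes the RNAME back into a mailbox, including the backslash-escaped period case; the sample record is constructed.

```python
# Constructed sample SOA record in zone-file presentation form (not from the page).
SAMPLE_SOA = (
    "example.com. 3600 IN SOA ns1.example.com. john\\.smith.example.com. "
    "2024031501 7200 3600 1209600 86400"
)

FIELD_NAMES = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def rname_to_email(rname: str) -> str:
    """Decode an RNAME into a mailbox: the first unescaped '.' separates the local
    part from the domain, and a backslash-escaped '.' in the local part is literal
    (john\\.smith.example.com. -> john.smith@example.com)."""
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):   # escaped character: keep it literally
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":                           # first real dot: the rest is the domain
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"RNAME has no domain part: {rname}")


def parse_soa(text: str) -> dict:
    """Split an SOA record (full zone-file line or `dig +short` rdata) into its
    seven fields, converting the serial and the four timers to integers."""
    tokens = text.split()
    rdata = tokens[tokens.index("SOA") + 1:] if "SOA" in tokens else tokens
    if len(rdata) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(rdata)}: {rdata}")
    soa = dict(zip(FIELD_NAMES, rdata))
    for key in FIELD_NAMES[2:]:
        soa[key] = int(soa[key])
    soa["admin_email"] = rname_to_email(soa["rname"])
    return soa
```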
The Serial Number Problem
Forgetting to increment the serial is the classic DNS mistake. You edit the zone file, add new records, save it, reload the nameserver. Everything looks right on the primary. But when secondaries check in, they compare serials, see they match, and skip the transfer.
Your update exists on one server and nowhere else.
This is why date-based serials work well—2024031501 obviously means March 15, 2024, revision 01. When you make changes on March 16th, you naturally write 2024031601. The format builds incrementing into the habit.
Zone transfers come in two flavors: AXFR sends the entire zone, IXFR sends only changes since a given serial. Incremental transfers only work because serials create a reliable timeline.
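Added example (not from the original page): a pre-reload check that catches exactly the mistake described above, a changed zone whose serial did not go up, plus a date-based serial generator that never goes backward; the zone snippets are constructed.

```python
import re
from datetime import date

# Constructed zone snippets (not from the page); the serial is the third SOA rdata field.
OLD_ZONE = """\
example.com. IN SOA ns1.example.com. admin.example.com. 2024031501 7200 3600 1209600 86400
www.example.com. IN A 192.0.2.10
"""
NEW_ZONE = OLD_ZONE + "api.example.com. IN A 192.0.2.11\n"

# group 1: everything up to the serial, group 2: the serial itself
SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s+)(\d+)")


def get_serial(zone_text: str) -> int:
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(2))


def next_serial(current: int, today: date) -> int:
    """Return a YYYYMMDDnn serial strictly greater than `current`. If `current` is
    already beyond today's range (a future-dated typo), keep counting up instead of
    going backward: a lower serial makes secondaries ignore every later update."""
    base = int(today.strftime("%Y%m%d")) * 100
    candidate = base + 1 if current < base else current + 1
    if candidate >= 2**32:                      # the serial is a 32-bit field
        raise ValueError("serial would overflow 32 bits")
    return candidate


def forgot_to_bump(old_zone: str, new_zone: str) -> bool:
    """True when the zone content changed but the serial did not increase: the
    state where the primary reloads fine and every secondary skips the transfer."""
    old_serial, new_serial = get_serial(old_zone), get_serial(new_zone)
    # compare the zones with the serial masked out, so only real content counts
    masked = lambda z: SERIAL_RE.sub(r"\1SERIAL", z)
    content_changed = masked(old_zone) != masked(new_zone)
    return content_changed and new_serial <= old_serial
```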
Choosing Values
Refresh: Dynamic zones that change often want 1800–3600 seconds. Stable zones can stretch to 21600–86400 seconds. Faster refresh means faster propagation but more load on your primary.
Retry: Keep it shorter than refresh—typically one-quarter to one-half. You want multiple retry attempts before the next scheduled refresh.
Expire: 7–14 days gives you time to fix a primary server outage before secondaries go silent, but not so long that they keep serving badly stale data through an extended problem.
Minimum TTL: 300–3600 seconds covers most cases. Shorter values (300–900) help during migrations or when you're frequently adding subdomains. Longer values (1800–3600) reduce load from repeated queries for names that don't exist.
Modern DNS adds NOTIFY messages: when you update the primary, it pings secondaries to check immediately rather than waiting for their next scheduled refresh. Propagation becomes nearly instant, with SOA timing as the reliable fallback.
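Added example (not code from the original page): a lint pass that checks a zone's four timers against the ranges given above, plus one hard rule the ranges imply, that a secondary must be able to refresh, fail and retry at least once before it expires. The timer dicts are constructed; the first one uses this page's example values.

```python
# Constructed SOA timers in seconds (not from the page); the first set is the page's example.
EXAMPLE_TIMERS = {"refresh": 7200, "retry": 3600, "expire": 1209600, "minimum": 86400}
DAY = 86400


def lint_soa_timers(t: dict, dynamic_zone: bool = False) -> list:
    """Return human-readable findings for refresh/retry/expire/minimum.
    dynamic_zone selects the 1800-3600s refresh range; otherwise 21600-86400s."""
    findings = []
    refresh, retry, expire, minimum = (t[k] for k in ("refresh", "retry", "expire", "minimum"))

    lo, hi = (1800, 3600) if dynamic_zone else (21600, 86400)
    if not lo <= refresh <= hi:
        findings.append(f"refresh {refresh}s is outside {lo}-{hi}s for this kind of zone")

    # retry must be shorter than refresh, ideally one-quarter to one-half of it
    if retry >= refresh:
        findings.append(f"retry {retry}s is not shorter than refresh {refresh}s")
    elif not refresh // 4 <= retry <= refresh // 2:
        findings.append(f"retry {retry}s is not 1/4-1/2 of refresh ({refresh // 4}-{refresh // 2}s)")

    if not 7 * DAY <= expire <= 14 * DAY:
        findings.append(f"expire {expire}s is outside 7-14 days")
    # hard rule: with expire <= refresh + retry a secondary can expire before its first retry
    if expire <= refresh + retry:
        findings.append(f"expire {expire}s leaves no room for a retry after a failed refresh")

    if not 300 <= minimum <= 3600:
        findings.append(f"minimum TTL {minimum}s is outside 300-3600s: NXDOMAIN answers are cached {minimum}s")
    return findings
```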
The Negative Caching Trap
The minimum TTL field catches people during migrations. When a resolver queries for a name that doesn't exist, it caches that NXDOMAIN response. If your minimum TTL is 86400 seconds, any resolver that tried and failed to find new-subdomain.example.com won't try again for 24 hours—even after you create it.
You're moving to new infrastructure, creating new subdomains. Someone's resolver looked up the new name yesterday, got NXDOMAIN, and cached it. Now they can't reach your service even though the record exists. You wait, confused. They wait, frustrated.
Lower your minimum TTL before major changes. Raise it again when things stabilize.
Diagnosing with SOA
The SOA record doubles as a diagnostic tool. Comparing serials across nameservers instantly reveals synchronization problems. If your primary shows serial 2024031505 but a secondary shows 2024031502, zone transfers aren't working—network issues, permissions, or the secondary can't reach the primary at all.
The expire timer tells you how long you have to fix it before that secondary stops answering. The refresh interval tells you how often it's trying.
Every field in the SOA record either controls synchronization or helps you debug it.
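Added example (not from the original page) of the serial comparison described above, run over constructed `dig +short SOA` outputs from hypothetical nameservers: it flags secondaries that are behind the primary and, the case that a plain "is it higher?" check hides, secondaries whose serial is ahead of the primary because the primary's serial went backward. The comparison is RFC 1982 serial arithmetic, which is what secondaries actually use.

```python
# Constructed `dig +short SOA example.com @<server>` outputs (hypothetical servers, not real data).
SOA_BY_SERVER = {
    "ns1.example.com": "ns1.example.com. admin.example.com. 2024031505 7200 3600 1209600 86400",
    "ns2.example.com": "ns1.example.com. admin.example.com. 2024031505 7200 3600 1209600 86400",
    "ns3.example.com": "ns1.example.com. admin.example.com. 2024031502 7200 3600 1209600 86400",
    "ns4.example.com": "ns1.example.com. admin.example.com. 2024031601 7200 3600 1209600 86400",
}


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is `a` newer than `b` in the 32-bit serial space?
    Equal serials are never 'newer', and a wrapped-around serial (past 2^32-1) is
    still newer, which a plain `a > b` gets wrong."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a > b and a - b < 2**31) or (a < b and b - a > 2**31)


def audit_sync(primary: str, outputs: dict) -> dict:
    """Classify each secondary against the primary's serial.
    'behind'  : transfers are failing; the secondary keeps answering until the
                expire timer (field 6 of the primary's SOA) runs out.
    'ahead'   : the primary's serial went backward, so this secondary will not pull
                again until the primary's serial is raised past it."""
    primary_fields = outputs[primary].split()
    primary_serial, expire = int(primary_fields[2]), int(primary_fields[5])
    report = {}
    for server, line in outputs.items():
        if server == primary:
            continue
        serial = int(line.split()[2])
        if serial == primary_serial:
            report[server] = "in sync"
        elif serial_newer(primary_serial, serial):
            report[server] = f"behind: serial {serial} < {primary_serial}, goes silent within {expire // 86400} days of the last successful refresh"
        else:
            report[server] = f"ahead: serial {serial} > {primary_serial}, primary serial must be raised above it"
    return report
```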