DNS Record Types
SOA Records: The Start of Authority Explained
8 min read · Updated 2026-06-19
Every DNS zone has exactly one SOA record — "Start of Authority" — sitting at its apex. It is the administrative heart of the zone: it names the zone's primary nameserver, records who is responsible for it, and carries the timers that control how secondary nameservers stay in sync and how long negative answers are cached.
This guide walks through what the SOA record holds, what each of its fields means, how primary and secondary nameservers use them to transfer the zone, and how to view a domain's SOA on who.is.
What the SOA record is
The SOA (Start of Authority) record marks the beginning of a DNS zone and holds the zone's top-level administrative settings. There is exactly one SOA record per zone, and it always lives at the zone apex — the root name of the zone itself, such as example.com. You cannot have two SOA records, and you cannot have a zone without one; it is mandatory and unique.
Because it sits at the apex, the SOA describes the whole zone rather than any single hostname. It answers three questions: which nameserver is the authoritative primary for this zone, who is the human responsible for it, and on what schedule should other nameservers and resolvers treat its data as fresh or stale. For how zones fit into the wider system, see What is DNS? and Nameservers and NS records.
What the SOA defines
An SOA record bundles three kinds of information into one entry:
- The primary nameserver — the server that holds the master copy of the zone (the
MNAMEfield). - The responsible party — an administrative email address, written in a special dotted form (the
RNAMEfield). - The timers — a serial number plus four time values (
REFRESH,RETRY,EXPIRE, andMINIMUM) that govern zone transfers and negative caching.
The next two sections break those fields down one by one.
The SOA fields in detail
An SOA record has seven fields. The first two are names; the rest are numbers:
| MNAME | The primary (master) nameserver for the zone — the server considered the authoritative source of the zone data, e.g. ns1.example.com. |
| RNAME | The responsible party's email, with the @ written as a dot. So hostmaster.example.com means hostmaster@example.com. |
| SERIAL | The zone's version number. You must increase it on every edit; secondaries compare it to decide whether to pull a fresh copy. A common convention is YYYYMMDDnn (date plus a two-digit counter), e.g. 2026061901. |
| REFRESH | How often (in seconds) a secondary checks the primary's serial to see if the zone has changed. |
| RETRY | How long a secondary waits before trying again after a failed refresh attempt. |
| EXPIRE | How long a secondary keeps serving the zone if it cannot reach the primary at all. After this, it stops answering for the zone. |
| MINIMUM | The negative-caching TTL — how long resolvers may cache "no such record" (NXDOMAIN) answers, per RFC 2308. |
The RNAME dotted form trips people up: because the local part is encoded with a dot, an address like john.doe@example.com has to escape that internal dot. In practice administrators avoid the issue by using a simple role mailbox such as hostmaster — which is exactly why hostmaster.example.com is the conventional value.
How primary and secondary nameservers use the timers
The timers exist to keep secondary (slave) nameservers in sync with the primary (master). The primary holds the editable copy of the zone; each secondary pulls a copy via a zone transfer and serves identical answers. The SOA timers choreograph that relationship:
- Every REFRESH seconds, a secondary asks the primary for its SOA and compares the SERIAL. If the primary's serial is higher, the zone changed, so the secondary transfers the new version.
- If that check fails (the primary is unreachable), the secondary waits RETRY seconds and tries again, repeating until it succeeds.
- If the primary stays unreachable for as long as EXPIRE, the secondary decides its data is too old to trust and stops serving the zone entirely, rather than handing out stale answers indefinitely.
So EXPIRE should always be comfortably larger than REFRESH and RETRY — it is the safety net for a prolonged primary outage. The SERIAL is the linchpin of the whole loop: it is the single signal a secondary uses to know whether anything needs transferring.
A worked example
Here is a realistic SOA record for example.com:
- MNAME:
ns1.example.com— the primary nameserver. - RNAME:
hostmaster.example.com— i.e.hostmaster@example.com. - SERIAL:
2026061901— the zone was last edited on 2026-06-19 (first change of the day). - REFRESH:
7200— secondaries check for changes every 2 hours. - RETRY:
3600— after a failed check, retry every 1 hour. - EXPIRE:
1209600— keep serving for up to 14 days without reaching the primary. - MINIMUM:
3600— cache "no such record" answers for 1 hour.
In standard zone-file form the same record reads roughly: example.com. IN SOA ns1.example.com. hostmaster.example.com. 2026061901 7200 3600 1209600 3600. Read left to right, those numbers are serial, refresh, retry, expire, and minimum.
Why forgetting to bump the serial breaks secondaries
The single most common SOA mistake is editing the zone but forgetting to increase the SERIAL. Remember that secondaries detect changes purely by comparing the serial. If you change an A record but leave the serial untouched, each secondary's periodic check sees the same number it already has, concludes nothing changed, and never pulls the update.
The result is a split-brain zone: the primary serves the new answer, but every secondary keeps serving the old one until something else forces a transfer. Because resolvers treat all authoritative nameservers as equal, visitors get inconsistent results depending on which nameserver they happen to reach. The fix is simple discipline — increase the serial on every edit — which is exactly why the YYYYMMDDnn convention is so popular: it makes a forgotten bump easy to spot and keeps serials monotonically increasing.
How managed DNS providers handle the SOA
If you run your DNS through a managed provider — a registrar's DNS, a cloud DNS service, or a CDN's DNS — you usually never touch the SOA by hand. The provider creates the SOA automatically when the zone is set up, fills in its own primary nameserver and a default responsible-party address, and picks sensible default timers.
Crucially, these providers bump the serial for you on every change you make through their dashboard or API, so the stale-secondary problem above simply doesn't arise. Many large providers also run their own internal replication rather than classic public zone transfers, so the REFRESH/RETRY/EXPIRE values you see are essentially informational. The fields most worth checking on a managed zone are the MNAME (does it point at the right provider?) and the MINIMUM negative-cache TTL.
The MINIMUM field and negative caching
The MINIMUM field no longer means what its name suggests. Originally it was a floor on record TTLs; under RFC 2308 it was redefined to set the negative-caching TTL — how long a resolver may cache a negative answer such as NXDOMAIN ("this name does not exist") or a "no records of this type" response.
This matters more than it looks. If you create a brand-new subdomain and resolvers recently cached an NXDOMAIN for it, that name can appear "not to exist" until the negative cache expires — governed by MINIMUM. A long MINIMUM makes mistakes and absences linger; a short one lets new names appear faster but slightly increases query load. It is the negative-answer counterpart to a record's own TTL, covered fully in TTL and propagation.
How to view a domain’s SOA on who.is
To see a domain's SOA record, run it through the who.is DNS lookup and look for the SOA entry. You'll see the primary nameserver, the responsible-party address, the current serial, and the four timers — a quick way to confirm the zone is hosted where you expect and that its serial is advancing as it should.
Pair it with the nameserver lookup to confirm the MNAME matches the delegated nameservers, and with WHOIS for the registration-side view. When the SOA's primary nameserver, the delegation, and WHOIS all agree, your zone is healthy and consistently configured.
Key takeaways
- Every zone has exactly one SOA (Start of Authority) record, and it lives at the zone apex.
- The SOA holds the primary nameserver (MNAME), the responsible-party email (RNAME, with @ written as a dot, e.g. hostmaster.example.com), a serial number, and four timers.
- Secondaries check the SERIAL every REFRESH, RETRY after a failed check, and stop serving after EXPIRE if they can’t reach the primary — so you must increase the serial on every edit.
- The MINIMUM field sets the negative-caching TTL (RFC 2308): how long resolvers cache NXDOMAIN / "no such record" answers.
- Managed DNS providers create the SOA and bump the serial automatically, so you rarely edit it by hand.
- View any domain’s SOA with the who.is DNS lookup to check the primary nameserver, serial, and timers.
Look up a domain’s DNS records
Inspect the SOA record and full DNS configuration for any domain on who.is.
Frequently asked questions
What does SOA stand for?▾
SOA stands for Start of Authority. It is the DNS record that marks the start of a zone and carries the zone's administrative settings: its primary nameserver, the responsible-party email, a version serial, and the timers that control zone transfers and negative caching.
What is the SOA serial number for?▾
The SERIAL is the zone's version number. Secondary nameservers compare the primary's serial to their own to decide whether the zone has changed and needs to be transferred. You must increase it on every edit — a common convention is YYYYMMDDnn (date plus a counter, e.g. 2026061901). Forget to bump it and secondaries won't pick up your changes.
What is the minimum / negative TTL in an SOA record?▾
The MINIMUM field sets the negative-caching TTL, as redefined by RFC 2308. It controls how long resolvers may cache a negative answer — an NXDOMAIN ("this name doesn't exist") or a "no records of this type" response. A long value means a name that was recently absent can keep appearing missing even after you create it. See TTL and propagation for the full picture.
How many SOA records can a zone have?▾
Exactly one. An SOA record is mandatory and unique: every zone must have one, and it always sits at the zone apex (the zone's root name). You cannot have two SOA records or a zone without one.
Do I need to edit the SOA myself?▾
Usually not. If you use a managed DNS provider — a registrar, cloud DNS service, or CDN — it creates the SOA for you and bumps the serial automatically whenever you change the zone, so the stale-secondary problem never appears. You'd edit the SOA by hand mainly when you run your own authoritative nameservers from a raw zone file.
What does the RNAME field mean?▾
RNAME is the responsible party's email address, written with the @ replaced by a dot. So hostmaster.example.com in an SOA record means hostmaster@example.com. Administrators favor a simple role mailbox like hostmaster precisely because addresses with a dot in the local part would need extra escaping in this format.