DNS & Domain Guides

SOA Records and DNS Zones Explained

Learn what an SOA record is, how DNS zones work, what SOA serial numbers mean, and how to troubleshoot common DNS zone problems.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 8 min read Beginner

Introduction

Every domain with DNS records has a DNS zone, and every DNS zone has an SOA record. The SOA record identifies important authority information for the zone, including the primary nameserver, responsible contact, serial number and timing values used by DNS systems.

Most domain owners do not edit SOA records directly, but SOA information is useful when troubleshooting DNS propagation, nameserver changes, secondary DNS, stale records or changes that do not appear as expected.

Quick answer

Quick answer

An SOA record, or Start of Authority record, identifies the authoritative DNS zone for a domain. It includes the primary nameserver, responsible contact, zone serial number and timing values. The SOA record helps DNS systems understand which zone is authoritative and whether zone data has changed.

What is an SOA record?

An SOA record is a required DNS record that appears at the start of a DNS zone. It contains administrative and version information about the zone.

An SOA record usually includes:

  • primary nameserver
  • responsible email/contact
  • serial number
  • refresh time
  • retry time
  • expire time
  • minimum TTL or negative cache TTL

You usually do not create SOA records manually. Most DNS providers generate and manage them automatically when a DNS zone is created.

What is a DNS zone?

A DNS zone is the collection of DNS records managed by an authoritative DNS provider for a domain or subdomain.

A zone can contain records such as:

  • A and AAAA records
  • CNAME records
  • MX records
  • TXT records
  • CAA records
  • NS records
  • SOA record

If example.com uses Cloudflare nameservers, the live DNS zone is usually managed in Cloudflare. If the same records also exist in cPanel, they may not matter unless cPanel nameservers are authoritative.

SOA record fields explained

Primary nameserver

The main authoritative nameserver listed for the zone.

Responsible contact

Administrative contact for the zone, often written like hostmaster.example.com instead of hostmaster@example.com.

Serial number

A version number for the DNS zone. It usually changes when DNS records are updated.

Refresh

How often secondary DNS servers should check the primary server for zone updates.

Retry

How long secondary servers should wait before retrying after a failed refresh.

Expire

How long secondary servers may keep serving the zone if they cannot reach the primary server.

Minimum TTL / negative cache TTL

Often used for caching negative answers such as “record not found.”

Many modern DNS providers manage these values automatically. Users usually only need to understand them for troubleshooting.

Why SOA serial numbers matter

The SOA serial number is like a version number for the DNS zone. When records change, the serial number usually increases.

This matters because secondary DNS systems may use the serial number to decide whether they need to update their copy of the zone.

  • If a secondary DNS server shows an old serial, it may be serving stale data.
  • If serial numbers do not increase after changes, zone transfers or secondary DNS updates may fail.
  • If two providers show different SOA records, you may be checking different DNS zones.

Authoritative zone vs inactive zone

A domain may have DNS records in multiple places, but only the zone behind the active nameservers is authoritative.

Example: the domain is registered at Provider A, hosting is at Provider B, and DNS nameservers point to Provider C. In this case, Provider C controls the live DNS zone. Records edited at Provider A or Provider B may not affect public DNS unless their nameservers are active.

If DNS changes are not working, check nameservers first. The correct DNS zone is the one served by the active authoritative nameservers.

Why this matters

Why this matters

SOA records and DNS zones matter because they help identify which DNS provider is authoritative and whether zone data has changed. When DNS records appear outdated, inconsistent or edited in the wrong place, SOA and nameserver checks can help confirm which zone is actually live.

SOA records usually do not break websites by themselves, but they can reveal zone-management problems.

How to check an SOA record

Use DNS Lookup to check the SOA record for a domain. You can also compare SOA results from different public resolvers to confirm whether they return the same authoritative zone data.

What to compare

When checking SOA records, compare these five values.

Domain

The domain or zone you are checking.

Primary nameserver

The main nameserver listed in the SOA response.

Serial number

The zone version number returned by DNS.

Active nameservers

The nameservers currently delegated for the domain.

Expected DNS provider

The provider where you expect the live zone to be managed.

If the SOA record points to a provider you did not expect, you may be checking or editing the wrong DNS zone.

Check SOA record now

Use DNS Lookup to inspect SOA, NS and other DNS records for your domain.

Run DNS Lookup →

Common SOA and DNS zone problems

Editing records in the wrong DNS zone

High

The domain uses nameservers from one provider, but records are being edited in another provider’s DNS zone.

Next step: Check active nameservers and edit records only in the authoritative zone.

SOA points to an unexpected provider

Medium

The SOA primary nameserver shows a DNS provider different from the one you expected.

Next step: Confirm nameserver delegation and DNS provider ownership.

Old zone data after nameserver change

Medium

Some resolvers may still return records from the previous DNS zone due to caching.

Next step: Allow cache expiry and compare results from multiple resolvers.

Secondary DNS not updating

Medium

Secondary DNS servers may not be receiving updated zone data.

Next step: Check SOA serial numbers, zone transfer settings and provider configuration.

SOA serial does not change after edits

Medium

The zone version may not be updating correctly, or the change was made in an inactive zone.

Next step: Confirm that the edited DNS zone is authoritative and that records were saved.

Missing or broken DNS zone

High

Nameservers are delegated, but the provider does not have a working zone for the domain.

Next step: Create the DNS zone and add required records, or restore correct nameservers.

DNSSEC mismatch after zone move

High

Old DS records at the registrar may not match the new DNS zone’s DNSSEC keys.

Next step: Update or remove DS records according to the new DNS provider’s DNSSEC setup.

How to fix DNS zone issues

  1. Check active nameservers

    Start by checking which nameservers are delegated for the domain. These nameservers determine the authoritative DNS provider.

  2. Identify the live DNS zone

    Log in to the provider that controls the active nameservers and confirm that the DNS zone exists there.

  3. Compare SOA responses

    Check the SOA record using public resolvers. Confirm that the primary nameserver and serial number match the expected provider.

  4. Make changes in the authoritative zone

    Apply DNS changes only in the live DNS zone. Changes made in inactive zones will not affect public DNS.

  5. Check important records

    After confirming the zone, verify A, AAAA, CNAME, MX, TXT, CAA and important subdomain records.

  6. Allow for caching

    Some resolvers may keep old values until TTL or negative cache values expire.

  7. Review DNSSEC if the zone moved

    If DNSSEC is enabled, confirm DS records at the registrar match the current DNS provider.

SOA record examples

SOA record example
example.com.  3600  IN  SOA  ns1.provider.com. hostmaster.example.com. (
  2026062801 ; serial
  3600       ; refresh
  900        ; retry
  1209600    ; expire
  300        ; negative cache TTL
)
Check commands
dig example.com SOA
dig +short example.com SOA
dig example.com NS
dig @8.8.8.8 example.com SOA
dig @1.1.1.1 example.com SOA

These examples are for understanding and testing only. Most DNS providers generate SOA records automatically.

SOA records and DNS propagation

SOA records can help troubleshoot propagation and stale DNS data. If different resolvers return different answers, comparing SOA records and serial numbers can help show whether they are using different zone versions or cached data.

Propagation issues are often caused by caching, nameserver changes or edits made in the wrong DNS zone. SOA checks help confirm which zone is being queried.

SOA records and secondary DNS

Secondary DNS setups use SOA values to decide when to refresh zone data from the primary server. The serial number is especially important because it tells secondary servers whether the zone has changed.

Most simple domains do not use secondary DNS directly, but agencies, hosting providers and larger setups may use it for redundancy.

DNS zones during migrations

During hosting, DNS or nameserver migrations, it is common to accidentally create two DNS zones: one old zone and one new zone. Only the zone behind the active nameservers is live.

Before switching nameservers, copy required records into the new zone:

  • website A/AAAA/CNAME records
  • MX records
  • SPF, DKIM and DMARC TXT records
  • CAA records
  • verification records
  • subdomain records

After switching nameservers, use DNS Lookup to confirm that public DNS returns records from the new authoritative zone.

Frequently asked questions

Do I need to create an SOA record manually?

Usually no. Most DNS providers create and manage the SOA record automatically when a DNS zone is created.

What is an SOA serial number?

The SOA serial number is a version number for the DNS zone. It usually increases when records are changed.

Can an SOA record break my website?

The SOA record itself usually does not break a website, but it can reveal problems such as wrong nameservers, inactive zones or stale DNS data.

What is a DNS zone?

A DNS zone is the set of DNS records managed by an authoritative DNS provider for a domain or delegated subdomain.

Why do I see different SOA records from different resolvers?

You may be seeing cached data, different delegated nameservers or an incomplete nameserver migration.

What does the responsible contact in SOA mean?

It is an administrative contact for the zone, often written with a dot instead of an @ symbol.

Does SOA affect email delivery?

Not directly. Email depends mainly on MX, SPF, DKIM and DMARC records, but SOA can help confirm whether you are checking the correct DNS zone.

Should I worry about SOA timing values?

Most users do not need to change them. They mainly matter for DNS providers, secondary DNS and advanced troubleshooting.

Use these free tools to verify your configuration after applying changes.

Browse all DNS & Domain guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.