
What Is Start of Authority in Networking?

Also known as: Start of Authority, SOA record, DNS zone, Network+ DNS, CompTIA Network+

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.


Quick Definition

A Start of Authority (SOA) record is like the master blueprint for a domain in the DNS system. It tells the internet which name server is the main source of truth for that domain and how long other servers should wait before checking for updates. Without an SOA record, the DNS system would not know who is in charge of a domain.

Must Know for Exams

The Start of Authority record is a frequent topic in the CompTIA Network+ certification exam (N10-008). It appears under Domain 1.0 Networking Fundamentals and Domain 2.0 Network Implementations, specifically in the context of DNS configuration and troubleshooting.

The exam expects candidates to understand the purpose of the SOA record, its key fields, and how misconfiguration can cause network issues. In Network+ exam questions, you might be asked to identify which DNS record type defines the primary name server for a zone. The SOA record is the correct answer.

You may also see questions about zone transfer and how secondary servers determine if they need an updated copy. The serial number in the SOA record is the mechanism that signals changes. Another common question type involves troubleshooting scenarios where DNS changes are not propagating.

The exam will present a situation where an administrator updated the IP address of a web server hours ago, but clients still receive the old IP address. The correct analysis might involve checking the refresh and expire intervals in the SOA record to understand why the change has not propagated. Candidates may also need to interpret SOA record parameters.

For example, a question might ask, Which SOA field determines how long a secondary server will continue to serve zone data if the primary server becomes unavailable? The answer is the expire interval. Additionally, the Network+ exam may test the format of the SOA record.

Look for questions that ask about the RNAME field and how the administrator's email address is represented. Remember that the @ symbol is replaced with a dot, so admin@example.com becomes admin.example.com in the SOA record. The CompTIA Network+ objectives also include understanding the role of the SOA record in the DNS hierarchy and caching. While the exam does not require memorizing exact default values, you should know the purpose of each field and the effect of setting them too high or too low.

Finally, the SOA record appears in the context of DNS record types alongside A, AAAA, CNAME, MX, NS, and TXT records. Exam questions may ask you to differentiate between these types. The SOA record is unique because it defines authority and operational parameters, not a specific resource like an IP address or mail server.

Simple Meaning

Imagine you have a big office building with many departments. Each department has its own phone directory that lists employees and their extensions. But someone needs to be the main person in charge of the entire building directory.

That person decides who can update the directory, how often the directory gets reprinted, and what to do if something goes wrong. In the world of the internet, a domain name like example.com works the same way.

Computers use the Domain Name System, or DNS, to look up information about a domain. DNS records tell computers the IP address of a website, where to send email, and other important details. But for all of this to work smoothly, there needs to be one master record that says, This is the main server in charge of this domain, this is how often you should refresh your copy of the directory, and here is what happens if you cannot reach the main server.

That master record is called the Start of Authority, or SOA record. You can think of the SOA record as the home base for a domain. It is the first place a DNS server looks when it wants to confirm who is the authority for that domain.

The SOA record includes several important pieces of information. It names the primary name server, which is the main server holding the official DNS records. It also includes the email address of the person responsible for managing the domain.

Additionally, it contains timing values that control how long other DNS servers cache the information, how often they should check for changes, and what to do if a secondary server cannot reach the primary server. These timing values are like the refresh schedule for a printed directory. If the office directory is updated every month, everyone knows to get a new copy on the first day of each month.

If someone tries to check the directory more often, they are wasting effort. If they wait too long, they might have outdated information. The SOA record sets the right balance between keeping data fresh and not overloading the network.

In summary, the SOA record is the foundation of DNS management for any domain. It establishes authority, defines timing rules, and provides a way to contact the domain administrator. Without it, the DNS system would have no way to know who is in charge or how to handle updates and errors.

Full Technical Definition

The Start of Authority (SOA) record is a fundamental resource record in the Domain Name System (DNS) as defined in RFC 1035. It is required for every DNS zone and appears at the beginning of a zone file. The SOA record contains seven key fields that together define the authority and operational parameters for the zone.

The first field is MNAME, which specifies the primary master name server for the zone. This is the authoritative server where the zone file is maintained and updated. The second field is RNAME, which contains the email address of the administrator responsible for the zone, formatted as a domain name (for example, admin.example.com represents admin@example.com). The remaining five fields are serial number, refresh, retry, expire, and minimum TTL (Time to Live). The serial number is a version number for the zone file.

When changes are made to the zone, the serial number must be incremented so that secondary servers know the zone has been updated. Typical conventions use a date-based format like YYYYMMDDNN, where NN is a sequence number for changes made on that day. The refresh interval specifies how often a secondary DNS server should check the primary server for updates.

Common values range from one to several hours. The retry interval defines how long the secondary server should wait before trying again after a failed refresh attempt. The expire interval tells the secondary server how long it can continue serving stale zone data if it cannot reach the primary server.

After this period expires, the secondary server stops answering queries for that zone. The minimum TTL field originally defined the default TTL for resource records without an explicit TTL, though modern DNS implementations use it differently. In current practice, the minimum TTL often sets the negative caching TTL, which controls how long a resolver can cache a negative response (NXDOMAIN) for a nonexistent record.

SOA records are implemented in all DNS server software, including BIND, Microsoft DNS, PowerDNS, and cloud DNS services like AWS Route 53 or Cloudflare DNS. Administrators configure the SOA record parameters to balance performance, reliability, and data freshness. A very short refresh interval keeps data synchronized quickly but increases load on the primary server.

A very long expire interval allows secondary servers to serve stale data for longer, which can help during outages but may lead to outdated information. In real IT environments, the SOA record is essential for zone transfers between primary and secondary name servers. The serial number is checked during zone transfers to determine if the secondary server needs an update.

The SOA record also appears in the response to DNS queries for the zone apex, such as when a resolver asks for the SOA record directly. Understanding the SOA record is crucial for network administrators because misconfigured SOA values can cause DNS resolution failures, slow propagation of updates, or unnecessary traffic between DNS servers.

Real-Life Example

Think of a large public library that serves a whole city. The library has a central catalog that lists every book, where it is located, and whether it is checked out. But the library system is not just one building; there are many branch libraries across the city.

Each branch has a copy of the central catalog so that patrons can search for books without traveling to the main library. However, someone must be in charge of the master catalog. That person is the head librarian at the main branch.

The head librarian decides when the catalog is updated with new books, how often branches should download a fresh copy, and what to do if a branch cannot reach the main library. In this analogy, the head librarian and the main branch together are like the Start of Authority record for the library system. The head librarian sets a schedule: refresh your catalog every night at midnight.

If a branch tries to refresh and fails, it should try again one hour later. If the branch cannot reach the main library for three days, it should stop using its catalog and tell patrons the system is down. These rules mirror the SOA record fields: the primary name server is the main branch, the administrator email is the head librarian's email, the serial number is the catalog version date, refresh is every 24 hours, retry is one hour, expire is three days, and the minimum TTL tells branches how long to assume that a book which was not listed truly does not exist.

Now imagine a patron walks into a branch and asks for a book that was added yesterday. If the branch refreshed its catalog at midnight, it has the new information. If it has not refreshed yet, the branch might not find the book.

The SOA record parameters determine this timing. If the refresh interval is too long, patrons get stale information. If it is too short, the main library gets overwhelmed with requests.

By configuring the SOA correctly, the library system stays efficient and reliable. This everyday example maps directly to how the DNS SOA record works. The primary name server is the main source of truth.

Secondary servers are the branches that keep copies. The serial number is the version stamp. Refresh, retry, and expire are the timing controls that keep the system running smoothly while preventing overload.

Why This Term Matters

The Start of Authority record matters because it is the backbone of DNS zone management. Every domain on the internet must have an SOA record, and without it, the DNS system cannot operate effectively for that domain. For IT professionals working in networking, system administration, or cloud infrastructure, understanding the SOA record is essential for several practical reasons.

First, the SOA record controls how changes propagate across the internet. When you update a website IP address or add a new mail server, you need the change to reach all DNS resolvers quickly. The refresh and retry intervals in the SOA record dictate how fast secondary servers pick up the change.

If these values are set too high, updates can take hours or even days to propagate, causing downtime or confusion. Second, the SOA record directly impacts DNS reliability. The expire interval determines how long secondary servers keep serving old data if the primary server goes down.

If the expire interval is too short, a brief outage at the primary server can cause the entire domain to become unresolvable. If it is too long, users might get outdated information for an extended period. Finding the right balance is a key skill for network administrators.

Third, the SOA record is involved in zone transfers. When you add a secondary DNS server to provide redundancy, it uses the SOA serial number to know whether its zone copy is current. Misconfigured serial numbers are a common source of DNS problems, where changes are made on the primary server but never get transferred to secondaries because the serial number was not incremented.

Fourth, in cloud and hybrid environments, the SOA record settings must be coordinated between different DNS providers. For example, if you use AWS Route 53 as your primary DNS and a third party as secondary, the SOA parameters must align to ensure smooth synchronization. Finally, the SOA record contains the administrator's email address.

This is a practical contact point for other DNS administrators who detect issues with your domain, such as misconfigured records or security problems. In summary, the SOA record is not just a technical detail. It is a critical tool for ensuring that DNS works reliably, changes propagate correctly, and the domain remains available even during failures.

How It Appears in Exam Questions

In certification exams, Start of Authority questions take several forms. The most direct type asks you to identify the purpose or fields of the SOA record. For example, Which DNS record type specifies the primary name server and administrator email for a domain?

The answer is the SOA record. Another common pattern is the parameter interpretation question. You might see a sample SOA record like: example.com. SOA ns1.example.com. admin.example.com. 2025010101 3600 600 86400 300. The question could ask, Which value represents the zone serial number? or How often does the secondary server attempt to refresh its zone data? You need to know the order of fields and their meanings.

Scenario-based questions are also frequent. A typical scenario: A company has two DNS servers, one primary and one secondary. The network administrator updates the primary server with a new IP address for the company website.

Three hours later, some users still see the old website. What is the most likely cause? The answer could involve the refresh interval being set too high, meaning the secondary server has not checked for updates yet.

Another scenario: The primary DNS server experiences a hardware failure and remains offline for two days. After the failure, secondary servers stop responding to queries for the domain. Which SOA parameter caused this?

The expire interval was set to less than two days, so the secondary servers stopped serving the zone. Configuration questions may ask you to recommend SOA values for specific goals. For example, An organization wants DNS changes to propagate within 30 minutes while minimizing load on the primary server.

What refresh interval should they configure? The correct reasoning would involve a refresh interval of 1800 seconds (30 minutes) or similar. Troubleshooting questions can involve serial number mismatches.

If a secondary server is not updating despite changes on the primary, the most common reason is that the serial number was not incremented. The exam might present logs showing a zone transfer request but no update, and ask what is missing. Because the SOA record is part of the DNS zone file format, exam questions may also ask about the hierarchical structure.

For instance, What type of DNS server holds the SOA record for a zone? The answer is the authoritative name server. Finally, exam questions sometimes confuse you by listing other record types as distractors.

For example, a question might ask, Which record type contains the serial number for a DNS zone? Options could include A, MX, NS, SOA, and CNAME. The correct choice is SOA.


Example Scenario

A mid sized company called GreenField Technologies runs its own website at www.greenfieldtech.com. The company has two DNS servers: one primary server in the main office and one secondary server at a backup data center.

The network administrator recently updated the website IP address from 192.168.1.10 to 192.168.1.20 because the company moved to a new hosting provider. The administrator made the change on the primary server at 9:00 AM.

For the rest of the day, the administrator receives calls from employees who say they cannot reach the website from the backup data center. When the administrator checks the secondary server, it still shows the old IP address. The administrator then checks the SOA record for the greenfieldtech.com zone, which holds the www.greenfieldtech.com record, and finds the following values: serial number 2025010101, refresh 43200 seconds (12 hours), retry 3600 seconds (1 hour), expire 604800 seconds (7 days). The administrator realizes the refresh interval is 12 hours, meaning the secondary server only checks for updates twice a day.

The change made at 9 AM will not be picked up until the next refresh cycle at 9 PM or later. The administrator also notices that the serial number was not incremented after the change, which means even if the secondary server did check, it would not detect the update. This scenario shows how the SOA parameters directly affect how quickly DNS changes spread.

The administrator now understands that for future changes, they should either lower the refresh interval temporarily or force a manual zone transfer after updating the serial number.
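To see the scenario's timing play out, here is an added Python simulation (not code from the original page) of how a secondary server acts on the refresh, retry and expire timers, comparing serials with the RFC 1982 serial arithmetic that real servers use. The 08:00 last-check time, the outage case and all helper names are assumptions made for this example.

```python
"""Simulate a secondary name server driven by the SOA refresh, retry and expire timers.

Added example, not code from the original page. It replays the GreenField scenario
above (refresh 43200, retry 3600, expire 604800, change at 09:00) and a primary
outage, comparing serials with RFC 1982 serial arithmetic. The 08:00 last-check
time and all helper names are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

SERIAL_MOD = 2**32


@dataclass
class Timers:
    refresh: int  # seconds between routine SOA checks against the primary
    retry: int    # seconds to wait after a failed check
    expire: int   # seconds without a successful check before the zone is dropped


@dataclass
class SecondaryState:
    serial: int           # serial of the zone copy currently held
    last_success: int     # time of the last successful SOA check (seconds)
    next_check: int       # time of the next scheduled check (seconds)
    serving: bool = True  # False once the zone has expired
    log: list = field(default_factory=list)


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982: is candidate newer than current, modulo 2**32?"""
    # A serial that went down (2025010101 -> 1) is not newer, so a secondary
    # ignores it; a difference of exactly 2**31 is undefined, treated as not newer.
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_MOD < SERIAL_MOD // 2


def tick(state: SecondaryState, timers: Timers, now: int,
         primary_serial: Optional[int]) -> None:
    """Advance the secondary to time `now`; primary_serial None = unreachable."""
    if state.serving and now - state.last_success >= timers.expire:
        state.serving = False
        state.log.append((now, "expire: zone dropped, queries now fail"))
    if now < state.next_check:
        return
    if primary_serial is None:
        state.next_check = now + timers.retry   # failed check: back off by retry
        return
    state.last_success = now
    if not state.serving or serial_newer(primary_serial, state.serial):
        state.log.append((now, f"transfer: serial {state.serial} -> {primary_serial}"))
        state.serial, state.serving = primary_serial, True
    else:
        state.log.append((now, f"no change: serial {primary_serial} is not newer"))
    state.next_check = now + timers.refresh     # successful check: wait refresh


def run(state: SecondaryState, timers: Timers, start: int, end: int,
        primary_serial_at: Callable[[int], Optional[int]], step: int = 60) -> SecondaryState:
    """Drive the secondary from start to end (inclusive) in fixed steps of `step` seconds."""
    for now in range(start, end + 1, step):
        tick(state, timers, now, primary_serial_at(now))
    return state


def hours(h: float) -> int:
    return int(h * 3600)


GREENFIELD = Timers(refresh=43200, retry=3600, expire=604800)
OLD_SERIAL, NEW_SERIAL = 2025010101, 2025010102


def greenfield(serial_bumped: bool) -> SecondaryState:
    """The A record changes at 09:00 on day 0; the secondary last checked at 08:00."""
    state = SecondaryState(serial=OLD_SERIAL, last_success=hours(8),
                           next_check=hours(8) + GREENFIELD.refresh)

    def primary(now: int) -> int:
        return NEW_SERIAL if serial_bumped and now >= hours(9) else OLD_SERIAL

    return run(state, GREENFIELD, hours(8), hours(24), primary)


def outage(days_down: int) -> SecondaryState:
    """The primary is unreachable from 00:00 on day 1 for days_down days."""
    state = SecondaryState(serial=OLD_SERIAL, last_success=hours(20),
                           next_check=hours(20) + GREENFIELD.refresh)
    down_from, down_until = hours(24), hours(24 + 24 * days_down)

    def primary(now: int) -> Optional[int]:
        return None if down_from <= now < down_until else OLD_SERIAL

    return run(state, GREENFIELD, hours(20), down_until + hours(24), primary)
```

Inspecting greenfield(False).log shows the 20:00 check reporting no change because the serial was never bumped, greenfield(True).log shows the transfer landing at 20:00, eleven hours after the change, and outage(8).log shows the zone dropped at hour 188, exactly the 7-day expire after the last successful check.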

Common Mistakes

Thinking the SOA record is only needed for the root domain and not for subdomains.

Every DNS zone, including subdomain zones, must have its own SOA record. Each zone is an independent administrative boundary, and the SOA defines authority for that specific zone.

Remember that every zone, whether it is example.com or sub.example.com, requires an SOA record. If you delegate a subdomain to another name server, that subdomain zone must have its own SOA.

Confusing the SOA record with the NS (Name Server) record.

The SOA record defines the primary name server and administrative parameters for a zone. The NS record lists all authoritative name servers for the zone, which includes both primary and secondary servers. They serve different purposes.

Think of SOA as the master authority and NS as the list of all authorities. Both are needed, but they are not interchangeable.

Believing the refresh interval controls how often end users update their cached DNS data.

The refresh interval is used by secondary DNS servers to check for zone updates. End user caching is controlled by the TTL (Time to Live) values on individual resource records, not the SOA refresh.

Separate the concepts: refresh is for server to server synchronization, TTL is for client caching. They work independently.

Forgetting to increment the serial number when making zone changes.

Secondary servers use the serial number to determine if the zone has changed. If the serial number is not incremented, the secondary server thinks nothing has changed and will not update its copy, even if the refresh interval has elapsed.

Always increase the serial number every time you modify a zone file. A common practice is to use a date based format like YYYYMMDDNN and increment NN for each change that day.

Setting the expire interval too short, causing secondary servers to stop serving during planned maintenance.

If the expire interval is short, a temporary outage on the primary server can cause all secondary servers to stop answering queries for the zone. This leads to a complete DNS outage for the domain.

Set the expire interval to a value that accommodates your longest expected maintenance window. A typical value is 7 days (604800 seconds) or more.

Exam Trap — Don't Get Fooled

The exam shows a sample SOA record with the fields in a different order than expected, or the RNAME field appears with an @ symbol instead of a dot. Memorize the exact order and format of the seven SOA fields. Practice reading raw SOA records from zone files.

Remember that the email address is written with a dot instead of @. So if you see hostmaster.example.com in the RNAME field, it means hostmaster@example.com. Also understand that the serial number comes after the RNAME field, not before.

Use mnemonics like My Red Squirrel Runs Really Fast Every Morning to remember the order: MNAME, RNAME, Serial, Refresh, Retry, Expire, Minimum TTL.

Commonly Confused With

Start of Authority vs NS record

The NS record lists all authoritative name servers for a zone, including both primary and secondary servers. The SOA record specifically identifies the primary name server and includes administrative parameters. You can have multiple NS records but only one SOA record per zone.

If you query the NS records for example.com, you might get ns1.example.com and ns2.example.com. The SOA record would tell you that ns1.example.com is the primary server and the refresh interval is 3600 seconds.

Start of Authority vs A record

An A record maps a domain name to an IPv4 address. The SOA record does not map names to IP addresses. It defines authority and timing parameters for the entire zone. They serve completely different purposes in DNS.

The A record for www.example.com points to 192.168.1.1. The SOA record for example.com tells the secondary servers that ns1.example.com is the primary server and to refresh every 6 hours.

Start of Authority vs CNAME record

A CNAME record aliases one domain name to another. The SOA record is not an alias. It is a foundational record that establishes authority. The SOA record always exists at the zone apex, while CNAME records cannot exist at the zone apex in standard DNS.

A CNAME for mail.example.com might point to mail.google.com. The SOA for example.com remains at the root of the zone and has nothing to do with aliasing.

Start of Authority vs TTL

TTL (Time to Live) is a value on each individual DNS record that tells resolvers how long to cache that record. The SOA record contains a minimum TTL field, but that is a separate parameter used for negative caching. TTL values on A records control client caching, while SOA parameters control server to server synchronization.

An A record for www.example.com might have a TTL of 300 seconds. The SOA record for the same zone might have a refresh of 3600 seconds and a minimum TTL of 300 seconds. These are different values with different purposes.

Step-by-Step Breakdown

1. Zone Creation

When a DNS administrator creates a new zone, the first record that must be added is the Start of Authority record. The SOA establishes the zone as an administrative boundary and defines the primary name server. Without an SOA record, a zone file is considered incomplete and invalid.

2. Primary Name Server Declaration

The MNAME field of the SOA record specifies the fully qualified domain name of the primary master name server for the zone. This is the server where the zone file is edited. Secondary servers use this information to know where to check for updates. This field is essential for zone transfers.

3. Administrator Contact Information

The RNAME field stores the email address of the person or group responsible for managing the zone. The address is formatted as a domain name, with the @ symbol replaced by a dot. This contact is used when other DNS administrators need to report issues like misconfigured records or security concerns.

4. Serial Number Assignment

A serial number is assigned to the zone, typically in a date based format. Every time the zone file is modified, the serial number must be incremented. Secondary servers compare serial numbers with the primary server to determine if a zone transfer is needed. Mismatched serial numbers are a common cause of DNS synchronization failures.

5. Refresh Interval Configuration

The refresh interval defines how often secondary servers should check the primary server for updates. This value is set in seconds. A shorter interval means faster propagation of changes but more load on the primary server. The correct value balances update speed with server resources.

6. Retry and Expire Interval Configuration

The retry interval specifies how long a secondary server waits before retrying after a failed refresh attempt. The expire interval defines how long a secondary server continues to serve zone data if it cannot reach the primary server. After the expire period passes, the secondary stops answering queries for the zone. These values protect against data staleness and inform users of authoritative failures.

7. Minimum TTL Setting

The minimum TTL field originally set the default TTL for all records in the zone that did not have an explicit TTL. In modern DNS, it is often used as the negative caching TTL, which tells resolvers how long to cache the fact that a record does not exist. This helps reduce unnecessary queries for nonexistent domains.

Practical Mini-Lesson

The Start of Authority record is one of the most important DNS records you will configure as a network or system administrator. It is the first thing you create when setting up a new DNS zone, and it controls how your domain behaves across the internet. Let us walk through a practical configuration example using a typical zone file format.

In a BIND zone file, the SOA record looks like this:

    example.com.  IN  SOA  ns1.example.com. admin.example.com. (
            2025010101 ; serial
            3600       ; refresh
            600        ; retry
            86400      ; expire
            300        ; minimum TTL
    )

Every element in this record matters. The first line declares the zone name and record type, and ns1.example.com is the primary name server. Note the trailing dot after each fully qualified domain name: DNS treats a name without a trailing dot as relative to the current zone, so a bare example.com inside the example.com zone would be read as example.com.example.com.

Forgetting the trailing dot is a common mistake that breaks the zone. The admin.example.com entry is the RNAME field, which means admin@example.com. The serial number 2025010101 uses the date format.

When you make a change tomorrow, you would increment this to 2025010102 or change the date. The refresh value of 3600 seconds means secondary servers check the primary every hour. The retry value of 600 seconds means if a refresh fails, the secondary will try again in 10 minutes.

The expire value of 86400 seconds (24 hours) means if the primary goes offline, secondaries will keep serving for one day before stopping. The minimum TTL of 300 seconds tells resolvers to cache negative responses for 5 minutes. In production, you must set these values carefully.

For a critical domain that changes frequently, use a lower refresh interval like 1800 seconds (30 minutes) and a moderate expire like 172800 seconds (2 days). For a stable domain, higher values reduce server load. Always remember to increment the serial number after every change.

A common mistake is to edit the zone file but forget the serial number. The secondary server will not detect the update, and your changes will not propagate. In cloud DNS services like AWS Route 53, the SOA record is automatically managed, but you can still modify the timing parameters through the console or API.
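The field-order reading that the exam questions earlier and this mini-lesson rely on, as an added Python example that is not code from the original page: it parses the BIND-style record shown above, applies the trailing-dot rule against $ORIGIN, decodes RNAME back into a mailbox (including the escaped-dot case), and computes the next YYYYMMDDNN serial. The sample zone text and all helper names are constructed for this example.

```python
"""Parse an SOA record from zone-file text and interpret its seven fields.

Added example, not code from the original page. Field order and the RNAME
mailbox encoding follow RFC 1035; the sample zone and helper names are
constructed for this demonstration.
"""
import re
from dataclasses import dataclass

CLASSES = {"IN", "CH", "HS"}
UINT32_MAX = 2**32 - 1


@dataclass
class SOA:
    owner: str
    mname: str    # primary master name server
    rname: str    # administrator mailbox encoded as a domain name
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int  # negative-caching TTL in current practice (RFC 2308)

    def admin_email(self) -> str:
        """Decode RNAME: the first unescaped dot becomes '@'."""
        # A literal dot in the local part is escaped as '\.' in the zone
        # file, so john\.doe.example.com. means john.doe@example.com.
        parts = re.split(r"(?<!\\)\.", self.rname.rstrip("."), maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"RNAME {self.rname!r} has no domain part")
        local = parts[0].replace("\\.", ".")
        return f"{local}@{parts[1]}"


def qualify(name: str, origin: str) -> str:
    """Apply the trailing-dot rule: a name without it is relative to $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                # already fully qualified
    return f"{name}.{origin}"      # 'ns1' in zone example.com. -> ns1.example.com.


def parse_soa(zone_text: str, origin: str) -> SOA:
    """Extract the SOA; handles ';' comments, '( ... )' and an optional TTL/class.

    Integer fields are assumed to be plain seconds (BIND's '1h' units are not
    handled); '$' directive lines are skipped and the origin is passed explicitly.
    """
    if not origin.endswith("."):
        raise ValueError("origin must be fully qualified (end with '.')")
    lines = [ln.split(";", 1)[0] for ln in zone_text.splitlines()
             if not ln.lstrip().startswith("$")]
    tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
    if "SOA" not in tokens:
        raise ValueError("no SOA record found")
    i = tokens.index("SOA")
    owners = [t for t in tokens[:i] if t not in CLASSES and not t.isdigit()]
    if len(owners) != 1:
        raise ValueError(f"cannot identify the owner name in {tokens[:i]}")
    rdata = tokens[i + 1:i + 8]
    if len(rdata) != 7:
        raise ValueError(f"SOA needs 7 RDATA fields, found {len(rdata)}")
    numbers = [int(v) for v in rdata[2:]]
    if any(not 0 <= n <= UINT32_MAX for n in numbers):
        raise ValueError("SOA integer fields must fit in 32 bits")
    return SOA(qualify(owners[0], origin), qualify(rdata[0], origin),
               qualify(rdata[1], origin), *numbers)


def next_serial(current: int, today_yyyymmdd: int) -> int:
    """Serial to use after a change, following the YYYYMMDDNN convention.

    Start today's sequence at NN=00 when the date is ahead of the serial;
    otherwise (more edits today, or a serial already ahead of the clock) add
    one, which is all a secondary needs in order to see a newer serial.
    """
    candidate = today_yyyymmdd * 100
    new = candidate if candidate > current else current + 1
    if new > UINT32_MAX:
        raise ValueError("serial would overflow 32 bits")
    return new


# Constructed sample in the same form as the BIND record discussed above.
SAMPLE_ZONE = """\
$ORIGIN example.com.
example.com.  IN  SOA  ns1.example.com. admin.example.com. (
        2025010101 ; serial
        3600       ; refresh
        600        ; retry
        86400      ; expire
        300        ; minimum TTL
)
"""
```

Calling parse_soa(SAMPLE_ZONE, "example.com.") returns the seven fields by name, so "which value is the serial?" becomes a lookup rather than a position count, and next_serial(2025010101, 20250102) gives 2025010200 for the first edit of the following day.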

Understanding the SOA record helps you troubleshoot issues like slow DNS propagation, zone transfer failures, and secondary server outages. For example, if you change a website IP address and it takes hours to update everywhere, check the refresh interval on the SOA. If your secondary servers stop serving unexpectedly, check the expire interval.

In summary, the SOA record is the control panel for your DNS zone. Master its fields, and you will have a reliable and responsive DNS infrastructure.

Memory Tip

Remember the seven SOA fields in order with: My Red Squirrel Runs Really Fast Every Morning. M for MNAME, R for RNAME, S for Serial, R for Refresh, R for Retry, E (Every) for Expire, M for Minimum TTL. The word Fast is only there to make the sentence flow; it does not stand for a field.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008, N10-009 (current version)


Frequently Asked Questions

Is the SOA record required for every DNS zone?

Yes, every DNS zone must contain exactly one SOA record. It is mandatory because it defines the zone authority and provides essential timing parameters for name servers.

What happens if I set the SOA refresh interval too low?

Setting the refresh interval too low increases the load on the primary DNS server because secondary servers will query it frequently. This can slow down the server and cause unnecessary network traffic.

Can I have more than one SOA record in a zone?

No, a zone can only have one SOA record. It is a singleton record that defines the single source of authority for that zone.

How do I update the SOA record on my DNS server?

You edit the zone file on the primary name server, modify the SOA fields as needed, increment the serial number, and then reload the zone. In managed DNS services, you can change SOA values through a control panel or API.

What is the difference between SOA refresh and TTL on an A record?

The SOA refresh interval controls how often secondary DNS servers check the primary server for zone updates. The TTL on an A record controls how long client resolvers cache that specific record. They are independent parameters.

Why does the SOA record contain an email address?

The email address in the RNAME field identifies the administrator responsible for the zone. Other DNS administrators can use this contact to report issues like misconfigurations or security problems related to the domain.

What does the expire interval do in the SOA record?

The expire interval tells secondary servers how long they can continue to serve zone data if they cannot reach the primary server. After this period, the secondary servers stop answering queries for the zone, preventing the spread of stale information.

Summary

The Start of Authority record is the cornerstone of DNS zone management. It establishes which name server is the primary authority for a domain and provides critical timing parameters that control how DNS data is synchronized and cached. For IT professionals and certification candidates, understanding the SOA record is essential because it directly impacts DNS reliability, propagation speed, and troubleshooting.

The seven fields of the SOA record (MNAME, RNAME, serial number, refresh, retry, expire, and minimum TTL) each serve a specific purpose. The refresh interval determines how often secondary servers check for updates. The retry interval governs recovery from failed checks.

The expire interval sets a limit on how long stale data can be served. The serial number ensures that changes are properly versioned and propagated. In certification exams like CompTIA Network+, the SOA record appears in questions about zone transfers, DNS configuration, and troubleshooting propagation issues.

The most common mistakes include confusing the SOA with NS records, forgetting to increment the serial number, and misinterpreting the timing fields. To master this concept, remember that the SOA record is the master blueprint for a DNS zone. It is the first record created and the last record that fails when things go wrong.

Keep your SOA values balanced for your environment, always update the serial number with changes, and use the RNAME field for a valid administrator contact. With this knowledge, you will be prepared to manage DNS effectively in any IT role and to answer exam questions with confidence.