SOA record lookup
SOA holds zone administrative metadata: primary NS, contact email, serial number (incrementing on every change), and timing values for slave-server refresh.
How to look it up
Four ways to query — pick by what's available on your machine.
- dig: `dig SOA example.com +short`
- dotdig: `dotdig soa example.com`
Sample response
ns1.example.com. hostmaster.example.com. 2026042801 3600 600 1209600 86400
Format
Fields: primary-NS, RNAME (admin email, with `.` replacing `@`), serial, refresh, retry, expire, minimum-TTL. The serial often follows the `YYYYMMDDNN` format.
Common pitfalls
- The serial number is critical for slave NS sync. If you edit the zone but forget to bump the serial, slaves keep the old data. Most DNS UIs auto-bump.
- RNAME format: `hostmaster.example.com.` = `hostmaster@example.com`. The first dot replaces `@`. Dots within the local-part need escaping.
- The negative-cache TTL (the minimum field, last in the SOA) controls how long NXDOMAIN is cached. An aggressively low value means more queries; a high value means slow propagation of new records.
Why it matters for security
The SOA contact email may be public, and attackers harvest it for phishing. Use a role address, not a personal one. Serial numbers leak zone change frequency.
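The format and pitfalls above, as an added Python example that is not part of the original page: it parses the `dig +short` sample response, converts RNAME to an email address (honouring escaped dots), decodes a `YYYYMMDDNN` serial, and flags a stale secondary with RFC 1982 serial arithmetic. The secondary answer and the `ROLE_LOCAL_PARTS` list are constructed assumptions.

```python
import re
from datetime import datetime

ROLE_LOCAL_PARTS = {"hostmaster", "dnsadmin", "noc", "admin"}  # assumed list, adjust to your policy

def rname_to_email(rname: str) -> str:
    """First unescaped dot in RNAME becomes '@'; an escaped '\\.' stays a literal dot."""
    name = rname.rstrip(".")
    m = re.search(r"(?<!\\)\.", name)
    if m is None:
        raise ValueError(f"RNAME has no domain part: {rname!r}")
    return name[:m.start()].replace("\\.", ".") + "@" + name[m.end():]

def parse_soa(line: str) -> dict:
    """Parse the seven fields printed by `dig SOA <zone> +short`."""
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(parts)}")
    soa = {"mname": parts[0], "email": rname_to_email(parts[1])}
    soa.update(zip(("serial", "refresh", "retry", "expire", "minimum"), map(int, parts[2:])))
    return soa

def serial_date(serial: int):
    """Return (date, revision) if the serial follows YYYYMMDDNN, else None."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return datetime.strptime(s[:8], "%Y%m%d").date(), int(s[8:])
    except ValueError:
        return None

def secondary_is_stale(primary_serial: int, secondary_serial: int) -> bool:
    """RFC 1982 serial arithmetic: True if the primary's serial is newer."""
    return 0 < (primary_serial - secondary_serial) % 2**32 < 2**31

def uses_role_address(soa: dict) -> bool:
    """True if the contact's local-part is in the assumed role-name list."""
    return soa["email"].split("@", 1)[0].lower() in ROLE_LOCAL_PARTS

# Constructed sample data: the page's sample response plus a made-up secondary answer.
PRIMARY = "ns1.example.com. hostmaster.example.com. 2026042801 3600 600 1209600 86400"
SECONDARY = "ns1.example.com. hostmaster.example.com. 2026042101 3600 600 1209600 86400"

if __name__ == "__main__":
    p, s = parse_soa(PRIMARY), parse_soa(SECONDARY)
    print(p["email"], serial_date(p["serial"]), "role address:", uses_role_address(p))
    print("secondary stale:", secondary_is_stale(p["serial"], s["serial"]))
```

To audit a live zone, feed `parse_soa` the `+short` output from each authoritative server and compare the serials pairwise.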
Use cases
- Diagnose stale slave NS issues
- Audit zone change frequency
- Verify primary NS during migration
- Cache-poisoning forensics
Look up DNS without flag soup
dotdig is a friendly DNS resolver — formatted output, custom resolver support, DNSSEC validation. Zero-config alternative to dig.