SOA Configuration

What This Check Does

The SOA Configuration check validates your Start of Authority (SOA) record against recommended best practices. It checks the serial number format (expecting the date-based YYYYMMDDxx format) and verifies that the refresh, retry, and expire values fall within recommended ranges.

DNS Spy queries your SOA record and evaluates each field against industry-standard recommendations.

Why It Matters

The SOA record controls critical aspects of DNS zone management, including how secondary nameservers synchronize with the primary. Misconfigured SOA values can cause zone transfer failures, stale cached data, or excessive load on your primary nameserver. The serial number format affects how zone changes are tracked and propagated.

NIST SP 800-81, Section 3.1, provides guidance on zone configuration including SOA record best practices. Properly configured SOA values ensure reliable zone transfers, appropriate caching behavior, and predictable DNS operation.

NIST SP 800-81 Compliance

Section 3.1 of the NIST Secure DNS Deployment Guide covers zone configuration, with specific attention to SOA record parameters. Recommended values include: refresh of 3600-86400 seconds, retry of 600-3600 seconds, expire of 86400-604800 seconds, and a date-based serial format (YYYYMMDDxx). DNS Spy validates your SOA against these NIST-aligned recommendations.

Good vs. Bad Configuration

Bad Configuration

SOA with serial 1 (non-date format), refresh of 60 seconds (too aggressive), retry of 10 seconds (too frequent), and expire of 3600 seconds (too short — secondary nameservers will stop serving your zone after just 1 hour if they cannot reach the primary).

Good Configuration

SOA with serial 2024010101 (date-based YYYYMMDDxx format), refresh of 7200 seconds (2 hours), retry of 900 seconds (15 minutes), and expire of 604800 seconds (7 days). These values provide reliable synchronization and appropriate fallback behavior.
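
The following added example, which is not DNS Spy's own code, applies the ranges listed above to both configurations. It assumes the SOA rdata arrives in the text form that dig +short SOA prints; the hostnames and the minimum field in the sample records are constructed placeholders, and check_soa and serial_is_date_based are names chosen for this example.

```python
import re
from datetime import datetime

# Ranges in seconds, taken from the recommendations quoted on this page.
RANGES = {
    "refresh": (3600, 86400),
    "retry": (600, 3600),
    "expire": (86400, 604800),
}
FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def serial_is_date_based(serial: str) -> bool:
    """True when serial is YYYYMMDDxx: a real calendar date plus a 2-digit revision."""
    if not re.fullmatch(r"[0-9]{10}", serial):
        return False
    try:
        datetime.strptime(serial[:8], "%Y%m%d")  # rejects e.g. 20240230
    except ValueError:
        return False
    return True


def check_soa(rdata: str) -> list[str]:
    """Return findings for SOA rdata in presentation format; empty list means it passes."""
    parts = rdata.split()
    if len(parts) != len(FIELDS):
        return [f"expected {len(FIELDS)} fields, got {len(parts)}"]
    soa = dict(zip(FIELDS, parts))
    findings = []
    if not serial_is_date_based(soa["serial"]):
        findings.append(f"serial {soa['serial']} is not in YYYYMMDDxx format")
    for name, (low, high) in RANGES.items():
        if not re.fullmatch(r"[0-9]+", soa[name]):
            findings.append(f"{name} {soa[name]!r} is not a plain number of seconds")
        elif not low <= int(soa[name]) <= high:
            findings.append(f"{name} {soa[name]}s is outside {low}-{high}s")
    return findings


# Constructed records: names and the minimum field are placeholders; the
# serial, refresh, retry and expire values are the two configurations above.
BAD = "ns1.example.com. hostmaster.example.com. 1 60 10 3600 3600"
GOOD = "ns1.example.com. hostmaster.example.com. 2024010101 7200 900 604800 3600"

if __name__ == "__main__":
    for label, rdata in (("bad", BAD), ("good", GOOD)):
        for finding in check_soa(rdata) or ["no findings"]:
            print(f"{label}: {finding}")
```

A serial such as 2024023001 is also reported, because the first eight digits must form a real calendar date, not just ten digits.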

How DNS Spy Monitors This

DNS Spy queries your SOA record during each monitoring cycle and validates the serial format, refresh, retry, and expire values. Any values outside recommended ranges trigger an alert with specific guidance on which fields need adjustment. Historical tracking shows how your SOA configuration changes over time.