SOA Serial Sync

What This Check Does

The SOA Serial Sync check queries each of your active nameservers for the zone's SOA (Start of Authority) record and compares the serial numbers they return. The serial is the zone's version marker: it is incremented on every change to the zone, so a nameserver that reports a different serial from the others is serving a different version of the zone, usually an older one with stale or missing records.

DNS Spy performs this check by querying the SOA record from every active nameserver and comparing the serial values. Any mismatch triggers a failure. A mismatch seen in the first minutes after a zone change can simply be propagation lag while the secondaries pick up the update; a mismatch that persists across monitoring cycles means the update is not reaching one or more nameservers.

Why It Matters

The SOA serial number is the primary mechanism for tracking DNS zone changes. When a zone is updated, the serial is incremented, and secondary nameservers use it to decide whether they need a fresh copy: on a NOTIFY from the primary, or when the refresh timer in the SOA record expires, a secondary queries the primary's SOA and transfers the zone (AXFR or IXFR) only if the primary's serial is newer, compared using the 32-bit serial arithmetic of RFC 1982. If serials are out of sync, some nameservers serve outdated records and behaviour becomes inconsistent: users may see old IP addresses, missing records, or incorrect mail routing depending on which nameserver their resolver happens to ask.

Note that the serial is only a version marker. If a zone is edited without incrementing the serial, the secondaries never refresh, and every nameserver reports the same serial while serving different data. Matching serials are necessary for a consistent zone, but they are not by themselves proof of it.

NIST SP 800-81, Section 3.1, covers zone configuration best practices including proper SOA serial management. DNS Spy helps ensure your zone transfers are functioning correctly by detecting serial mismatches.

NIST SP 800-81 Compliance

Section 3.1 of the NIST Secure DNS Deployment Guide addresses zone configuration, including the importance of consistent zone data across all authoritative nameservers. SOA serial synchronization is fundamental to this consistency. DNS Spy's automated monitoring helps you meet this guideline by alerting you as soon as zone synchronization fails.

Good vs. Bad Configuration

Bad Configuration

ns1.example.com returns SOA serial 2024010102 while ns2.example.com returns 2024010101. The serial on ns2 is lower, so the secondary has not picked up the latest zone update and is serving stale DNS data. Things to check: that the primary sends NOTIFY to ns2 after each change, that ns2 is permitted to transfer the zone (AXFR/IXFR) from the primary, and that the primary's serial was actually incremented when the zone was edited. A secondary reporting a higher serial than the primary also indicates a fault, since a secondary only ever copies the primary's serial.

Good Configuration

All nameservers return the same SOA serial (e.g., 2024010102). Zone transfers are working correctly, and all nameservers serve identical, current DNS data.

How DNS Spy Monitors This

DNS Spy queries the SOA record from each active nameserver during every monitoring cycle and compares serial numbers. If a mismatch is detected, an alert is sent immediately. The dashboard displays the serial number reported by each nameserver, making it easy to identify which server is out of sync and needs attention.
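The check described in What This Check Does and in How DNS Spy Monitors This, as an added example in Python. This is not DNS Spy's own code: it sends a raw SOA query over UDP using only the standard library, extracts the serial from the answer section, and compares serials with RFC 1982 serial arithmetic so that wraparound is handled correctly. Assumptions not taken from the page: IPv4 UDP on port 53, no EDNS and no TCP retry on a truncated reply, and the constructed replies produced by build_soa_response (hypothetical ns1/hostmaster names, the page's serials 2024010102 and 2024010101) stand in for real nameservers so the script runs offline; query_soa_serial is the live path.

```python
"""Added example (not DNS Spy's code): SOA serial sync check with raw DNS."""
import random
import socket
import struct

SOA = 6   # RR type
IN = 1    # RR class


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone, txid):
    """Standard query, RD=1, one question: <zone> SOA IN (assumed: no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_soa_serial(msg, txid):
    """Serial from the first SOA RR in the answer section of an authoritative reply.

    Raises ValueError on transaction-id mismatch, non-zero RCODE, AA=0, or no SOA.
    """
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    if not flags & 0x0400:
        raise ValueError("answer not authoritative (AA=0): wrong server?")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            rd = _skip_name(msg, off)             # MNAME
            rd = _skip_name(msg, rd)              # RNAME
            return struct.unpack("!I", msg[rd:rd + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")


def query_soa_serial(zone, nameserver, timeout=3.0):
    """Live query of one nameserver (network required; assumed IPv4/UDP/53)."""
    txid = random.randrange(0, 1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, txid), (nameserver, 53))
        data, _ = s.recvfrom(512)
    return parse_soa_serial(data, txid)


def serial_gt(a, b):
    """RFC 1982: is 32-bit serial a 'greater than' b, allowing for wraparound?"""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > 1 << 31) or (a > b and a - b < 1 << 31))


def check_soa_sync(serials):
    """serials maps nameserver -> serial, or None when its query failed.

    Returns (in_sync, newest_serial, out_of_sync); out_of_sync maps each lagging
    or unreachable nameserver to what it reported.
    """
    values = [s for s in serials.values() if s is not None]
    if not values:
        return False, None, dict(serials)
    newest = values[0]
    for s in values[1:]:
        if serial_gt(s, newest):
            newest = s
    out_of_sync = {ns: s for ns, s in serials.items() if s != newest}
    return not out_of_sync, newest, out_of_sync


def build_soa_response(txid, zone, serial):
    """Constructed authoritative reply (hypothetical names) so this runs offline."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)      # QR=1, AA=1
    question = encode_name(zone) + struct.pack("!HH", SOA, IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 7200, 900, 1209600, 3600))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Offline walk-through with constructed replies carrying the page's serials.
    zone, txid = "example.com", 0x1234
    replies = {"ns1.example.com": build_soa_response(txid, zone, 2024010102),
               "ns2.example.com": build_soa_response(txid, zone, 2024010101)}
    serials = {ns: parse_soa_serial(r, txid) for ns, r in replies.items()}
    print(check_soa_sync(serials))
    # Live run: serials[ns] = query_soa_serial(zone, ns) per nameserver,
    # storing None on socket.timeout or ValueError so the failure is reported.
```

A failed or non-authoritative reply is recorded as None rather than silently skipped, so an unreachable nameserver fails the check instead of hiding behind the servers that answered.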