Oversimplified DNS

... or, even a rocket scientist can understand DNS


Step 3 - Verify SOA (Start of Authority)

GOAL: Find your SOA record and make sure that it is accurate.

BACKGROUND: The SOA record has core information about your zone. It defines which server is your primary nameserver, your contact information (E-mail), how your secondary nameservers get updated, and the default (minimum) Time-To-Live values for your records.


Step 3a: Get your SOA data

To get your SOA data, you can use NSLOOKUP or DIG (or any other program or web site that can query DNS records from a nameserver you choose). Query for the SOA record of your domain, once for each nameserver on the list you wrote down.

Using NSLOOKUP, enter "server nameserver.example.com" (do this once for each nameserver on your list, replacing "nameserver.example.com" with one nameserver at a time). Then, type "set type=SOA". Finally, type your domain name ("example.com"). You will see the SOA record for your domain.

Using DIG, enter your domain name as the name to query and each server from the list you wrote down (one at a time), then look at the SOA or "Zone of Authority" section.

Problem? Make sure that the SOA record returned by each name server is identical. If the serial numbers are different, you will have to wait up to the number of seconds listed in the "refresh" section of the nameserver with the lower serial number for it to get updated (or more time if the secondary nameserver can't reach the primary). If the primary nameserver has a lower serial number than a secondary, you have a serious problem that you will need to fix. If the serial numbers are the same, but other data is different, you have a serious problem -- your primary was updated without updating the serial number (update the serial number and the problem will get fixed).
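
The comparison described above can be scripted once you have one SOA answer per nameserver. The following is an added example, not part of the original tutorial: it assumes each answer is the single line printed by "dig +short SOA example.com @nameserver", that you tell it which server is the primary, and that serial numbers are compared as plain integers. The nameserver names and record values are constructed sample data.

```python
# Field order of a `dig +short SOA <domain> @<nameserver>` answer line.
FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")

# Constructed sample answers (not real query results), one per nameserver.
SAMPLE = {
    "ns1.example.com": "ns1.example.com. hostmaster.example.com. 2024010102 3600 900 604800 86400",
    "ns2.example.com": "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400",
    "ns3.example.com": "ns1.example.com. hostmaster.example.com. 2024010102 3600 900 604800 3600",
}


def parse_soa(line):
    """Turn one answer line into a dict; the five numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} SOA fields, got {len(parts)}: {line!r}")
    soa = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:
        soa[key] = int(soa[key])
    return soa


def check_soa(answers, primary):
    """Return {nameserver: verdict} using the rules from the paragraph above.

    `primary` is the key in `answers` for the primary nameserver (assumption:
    the caller knows it, e.g. from the SOA MNAME field).
    """
    soas = {ns: parse_soa(line) for ns, line in answers.items()}
    ref = soas[primary]  # KeyError if the primary was not queried
    verdicts = {primary: "primary (reference)"}
    for ns, soa in soas.items():
        if ns == primary:
            continue
        if soa == ref:
            verdicts[ns] = "ok: identical to primary"
        elif soa["serial"] < ref["serial"]:
            # Secondary is behind: it should catch up within its own refresh.
            verdicts[ns] = f"stale: wait up to {soa['refresh']}s (its refresh)"
        elif soa["serial"] > ref["serial"]:
            verdicts[ns] = "serious: primary serial is lower than this secondary"
        else:
            verdicts[ns] = "serious: same serial, different data; update the serial on the primary"
    return verdicts


if __name__ == "__main__":
    for ns, verdict in check_soa(SAMPLE, "ns1.example.com").items():
        print(f"{ns}: {verdict}")
```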

Problem? The SOA record MUST be the FIRST record in your zone file, and MUST also be the LAST record in your zone file. It must appear only those two times, and both of the entries must be identical. This can be verified correctly only on the nameserver itself; the procedure varies depending on the software you use.


Step 3b: Check your SOA data