SOA Record Generator
Build and parse a DNS SOA record in your browser. Set the primary name server, contact email, serial, and timers, then copy zone-file and provider snippets.
SOA record generator and parser
Every zone has one SOA record at its apex. The data is MNAME RNAME serial refresh retry expire minimum: the primary name server, the responsible email (with the @ as a dot), and five numbers (the serial and four timers).
Start from a timer profile
Zone and contacts
The zone the SOA sits at the top of.
Optional. 3600 = 1 hour.
The master name server for the zone.
Stored as hostmaster.example.com.
Serial and timers
Convention is YYYYMMDDnn. Increase it every time you change the zone, or secondaries will not pull the update.
Refresh: 2 hours
Retry: 1 hour
Expire: 2 weeks
Minimum: 1 hour
Output
Your SOA record
Full zone-file SOA block (BIND)
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
2026062301 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum negative TTL (1 hour)
)
One-line form
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2026062301 7200 3600 1209600 3600
Validation
- Note: In a BIND zone file, the primary name server should end with a trailing dot so it is not treated as relative to the zone.
DNS provider snippets
Publish the record
Many managed DNS hosts create and update the SOA for you. Use these as a reference or for hosts that let you edit it. Replace ZONE_ID, ZONE_NAME, and RG_NAME with your own values.
BIND zone file
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
2026062301 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum negative TTL (1 hour)
)
Cloudflare DNS
Cloudflare manages the SOA record automatically. On a primary zone the SOA is read-only in the dashboard. If you run Cloudflare Secondary DNS, set the timers on your hidden primary instead. For reference, this zone would use:
Primary NS: ns1.example.com
Contact: hostmaster@example.com
Serial: 2026062301
Refresh: 7200
Retry: 3600
Expire: 1209600
Minimum TTL: 3600
AWS Route 53 (CLI)
# Route 53 creates the SOA when you create a hosted zone.
# Use UPSERT to change the timers (keep one space between values).
aws route53 change-resource-record-sets \
--hosted-zone-id ZONE_ID \
--change-batch '{
"Changes": [{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "example.com.",
"Type": "SOA",
"TTL": 3600,
"ResourceRecords": [{ "Value": "ns1.example.com. hostmaster.example.com. 2026062301 7200 3600 1209600 3600" }]
}
}]
}'
Google Cloud DNS (gcloud)
gcloud dns record-sets update example.com. \
  --zone=ZONE_NAME \
  --type=SOA \
  --ttl=3600 \
  --rrdatas="ns1.example.com. hostmaster.example.com. 2026062301 7200 3600 1209600 3600"
Azure DNS (CLI)
az network dns record-set soa update \
  --resource-group RG_NAME \
  --zone-name example.com \
  --email hostmaster.example.com \
  --serial-number 2026062301 \
  --refresh-time 7200 \
  --retry-time 3600 \
  --expire-time 1209600 \
  --minimum-ttl 3600
What the seven values do
- MNAME is the primary name server, the source of truth secondaries pull from.
- RNAME is the responsible email with the @ written as a dot, so hostmaster@example.com becomes hostmaster.example.com.
- Serial is a version number. Bump it on every change or secondaries keep the old zone.
- Refresh and retry control how often secondaries check and re-check the serial.
- Expire is how long a secondary keeps answering with no contact before going silent.
- Minimum is the negative-caching TTL (RFC 2308): how long a "does not exist" answer is cached.
Common mistakes this tool catches
- Writing the RNAME with an @. SOA uses a dot in place of the @, and dots inside the mailbox are escaped with a backslash.
- Forgetting to bump the serial, so a zone change never reaches the secondaries.
- A retry longer than the refresh, or an expire too close to the refresh, which can expire the zone during a brief outage.
- Pointing MNAME at an IP address instead of a host name, or leaving off the trailing dot in a BIND zone file.
Privacy
Records are built and validated entirely in your browser with plain string parsing. No DNS lookups are performed, and the zone names, name servers, contact emails, and timers you enter are never uploaded, logged, or stored.
How to use
- Keep the Build record tab selected and pick a timer profile like Balanced or Modern to seed the refresh, retry, expire, and minimum values.
- Enter the zone, the primary name server (MNAME), and the responsible email; the tool shows the RNAME wire form (with the @ written as a dot) as you type.
- Set the serial in YYYYMMDDnn form, or click Today + bump to use today's date plus a counter, and adjust the four timers (each is shown in human time).
- Copy the full zone-file block, the one-line form, or a provider snippet for BIND, Cloudflare, Route 53, Google Cloud DNS, or Azure, and watch the validation panel for any errors or warnings.
- Switch to Parse and explain to paste an existing SOA record, decode its contact email, and confirm every field and timer is correct.
About this tool
SOA Record Generator is a two-mode browser tool for the DNS Start of Authority resource record defined in RFC 1035, with operational guidance from RFC 1912 and the negative-caching rules of RFC 2308. Every DNS zone has exactly one SOA record at its apex, and it is the record that declares who is authoritative for the zone and how secondary servers and resolvers should treat its data. The RDATA is seven values in a fixed order: MNAME, RNAME, serial, refresh, retry, expire, and minimum. MNAME is the primary (master) name server, the source of truth that secondaries pull from. RNAME is the responsible party's email written in a way that confuses almost everyone the first time: the @ sign is replaced by a dot, so hostmaster@example.com is stored as hostmaster.example.com., and any literal dot inside the mailbox part is escaped with a backslash, so john.doe@example.com becomes john\.doe.example.com. The serial is a 32-bit version number, conventionally written as YYYYMMDDnn (a date plus a two-digit counter), and secondaries compare it to decide whether to transfer a fresh copy: if you change the zone but forget to raise the serial, the change never propagates. The four timers are all in seconds. Refresh is how often a secondary checks the serial. Retry is how long it waits to try again after a failed refresh and should be shorter than refresh. Expire is how long a secondary keeps answering for the zone with no contact from the primary before it stops, and it should be comfortably larger than refresh so a brief outage never silently expires the zone. Minimum, since RFC 2308, is the negative-caching TTL: how long a resolver caches an NXDOMAIN or no-data answer for the zone. 
The Build tab lets you start from a timer profile (a balanced RFC 1912 default, a modern profile tuned for zones that use NOTIFY, a fast-propagation profile, or a stable profile for zones that rarely change), fills the fields with sensible values, shows the RNAME in wire form as you type your email, and includes a one-click serial helper that sets the serial to today's date plus a counter or increments the counter if it is already today. It renders every timer in human time (so 1209600 reads as 2 weeks) and emits the record three ways: a full multi-line zone-file SOA block with aligned comments, a one-line form, and the raw RDATA, plus ready-to-paste snippets for BIND, Cloudflare, the AWS Route 53 CLI, the Google Cloud DNS gcloud CLI, and the Azure DNS CLI. Live validation flags the mistakes the wire format quietly tolerates: an MNAME that is an IP address instead of a name, an email still written with an @, a missing or non-numeric serial, out-of-range 32-bit values, a retry that is not shorter than the refresh, and an expire that is too close to the refresh plus retry. The Parse tab accepts a full zone-file block (comments and the surrounding parentheses are stripped automatically), a one-line record, or just the seven values, then validates each field, decodes the RNAME back into a readable email, renders every timer in human time, and explains in one summary how secondaries and resolvers will treat the zone. A reference grid lays out what each value does and the errors most operators make, so the page doubles as a study sheet. Useful for setting up a new authoritative zone, fixing an inherited SOA before it breaks replication, decoding the contact email hidden in a SOA you looked up, and double-checking timer values against best practice. Everything runs locally in your browser. The zone names, name servers, contact emails, and timers you enter never leave your device, and no DNS queries are made.
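The parsing and validation steps described above can be sketched as follows. This is an added example, not the tool's own code: the function names are hypothetical, and the expire check uses an assumed threshold (expire must exceed refresh plus retry) because the page does not state the exact rule.

```javascript
// Added example: function names and the expire threshold are assumptions.
const U32_MAX = 0xffffffff;

// Decode RNAME: the first unescaped dot stands for "@"; "\." is a literal dot.
function rnameToEmail(rname) {
  const name = rname.replace(/\.$/, "");
  let local = "";
  for (let i = 0; i < name.length; i++) {
    if (name[i] === "\\" && i + 1 < name.length) { local += name[++i]; continue; }
    if (name[i] === ".") return local + "@" + name.slice(i + 1);
    local += name[i];
  }
  return null; // no unescaped dot, so no mailbox/domain split
}

function parseSoa(text) {
  // Strip ";" comments and grouping parentheses, then split on whitespace.
  const tokens = text.split(/\r?\n/).map((l) => l.replace(/;.*$/, ""))
    .join(" ").replace(/[()]/g, " ").trim().split(/\s+/);
  // Accept a full record (owner, TTL, class, SOA, RDATA) or the bare seven values.
  const at = tokens.findIndex((t) => t.toUpperCase() === "SOA");
  const rdata = at >= 0 ? tokens.slice(at + 1) : tokens;
  if (rdata.length !== 7) return { soa: null, issues: ["expected 7 values, got " + rdata.length] };
  const [mname, rname, ...nums] = rdata;
  const soa = { mname, rname, email: rnameToEmail(rname) };
  const issues = [];
  ["serial", "refresh", "retry", "expire", "minimum"].forEach((key, i) => {
    soa[key] = /^\d+$/.test(nums[i]) ? Number(nums[i]) : NaN;
    if (!(soa[key] <= U32_MAX)) issues.push(key + " is not a 32-bit unsigned integer");
  });
  if (/^\d{1,3}(\.\d{1,3}){3}\.?$/.test(mname) || mname.includes(":"))
    issues.push("MNAME is an IP address, not a host name");
  if (rname.includes("@")) issues.push("RNAME contains @; write it as a dot");
  else if (soa.email === null) issues.push("RNAME has no unescaped dot");
  if (soa.retry >= soa.refresh) issues.push("retry is not shorter than refresh");
  // Assumed threshold: the page only says expire must not be "too close".
  if (soa.expire <= soa.refresh + soa.retry) issues.push("expire is too close to refresh + retry");
  return { soa, issues };
}

// The page's example record in zone-file form, then a constructed bad record.
const good = `example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. (
  2026062301 ; serial
  7200 ; refresh (2 hours)
  3600 ; retry (1 hour)
  1209600 ; expire (2 weeks)
  3600 ) ; minimum negative TTL (1 hour)`;
const bad = "192.0.2.1 admin@example.com. 2026062301 3600 7200 7000 300";
console.log(parseSoa(good).issues, parseSoa(bad).issues);
```

The page's example record passes with no issues, while the constructed bad record trips the IP-address, @, retry, and expire checks at once.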
Free to use. Works in your browser. No signup, no login.