How to check SOA serial numbers with dig

DNS zone changes reach authoritative nameservers only after each server loads the updated zone data. The SOA serial is the zone version value exposed by those servers, so comparing it with dig shows whether the authority set is serving the same revision after an edit, transfer, or provider change.

The SOA record contains the primary nameserver, responsible mailbox, serial, refresh, retry, expire, and minimum values for the zone. Querying authoritative servers directly avoids cached resolver answers and keeps the check tied to the server that should be hosting the zone.

Use the delegated zone name, not a single host inside the zone. Matching serials on two authoritative servers show those two servers have loaded the same zone version, and a production change check should include every authoritative server named for the zone before treating propagation inside the authority set as complete.

Steps to check SOA serial numbers with dig:

List the delegated nameservers for the zone.
```
$ dig +noall +answer iana.org NS
iana.org.		4502	IN	NS	a.iana-servers.net.
iana.org.		4502	IN	NS	b.iana-servers.net.
iana.org.		4502	IN	NS	c.iana-servers.net.
iana.org.		4502	IN	NS	ns.icann.org.
```
Use the zone apex, such as iana.org, for an SOA serial check. If the delegated nameserver list is uncertain, confirm the authority set first.
Related: How to find authoritative nameservers with dig

Query the first authoritative server for the zone SOA record.

$ dig @a.iana-servers.net iana.org SOA +norecurse +noall +comments +answer
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8189
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
iana.org.		3600	IN	SOA	sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600

The aa flag shows that the selected server answered authoritatively. +norecurse keeps the server from masking an authority problem with recursive lookup behavior.

Query another authoritative server with the same zone, type, and display options.

$ dig @b.iana-servers.net iana.org SOA +norecurse +noall +comments +answer
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
iana.org.		3600	IN	SOA	sns.dns.icann.org. noc.dns.icann.org. 2026062320 7200 3600 1209600 3600

Change only the @server value when comparing authoritative servers. A different zone name, record type, or option set can turn the result into a different DNS question.

Compare the SOA owner, primary nameserver, mailbox, and serial.
```
a.iana-servers.net: iana.org SOA sns.dns.icann.org. noc.dns.icann.org. serial 2026062320
b.iana-servers.net: iana.org SOA sns.dns.icann.org. noc.dns.icann.org. serial 2026062320
```
The serial is the first number after the responsible mailbox field. Treat a serial mismatch as a server-specific zone version difference until the expected transfer, reload, or provider sync has completed.

Print one SOA answer in multiline form when the field order needs labels.

$ dig +nocmd @a.iana-servers.net iana.org SOA +norecurse +noall +answer +multiline
iana.org.		3600 IN	SOA sns.dns.icann.org. noc.dns.icann.org. (
				2026062320 ; serial
				7200       ; refresh (2 hours)
				3600       ; retry (1 hour)
				1209600    ; expire (2 weeks)
				3600       ; minimum (1 hour)
				)

+multiline labels long record fields in dig output. The single-line form is easier to compare across servers, while the multiline form helps identify the serial and timer fields.

Record the accepted authority-set result after the checked authoritative servers return the expected serial.
```
zone: iana.org
expected SOA serial: 2026062320
checked servers: a.iana-servers.net, b.iana-servers.net
result: checked servers returned NOERROR, aa, and serial 2026062320
```
If any authoritative server returns REFUSED, lacks the aa flag, or shows an older serial, check that server's zone load, transfer status, provider sync state, or delegation before changing unrelated records.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.