Introduction

The SOA serial tells secondary DNS servers whether a zone has changed and needs to be refreshed. If records are updated but the serial does not increase, secondaries may never pull the new data even though the primary zone looks correct. The fix is to verify how the authoritative zone is managed and whether the update workflow actually republishes the zone with a new serial.

Symptoms

  • Secondary DNS servers continue serving old records after a zone change
  • Public answers differ between primary and secondary authoritative nameservers
  • Zone transfers appear healthy, but secondaries never pick up recent edits
  • DNS management changes look correct in the control panel but do not propagate to all authoritative servers
  • The issue started after migrating DNS providers or changing zone management tooling

Common Causes

  • Zone edits do not trigger a serial increment in the primary DNS system
  • Manual zone file changes were made without updating the SOA serial value
  • The DNS provider abstracts serial handling and a publishing step never completed
  • Secondary DNS is pointed at a source that is not the truly updated primary zone
  • Automation overwrote the zone with an older serial after a change was made

Step-by-Step Fix

  1. Compare the SOA serial returned by each authoritative nameserver for the zone and confirm where the divergence begins.
  2. Check how the primary zone is managed, whether through raw zone files, an API, or a provider UI, and verify the publish workflow for changes.
  3. Confirm that recent record edits actually updated the source-of-truth zone rather than a stale replica or abandoned panel.
  4. If the zone is managed manually, increment the SOA serial correctly whenever you change records.
  5. If the provider manages serials automatically, inspect whether the change was saved, published, and accepted by the primary service.
  6. Verify that secondary DNS pulls from the correct primary and that zone transfer permissions still allow refreshes.
  7. Trigger a refresh or retransfer after the primary serial is known to be higher than the copies on secondary servers.
  8. Re-run authoritative queries until all nameservers return the same SOA serial and current record data.
  9. Keep zone update workflows consistent so DNS changes and serial publication cannot drift apart unnoticed.
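
Steps 1 and 8 come down to comparing the SOA serial, and one recently changed record, across every authoritative nameserver. The sketch below is an added example, not part of the original article or any provider's tooling: it takes the output of `dig +short SOA <zone> @<nameserver>` and orders serials with RFC 1982 serial arithmetic, so wraparound is handled. The function names, state labels, nameserver names and sample values are all assumptions made for illustration.

```python
# Added example; all nameserver names, serials and addresses are constructed.
MOD, HALF = 2 ** 32, 2 ** 31
STATES = {0: "in-sync", -1: "stale", 1: "ahead-of-primary", None: "undefined-order"}

def parse_serial(soa_line):
    """Return the serial, the third field of `dig +short SOA` output."""
    fields = soa_line.split()
    if len(fields) != 7:
        raise ValueError(f"not SOA rdata: {soa_line!r}")
    serial = int(fields[2])
    if not 0 <= serial < MOD:
        raise ValueError(f"serial out of 32-bit range: {serial}")
    return serial

def serial_cmp(a, b):
    """RFC 1982: -1 if a is older than b, 1 if newer, 0 if equal, None if undefined."""
    diff = (b - a) % MOD
    if diff == 0:
        return 0
    if diff == HALF:
        return None
    return -1 if diff < HALF else 1

def classify(primary, answers):
    """answers maps nameserver -> (SOA line, set of rdata for one changed record)."""
    p_serial, p_data = parse_serial(answers[primary][0]), answers[primary][1]
    report = {}
    for ns, (soa_line, data) in answers.items():
        if ns == primary:
            continue
        order = serial_cmp(parse_serial(soa_line), p_serial)
        if order == 0 and data != p_data:
            # Same serial, different data: the edit was published without a bump.
            report[ns] = "serial-not-bumped"
        else:
            # stale: should transfer on refresh; ahead: will not pull a lower serial.
            report[ns] = STATES[order]
    return report

SOA = "ns1.example.test. hostmaster.example.test. {} 7200 3600 1209600 300"
SAMPLE = {
    "ns1": (SOA.format(2024051502), {"192.0.2.20"}),  # treated as the primary
    "ns2": (SOA.format(2024051502), {"192.0.2.20"}),
    "ns3": (SOA.format(2024051501), {"192.0.2.10"}),
    "ns4": (SOA.format(2024051502), {"192.0.2.10"}),
    "ns5": (SOA.format(2024051503), {"192.0.2.10"}),
}

if __name__ == "__main__":
    for ns, state in classify("ns1", SAMPLE).items():
        print(ns, state)
```

A "stale" secondary points at refresh or transfer permissions (steps 6 and 7), while "serial-not-bumped" and "ahead-of-primary" point back at the primary's publish workflow (steps 2 through 5).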