System Records: Why Some DNS Records Are Protected
Learn what system records are in DNS, why SOA and apex NS records are protected from modification, and how DNS providers manage them automatically.
Answer snapshot
System records are the SOA and apex NS records — the records that define a zone's authority and delegation. DNScale (and most managed providers) creates and protects them automatically: you can't accidentally delete the SOA or rewrite the apex NS to break delegation. You can still create NS records at sub-zones for delegation; only the apex NS is protected.
What you'll learn
- Understand why SOA and apex NS records are classified as system records and protected from direct modification
- Explain the two-level NS delegation system and why parent and child NS records must stay in sync
- Distinguish between protected apex NS records and user-managed subdomain NS records for delegation
- Identify the API and dashboard behaviors when system record modification is attempted
Every DNS zone contains records that are critical to its operation — records that define the zone's authority and delegation. These are commonly called system records, and DNS providers protect them from direct modification to prevent accidental breakage.
What Are System Records?
System records are DNS records that the platform creates and manages automatically when you add a zone. They define how the zone functions at a fundamental level:
| Record | Name | Purpose |
|---|---|---|
| SOA | Zone apex (@) | Declares the primary authority, serial number, and timing parameters for the zone |
| NS | Zone apex (@) | Lists the authoritative nameservers for the zone |
These records exist at the zone apex (the bare domain, like example.com) and are essential for DNS resolution to work. Without them, resolvers cannot find your zone or determine which DNS servers are authoritative for it.
System records are sometimes called "protected records", "managed records", or "infrastructure records" depending on the DNS provider.
Why Are System Records Protected?
SOA Record Protection
The SOA (Start of Authority) record controls zone transfers, negative caching, and serial number tracking. If the SOA were deleted or misconfigured:
- Secondary nameservers would stop synchronizing
- NXDOMAIN responses could be cached for too long (or not at all) — see TTL best practices for how the SOA minimum field controls this
- Zone transfer mechanisms would break
- The zone would violate the DNS specification (every zone must have exactly one SOA)
DNScale manages SOA records automatically — incrementing the serial number on every change and setting timing parameters optimized for reliability.
What the SOA Controls
The SOA record contains several fields that directly affect zone behavior:
| Field | Purpose | Why It's Managed |
|---|---|---|
| MNAME | Primary nameserver | Must match the actual primary; incorrect values break NOTIFY |
| RNAME | Admin email (encoded) | Standardized to a platform contact |
| Serial | Change counter | Auto-incremented on every record change |
| Refresh | Secondary check interval | Tuned for DNScale's replication architecture |
| Retry | Retry after failed refresh | Set to prevent excessive retry storms |
| Expire | When secondaries stop serving | Balanced between data freshness and resilience |
| Minimum | Negative cache TTL | Controls how long NXDOMAIN responses are cached |
If any of these fields were set incorrectly, the consequences would ripple across the entire zone. An MNAME pointing to a non-existent server would break NOTIFY-based updates. A serial number that was accidentally decreased would cause secondaries to ignore all subsequent changes.
Apex NS Record Protection
NS records at the zone apex declare which nameservers are authoritative for your domain. They work together with the delegation NS records at the parent zone (set at your registrar) to form the chain of trust in DNS.
DNScale's own NS records (ns1.dnscale.eu, ns2.dnscale.eu, etc.) are protected and cannot be removed or modified — they keep the zone connected to the anycast infrastructure.
However, you can add additional NS records at the apex for multi-provider DNS setups. For example, if you use both DNScale and another provider, you can add that provider's nameservers alongside DNScale's:
example.com. NS ns1.dnscale.eu. ← protected (cannot be removed)
example.com. NS ns2.dnscale.eu. ← protected (cannot be removed)
example.com. NS hydrogen.ns.hetzner.com. ← user-added (can be removed)
example.com. NS oxygen.ns.hetzner.com. ← user-added (can be removed)This ensures the zone's apex NS records match your registrar delegation when using multiple providers.
Apex NS Records and Registrar Delegation
A common question is why apex NS records need to match the nameservers configured at your registrar. Understanding the relationship requires knowing how DNS delegation works.
The Two-Level NS System
When a resolver looks up your domain, two sets of NS records are involved:
- Parent zone NS records (at the registrar/TLD) — non-authoritative "hints" that bootstrap the lookup by telling resolvers where to find your zone
- Child zone NS records (at the apex) — the authoritative declaration of which servers serve your zone
Per RFC 2181 Section 6, the child zone's NS records are authoritative and take precedence in resolver caches, while the parent's delegation records are non-authoritative hints used only for bootstrapping.
What Happens When They Diverge
When the parent and child NS records don't match, DNS resolution doesn't break outright — but mismatches cause real problems:
- Lame delegations — the parent points to a server that doesn't serve the zone, causing timeouts and SERVFAIL responses
- Increased latency — resolvers retry against non-responsive servers before finding one that works
- Reduced resilience — fewer effective nameservers means less redundancy during outages or DDoS attacks
- Unpredictable behavior — different resolver implementations handle mismatches differently, leading to inconsistent results across networks
- DNSSEC failures — if the child NS set includes servers that don't serve DNSSEC-signed responses, some resolvers may get validation failures
Apex NS records should match your registrar's delegation. The child zone's NS set is authoritative (RFC 2181) and takes precedence in resolver caches, while the parent's delegation NS records are non-authoritative hints used for bootstrapping. When they diverge, mismatches can cause lame delegations, increased latency, and unpredictable behavior across resolver implementations.
Changing Your Nameservers
To change the nameservers for your domain, update them at your domain registrar — not in your DNS zone. The registrar updates the parent zone (e.g., .com, .eu), and your DNS provider updates the apex NS records to match.
If you're migrating to DNScale from another provider:
- Note the DNScale nameservers assigned to your zone (shown in the dashboard)
- Update the nameservers at your registrar
- Wait for propagation (typically 24-48 hours for NS changes)
When migrating, you can use zone import to bring your existing records into DNScale before switching nameservers. This lowers disruption risk when both providers serve matching data and the old provider stays active during the transition.
What Other Records Are Protected?
Beyond SOA and apex NS records, there are additional records that DNS providers may manage or restrict:
DNSSEC Records
DNSSEC introduces additional record types that are auto-managed:
- DNSKEY — contains the public keys used to verify signatures
- RRSIG — contains the actual signatures for each record set
- NSEC/NSEC3 — proves the non-existence of records (used for authenticated denial)
These records are generated and rotated automatically by the signing infrastructure. Manually modifying them would break DNSSEC validation across the entire zone.
Records That Are NOT Protected
All other record types are fully under your control:
| Record Type | User-Managed? | Common Use |
|---|---|---|
| A | Yes | IPv4 addresses |
| AAAA | Yes | IPv6 addresses |
| CNAME | Yes | Aliases |
| MX | Yes | Mail servers |
| TXT | Yes | SPF, DKIM, verification |
| CAA | Yes | Certificate authority authorization |
| SRV | Yes | Service location |
| PTR | Yes | Reverse DNS |
| TLSA | Yes | DANE certificate association |
| SSHFP | Yes | SSH fingerprints |
| HTTPS/SVCB | Yes | Service binding |
The only restriction on user-managed records is standard DNS rules — for example, a CNAME cannot coexist with other record types at the same name.
Subdomain NS Records Are Not Protected
While apex NS records are system records, subdomain NS records are fully user-managed. You can create, update, and delete NS records on any subdomain to delegate it to a different provider:
# Delegate a subdomain to AWS Route 53
curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "aws",
"type": "NS",
"content": "ns-123.awsdns-12.com",
"ttl": 3600
}'This is a standard DNS operation called subdomain delegation — see the NS record guide for more examples. Subdomain delegation is commonly used in multi-provider DNS deployments and DNS delegation by region.
What Happens If You Try to Modify a System Record
Adding Third-Party NS Records (Multi-Provider)
You can add additional NS records at the apex to support multi-provider DNS. This is useful when you want resolvers to query both DNScale and another provider for redundancy. Add the other provider's nameservers via the API or dashboard, and update your registrar delegation to include all nameservers.
Deleting DNScale NS Records
If you try to delete DNScale's own nameservers, the API returns a 403 Forbidden response:
{
"status": "error",
"error": {
"code": "PROTECTED_RECORD",
"message": "protected record type cannot be modified: DNScale nameservers (ns1/ns2.dnscale.eu, ns1/ns2.dnscale.com) cannot be removed"
}
}User-added NS records (e.g. a second provider's nameservers) can be deleted normally.
SOA Records
SOA records are fully protected — create, update, and delete operations all return 403 Forbidden:
{
"status": "error",
"error": {
"code": "PROTECTED_RECORD",
"message": "protected record type cannot be modified: SOA records are managed automatically and cannot be modified"
}
}Via Infrastructure as Code Tools
If you use Terraform or DNSControl, you can manage third-party NS records at the apex alongside your other records. DNScale's own NS records are excluded from the sync process.
Summary
| Record | At Apex | At Subdomain |
|---|---|---|
| SOA | Protected (auto-managed) | N/A (only exists at apex) |
| NS | Protected (auto-managed) | User-managed (subdomain delegation) |
| All others | User-managed | User-managed |
System records exist to keep your zone functional and correctly delegated. DNScale manages them so you can focus on the records that matter to your applications — A, AAAA, CNAME, MX, TXT, and everything else.
Related Topics
- What Is an NS Record — how NS records and delegation work
- What Is an SOA Record — SOA fields and zone authority
- What Is a DNS Zone — understanding zones and their structure
- DNSSEC Key Management — another category of auto-managed records (DNSKEY, RRSIG)
- DNS Record Types — the full list of user-managed record types
- Domain Registrar vs DNS Hosting — understanding the registrar's role in NS delegation
Frequently asked questions
- Why can't I edit the SOA record directly?
- The SOA holds zone-wide parameters (serial number, refresh, retry, expire, minimum TTL) that the DNS infrastructure manages itself. Editing it manually risks breaking zone transfers, secondary synchronisation, and DNSSEC signatures. DNScale increments the serial automatically on every record change and tunes the timer values for healthy resolution.
- Can I add NS records for a subdomain?
- Yes — sub-zone NS delegation is fully user-managed. You can create NS records at, say, blog.example.com to delegate that subdomain to a different nameserver set. Only the NS records at the zone apex (example.com itself) are protected, because changing those would break the delegation chain at the TLD.
- What happens if I try to delete the apex NS in the API?
- The API returns an error indicating the record is protected. The dashboard greys out the delete option. If you genuinely need to migrate away from DNScale, the right path is to update NS records at your registrar to point to the new provider, wait for TLD propagation, then close the DNScale account or delete the zone.
- Do other DNS providers protect system records the same way?
- Cloudflare, Route 53, Google Cloud DNS, and most managed providers protect SOA and apex NS records by default. Self-hosted DNS (BIND, PowerDNS) gives you the rope to break them — useful if you know what you're doing, dangerous if you don't.
- Is the SOA serial number visible to me?
- Yes — it shows in the dashboard zone view and via dig SOA yourdomain. DNScale uses the YYYYMMDDNN convention by default (year, month, day, two-digit revision), which is human-readable and increments cleanly through multiple changes per day.
Related guides
Platform
How to Close Your Account
Learn how to permanently close your DNScale account, what happens to your data, and how to resolve outstanding invoices before closing.
Platform
How to Update Your Payment Method
Learn how to update your credit card, change your default payment method, or update billing information on your DNScale account.
Platform
Multi-User Accounts and Zone Access Control
Learn how to invite team members to your DNScale account, assign roles, and control which DNS zones each user can access.
Platform
Paid Plans vs Pay As You Go
Understand the differences between DNScale's subscription plans and Pay As You Go pricing, and find out which option suits your needs best.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free