You can change a secondary zone to a primary zone via the NS1 portal or API. During this process, you have the option to publish the zone to a new network, reassign nameservers, and enable DNSSEC for the new primary zone.
Warning
If you plan to enable DNSSEC on the new primary zone, NS1 strongly recommends removing the existing DS record from the parent zone at least 24 hours before converting the secondary zone. If NS1’s nameservers are part of the domain’s delegation (as in, the zone’s delegation), then the conversion to primary will remove all related DNSSEC records, and this will break the chain of trust. Thus, any resolver that validates DNSSEC will see any query response from the NS1 platform as invalid, potentially breaking DNS resolution. Once converted, you must add a new DS record at the domain registrar with the new DNSSEC configuration details. Refer to Enabling DNSSEC for a primary (or non-secondary) zone for details.
Follow the steps below to convert a secondary zone to a primary zone via the NS1 portal. Alternatively, refer to “API example: Convert a secondary to a primary zone” below for programmatic instructions.
-
In the NS1 portal, navigate to DNS > Zones to view a list of all zones.
-
Navigate to the relevant secondary zone, and click the zone's name to view details. Tip: Select the “Secondary” checkbox to filter the list or perform a search for the specific zone.
-
Click the Zone settings tab to view additional details for the secondary zone.
-
Under “Secondary zone status,” click Change to primary.
-
By default, the network on which the secondary zone is already published is selected as the network on which to publish the primary zone, if applicable. Use the search bar to search for other available networks on which you can publish the zone if desired. Note that you can click the “X” next to the network name to remove it.
-
Optionally, click the checkbox next to “Replace current NS record set with the nameservers of the DNS networks to which you are publishing the zone.” If selected, the answers listed within the NS record are automatically updated upon saving your changes. Enabling this option might be preferred if you have changed or plan to change the delegation for the domain, preventing you from having to update the NS records manually, later on.
Note
If selected, you must update the zone delegation settings at the domain registrar to point to the new nameservers for this zone.
-
Click Next step.
-
Optionally, toggle the switch to enable DNSSEC on the primary zone.
Warning
If you plan to enable DNSSEC on the new primary zone, NS1 strongly recommends removing the existing DS record from the parent zone at least 24 hours before converting the secondary zone. If NS1’s nameservers are part of the domain’s delegation (as in, the zone’s delegation), then the conversion to primary will remove all related DNSSEC records, and this will break the chain of trust. Thus, any resolver that validates DNSSEC will see any query response from the NS1 platform as invalid, potentially breaking DNS resolution. Once converted, you must add a new DS record at the domain registrar with the new DNSSEC configuration details. Refer to Enabling DNSSEC for a primary (or non-secondary) zone for details.
-
Once complete, click Confirm zone change to primary. A message appears in the top right corner of the screen indicating the conversion was successful.
-
If you replaced the nameservers associated with the zone (see step 6), you must complete the reconfiguration by updating the zone delegation at the domain registrar to point to the new nameservers.
You can view the new nameservers under the Nameservers tab in the zone details, or by navigating to the zone’s NS record to see the associated answers — each answer representing a nameserver for this domain.
Warning
If you plan to enable DNSSEC on the new primary zone, NS1 strongly recommends removing the existing DS record from the parent zone at least 24 hours before converting the secondary zone. If NS1’s nameservers are part of the domain’s delegation (as in, the zone’s delegation), then the conversion to primary will remove all related DNSSEC records, and this will break the chain of trust. Thus, any resolver that validates DNSSEC will see any query response from the NS1 platform as invalid, potentially breaking DNS resolution. Once converted, you must add a new DS record at the domain registrar with the new DNSSEC configuration details. Refer to Enabling DNSSEC for a primary (or non-secondary) zone for details.
The request below converts an existing secondary zone to a primary zone on the NS1 platform, indicating the new network(s) on which to publish the zone and, optionally, enabling DNSSEC online signing.
curl -X POST -H "X-NSONE-Key: $NSONE_API_KEY" -d ' { "zone": "string", "networks": [ 0 ], "secondary": { "enabled": false } } ' https://api.nsone.net/v1/zones/{zoneName}
Table 3. Path parameters
{zoneName} string |
(Required) Unique name of the zone. Typically, this is the same as the zone FQDN unless a custom name was applied or the zone was associated with a DNS view during zone creation. |
Table 4. Request body parameters
zone string |
(Required) Fully-qualified domain name (FQDN) for the zone you are converting. |
networks array of integers |
One or more network IDs corresponding to the NS1 DNS networks on which you want to publish the zone. For example, NS1’s Managed DNS network ID is 0. To view a list of networks available to you and their associated IDs, run a GET request against /v1/networks. To publish the new (primary) zone to the same networks as the old (secondary) zone, omit the networks parameter from the request body completely. To publish to different networks, include the network parameter and specify the new network IDs in the array. WarningIf you include the networks parameter with an empty array, you will unpublish the zone. If you publish the zone to a new network and want to use different nameservers, then you must run a second API request after zone conversion to update the NS record manually. |
secondary object |
(Required for zone conversion) An object containing secondary zone configuration details. You must edit this object to convert the zone to primary. |
enabled boolean |
(Required for zone conversion) Indicates whether or not the zone is secondary. To convert a zone to primary, you must set this value to false. |
During zone conversion, if you published the primary zone a new DNS network and would like to assign new nameservers, you must run a second API request (after zone conversion) to update the NS records manually. Each answer (object) within an NS record specifies a nameserver to which the zone is delegated. For example, if the zone is delegated at the registrar to Managed DNS, then the NS records should point to Managed DNS nameservers.
curl -X POST -H "X-NSONE-Key: $NSONE_API_KEY" https://api.nsone.net/v1/zones/{zoneName}/{domain}/NS -d '{ "answers": [ { "answer": [ "ns1.sub.example.com" ] }, { "answer": [ "ns2.sub.example.com" ] } ] }'
Table 5. Path parameters
{zoneName} string |
(Required) Unique name of the zone. Typically, this is the same as the zone FQDN unless a custom name was applied or the zone was associated with a DNS view during zone creation. |
{domain} string |
(Required) Domain corresponding to this NS record. In this case, this is the domain for the new primary zone you just converted from secondary. |
Table 6. Request body parameters
answers array of objects |
An array containing one or more answers (objects) corresponding to this record. |
answer object |
An object representing a single answer configuration. Configuration format varies depending on the type of record you are creating. When configuring an NS record, the configuration format is a single string specifying the hostname of the DNS nameserver to serve this domain. To specify multiple nameservers, you must include multiple "answer" objects. |