If using multiple DNS providers, you can configure NS1 as your secondary provider. When configuring NS1 as your secondary DNS provider, consider the following:
- You must have an existing primary DNS provider or server.
- The primary server must allow AXFR queries over TCP for NS1 server IP addresses.
- With NS1 configured as a secondary provider, you cannot use NS1's advanced functionality, such as Filter Chains, for record management. You must use your primary DNS provider's tools to manage zone records.
The NS1 Connect platform supports DNSSEC-signed secondary zones over XFR. If you have not yet been migrated to the NS1 Connect platform and wish to utilize this feature, please contact NS1 support.
Step 1: Create the secondary zone.
- Configure your primary DNS server to allow AXFR queries over TCP (and SOA queries over UDP) from 220.127.116.11.
- Log in to the NS1 portal (via https://my.nsone.net).
- Click DNS in the main navigation to view a list of all DNS zones associated with your account.
- To add a new zone, click the "+" button on the right side of the screen.
- Select Secondary Zone.
- Enter the domain name and the IPv4 address (not the hostname) of your primary DNS server. If the primary server is not running on port 53, adjust the primary port setting.
- Optionally, click the checkbox next to Enable Additional Primaries. If you choose to include multiple primary services, note that NS1 will balance AXFR queries among all servers and retry failed queries with alternative servers.
- Optionally, click the checkbox next to Enable TSIG. See below for details.
- Click Save Zone.
The secondary zone is created in a "pending" state. It may take a few minutes for the first synchronization against your primary server. You can monitor the status of the server under the Zone Settings tab. Note: This is also where you can update the primary IP or port, if necessary. Once all zones are synced, all records configured on your primary server will appear in the NS1 portal.
Enabling TSIG on your DNS network
NS1 offers authentication using TSIG (transaction signature) for instances where NS1 is configured as the secondary (not primary) DNS provider. During initial configuration, you must enter:
- Type of hash, selected from the dropdown menu
- TSIG key name (or hash)
- TSIG key
Note: The TSIG key is a password used to authenticate communication between DNS servers (AXFR) so that changes to zone records are transferred securely.
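The primary-side counterpart of the AXFR and TSIG settings above, as an added example that is not NS1's own configuration: it assumes the primary is a BIND 9 server and that HMAC-SHA256 is the hash type chosen in the portal. The zone name, file path, key name and secret are constructed placeholders; the IP address is the one given in Step 1.

```conf
// named.conf on the primary (BIND 9 assumed; releases before 9.16 spell
// "type primary" as "type master").
// Constructed values: zone example.com, key name ns1-xfer, placeholder secret.

// Weak setting, shown for contrast: any host that can reach TCP/53 on the
// primary can download the entire zone.
//
// zone "example.com" {
//     type primary;
//     file "/etc/bind/zones/example.com.db";
//     allow-transfer { any; };
// };

// Shared TSIG key. The hash type, key name and key entered in the NS1
// portal must match these three values exactly.
key "ns1-xfer" {
    algorithm hmac-sha256;
    // Placeholder. Generate a real one with: tsig-keygen -a hmac-sha256 ns1-xfer
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "example.com" {
    type primary;
    file "/etc/bind/zones/example.com.db";

    // Corrected setting: require BOTH the NS1 source address and a valid
    // TSIG signature. The nested negated ACL rejects every address except
    // 220.127.116.11, then falls through to the key check.
    allow-transfer { !{ !220.127.116.11; any; }; key "ns1-xfer"; };
};
```

Keep the file that holds the secret readable only by the name server's user, since anyone who has the key can sign transfer requests.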
Step 2: Point DNS traffic to the NS1 servers.
After setting up the secondary zone, you must direct DNS traffic to the NS1 servers.
- In the NS1 portal, navigate to the list of zones, and double-click the secondary zone you just created.
- Click the Nameservers tab, and then record the URLs listed for the NS1 servers.
- Using the configuration tools provided by your primary DNS provider, add NS records to the zone for each NS1 nameserver.
- Using the configuration tools provided by your domain registrar, modify the nameserver for your domain.
The zone is re-synchronized according to the refresh interval specified in the zone's SOA record. If a zone transfer fails, the zone enters a "warning" state. NS1 will attempt to complete the zone transfer based on the retry interval specified in the SOA record until it succeeds or the expiry timeout is exceeded. If the process exceeds the expiry timeout before NS1 can re-synchronize your zone, the zone enters an "error" state, and the NS1 server will no longer answer queries for the zone.