If you are using multiple DNS providers, you have the option to configure NS1 to be your secondary provider—acting as a "child" to your primary DNS server. Below are some important considerations before configuring NS1 as secondary provider.
- You must have an existing primary DNS provider or server.
- Your primary server must allow AXFR queries over TCP for NS1 server IPs.
- With NS1 configured as a secondary provider, you will not be able to use the advanced features and functionality—such as Filter Chains—for record management. You must use your primary DNS provider's tools to manage zone records.
Step 1: Create the secondary zone.
Configure your primary DNS server to allow AXFR queries over TCP (and SOA queries over UDP) from 220.127.116.11.
In the NS1 portal, navigate to the Zones section, and click Add Zone.
Select Secondary Zone.
Enter the domain name and the IPv4 address (not the hostname) of your primary DNS server. If necessary, adjust the primary port setting (if not running on port 53).
- Optionally, click the checkbox next to Enable Additional Primaries. Note that if you choose to include multiple primary services, NS1 will balance AXFR queries among all servers and retry failed queries with alternative servers.
- Optionally, click the checkbox next to Enable TSIG. See below for details.
Click Save Zone.
The secondary zone is created, but in a "pending" state. It may take a few minutes for the first synchronization against your primary server. You can monitor the status of the server under the Zone Settings tab. Note: This is also where you can also update the primary IP or port, if necessary. Once all zones are synced, all records configured on your primary server will appear in the NS1 portal.
Enabling TSIG on your DNS network*
NS1 offers authentication using TSIG (transaction signature) for instances where NS1 is configured as the secondary (not primary) DNS provider. During initial configuration, you must enter:
- Type of hash selected from the dropdown menu,
- TSIG key name (or hash) for the key being created, and
- TSIG key which as a password to authenticate communication between the two DNS servers (AXFR) to transfer changes to zone records securely.
Step 2: Point DNS traffic to the NS1 servers.
After setting up the secondary zone, you must direct DNS traffic to the NS1 servers.
In the NS1 portal, navigate to the list of zones, and double-click the secondary zone you just created.
- Click the Nameservers tab, and then record the URLs listed for the NS1 servers.
Using the configuration tools provided by your primary DNS provider, add NS records to the zone for each NS1 nameserver.
Using the configuration tools provided by your domain registrar, modify the nameserver for your domain.
The zone is re-synchronized according to the refresh interval specified in the zone's SOA record. If a zone transfer fails, the zone enters a "warning" state. NS1 will continue attempts to complete the zone transfer based on the re-try interval defined in your SOA record until it succeeds or the expiry timeout is exceeded. If the process exceeds the expiry timeout before NS1 is able to to re-synchronize your zone, the zone enters an "error" state and the NS1 server will no longer answer queries for the zone.