Secondary DNS enables a DNS server or service to pull records from another DNS server and keep them up to date using the DNS zone transfer protocol. Typically, this transaction occurs via one of the following industry-standard mechanisms:
- Authoritative transfer (AXFR), which copies the full zone
- Incremental transfer (IXFR), which copies only the parts that have changed
DNSSEC is supported on zone transfers from the primary zone (hosted elsewhere) to the secondary zone (hosted by NS1) in which an NSEC or NSEC3 record is used for proof of non-existence.
Changes to DNS records (such as changing the IP for a domain name) can only be done on a primary server, which can then update secondary DNS servers. See our FAQ for more information on secondary zones.
If using multiple DNS providers, you can configure NS1 as your secondary provider. Before doing so, consider the following:
- You must have an existing primary DNS provider or server.
- The primary server must allow AXFR queries over TCP for NS1 AXFR server IP addresses.
- With NS1 configured as a secondary provider, you cannot use NS1's advanced functionality, such as Filter Chain, for record management.
- Any changes to the zone must be done at your primary DNS provider/server.
- DNS zone transfer protocol (AXFR/IXFR) only supports standard zone configuration and record types. Any non-standard functionality provided by the primary DNS provider cannot be transferred to secondary servers.
Follow the instructions below to create a secondary zone.
Step 1: Create the secondary zone.
- Configure your primary DNS server to allow AXFR queries over TCP (and SOA queries over UDP) from 22.214.171.124.
- Log in to the NS1 portal (via https://my.nsone.net), click DNS in the main navigation, and select the Zones sub-menu to view a list of all DNS zones associated with your account.
- Click the "+" button on the right side of the screen to reveal the Add Zone menu and create a new zone.
- Enter a valid domain name (FQDN).
- Optionally, you can associate this zone with an existing DNS view to define which client can query this zone based on the access control list (ACL).
- Select the network(s) with which you want to associate this secondary zone.
- Under Zone Settings, select Secondary Zone. Available zone settings fields differ based on the checkbox you select.
Ensure your primary DNS server is set to allow AXFR queries from NS1’s AXFR server. For Managed DNS networks, this is 126.96.36.199.
- Enter the Primary IP associated with this secondary zone and adjust the Primary Port if not 53.
- Optionally, select the Enable Additional Primaries checkbox and enter any additional IP and ports you would like to associate with this secondary zone.
If you list additional primary servers, NS1 will balance zone transfers among all servers and retry failed queries with another server.
- Optionally, select the Enable TSIG checkbox. If enabled, you must select the TSIG hash, enter the name of the TSIG key, and enter the TSIG key. The key is a shared secret used to authenticate communication between primary and secondary servers using AXFR/IXFR protocols.
The key name and value must be the same on the primary and secondary nameservers for TSIG-authenticated zone transfers to occur.
- Click the Save Zone button when finished.
The secondary zone is created in a "pending" state. It may take a few minutes for the first synchronization against your primary server to complete. You can monitor the status of the zone under the Zone Settings tab, where you can also edit settings such as a secondary zone's primary IP or port. Once the zone is synced, all records configured on your primary server will appear in the NS1 portal.
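The TSIG step above fails most often because the two sides disagree on the key name, the algorithm, or the secret itself. The following is an added example (it is not NS1's code and uses no NS1 API): it generates a TSIG secret of the right length for a chosen HMAC algorithm, checks that a primary-side and a secondary-side key definition really match (key and algorithm names are DNS names, so case and a trailing dot do not matter; the secret is compared as decoded bytes), and renders the corresponding BIND `key` and `allow-transfer` statements for the primary. The zone name, the key name `ns1-xfr` and the `<NS1_AXFR_IP>` placeholder are assumptions; substitute the AXFR server address NS1 gives you.

```python
"""Added example (not NS1's code): generate and cross-check a TSIG key for
authenticated zone transfers. Key name 'ns1-xfr', the zone name and the
<NS1_AXFR_IP> placeholder are assumptions, not values from NS1."""
import base64
import secrets

# Secret length in bytes per HMAC algorithm (matches the hash output size).
TSIG_KEY_BYTES = {
    "hmac-md5": 16,
    "hmac-sha1": 20,
    "hmac-sha256": 32,
    "hmac-sha512": 64,
}


def normalize_name(name: str) -> str:
    """TSIG key and algorithm names are DNS names: compare case-insensitively
    and ignore an optional trailing dot."""
    return name.strip().rstrip(".").lower()


def secret_length(secret_b64: str) -> int:
    """Decoded length of a base64 TSIG secret, or -1 if it is not valid base64."""
    try:
        return len(base64.b64decode(secret_b64.strip(), validate=True))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return -1


def generate_tsig_key(algorithm: str = "hmac-sha256", name: str = "ns1-xfr") -> dict:
    """Produce a key definition with a fresh random secret of the recommended size."""
    alg = normalize_name(algorithm)
    if alg not in TSIG_KEY_BYTES:
        raise ValueError(f"unsupported TSIG algorithm: {algorithm}")
    raw = secrets.token_bytes(TSIG_KEY_BYTES[alg])
    return {"name": name, "algorithm": alg, "secret": base64.b64encode(raw).decode()}


def tsig_configs_match(primary: dict, secondary: dict) -> bool:
    """True only if name, algorithm and the decoded secret agree on both sides.
    Comparing decoded bytes means whitespace/padding differences are harmless,
    while a single wrong character in the secret is caught."""
    if normalize_name(primary["name"]) != normalize_name(secondary["name"]):
        return False
    if normalize_name(primary["algorithm"]) != normalize_name(secondary["algorithm"]):
        return False
    if secret_length(primary["secret"]) < 0 or secret_length(secondary["secret"]) < 0:
        return False
    p = base64.b64decode(primary["secret"].strip())
    s = base64.b64decode(secondary["secret"].strip())
    return secrets.compare_digest(p, s)


def key_is_strong_enough(key: dict) -> bool:
    """Reject secrets shorter than the algorithm's hash output (weak or truncated keys)."""
    return secret_length(key["secret"]) >= TSIG_KEY_BYTES[normalize_name(key["algorithm"])]


def render_bind_primary_config(zone: str, key: dict, secondary_ip: str) -> str:
    """BIND named.conf fragment for the primary: define the key and restrict
    transfers of the zone to requests signed with it (IP-based ACLs alone are
    spoofable; the key is what actually authenticates the transfer)."""
    return (
        f'key "{key["name"]}" {{\n'
        f'    algorithm {key["algorithm"]};\n'
        f'    secret "{key["secret"]}";\n'
        "};\n"
        f'zone "{zone}" {{\n'
        "    type primary;\n"
        f'    file "{zone}.zone";\n'
        f'    allow-transfer {{ key {key["name"]}; }};\n'
        f"    also-notify {{ {secondary_ip}; }};\n"
        "};\n"
    )


if __name__ == "__main__":
    key = generate_tsig_key("hmac-sha256")
    # What you would paste into the NS1 portal: TSIG hash, key name, key value.
    print("portal fields:", key["algorithm"], key["name"], key["secret"])
    print(render_bind_primary_config("example.com", key, "<NS1_AXFR_IP>"))
```

Running the script prints the three values the portal asks for and the matching BIND fragment; `tsig_configs_match` is the check to run against both sides' definitions before expecting the first transfer to succeed.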
Step 2: Point DNS traffic to the NS1 servers.
After setting up the secondary zone, you can direct DNS queries for that zone to the NS1 servers.
- In the NS1 portal, navigate to the list of zones, and double-click the secondary zone you just created.
- Click the Nameservers tab, and then record the hostnames listed for the NS1 servers.
- Using the configuration tools provided by your primary DNS provider, add NS records to the zone for each NS1 nameserver.
- Using the configuration tools provided by your domain registrar, update the nameservers (NS delegation) for your domain.
The zone is re-synchronized according to the refresh interval specified in the zone's SOA record. If a zone transfer fails, the zone enters a "warning" state. NS1 will attempt to complete the zone transfer based on the retry interval specified in the SOA record until it succeeds or the expiry timeout is exceeded. If the process exceeds the expiry timeout before NS1 can re-synchronize your zone, the zone enters an "error" state, and the NS1 server will respond with zone data related to the last successful transfer.