Introducing redundancy to your infrastructure — leveraging multiple DNS providers — prevents a situation in which you have a single point of failure. You can deploy primary or secondary zone configurations to NS1 networks in conjunction with other DNS providers. This article answers common FAQs related to the creation and management of secondary zones.
For step-by-step instructions on how to set up a secondary zone in NS1, refer to the following article: Configuring NS1 as a secondary provider.
By default, when creating a secondary zone, the NS1 Managed DNS network option is enabled.
There are a few reasons why your secondary zones transfer (AXFR) may fail:
A common reason is forgetting to add our XFR node (192.135.223.10) to your primary DNS provider's allow list (i.e., whitelist). If you do not do this, all SOA lookups from our XFR node will fail, even if the primary IP provided is correct.
Another reason is due to the record limitations defined in your subscription plan. The transfer will fail if the number of records a zone file contains surpasses the total number of records permitted in your current plan. You can delete existing records to create space for the secondary zone or contact support@ns1.com to request a limit increase.
Will intelligent routing configurations at my primary DNS provider transfer over to my NS1 secondary zone?
AXFR does not support the transfer of advanced configurations — including features such as failover and GeoIP routing from your primary provider. While these features are available for primary zone configuration, any Filter Chain configurations, answer metadata, and other details are removed when transferring between secondary zones.
Once configured, you cannot make record-level changes to secondary zones except for ALIAS records which can be added to the apex of a secondary zone hosted by NS1. ALIAS records provide CNAME-like functionality at the zone apex. All other changes must be made through the primary DNS provider after which the zone data is transferred to the NS1 platform via AXFR.
Note
Refer to this article to learn more about ALIAS records on the NS1 platform.
The zone's serial number is updated with any changes made to the zone. When NOTIFY is enabled, all "allowed" (i.e., whitelisted) secondary zones are notified and request the most recent zone file via AXFR. If NOTIFY is not configured, secondary zones will poll the primary zone for the most recent zone file based on the defined SOA refresh interval setting.
Yes. You can convert a secondary zone to a primary zone via the NS1 portal or API. Refer to this article for instructions to do so in the NS1 portal.
To convert a secondary zone to a primary zone via API, run the following cURL request, replacing example.com with your domain:
curl -X POST -H 'X-NSONE-Key: $NSONE_API_KEY' https://api.nsone.net/v1/zones/example.com -d '{"secondary":{"enabled":false}}'
Note
To complete the conversion, you must also update the delegation at the domain registrar.
Note
You cannot convert a zone from primary to secondary.
While most zone transfers are done over TCP (to accommodate larger zone files), protections and soft limits are still in place to prevent malicious users from importing a zone file with hundreds of thousands of records.
For outgoing zone transfers, NS1 supports TSIG-signed notifications (NOTIFYs), not TSIG authentication on the actual zone transfer.
Why am I getting a “superfluous name server listed at parent” error when running third-party zone consistency checks?
Verify that you have correctly added the NS1 nameservers to the zone file at the primary DNS provider. The primary and secondary nameservers should be included in the zone file and at the zone's registrar to ensure traffic is distributed according to your use case. For example, your zone should contain
-
NS records for your primary provider, dns1.exmpl.prim.net, dns2.exmpl.prim.net, dns3.exmpl.prim.net, dns4.expl.prim.net,
-
as well as NS records from the secondary provider, dns1.pxx.nsone.net, dns2.pxx.nsone.net, dns3.pxx.nsone.net, dns4.pxx.nsone.net.
Update your registrar with the full list of nameservers, if applicable.