You can configure outgoing zone transfers from primary or secondary zones hosted by NS1 to secondary IPs hosted by third-party DNS providers. Typically, zone transfers occur upon changes to zone data or in response to the secondary's periodic SOA refresh request. NS1 supports outgoing zone transfers via AXFR.
When changes are made to the primary zone, NS1 sends a DNS notification (NOTIFY) to each configured secondary server. In response, the secondary queries NS1 for the zone's SOA record and, if the serial has increased, requests the zone with an AXFR query; NS1 then transfers the new zone data to the requesting secondary. NOTIFY messages are optional, and NS1 disables them automatically in some configurations (for example, when a secondary is specified as a subnet rather than a single IP, or when the selected NOTIFY network is one the zone is not published on). If NOTIFY is disabled, the transfer does not occur until the secondary's next SOA refresh query, whose timing is governed by the zone's SOA refresh interval.
It is important to understand that certain NS1 functionality, such as ALIAS records, answer metadata, and Filter Chain™ configurations, is NS1-specific and is not supported by third-party DNS providers; it is not included in the zone data transferred to secondary servers.
Note that you can also enable outgoing transfers from secondary zones hosted by NS1 to other secondary IPs (hosted externally). This type of configuration can create redundancy in public DNS by using a "hidden primary" configuration whereby the source of truth doesn't serve public traffic directly. Instead, the zone data is copied to the secondary zone hosted by NS1 which acts as a primary to the specified secondary IP(s).
This article overviews the process for enabling outgoing zone transfers on a primary or secondary zone including the option to enable DNS notifications (i.e., NOTIFYs) upon changes to the zone data and enabling TSIG authentication for the outbound NOTIFY messages. You can do this via the NS1 portal or API.
Follow the steps below to enable outgoing zone transfers on a primary or secondary zone using the NS1 portal. Alternatively, you can do this via API.
1. Log into the NS1 portal and navigate to DNS > Zones.
2. From the list of zones, locate the zone on which you want to enable outgoing zone transfers and click its name to view the zone details.
3. Click the Zone transfers tab, then click the toggle next to Allow outgoing transfers.
4. Click Add another IP address.
5. Enter the Secondary IP address, that is, the IP address of the server hosting the secondary zone. Optionally, you can enter a subnet in CIDR notation (e.g., 192.0.2.0/24) to allow NS1 to accept SOA/AXFR requests from any address within that subnet. Note that if you do this, NOTIFYs are automatically disabled for that entry, and every host in the subnet is able to pull the zone, because AXFR requests are authorized by source address alone. To keep NOTIFYs, and a tighter allow list, add each secondary IP address individually.
6. Optionally, select the checkbox next to Notify on change to enable DNS notifications (NOTIFY messages) from NS1 when there are changes to the primary zone.
   In response, the secondary server sends an SOA/AXFR query to NS1 requesting the new zone data. If you leave this option disabled, the zone transfer occurs in response to the secondary's next SOA refresh query, whose frequency is set by the SOA refresh interval.
   If you enable notifications, complete the following additional fields:
   - Port - Enter the inbound port on which the secondary server accepts NOTIFY messages from NS1. The default is 53. You might need to change this if, for example, your security team has blocked inbound traffic to port 53 or you prefer to use a different port.
   - Network - Select the NS1 network from which the NOTIFY should originate. Upon changes to the zone, this network sends a NOTIFY to the secondary IP.
     Note: You must select a network on which the corresponding NS1 zone is published; otherwise, NOTIFYs are disabled. You can select a network on which you plan to publish the zone, in which case NOTIFYs are re-enabled automatically once the zone is published to that network.
7. If you enable notifications, you also have the option to enable Notify with TSIG, which signs the NOTIFY messages with a TSIG key. If you select this option, you must also specify the following:
   - TSIG hash - The HMAC algorithm used to sign the NOTIFY (for example, hmac-sha256). The key itself is a shared secret; the algorithm only determines how the signature is computed.
   - TSIG key name - Name of the TSIG key, in domain-name syntax.
   - TSIG key value - The base64 string encoding the shared key secret.
   Note: The secondary must be configured with the same key name, algorithm, and secret, or it cannot verify the signed NOTIFY. The "Notify with TSIG" option enables TSIG authentication for the NOTIFY message only. It does not enable TSIG authentication for the actual zone transfer from NS1, which remains authorized solely by the secondary IP list.
8. Click Save. Repeat this process as needed by clicking + Add another IP address and specifying additional secondary IP addresses or subnets to which NS1 should transfer the zone.
9. After adding all of the secondary IPs to the list, click Save zone transfers.
Execute one of the commands below to enable outgoing zone transfers on an existing zone to one or more secondary IP addresses.
Example 4. Enable outgoing zone transfers (without NOTIFYs)
curl -X POST \
  -H "X-NSONE-Key: $NSONE_API_KEY" \
  -d '{
    "primary": {
      "enabled": true,
      "secondaries": [
        { "ip": "<secondary_IP>", "notify": false }
      ]
    }
  }' \
  https://api.nsone.net/v1/zones/<zone_name>
Example 5. Enable outgoing zone transfers with NOTIFYs enabled
curl -X POST \
  -H "X-NSONE-Key: $NSONE_API_KEY" \
  -d '{
    "primary": {
      "enabled": true,
      "secondaries": [
        {
          "ip": "<secondary_IP>",
          "notify": true,
          "port": <secondary_port>,
          "network": 0
        }
      ]
    }
  }' \
  https://api.nsone.net/v1/zones/<zone_name>
Example 6. Enable outgoing zone transfers with NOTIFYs with TSIG enabled
curl -X POST \
  -H "X-NSONE-Key: $NSONE_API_KEY" \
  -d '{
    "primary": {
      "enabled": true,
      "secondaries": [
        {
          "ip": "<secondary_IP>",
          "notify": true,
          "port": <secondary_port>,
          "network": 0,
          "tsig": {
            "enabled": true,
            "hash": "<tsig_hash>",
            "name": "<tsig_name>",
            "key": "<tsig_key>"
          }
        }
      ]
    }
  }' \
  https://api.nsone.net/v1/zones/<zone_name>
Path parameters:

| Parameter | Type | Description |
|---|---|---|
| zone_name | string | (Required) Unique name of the zone for which you are enabling outgoing zone transfers. In most cases, this is the same as the zone FQDN. |

Request body parameters:

| Parameter | Type | Description |
|---|---|---|
| primary | object | (Required for enabling zone transfers) An object containing all secondary IP configurations corresponding to this primary zone. |
| primary.enabled | boolean | (Required for enabling zone transfers) Set to true to indicate that this zone is a primary zone with one or more secondaries. |
| primary.secondaries | array of objects | (Required for enabling zone transfers) An array of objects containing details about each secondary IP. |
| primary.secondaries[].ip | string | (Required for enabling zone transfers) IP address of a secondary DNS server. You can also enter a subnet in CIDR notation, but doing so automatically disables NOTIFYs for that entry and allows any address in the subnet to request an AXFR of the zone. |
| primary.secondaries[].notify | boolean | Whether to send DNS notifications (NOTIFYs) to the secondary IP upon changes to the primary zone data. Default is false. |
| primary.secondaries[].network | integer | The unique ID of the NS1 network from which to send the NOTIFY message (0 in the examples above). The network ID must match a network to which the primary zone is published; otherwise, NOTIFYs are not sent. |
| primary.secondaries[].port | integer | Inbound port on the secondary IP configured to receive NOTIFY messages from NS1. Default is 53. |
| primary.secondaries[].tsig | object | TSIG authentication details for the NOTIFY message. TSIG applies to the NOTIFY only; the zone transfer itself is not TSIG-signed. |
| primary.secondaries[].tsig.enabled | boolean | Whether the NOTIFY message is sent with a TSIG signature. Default is false. If set to true, you must also include the three parameters below. |
| primary.secondaries[].tsig.hash | string | The HMAC algorithm used to sign the NOTIFY. NS1 accepts hmac-md5, hmac-sha1, hmac-sha256, hmac-sha384, and hmac-sha512. Prefer hmac-sha256 or stronger when the secondary supports it; hmac-md5 and hmac-sha1 are retained for compatibility with older secondaries. |
| primary.secondaries[].tsig.name | string | Name of the TSIG key, in domain-name syntax. It must match the key name configured on the secondary. |
| primary.secondaries[].tsig.key | string | The base64 string encoding the shared key secret. |
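The rules above (a subnet entry disables NOTIFY and widens who may pull the zone, the NOTIFY network must be one the zone is published on, the TSIG fields are required together and sign only the NOTIFY) are easy to get wrong in a script that manages many zones. The following Python is an added example written for this article, not NS1 SDK code: it builds the request body used in Examples 4 to 6 with those rules applied, and audits a zone object for the same conditions. It assumes the zone object returned by GET /v1/zones/<zone_name> carries a "networks" list alongside "primary"; the sample zone is constructed for illustration.

```python
"""
Build and audit the "primary" object that POST /v1/zones/<zone_name> expects for
outgoing zone transfers, applying the rules described on this page:

  * a secondary given as a CIDR subnet cannot receive NOTIFYs, and every address
    in that subnet may request an AXFR (transfers are authorized by source IP);
  * NOTIFYs are only sent from a network the zone is published on;
  * tsig.enabled requires hash, name and key, and the hash must be one NS1 accepts;
  * TSIG covers the NOTIFY only, never the AXFR itself.

Added example, not NS1 SDK code. The "networks" list on the zone object is an
assumption about the GET response; the sample zone below is constructed.
"""
import ipaddress
import json
from typing import Dict, List, Optional

SUPPORTED_HASHES = {"hmac-md5", "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
LEGACY_HASHES = {"hmac-md5", "hmac-sha1"}  # accepted by NS1, but prefer hmac-sha256 or stronger


def is_subnet(ip_or_cidr: str) -> bool:
    """True for a CIDR block covering more than one address (a /32 or /128 is a single host)."""
    return ipaddress.ip_network(ip_or_cidr, strict=False).num_addresses > 1


def secondary(ip: str, notify: bool = False, network: int = 0, port: int = 53,
              tsig: Optional[Dict[str, str]] = None) -> dict:
    """One entry for primary.secondaries, shaped like Examples 4 to 6 above."""
    if is_subnet(ip):
        notify = False  # NS1 disables NOTIFY for subnet entries; mirror that here
    entry = {"ip": ip, "notify": notify}
    if notify:
        entry["port"] = port
        entry["network"] = network
        if tsig:  # tsig = {"hash": ..., "name": ..., "key": ...}
            entry["tsig"] = {"enabled": True, **tsig}
    return entry


def primary_payload(secondaries: List[dict]) -> dict:
    """Request body for enabling outgoing transfers to the given secondaries."""
    return {"primary": {"enabled": True, "secondaries": secondaries}}


def audit(zone: dict) -> List[str]:
    """Findings for a zone object; assumes it carries the list of networks it is published on."""
    findings: List[str] = []
    published = set(zone.get("networks", []))
    primary = zone.get("primary") or {}
    if not primary.get("enabled"):
        return findings
    for s in primary.get("secondaries", []):
        ip = s["ip"]
        if is_subnet(ip):
            hosts = ipaddress.ip_network(ip, strict=False).num_addresses
            findings.append(f"{ip}: subnet entry, any of {hosts} addresses may AXFR the zone; NOTIFY is disabled")
            continue
        if not s.get("notify"):
            continue
        if s.get("network") not in published:
            findings.append(f"{ip}: notify=true but network {s.get('network')} is not one the zone is "
                            f"published on {sorted(published)}; NOTIFYs will not be sent")
        tsig = s.get("tsig") or {}
        if not tsig.get("enabled"):
            findings.append(f"{ip}: NOTIFY is unsigned; the secondary cannot authenticate its source")
            continue
        missing = [k for k in ("hash", "name", "key") if not tsig.get(k)]
        if missing:
            findings.append(f"{ip}: tsig.enabled=true but {', '.join(missing)} missing")
        algo = tsig.get("hash")
        if algo and algo not in SUPPORTED_HASHES:
            findings.append(f"{ip}: TSIG hash {algo} is not one NS1 supports")
        elif algo in LEGACY_HASHES:
            findings.append(f"{ip}: legacy TSIG hash {algo}; prefer hmac-sha256 or stronger")
    if primary.get("secondaries"):
        findings.append("AXFR to every listed secondary is authorized by source IP alone; "
                        "TSIG, where set, signs only the NOTIFY")
    return findings


# Constructed sample zone object for the audit; not real data.
SAMPLE_ZONE = {
    "zone": "example.com",
    "networks": [0],
    "primary": {
        "enabled": True,
        "secondaries": [
            {"ip": "192.0.2.10", "notify": True, "port": 53, "network": 0,
             "tsig": {"enabled": True, "hash": "hmac-sha256", "name": "ns1-notify.", "key": "c2VjcmV0"}},
            {"ip": "198.51.100.0/24", "notify": False},
            {"ip": "203.0.113.7", "notify": True, "port": 5353, "network": 1,
             "tsig": {"enabled": True, "hash": "hmac-md5", "name": "legacy.", "key": "c2VjcmV0"}},
        ],
    },
}

if __name__ == "__main__":
    body = primary_payload([
        secondary("192.0.2.10", notify=True,
                  tsig={"hash": "hmac-sha256", "name": "ns1-notify.", "key": "c2VjcmV0"}),
        secondary("198.51.100.0/24", notify=True),  # notify is forced off for the subnet
    ])
    print(json.dumps(body, indent=2))  # usable as the -d body of the curl examples above
    for line in audit(SAMPLE_ZONE):
        print("finding:", line)
```

Run against the constructed zone, the audit is silent for 192.0.2.10 (published network, complete TSIG, hmac-sha256), flags the /24 entry, flags 203.0.113.7 twice (unpublished network, legacy hash), and closes with the reminder that TSIG never covers the AXFR. Feeding it the JSON of a real zone fetched with the same API key gives the same checks before and after a change.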