Primary and secondary zones
NS1 Connect supports two types of DNS zones: primary and secondary. Your choice depends on your DNS provider architecture and whether you need to synchronize zone data across multiple providers.
Primary zone
A primary zone (or non-secondary zone) contains the original zone file, including all of the DNS records corresponding to the fully qualified domain name (FQDN) and any subdomains contained within the zone. When you create a primary zone in NS1 Connect, you can leverage NS1 Connect's advanced traffic steering capabilities, including the Filter Chain, and take full advantage of resource management tools, like zone versioning and monitoring.
If NS1 Connect is your only DNS provider, you will likely only need to create primary (or non-secondary) zones. If you are using multiple DNS providers, you can create a primary zone and configure outgoing zone transfers from the primary zone hosted on NS1 Connect to your secondary name server(s).
Secondary zones
A secondary zone maintains a read-only copy of zone data that is synchronized from one or more primary name servers. Zone data transfers occur either at regular intervals based on the SOA refresh value or immediately when the primary server sends a notification. When you create a secondary zone in NS1 Connect, you specify the primary name servers that will transfer zone data to the Managed DNS network.
Zone transfers
NS1 Connect supports two types of incoming zone transfers from a primary name server:
- Authoritative transfers (AXFR), which include the entire zone file.
  AXFR does not support the transfer of advanced configurations, including features such as failover and GeoIP routing from your primary provider.
- Incremental transfers (IXFR), which include only new or modified zone data.
A secondary zone receives updates from the primary name server based on the zone's start of authority (SOA) refresh value or when the primary name server sends a NOTIFY message. The SOA refresh interval determines the amount of time between each request from secondary name servers for updated zone data. If the SOA refresh interval is set to 43200 seconds, then the secondary zone requests new data from the primary name server every 12 hours. If the serial number of the SOA record on the primary name server has changed, NS1 Connect updates the secondary zone data.
If the primary name server sends NOTIFY messages to the secondary name server when the zone data changes, NS1 Connect requests new zone data immediately instead of waiting for the end of the current SOA refresh interval.
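The following is an added example, not NS1 Connect code: a monitoring check that compares the SOA records returned by the primary and the secondary and flags a secondary copy that is still behind after a full refresh interval. It assumes the standard RFC 1982 serial comparison and SOA RDATA in the form `dig +short SOA` prints; the function names, status strings, and sample records are constructed for illustration.

```python
from dataclasses import dataclass

MOD = 2**32  # SOA serials are unsigned 32-bit values

@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA in presentation format (the form `dig +short SOA` prints)."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    nums = [int(f) for f in fields[2:]]
    if any(not 0 <= n < MOD for n in nums):
        raise ValueError("SOA numeric field outside 32-bit range")
    return SOA(fields[0], fields[1], *nums)

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is newer than b, allowing wraparound."""
    return 0 < (a - b) % MOD < MOD // 2

def check_secondary(primary: SOA, secondary: SOA, seconds_since_change: int) -> str:
    """Classify the secondary's copy relative to the primary's SOA."""
    if primary.serial == secondary.serial:
        return "in-sync"
    if not serial_newer(primary.serial, secondary.serial):
        # By RFC 1982 rules the primary does not look newer, so a standard
        # secondary would not transfer. NS1 Connect's handling is not stated on the page.
        return "primary-serial-not-newer"
    if seconds_since_change <= secondary.refresh:
        return "pending"  # the next refresh poll (or a NOTIFY) should pick it up
    return "stale"        # a full refresh interval passed without an update

# Constructed sample data, not output from a real zone.
PRIMARY = parse_soa("ns1.example.com. hostmaster.example.com. 2024010102 43200 7200 1209600 3600")
SECONDARY = parse_soa("ns1.example.com. hostmaster.example.com. 2024010101 43200 7200 1209600 3600")

if __name__ == "__main__":
    for lag in (3600, 50000):
        print(lag, check_secondary(PRIMARY, SECONDARY, lag))
```

A "primary-serial-not-newer" result usually means the serial was lowered or reset on the primary, which is worth investigating because a secondary following the standard comparison would keep serving the old data.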
If the zone from the primary name server is signed, then NS1 Connect answers queries with the correct Domain Name System Security Extensions (DNSSEC) information.
Zone transfer alerts
To be informed of issues that might occur when DNS data is transferred from the primary name server to the secondary name server, you can create alerts for zones.
Secondary zone capabilities
Because secondary zones maintain read-only copies of primary zone data, configuration options are limited compared to primary zones. The following capabilities are available:
- Publishing to multiple NS1 Connect DNS networks
- Multiple primary servers for redundancy
- TSIG authentication for secure zone transfers and message verification
- ALIAS records at the zone apex for CNAME-like functionality
- Outgoing zone transfers to other secondary providers for hidden primary configurations, where the authoritative source does not serve public traffic directly
- Conversion from secondary to primary zone
Secondary zone limitations
Secondary zones have the following restrictions:
- Record-level changes must be made at the primary DNS provider, except for ALIAS records, which can be added to the zone apex in NS1 Connect.
- Advanced traffic steering features, such as the Filter Chain, are not available.
- NS1 Connect-specific features, including ALIAS records, are not included in outgoing zone transfers to third-party providers.
Zone transfer considerations
Record limits: Zone transfers may fail if the incoming zone file exceeds your plan's record limit. To resolve this, either delete existing records to free up capacity or upgrade your plan to accommodate more records.
Zone file size limits: Although most zone transfers use TCP to handle large zone files, NS1 Connect enforces soft limits to protect against malicious imports of excessively large zone files.