If you have multiple DNS providers and want to configure IBM® NS1 Connect® authoritative name servers as secondary, you can create a secondary zone in NS1 Connect.
Before you begin
These instructions assume that you have created the primary zone on your primary DNS provider, and that the primary name servers are configured to receive incoming authoritative transfers (AXFR) requests from NS1 Connect. Refer to Configuring NS1 Connect as a secondary DNS provider for details on the full configuration process when using multiple DNS providers with NS1 Connect as the secondary.
About this task
Secondary zones contain a read-only copy of the zone data that is kept up to date by recurring zone transfers from the primary name servers to NS1 Connect. When a secondary zone receives updates depends on the start of authority (SOA) refresh interval set for the primary zone, or on when the primary server sends a NOTIFY message. Changes to the zone data are typically transferred from the primary name server to the secondary name server when the SOA refresh interval expires. For example, if the SOA refresh interval is set to 43200 seconds, the secondary zone requests new data from the primary name server every 12 hours. If the zone data needs to be updated more quickly, the primary name server sends a NOTIFY message to the secondary name server when a change is made to the primary zone. In this way, the zone transfer can occur immediately, without waiting for the SOA refresh interval to expire.
In some cases, primary name servers are configured to only send NOTIFY messages and do not transfer zone data. In those cases, when you create a secondary zone in NS1 Connect, you must identify that the primary name server sends NOTIFY messages only. As a result, NS1 Connect doesn't request a zone transfer from those primary name servers when they send a NOTIFY message. Instead, NS1 Connect requests a zone transfer from the other primary name servers.
Primary name servers can send NOTIFY-only messages through a block of IPv4 addresses using Classless Inter-Domain Routing (CIDR). For example, the primary DNS provider might use network address translation (NAT) where outbound traffic is assigned a temporary IPv4 address. When you create the secondary zone in NS1 Connect, you must enter the CIDR prefix to represent the range of IPv4 addresses. In this way, NS1 Connect doesn't request a zone transfer from the primary name servers when they send a NOTIFY message from any of the IPv4 addresses in the CIDR block.
To enhance security in the secondary zone transfer, you can set the transaction signature (TSIG) to authenticate incoming zone transfers. You can further set TSIG to verify messages and responses from primary name servers.
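The following Python model, added here as an illustration and not part of NS1 Connect or this page, shows the two decisions described above: whether a NOTIFY from a given source address falls inside a configured notify-only CIDR block (so no AXFR/IXFR is sent to that sender), and whether a message carries a valid TSIG under a configured key name, hash algorithm and Base64 key value. The TSIG computation is deliberately simplified (it is not the RFC wire format), and all addresses, key names and secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed sample settings mirroring the fields on this page (not real NS1 Connect data).
NOTIFY_ONLY_SERVERS = [ipaddress.ip_network(c) for c in ("203.0.113.0/28", "198.51.100.7/32")]
# TSIG key name -> (TSIG hash algorithm, Base64 key value); the secret is a constructed sample.
TSIG_KEYS = {"ns1-xfer.example.": ("hmac-sha256", base64.b64encode(b"sample-shared-secret").decode())}
DIGESTS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}
FUDGE_SECONDS = 300  # tolerated clock skew between signer and verifier


def action_on_notify(source_ip: str) -> str:
    """What the secondary does with a NOTIFY from source_ip (notify-only check first)."""
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in NOTIFY_ONLY_SERVERS):
        return "transfer-from-other-primaries"  # no AXFR/IXFR to the notify-only sender
    return "transfer-from-sender"


def _mac(message: bytes, key_name: str, algorithm: str, time_signed: int, secret_b64: str) -> bytes:
    # Simplified TSIG: the MAC covers the message plus the key name, algorithm and timestamp,
    # so any mismatch in name, algorithm, secret or time invalidates the signature.
    variables = f"{key_name.lower()}|{algorithm}|{time_signed}".encode()
    return hmac.new(base64.b64decode(secret_b64), message + variables, DIGESTS[algorithm]).digest()


def sign(message: bytes, key_name: str, time_signed: int) -> dict:
    """Primary side: produce the TSIG fields that accompany a NOTIFY or AXFR response."""
    algorithm, secret_b64 = TSIG_KEYS[key_name]
    return {"key_name": key_name, "algorithm": algorithm, "time_signed": time_signed,
            "mac": _mac(message, key_name, algorithm, time_signed, secret_b64)}


def verify(message: bytes, tsig: dict, now: int) -> bool:
    """Secondary side (Verify TSIG on NOTIFY): accept only a fresh MAC under a known key."""
    entry = TSIG_KEYS.get(tsig["key_name"].lower())
    if entry is None or entry[0] != tsig["algorithm"]:
        return False  # unknown key name, or algorithm differs from the configured key
    if abs(now - tsig["time_signed"]) > FUDGE_SECONDS:
        return False  # stale or replayed message
    expected = _mac(message, tsig["key_name"], tsig["algorithm"], tsig["time_signed"], entry[1])
    return hmac.compare_digest(expected, tsig["mac"])
```

A NOTIFY that fails verification should be dropped rather than trigger a transfer, and the key name, algorithm and secret must be identical on both the primary and NS1 Connect for any message to verify.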
Procedure
1. Click .
2. Click Add zone.
3. Under Domain name, enter the fully qualified domain name (FQDN) for the zone.
4. To enter a custom, unique name for this zone, click the Override zone name checkbox.
   This can be helpful if you plan to create multiple zones that point to the same FQDN. Otherwise, the zone name defaults to match the zone FQDN. Any DNS views you associate with the zone during zone creation are included as a suffix to the FQDN to make up the unique zone name (for example, <zoneFQDN>-<view_name>).
5. Under DNS networks, select the networks to publish the zone to.
   NS1 Connect answers DNS queries for the secondary zone on these networks.
   You might not want to publish the zone yet, for example, if you don't want to expose the zone to the public. In that case, clear the checkboxes and select the network when you are ready to publish the zone.
6. Under Zone settings, select Secondary zone.
7. Under Primary DNS servers, enter the details of the primary name server that transfers zone data to NS1 Connect:
   a. In IPv4 address, enter the IPv4 address of the primary name server.
   b. In Port, enter the port of the primary name server that NS1 Connect sends AXFR queries to.
   The network must be one of the DNS networks to which the zone is published; in other words, one of the networks selected in Step 5.
8. Optional: To balance AXFR queries among multiple primary name servers, click Add primary server and enter the IPv4 address, port, and network of each additional name server.
   If an AXFR query fails, NS1 Connect attempts to query one of these primary name servers.
9. Optional: To indicate that a primary name server sends NOTIFY messages only, under Notify-only primary servers, click Add notify-only server and enter the name server information as follows:
   a. In IPv4 address or CIDR block, enter the IPv4 address or CIDR prefix of the primary name server.
   b. From the Network drop-down list, select the NS1 Connect network that receives the NOTIFY messages.
   When NS1 Connect receives a NOTIFY message from the primary name server on this network, NS1 Connect doesn't initiate AXFR or IXFR requests to this primary name server.
10. Optional: To authenticate and verify the identity of a client or name server on incoming zone transfers, toggle the Enable TSIG switch to on and enter the following components:
    - TSIG hash: the cryptographic hash algorithm used with the TSIG key.
    - TSIG key name: the name of the TSIG key, in domain name syntax. This must match what is configured on the primary name server.
    - TSIG key value: the Base64 string encoding the shared key secret. This must match what is configured on the primary name server.
11. Optional: If Enable TSIG is turned on and you want to verify the authenticity of the messages and responses from the primary name server, select the Verify TSIG on NOTIFY checkbox.
12. Click Save zone.
    The secondary zone that you created is added to the list of zones in alphabetical order.
Results
The secondary zone remains in a pending state until the first zone synchronization with the primary name server is complete. You can monitor the status on the Zone settings page. When the synchronization is complete, all records configured on your primary name server appear in NS1 Connect.
What to do next
If you did not publish the secondary zone, when you are ready to do so, edit the zone settings and select the networks to publish the zone to.
To complete the primary/secondary configuration, add NS records to the primary zone specifying the hostnames of each NS1 Connect name server assigned to the secondary zone.