Creating a Secondary Zone

A secondary zone is a read-only copy of the primary zone that is stored on a different server. The secondary zone cannot process updates and can only retrieve updates from the primary zone. Secondary zones are organized within DNS views. For more information on DNS Zones, see Configuring DNS Zones

To create a secondary zone, complete the following:

  1. From the Cloud Services Portal, click Configure > Networking > DNS Zones.
  2. Create a DNS view or click an existing DNS view. For more information about creating a DNS view, see Configuring DNS Views.
  3. On the Zones page, click Create and choose Secondary Zone from the drop-down list.
  4. On the Create Secondary Zone page, specify the following:
    • Name: Enter the domain name for the zone. 

      • To create an IPv4 reverse-mapping zone, specify in-addr.arpa as the top-level reverse-mapping zone while specifying a name for the zone.

      • To create an IPv6 reverse-mapping zone, specify ip6.arpa as the top-level reverse-mapping zone while specifying a name for the zone.

        Warning

        The subdomains starting with ns.b1ddi and b1ddi are reserved and cannot be used as a prefix for the names of zones and resource records.

    • Description: Enter additional details about the zone.
    • Disable for DNS Protocol: Click this check box to temporarily disable this zone. For information, see Enabling and Disabling Zones.
    • Notify External Secondary DNS Servers: Select this check box to notify external secondary DNS servers that a secondary zone has been created. 
    • Tags: Click Add to associate keys with values. Specify the following details:
      • KEY: Enter a meaningful name for the key, such as a location or a department.  
      • VALUE: Enter a value for the key such as San Jose (for location), or Accounts (for department).  
  5. Define DNS server groups for the zone. Choose either DNS Server Group, External Primary, or Internal Secondary from the list. For information on specifying authoritative DNS server groups, see Configuring DNS Server Groups.
  6. Configure the primary (master) DNS servers. For an External Primary DNS server, configure the following settings:
    • Name: Specify the name of the server.

    • Address: Specify an IPv4 address.

    • Use TSIG: Select this check box to use the standards-based TSIG key that uses the one-way hash function to secure transfers between name servers. For more information, see Configuring TSIG Keys.
      • New TSIG: Choose this option to create a new TSIG key. Configure the following for a new TSIG key:
        • Key Name: Specify a name for the key.
        • Algorithm: Choose one of the following algorithms from the drop-down: HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.
        • Secret: Specify a value for the secret. The value must be a Base64 encoded string. Alternatively, click Generate to automatically generate a unique value.
        • Description: Specify a description for the key.
      • Existing TSIG: Select an existing TSIG Key from the drop-down. For more information, see Configuring TSIG Keys.
  7. Configure the zone transfers. The zone transfer settings are inherited from Global DNS Properties. For more information, see Configuring Global DNS Properties. Alternatively, toggle Inherit to Off and configure the values in the ACCEPT ZONE TRANSFER REQUESTS FROM section. Click Add to add or Remove to remove entries. Choose one of the following from the TYPE drop-down list:
    • Any Address/Network: Choose this option to allow or deny the application to send zone transfers to any IP address or network. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the remote server. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • IPv4 Network: Choose this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • Named ACL: Choose this option to add a named ACL. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, it is displayed automatically. When you select this, the application grants the servers in the ACL permission to send and receive DNS zone transfer data. You can click Clear to remove the selected named ACL.

    • TSIG: Select an existing TSIG Key. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
  8. An rdatatype (short for resource record type) is the specific type of a resource record (RR) in the DNS. Each resource record has an associated type that indicates the kind of data it holds: for example, type A holds the IPv4 address of a NIOS-X Server, and type MX holds how to route mail. An rdataset is the set of resource records of the same type for a specific domain name. Excessively large rdatasets or large numbers of RR types can slow down query processing, so limits can be set on a per-zone basis. The value 0 removes the upper limit, which may result in reduced performance. Configure the following settings:
    • Max Records per Type: Specify a numeric value for maximum records per type. The default value is 2000.
    • Max Types per Name: Specify a numeric value for maximum types per name. The default value is 100.
  9. Click Save & Close to save.

    Note

    An authoritative reverse-mapping zone is an area of network space for which one or more name servers—primary and secondary—have the responsibility to respond to address-to-name queries. Infoblox supports reverse-mapping zones for IPv4 addresses. You can add in-addr.arpa as the top-level reverse-mapping zone. Note that you cannot add these zones using their IP addresses or netmasks; you add them by name, as "in-addr.arpa".

    RFC 2317, Classless IN-ADDR.ARPA delegation is an IETF (Internet Engineering Task Force) document that describes a method of delegating parts of the DNS IPv4 reverse-mapping tree that corresponds to subnets smaller than a /24 (from a /25 to a /31). The DNS IPv4 reverse-mapping tree has nodes broken at octet boundaries of IP addresses, which correspond to the old classful network masks. So, IPv4 reverse-mapping zones usually fall on /8, /16, or /24 boundaries.

    To create a secondary authoritative reverse mapping zone, add in-addr.arpa as the top-level reverse mapping zone and specify the domain in the Name field.
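The following Python is an added example, not part of this documentation or of the Infoblox product, illustrating two settings from steps 6 and 7 above: generating a Base64 TSIG secret sized to the digest length of the chosen algorithm (an assumption following RFC 2104 guidance), and evaluating an ACCEPT ZONE TRANSFER REQUESTS FROM list against a requesting server. The ACL entries, the named ACL contents and all addresses are constructed sample values, and the first-match, default-refuse evaluation order is an assumption modelled on BIND rather than documented behaviour of the portal.

```python
import base64
import hashlib
import ipaddress
import secrets
# Algorithms offered in the New TSIG drop-down, mapped to hashlib constructors.
TSIG_ALGORITHMS = {
    "HMAC-MD5": hashlib.md5, "HMAC-SHA1": hashlib.sha1, "HMAC-SHA224": hashlib.sha224,
    "HMAC-SHA256": hashlib.sha256, "HMAC-SHA384": hashlib.sha384, "HMAC-SHA512": hashlib.sha512,
}

def generate_tsig_secret(algorithm):
    # Assumption: secret sized to the digest length, as RFC 2104 recommends for HMAC keys.
    digest_size = TSIG_ALGORITHMS[algorithm]().digest_size
    return base64.b64encode(secrets.token_bytes(digest_size)).decode("ascii")

def validate_tsig_secret(secret):
    # The portal requires a Base64 string: decode strictly and reject anything else.
    try:
        return len(base64.b64decode(secret, validate=True)) > 0
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

# Constructed sample ACCEPT ZONE TRANSFER REQUESTS FROM list: (TYPE, VALUE, PERMISSION).
SAMPLE_ENTRIES = [
    ("IPv4 Address", "203.0.113.9", "Deny"),     # one host in the subnet blocked explicitly
    ("IPv4 Network", "203.0.113.0/24", "Allow"),  # the rest of that subnet allowed
    ("TSIG", "xfer-key", "Allow"),                # any requester signing with this key
    ("Named ACL", "branch-offices", "Allow"),
]
SAMPLE_NAMED_ACLS = {"branch-offices": ["198.51.100.0/25"]}  # constructed named ACL

def evaluate_transfer_acl(entries, named_acls, source_ip, tsig_key=None):
    # Assumption: first match decides (BIND-style); a request matching no entry is refused.
    ip = ipaddress.ip_address(source_ip)
    for entry_type, value, permission in entries:
        if entry_type == "Any Address/Network":
            matched = True
        elif entry_type == "IPv4 Address":
            matched = ip == ipaddress.ip_address(value)
        elif entry_type == "IPv4 Network":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif entry_type == "Named ACL":
            matched = any(ip in ipaddress.ip_network(n, strict=False) for n in named_acls[value])
        elif entry_type == "TSIG":
            matched = tsig_key is not None and tsig_key == value
        else:
            raise ValueError(f"unknown TYPE {entry_type!r}")
        if matched:
            return permission == "Allow"
    return False
```

Because the Deny entry for 203.0.113.9 precedes the TSIG entry, that host is refused even when it presents the key; ordering the list is part of the configuration.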