Zone Proxy Management

Zone Proxy synchronizes zones from a primary name server that you have prepared to the Managed DNS Server by zone transfer, for configurations in which your own DNS server is the primary name server and the Managed DNS Server is a secondary server.

Zone Proxy

You can switch the zone proxy function between Enabled and Disabled. Configure the required settings for the primary name server with which zone transfer is performed in "Common Settings" beforehand.

Item        Description
Enabled     Obtains the zone information through zone transfer from the primary name server.
            You can no longer use the control panel to edit records of the relevant zone.
Disabled    Uses the zone information edited on the control panel.
Enable
[ Reference ]

  • You cannot enable the Zone Proxy function while the zone has edits that have not yet been updated (applied). Either update the zone or cancel the edits. Refer to "Record Management" for details.
  • The function can be enabled even while zone transfer is failing. Use the health check function described below to confirm that zone transfer succeeds before enabling it. Note that if you enable the function while zone transfer is failing, the zone keeps the contents it had before the function was enabled.

  1. Set Zone Proxy to "Enabled."
  2. Click "Enable."

Disable

  1. Set Zone Proxy to "Disabled."
  2. Click "Disable."

Health Check

You can check whether zone transfer from the primary name server succeeds.

  • The health check is performed whenever you open the Zone Proxy Management screen, whether or not the Zone Proxy function is enabled.
  • Only whether the zone transfer itself succeeds is checked; the SOA serial value is not checked.

If the health check fails, refer to the following section and correct the settings of the primary name server you have prepared.

Your Primary Name Server Settings

To use this function, the primary name server must be configured with the values shown below.

Zone File

Confirm that the SOA record parameters match the following table. If a value smaller than the lower limit is set, the function may not operate correctly.

Parameter   Lower limit value            Recommended value     Notes
serial      (Current serial value) + 1   -                     3rd parameter of the SOA record
refresh     600                          3600                  4th parameter of the SOA record
retry       600                          refresh or smaller    5th parameter of the SOA record
expire      3600                         -                     6th parameter of the SOA record. Even if the period during which zone transfer cannot be performed exceeds the "expire" time, this service does not discard the zone information.

Access Control for Zone Transfer

Configure the primary name server to permit access from this service's zone transfer client. Refer to "IP Addresses Used by This Service" for the information required for these settings. If you have configured a TSIG key in "Common Settings", the primary name server must also be configured for TSIG authentication.

Refer to "Examples" for representative DNS server implementation examples.

NOTIFY Notification Settings

When DNS NOTIFY is configured, zone information is updated on the Managed DNS Server immediately after it changes on the primary name server.
Zone transfer also works without DNS NOTIFY, but the Managed DNS Server then picks up changes only at the SOA refresh interval, so there is a delay between a change on the primary name server and its appearance on the Managed DNS Server.

Refer to "IP Addresses Used by This Service" for the information required for the settings. Refer to "Examples" for representative DNS server implementation examples.

[ Reference ]

The DNS NOTIFY mechanism works as follows.

  1. When zone information is updated on the primary name server, it sends a NOTIFY request to the secondary name servers.
  2. The secondary name server that receives the NOTIFY request requests a zone transfer from the primary name server without waiting for the SOA refresh interval to elapse.
  3. The primary name server that received the zone transfer request transfers the zone to the secondary name server.

DNSSEC

When "DNSSEC Signature Settings" is enabled, this service DNSSEC-signs the zones transferred from your primary name server, so you can use DNSSEC while continuing to manage zones on your own server. Note, however, that the following issues can occur.

  • DNSSEC signing performed on your primary name server is not reflected on the Managed DNS Server.
    • DNSSEC signing cannot be performed on both this service and your primary name server.
    • Either disable the DNSSEC signature setting on this service (the zone is signed by you) or stop DNSSEC signing on your primary name server (the zone is signed by this service).
  • When the zone on the primary name server is unsigned but the copy held by this service is signed, the two servers publish inconsistent zone data.
    • Use a hidden master configuration, in which only the Managed DNS Servers are published externally and your primary name server is hidden.
    • If you cannot use a hidden master configuration, be sure to disable the DNSSEC signature setting.
    • Also refer to "Operating a Managed DNS Server as a Secondary Name Server."
  • The SOA serial is incremented (+1) when DNSSEC signing is performed on this service.
    • The SOA serial of the Managed DNS Server is therefore always greater than that of your primary name server. For a zone change on your primary name server to be transferred in this state, the new SOA serial must be greater than the Managed DNS Server's current serial, so check that value and set a larger one.
      To avoid this problem, use the unixtime format (seconds elapsed since January 1, 1970) for the SOA serial.
    • You can check the current SOA serial value in the SOA Record column on the "Record Management" screen.
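As an added example (not part of this page or the service's own tooling), the following Python checks a zone-file SOA record against the lower limits and recommended values in the "Zone File" table above, and computes a primary serial that stays ahead of the DNSSEC-signed copy's serial as described in the "DNSSEC" section. The zone name example.com and the sample SOA record are constructed for illustration.

```python
import re
import time

# Lower limits and the recommended refresh value from this page's SOA table.
LOWER_LIMIT = {"refresh": 600, "retry": 600, "expire": 3600}
RECOMMENDED_REFRESH = 3600

# Constructed sample zone-file SOA record (example.com is a placeholder zone).
SAMPLE_SOA = """\
example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. (
                2024010101 ; serial
                300        ; refresh  (below the lower limit)
                900        ; retry    (larger than refresh)
                3600       ; expire
                300 )      ; minimum
"""


def parse_soa(zone_text):
    """Return the five numeric SOA parameters as a dict; ';' comments are stripped first."""
    joined = " ".join(re.sub(r";.*", "", line) for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", joined)
    if not m:
        raise ValueError("no SOA record found")
    names = ("serial", "refresh", "retry", "expire", "minimum")
    return dict(zip(names, map(int, m.groups())))


def check_soa(soa):
    """Return the list of problems found relative to the page's table (empty if OK)."""
    problems = []
    for name, limit in LOWER_LIMIT.items():
        if soa[name] < limit:
            problems.append(f"{name}={soa[name]} is below the lower limit {limit}")
    if soa["retry"] > soa["refresh"]:
        problems.append(f"retry={soa['retry']} should be refresh ({soa['refresh']}) or smaller")
    if soa["refresh"] < RECOMMENDED_REFRESH:
        problems.append(f"refresh={soa['refresh']} is below the recommended {RECOMMENDED_REFRESH}")
    return problems


def next_serial(managed_serial, now=None):
    """Serial to set on the primary for the next change: it must exceed the
    Managed DNS Server's serial (primary serial + 1 after signing) or the
    transfer is skipped. Unixtime, the page's suggestion, normally satisfies
    this by itself; managed_serial + 1 is the fallback when it does not."""
    now = int(time.time()) if now is None else now
    return max(managed_serial + 1, now)
```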