Operating a Managed DNS Server as a Secondary Name Server
To use a DNS server prepared by you as the primary name server, and to use a Managed DNS Server as a secondary name server, configure the settings as follows.
- Creating a TSIG key
Using a TSIG key enables you to prevent falsification of data in the zone transfer route. Refer to "TSIG Key Management" for how to create a TSIG key.- We recommend that you create a TSIG key.
- Whether or not you create a TSIG key does not affect the operation of the server.
- If you already have a TSIG key, you can use the existing one.
- Checking your primary name server settings
- Confirm that zone transfer can be performed from this service’s server.
- Unless zone transfer is permitted, no operation will be performed.
- Refer to "IP Addresses Used by This Service" for information on the IP address range for access permission.
- Confirm that the settings to send NOTIFY to the server of this service have been configured.
- Although operations will be performed even if the settings to send NOTIFY have not been configured, a time lag will be generated between a zone change on the primary name server and reflection of the change to the Managed DNS Server.
- Refer to "IP Addresses Used by This Service" for information on the IP addresses to which to send NOTIFY.
[ Note ]
Regarding IP addresses for zone transfer and NOTIFY, set a server that is different to the Managed DNS Server.
- Confirm that zone transfer can be performed from this service’s server.
- Editing common settings
Register the IP address of your server and the TSIG key in the primary name server settings, and then enable them.
Refer to "Primary Name Server Settings" for how to configure the settings.Disable the primary name server settings, and then save the settings. Open the settings screen again to edit and enable the settings, and then save your changes.
* You cannot enable the primary name server settings at the time of registration. Create settings while in the disabled state, and save them. Then open the settings screen again to edit and enable them.
Changing zone settings
Disable the DNSSEC signature. Refer to "DNSSEC Signature Settings" for how to configure the settings.
If the system is in the "Hidden Master Configuration" which will be described later, you do not have to disable the DNSSEC signature.Apply the common settings edited in procedure (3) to the zones. Refer to "Change Common Settings" for how to configure the settings.
Enable the zone proxy. Refer to "Zone Proxy Management" for how to configure the settings.
Make sure to confirm that the health check has been completed successfully.
Editing zones with your primary name server
Add three host names of the Managed DNS Server to the NS record.
The Managed DNS Server is described in the Zone Information column on the "Zone Proxy Management" screen.When the hidden master configuration is not used, register your primary name server and three Managed DNS Servers with the NS record.
When the hidden master configuration is used, register only three Managed DNS Servers with the NS record.
Once the rewrite of the NS record is complete, the transfer direction of some queries from outside changes to this service.
Registering the name server
Register the name server that was set to the NS record in step 5. Refer to "Registering and Changing Name Servers" for how to register it.When you have signed up for the Domain Management Service, you can register the name server by clicking "Name Server Registration" on the Name Server Management screen.
If you have not signed up for the Domain Management Service, apply this registration to your registrar (designated business operator).
Registering DS records
You can register DS records only when the DNSSEC signature is enabled in the hidden master configuration.
Refer to "Updating DS Records" for more information on DS records.
Hidden Master Configuration
The hidden master is a primary name server that cannot be accessed from the outside. It is also called "shadow master" or "hidden primary."
In the hidden master configuration, access from the outside is accepted only by the secondary name server. Compared to the regular configuration, in which access from the outside is accepted by both the primary and secondary name servers, the hidden master configuration has the following advantages.
- Clarification of the division of the roles played by different servers
- The primary name server specializes only in zone management.
- The secondary name server specializes only in responding to inquiries from the outside.
- Higher security
- Because the primary name server accepts access only from secondary name servers, there is little danger from outside intrusion and little risk of zone falsification.