FAQ Troubleshooting
Please read through this section before contacting us.
- IIJ DNS Platform Service
- FAQs about the Service Specifications
- Q. What kind of service is the DNS Platform Service?
- Q. What is the difference between the premium plan and basic plan?
- Q. Do you have any cache DNS functions?
- Q. Can I register domains?
- Q. What is QPS?
- Q. How do you count QPS?
- Q. What will happen if QPS exceeds the limit in the plan?
- Q. Do you have any ways to check the number of queries in my own domain?
- Q. What is SLA?
- Q. Is IPv6 supported?
- FAQs about Using the Control Panel
- IIJ Managed DNS Service
- FAQs about the Service Specifications
- Q. Can I use domains that I have registered with other companies, with this service?
- Q. Is DNSSEC supported?
- Q. Can I acquire query logs?
- Q. What is a Managed DNS Server?
- Q. What is a zone proxy?
- Q. What is Anycast?
- Q. What software is recommended for building a primary or secondary DNS server?
- Q. How can I add subdomains?
- FAQs about Zone Editing
- Q. How many records can be registered in a zone?
- Q. I want to make round-robin settings but cannot register multiple records that have the same name.
- Q. When I attempt to set a CNAME that has the same name as the zone name, an error occurs.
- Q. Can I write wildcard records?
- Q. Although I have updated zones through editing records, there are some records that have not been updated.
- Q. Even though I have uploaded the zone file, the file has not been reflected.
- Q. I manage more than one subdomain with this service. Can I register NS records to be delegated in a batch with the parent domain?
- Q. Can I ask you to check for errors in the DNS records I have registered?
- Q. Is there an upper limit of the number of characters to be registered in Value in a TXT record?
- Q. I cannot register a TXT record due to an error saying, "An invalid Value is included."
- Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?
- Q. The relevant zone name is added to Name and Value arbitrarily when I attempt to register a record.
- Q. I cannot register a PTR record due to an error saying, "The record format is invalid."
- Q. What is the maximum number of digits of the SOA record serial value?
- Q. Why does an error occur when I attempt to add or change records even though there is no problem with the data contents?
- Q. When is a check made to see if a record in a zone is in an invalid state?
- Q. Are there any ways to add or change a record even if an invalid record exists in the zone?
- Q. Why may an invalid record be registered in a zone?
- Q. I do not know how to change "Name" and "Type" of an existing DNS record.
- FAQs about Sender Domain Authentication
- Q. Can I register records for Sender Domain Authentication?
- Q. Is there a DNS look-up limit for SPF records?
- Q. Is it possible to verify a 2048-bit electronic signature for DKIM records?
- Q. Do I need to pay an additional cost for using sender domain authentication?
- Q. Can I register a 2048-bit DKIM public key?
- Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, do I need to disable the DNSSEC setting for the target zone in advance?
- Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, an error saying, "DS records are registered automatically." appears.
- Q. Do you have any ways to check if a record for sender domain authentication has been registered correctly?
- FAQs about DNSSEC
- Q. What is DNSSEC?
- Q. What does the comment "DNSSEC Operations" in Zone Application History mean?
- Q. Is Zone Update by "DNSSEC Operations" carried out even if the DNSSEC setting is not enabled?
- Q. The status of DNSSEC is always "Enabling" and never changes.
- Q. When using "Domain Management Service" and "IIJ Managed DNS Service" at the same time, which service should I use to manage the DNSSEC setting?
- Q. Does reverse zone support DNSSEC?
- Q. Suppose I have contracted for both parent zone and child zone, will DNSSEC for child zones be enabled as I enable DNSSEC for the parent zone?
- Q. What will happen if I register incorrect DS records?
- Q. What should I do if I have registered incorrect DS records manually?
- Q. When I want to cancel this service and contract for a service of another company, will I need to disable DNSSEC before I cancel this service?
- Q. What should I do if I have changed the name server without disabling DNSSEC?
- Q. How long does it take for the status to change after I execute DNSSEC settings?
- Q. The status of DNSSEC is always "Enabling" and never changes to "Enabled."
- Q. If the "DNSSEC Status" for DNSSEC Management is enabled, can I judge that DNSSEC validation of the relevant domain is executed properly?
- Q. Is DNSSEC validation executed as long as DS records exist in the higher zone even if the "DNSSEC Status" is "Enabled"?
- Q. Why does it take so much time to enable or disable DNSSEC?
- Q. Can I check the update of DS records before and after I execute KSK Rollover?
- Q. Will records of execution of KSK Rollover appear on the control panel?
- FAQs about the Service Specifications
- Q. I get different responses depending on the Managed DNS Server.
- Q. I cannot get an expected response from an ANY query.
- Q. Why is the serial value of SOA records automatically and continually updated?
- Q. Can I delete "dns-a.iij.ad.jp," "dns-b.iij.ad.jp," and "dns-c.iij.ad.jp" from the name servers registered with the higher zone?
- Q. Why do Health Check results change according to the presence or absence of the TSIG Key setting?
- IIJ DNS Traffic Management Service
- FAQs about monitoring
- Q. Is monitoring only performed on the endpoints used in the rule being applied?
- Q. I have trouble differentiating between Live Status and Ready Status.
- Q. I have monitoring accesses at intervals shorter than the time set as the monitoring interval.
- Q. Please support HTTPS with a shared sorry server.
- Q. How much time lag do we have between the detection and the reflection of a monitoring result?
IIJ DNS Platform Service
FAQs about the Service Specifications
Q. What kind of service is the DNS Platform Service?
It is an integrated authoritative DNS service that emphasizes scalability and flexibility with enhanced security. Refer to "Service Overview" for more information.
Q. What is the difference between the premium plan and basic plan?
You can use basic functions with the basic plan. Some functions are enhanced in the premium plan.
Function | Basic | Premium | Notes
---|---|---|---
Common to the Managed DNS Service and DNS Traffic Management Service | | |
Multi-provider | × | ○ | Use of a group of DNS servers provided by a partner DNS operator overseas
Anti-DDoS bandwidth | Over 1 Tbps | Over 30 Tbps |
Multi-factor authentication | ○ | ○ | In addition to two-factor authentication, which is a standard function, you can set various other authentication options if you sign up for them separately with the IIJ ID Service.
Approval management | △ | △ | When you sign up separately for the IIJ ID Service, you can fine-tune the edit and reference role settings for each zone.
QPS upper limit | 100 | 200 | With the premium plan, you can add QPS in increments of 100 qps.
SLA | × | ○ |
Managed DNS Service | | |
Managed DNS Server | ○ | ○ | A group of DNS servers that can be used as primary and secondary servers
Editing DNS records | ○ | ○ |
DNS record history management | ○ | ○ |
ANAME | ○ | ○ | Registering records equivalent to CNAME at the zone apex
DNSSEC | ○ | ○ | You must be able to register DS records with the higher zone.
TSIG | ○ | ○ | This setting is also required on your server side.
DNS Traffic Management Service | | |
Weighted load distribution | ○ | ○ |
Failovers | ○ | ○ |
Q. Do you have any cache DNS functions?
No. This service is an authoritative DNS service. It does not provide cache functionality.
Q. Can I register domains?
No. This service is an authoritative DNS service. It does not provide functions for registering, maintaining, and managing domains. Please use the "Domain Management Service."
Q. What is QPS?
QPS stands for queries per second, and represents the number of DNS queries per second.
Q. How do you count QPS?
We use the 95% rule. The average QPS is measured at five-minute intervals; each month the top 5% of those measurements is discarded, and the highest remaining value is taken as the upper-limit QPS. This keeps the billing amount within a certain level even if there is a sudden peak, such as a short-term DDoS attack.
Note that when you have multiple Managed DNS Service contracts in a single DNS Platform Service contract, QPS is calculated by adding up the DNS queries for all the contracts.
Q. What will happen if QPS exceeds the limit in the plan?
IIJ will inform you accordingly. IIJ will not put restrictions on your plan immediately after the limit is exceeded.
Q. Do you have any ways to check the number of queries in my own domain?
You can check them in Statistics Information. Because the domains that have queries of more than 100 qps, which is the upper limit for the basic plan, account for less than 1% of all domains, you will hardly ever exceed the upper limit unless you operate an extremely large-scale site.
Q. What is SLA?
SLA stands for service level agreement. This service guarantees SLA only when you have signed up for the premium plan. Refer to "SLA" for more information.
Q. Is IPv6 supported?
Yes. It is supported.
FAQs about Using the Control Panel
Q. I cannot access the control panel with Internet Explorer.
This service does not support Internet Explorer. Please use a browser such as Chrome, Firefox, Edge, or Safari.
Q. I cannot access the control panel from a smartphone.
This service cannot be used from a smartphone. Please access from a PC browser.
Q. I can check the settings but cannot change them.
If you are logged in using an IIJ ID account to which reference role has been assigned but not editing role, you cannot change the settings. Ask your IIJ ID administrator to assign editing role to you.
When the zone proxy function is enabled, you cannot edit zone information on the "Record Management" screen even if you are using an account that has editing role. In this case, edit zone information on your primary name server or disable the zone proxy function.
Q. Descriptions on the screen are written in English.
The control panel will be displayed in English in either of the following cases: when you have logged in using an IIJ ID account whose language setting is English, or when you have logged in as an operations manager and a language other than Japanese is prioritized in the web browser’s language setting. Switch the language setting to Japanese, and then log in again.
See here for how to change the language setting for the IIJ ID account.
IIJ Managed DNS Service
FAQs about the Service Specifications
Q. Can I use domains that I have registered with other companies, with this service?
Yes. You can use such domains without migrating them if you change the name server (NS) to that specified by this service.
Q. Is DNSSEC supported?
Yes. DNSSEC signing is performed as standard.
Note, however, that to perform DNSSEC validation, you will need to register DS records through your domain registrar. For information on how to register DS records, contact your registrar (designated business operator). If your registrar (designated business operator) is IIJ (if you have signed up for the IIJ Domain Management Service), DS records will be registered automatically.
Q. Can I acquire query logs?
No. We do not provide that service.
Q. What is a Managed DNS Server?
It is a server that accepts DNS queries for this service from the Internet. If you are using the premium plan, DNS servers provided by the partnering DNS provider are also included. You can use a Managed DNS Server as the primary name server or secondary name server, whichever you prefer.
A different Managed DNS Server is assigned for each contracted zone. You can check which Managed DNS Servers are assigned to the contracted zones from the "Zone Information" column on the control panel’s "Record Management" screen. The servers that handle zone transfer and DNS NOTIFY are different from the Managed DNS Servers. Note that if you link such servers to a primary or secondary name server that you have prepared, you will need to configure settings that differ from those for Managed DNS Servers.
Q. What is a zone proxy?
The function that transfers zones from your authoritative name server to a Managed DNS Server in this service is called zone proxy.
Using this function allows you to operate this service as a secondary name server.
Q. What is Anycast?
It is a technology for dispersing servers that have the same IP address across multiple sites. By dispersing servers around the world, not only will the round-trip delay of packets be shorter, but you will have an advantage in terms of the failure resistance because the servers that could be attacked in a DDoS are diversified and localized.
In addition to Anycast sites provided by IIJ, hundreds of sites provided by business operators with a tie-up arrangement with IIJ’s DNS are available with the premium plan for this service.
Q. What software is recommended for building a primary or secondary DNS server?
This service does not recommend any particular software. IIJ also cannot provide information such as operational track records, so choose software according to your intended use.
However, do not use any software or version that the distributor no longer provides.
Note that software or versions which are no longer provided are not eligible for support under this service.
Q. How can I add subdomains?
There are two methods as shown below. Select a method for your own convenience.
- Register DNS records of subdomains in the zone of the parent domain.
- Create a zone of subdomains separately from the zone of the parent domain.
To use the first method to add subdomains, register DNS records of subdomains in the zone of the parent domain.
Refer to "Registering, Updating, or Deleting DNS Records in/from a Zone of the IIJ Managed DNS Server" for more information on how to register records.
When you use this method, no additional cost is required.
To use the second method to add subdomains, create a zone of subdomains to add. Register DNS records of subdomains in the created zone to manage them.
With this method, first sign up for an additional zone for the subdomain. Then add NS records to the parent domain's zone that delegate DNS authority for the subdomain to the subdomain zone.
Suppose the subdomain is sub.example.jp. Register the following NS records in the zone of example.jp, which is the parent domain. In the "ns-xxx.xxx.d-53.xxx." part, specify the three Managed DNS Server names assigned to the subdomain zone.
sub.example.jp. IN NS ns-xxx.xxx.d-53.xxx.
sub.example.jp. IN NS ns-xxx.xxx.d-53.xxx.
sub.example.jp. IN NS ns-xxx.xxx.d-53.xxx.
When you use this method to add subdomains, additional cost for a zone is required. Refer to "https://www.iij.ad.jp/biz/dns-pfm/" (Japanese Only) for more information on the cost.
To apply for addition of a zone, contact your IIJ sales representative.
[ Reference ]
It is recommended that you separate the zone of the parent domain and that of subdomains to manage them in the following cases.
- There are many DNS records that are registered in the zone of the parent domain; therefore, management of the DNS records in a single zone is complex.
- You wish to separate the manager of the zone of the parent domain from that of the zone of subdomains.
FAQs about Zone Editing
Q. How many records can be registered in a zone?
Registration of up to 10,000 records in a zone is recommended.
Q. I want to make round-robin settings but cannot register multiple records that have the same name.
You cannot register more than one record with the same combination of Name and Type (for example, creating two "www.example.jp/A" records and registering one value with each).
Instead, you can register more than one Value for a single combination of Name and Type (create one "www.example.jp/A" record and register two values with it). Note that for some record types, such as SOA and CNAME, registration of multiple Values is restricted. Refer to "Record Management" for more information.
Q. When I attempt to set a CNAME that has the same name as the zone name, an error occurs.
The DNS specification prohibits a CNAME at the zone apex; this is not a restriction specific to this service. Please consider using "ANAME" instead.
Q. Can I write wildcard records?
Yes. Specify "*" as Name.
Q. Although I have updated zones through editing records, there are some records that have not been updated.
When more than one person is editing a single zone, clicking Zone Update button will update only the records that you personally have edited. Note that records which have been edited by persons other than you will not be updated.
Q. Even though I have uploaded the zone file, the file has not been reflected.
Set the serial number of the SOA record to a value larger than the current one. If it is smaller than the current value, the zone file upload itself succeeds, but the file is not reflected on the server. When you use this service with the method "Operating DNS with Managed DNS Servers Only" or "Operating a Managed DNS Server as the Primary Name Server," the service automatically increments the serial value. Because of this, when you upload a zone file that was downloaded earlier for zone update, the serial value in this service may already be greater than the value in the uploaded file. Refer to "Q. Why is the serial value of SOA records automatically and continually updated?" for more information.
Q. I manage more than one subdomain with this service. Can I register NS records to be delegated in a batch with the parent domain?
Yes. You can register NS records at once through the use of a subdomain delegation management menu from the record management function. Refer to "Batch Register Subdomain NS Records in the Higher Domain" for more information.
Q. Can I ask you to check for errors in the DNS records I have registered?
This service does not check whether the DNS records you have registered are correct or effective.
Q. Is there an upper limit of the number of characters to be registered in Value in a TXT record?
When you register a TXT record, enclose the Value in double quotes ("). A string enclosed in double quotes (") is limited to a maximum of 255 characters.
To register 256 or more characters in Value, refer to "Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?"
Q. I cannot register a TXT record due to an error saying, "An invalid Value is included."
Check whether the upper limit on the number of characters in Value has been exceeded. When you register a TXT record, enclose the Value in double quotes ("). A string enclosed in double quotes (") is limited to a maximum of 255 characters.
To register 256 or more characters in Value, refer to "Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?"
Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?
To describe a value consisting of 256 or more characters, split the value into groups of 255 or fewer characters, enclose each group in double quotes ("), and insert a single-byte space between the groups. The groups are then registered as one combined value of 256 or more characters.
- Description example (1)
- "255 or less characters" "255 or less characters" "255 or less characters"
Single-byte spaces outside of double quotes are not recognized as a part of the string. For this reason, if a single-byte space is required in a joint section, you need to insert a single-byte space at the end of the first character group enclosed in double quotes (") or at the beginning of the second character group enclosed in double quotes (") as shown on description example (2).
- Description example (2)
- "Entered characters␣" "Characters to be entered next"
- "Entered characters" "␣Characters to be entered next"
* The blank symbol (␣) represents a single-byte space.
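The following is an added example, not part of the IIJ FAQ, that builds and parses the presentation form described above (the quoted groups are the 255-byte "character-strings" of a TXT record) and shows why a space in description example (2) has to sit inside the quotes. It assumes plain ASCII payloads such as SPF or DKIM data; the 300-character DKIM-style key is constructed for the demonstration.

```python
# Added example (not part of the IIJ FAQ): build and parse the
# presentation form of a TXT record whose value exceeds 255 characters.
# TXT RDATA is a sequence of "character-strings" of at most 255 bytes;
# the quoted groups described in the FAQ are exactly those strings, and a
# validator joins them with nothing in between.

MAX_STRING = 255


def split_txt_value(value: str, limit: int = MAX_STRING) -> str:
    """Return `value` as quoted groups of at most `limit` characters,
    separated by single spaces. Any space that belongs to the data stays
    inside the quotes, so it survives the round trip.
    Quotes and backslashes are rejected to keep zone-file escaping rules
    out of this example (assumption: ASCII payloads such as SPF/DKIM)."""
    if not 1 <= limit <= MAX_STRING:
        raise ValueError("character-strings are limited to 255 characters")
    if '"' in value or "\\" in value:
        raise ValueError("escaping of quotes/backslashes is not handled here")
    groups = [value[i:i + limit] for i in range(0, len(value), limit)] or [""]
    return " ".join('"' + g + '"' for g in groups)


def parse_txt_value(text: str) -> list[str]:
    """Parse the presentation form back into its character-strings.
    Spaces outside the quotes are separators and are discarded."""
    strings = []
    i, n = 0, len(text)
    while i < n:
        if text[i] == " ":
            i += 1
            continue
        if text[i] != '"':
            raise ValueError(f"unexpected character at offset {i}: {text[i]!r}")
        end = text.find('"', i + 1)
        if end < 0:
            raise ValueError("unterminated quoted string")
        group = text[i + 1:end]
        if len(group) > MAX_STRING:
            raise ValueError("a quoted group is longer than 255 characters")
        strings.append(group)
        i = end + 1
    return strings


def is_registrable(text: str) -> bool:
    """True if every quoted group fits the 255-character limit, i.e. the
    check whose failure yields 'An invalid Value is included'."""
    try:
        parse_txt_value(text)
        return True
    except ValueError:
        return False


def txt_value(text: str) -> str:
    """What an SPF/DKIM validator sees: the groups joined with no separator."""
    return "".join(parse_txt_value(text))


if __name__ == "__main__":
    # Constructed 300-character value standing in for a long DKIM p= key.
    key = "v=DKIM1; k=rsa; p=" + "A" * 282
    print(split_txt_value(key))
    # Description example (2): the space must live inside one of the groups.
    print(repr(txt_value('"Entered characters" "Characters to be entered next"')))
    print(repr(txt_value('"Entered characters " "Characters to be entered next"')))
```

Running the script prints the 300-character key split into a 255-character group and a 45-character group, then shows that the first example (2) variant yields the two strings fused with no space, while the variant with the space inside the quotes keeps it.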
Q. The relevant zone name is added to Name and Value arbitrarily when I attempt to register a record.
This most likely happens because there is no dot (.) at the end of the Name or Value you entered. Add a dot (.) to the end, and then register the record again.
According to the specification of this service, if there is no dot (.) at the end of a host name, the zone name is added to the end of the host name.
Refer to "Common Rules for Host Names" in "DNS Record Registration Rules" for more information.
Q. I cannot register a PTR record due to an error saying, "The record format is invalid."
Check whether you are attempting to register in a forward zone.
Because PTR records are generally registered in reverse zones, you need a reverse zone contract to register PTR records.
For information on the contract, contact your IIJ sales representative or contact us from the following site.
- Contact Information | Internet Initiative Japan Inc.
Q. What is the maximum number of digits of the SOA record serial value?
The SOA record serial value for the IIJ Managed DNS Service goes up to "4294967295" and then wraps around to "0," from which counting continues.
This behavior is based on RFC 1982 (serial number arithmetic).
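As an added example that is not part of the IIJ FAQ, the script below implements RFC 1982 serial number arithmetic for the 32-bit SOA serial: the wrap from 4294967295 to 0 described here, and the "is the uploaded serial newer than the served one?" comparison that decides whether an uploaded zone file is reflected (see "Q. Even though I have uploaded the zone file, the file has not been reflected."). The function names are this example's own.

```python
# Added example (not part of the IIJ FAQ): RFC 1982 serial number arithmetic
# for the 32-bit SOA serial, showing the wrap from 4294967295 to 0 and the
# "is the uploaded serial newer?" comparison behind the zone-file FAQ.

SERIAL_MAX = 4294967295          # 2**32 - 1
_MOD = 1 << 32
_HALF = 1 << 31


def serial_add(serial: int, n: int) -> int:
    """RFC 1982 addition: n must be in [0, 2**31); the sum wraps modulo 2**32."""
    if not 0 <= serial <= SERIAL_MAX:
        raise ValueError("serial must fit in 32 bits")
    if not 0 <= n < _HALF:
        raise ValueError("increment must be in [0, 2**31)")
    return (serial + n) % _MOD


def serial_gt(a: int, b: int) -> bool:
    """True if a is 'greater than' b in RFC 1982 sequence-space order.
    Both orderings are False when the values differ by exactly 2**31
    (undefined in the RFC), so callers must not treat that as equality."""
    if not (0 <= a <= SERIAL_MAX and 0 <= b <= SERIAL_MAX):
        raise ValueError("serials must fit in 32 bits")
    return (a < b and b - a > _HALF) or (a > b and a - b < _HALF)


def upload_is_reflected(current_serial: int, uploaded_serial: int) -> bool:
    """Model of the FAQ rule: an uploaded zone is served only if its SOA
    serial is newer than the one currently served. Equal is not newer."""
    return serial_gt(uploaded_serial, current_serial)


def next_serial(current_serial: int) -> int:
    """Smallest serial that is newer than the current one, wrapping at 2**32."""
    return serial_add(current_serial, 1)


if __name__ == "__main__":
    print(next_serial(SERIAL_MAX))                       # 0
    print(upload_is_reflected(SERIAL_MAX, 0))            # True: 0 is newer after the wrap
    print(upload_is_reflected(2024060102, 2024060101))   # False: the file is older
```

The comparison is deliberately not plain integer ordering: after the wrap, serial 0 is newer than 4294967295, which is exactly why a zone at the maximum value still accepts the next update.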
Q. Why does an error occur when I attempt to add or change records even though there is no problem with the data contents?
Add the validation record shown below to identify the cause.
* Unless the zone is reflected, it will not be referenced from an external source. When the validation is completed, delete the validation record from the relevant zone before reflecting the updated zone information.
test.Contract Zone Name. IN TXT "test"
If you can add the record, there is a problem with the registration content of the record you cannot add or change. Check the error displayed on the screen in "List of Error Messages," and then review the registration content.
If you cannot add the record, a record in an invalid state (for example, RFC violation) may exist in the zone. Check the content of the zone and modify or delete the problematic record.
If multiple records in an invalid state exist in the relevant zone, they cannot be edited individually. Obtain the zone file from "Download a Zone File," and then update the zone information in "Upload a Zone File" after taking the following action.
- Modify or delete the relevant record in the zone file.
- Increase the number of the serial value of the SOA record by 1 or more.
- Unless the SOA record is specified as an import target in "Advanced Settings" at the time of upload, the serial value is incremented automatically.
Q. When is a check made to see if a record in a zone is in an invalid state?
It is checked when you add or change a record.
It is not checked in any other situations.
Q. Are there any ways to add or change a record even if an invalid record exists in the zone?
No, there are not.
Modify or delete the invalid record first, and then add or change a record.
Q. Why may an invalid record be registered in a zone?
Even though a record has been registered successfully, it may be changed into an invalid state because some change was made to the host name in Value of the record after registration.
This service cannot provide detailed reasons. Please contact the administrator of the host name registered in Value.
Q. I do not know how to change "Name" and "Type" of an existing DNS record.
"Name" and "Type" of an existing DNS record cannot be changed in "Edit Records."
Use the following procedure to change them.
- Click "Delete (Trash icon)" for the record to change.
- Click "Update to Record to be Deleted" and change "Status" of the relevant record to "TBD." Do not perform "Zone Update" yet at this point.
- Click "Add record" at the top of the screen, select the new "Name" and "Type," and register the record.
- Confirm that "Status" of the added record has changed to "TBA," and then confirm that the settings of the TBD record and the newly registered record are correct.
- Click "Zone Update" at the top of the screen to reflect the added and deleted records on the DNS server.
FAQs about Sender Domain Authentication
Q. Can I register records for Sender Domain Authentication?
Yes, you can. You can register TXT records for setting up sender domain authentication (SPF, DKIM, and DMARC).
Q. Is there a DNS look-up limit for SPF records?
Yes, there is. Up to 10 DNS lookups are allowed per SPF record. If the limit of 10 is exceeded, the email receiver detects an error at validation time.
This limit comes from the SPF specification, so there is no way to avoid it. If you run into the limit, remove unnecessary mail servers (such as include terms) so that the number of DNS lookups no longer exceeds it.
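The following added example (not IIJ's code) counts the lookup-causing terms of an SPF record the way a receiver's check does, following include: and redirect= into the referenced records, so you can see where a record crosses the 10-lookup limit before a receiver rejects it. The record data is constructed for the example and served from a dictionary so the script runs offline; the function names are this example's own.

```python
# Added example (not part of the IIJ FAQ): count the DNS-lookup-causing
# terms in an SPF record, including those pulled in via include: and
# redirect=, the way a receiver's SPF check does before it gives up at 10.
# The TXT data below is constructed for this example; the resolver is a
# dict lookup so the script runs offline.

SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed SPF records: name -> record text (not real zones).
CONSTRUCTED_TXT = {
    "example.jp": "v=spf1 mx a include:_spf.example.jp include:mail.example.net -all",
    "_spf.example.jp": "v=spf1 ip4:192.0.2.0/24 include:_netblocks.example.jp ~all",
    "_netblocks.example.jp": "v=spf1 ip4:198.51.100.0/24 -all",
    "mail.example.net": "v=spf1 a mx ptr exists:%{i}.x.example.net -all",
    "overlimit.example.jp": "v=spf1 include:example.jp include:mail.example.net -all",
}


def count_spf_lookups(domain, resolve_txt, _path=()):
    """Return the number of DNS lookups an SPF evaluation of `domain` would
    perform. `resolve_txt(name)` returns the SPF record text or None.
    An include/redirect loop raises instead of being counted forever.
    The extra lookups for the targets of an `mx` term are not counted."""
    if domain in _path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = resolve_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0                      # no record: nothing further to look up
    path = _path + (domain,)
    total = 0
    for term in record.split()[1:]:   # skip the "v=spf1" version tag
        term = term.lstrip("+-~?")    # qualifiers do not change the count
        if term.lower().startswith("redirect="):
            target = term[len("redirect="):]
            total += 1 + count_spf_lookups(target, resolve_txt, path)
            continue
        name, _, arg = term.partition(":")
        name = name.partition("/")[0].lower()   # drop "a/24"-style masks
        if name == "include":
            total += 1 + count_spf_lookups(arg, resolve_txt, path)
        elif name in LOOKUP_MECHANISMS:
            total += 1                # ip4 / ip6 / all cost nothing
    return total


def spf_within_limit(domain, resolve_txt=CONSTRUCTED_TXT.get) -> bool:
    """True if the record tree rooted at `domain` stays within 10 lookups."""
    return count_spf_lookups(domain, resolve_txt) <= SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("example.jp", "overlimit.example.jp"):
        n = count_spf_lookups(name, CONSTRUCTED_TXT.get)
        print(f"{name}: {n} lookups, within limit: {n <= SPF_LOOKUP_LIMIT}")
```

In the constructed data, example.jp costs 9 lookups (mx, a, two includes and the terms they pull in), while overlimit.example.jp reaches 15 because it includes both example.jp and mail.example.net and so pays for their terms again. To use it against real data, pass a `resolve_txt` function that performs the TXT lookup and returns the SPF record string.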
Q. Is it possible to verify a 2048-bit electronic signature for DKIM records?
This cannot be answered within the scope of the "IIJ DNS Platform Service."
Whether a 2048-bit key length can be used is determined by the email service or email server. The "IIJ DNS Platform Service" only answers DNS queries with the contents of the registered TXT records.
Q. Do I need to pay an additional cost for using sender domain authentication?
If you already have a zone contract with the "IIJ Managed DNS Service" for the domain to be covered by sender domain authentication, register the SPF, DKIM, and DMARC records in that zone. No additional cost is incurred for registering the records.
If you have not signed up for a zone for the target domain, you will need an additional zone contract with the "IIJ Managed DNS Service," and the cost of adding the zone will be incurred. Refer to "IIJ DNS Platform Service" (Japanese Only) for information on the cost.
For information on the contract, contact your IIJ sales representative or contact us from the following site.
- Contact Information | Internet Initiative Japan Inc.
Q. Can I register a 2048-bit DKIM public key?
Yes, you can. You can register a 2048-bit DKIM public key by defining multiple strings in Value when registering a TXT record.
Refer to "Q. How can I describe a value consisting of 256 or more characters to register it in Value in a TXT record?" for information on how to define multiple strings.
Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, do I need to disable the DNSSEC setting for the target zone in advance?
It depends on the TTL value registered in the NS record for the IIJ Secure MX Service that you are deleting.
- When a value equal to or smaller than 28800 (8 hours) is set
You do not need to disable the DNSSEC setting in advance. There is no problem with changing record registration while the DNSSEC setting is enabled.
- When a value equal to or greater than 28801 (8 hours and 1 second) is set
If you change record registration before the time set as the TTL value has elapsed, DNSSEC validation and DKIM validation may fail. Check "Usage Method of Each Functions > Using Email Authentication" in the "Basic Functions Manual" from Manuals/Downloads of "IIJ Secure MX Service" for information on how to take action.
Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, an error saying, "DS records are registered automatically." appears.
If you edit an NS record with the DNSSEC setting enabled, the following warning message will appear.
"DS records are registered automatically. There is a possibility that name resolution can no longer be performed if NS records are updated. Stop automatic registration of DS records, and then change NS records after the elapse of a certain period of time."
To stop registering a DS record, you need to disable the DNSSEC setting. To check if you actually need to disable the setting, see "Q. When deleting an NS record for the IIJ Secure MX Service and registering a CNAME record required to set a DKIM signature for the service, do I need to disable the DNSSEC setting for the target zone in advance?"
Q. Do you have any ways to check if a record for sender domain authentication has been registered correctly?
Although IIJ does not provide any such method, the following external website provides a checking tool.
- なりすまし対策ポータル ナリタイ (Japanese Only)
Note that IIJ does not provide any information on the above website and any support for the use of the checking tool.
IIJ is not responsible for any content you have obtained from the above website and results you have obtained through the use of the checking tool. Use the checking tool at your own risk.
FAQs about DNSSEC
Q. What is DNSSEC?
It is a mechanism for detecting tampering with DNS responses by signing DNS records with public-key cryptography.
Q. What does the comment "DNSSEC Operations" in Zone Application History mean?
The DNSSEC signature (RRSIG) has an expiry date, so it must be renewed periodically. In addition, we further increase security by periodically updating the key (DNSKEY) used for signing. Although DNSKEY and RRSIG are not displayed on this service’s Record Management screen, they are included in the zone like other records. Each such periodic update of DNSSEC-related records is recorded in the zone update history with the comment "DNSSEC Operations," "system" as the operator, and a log type of "Update record" in Zone Application History.
Q. Is Zone Update by "DNSSEC Operations" carried out even if the DNSSEC setting is not enabled?
Unless the status of DNSSEC on the control panel is disabled*, DNSSEC-related records are updated and recorded as "DNSSEC Operations" in the Zone Update history.
*Even if the DNSSEC signature setting is disabled, as long as the status of DNSSEC is "Disabling," DNSSEC-related records are updated and Zone Update is carried out.
Q. The status of DNSSEC is always "Enabling" and never changes.
To enable DNSSEC, you need to register information called DS records with a higher name server through the domain registrar (designated business operator). If you use another company's service as a registrar (designated business operator) and use this service only for DNS, you will need to apply for registration of DS records by yourselves. The status of DNSSEC is always "Enabling" and will never change until the registration is complete. If you use the Domain Management Service, you will not have to apply for registration of DS records by yourselves and the registration procedure will be taken care of automatically. Note, however, that it may take a few days until "Enabling" is switched to "Enabled."
In addition, to prevent failure of the validation of DNSSEC signature, the status will not change to "Enabled" unless appropriate reference to DNSSEC-related records such as DNSKEY and RRSIG can be verified. When records are migrated from another company’s service to this service, in most cases the DNSSEC-related records that have been added by this service cannot be reflected onto the migration source's server. As a result, you cannot follow a procedure for migrating the records after the status has changed to "Enabled."
Refer to DNSSEC Management for more information.
Q. When using "Domain Management Service" and "IIJ Managed DNS Service" at the same time, which service should I use to manage the DNSSEC setting?
When you use "Domain Management Service" and "IIJ Managed DNS Service" together, operate the DNSSEC setting with "IIJ Managed DNS Service."
Because the CDS function is shared by both services, the DNSSEC status may change through processing on the "IIJ Managed DNS Service" side even when the operation was performed from the "Domain Management Service." It is therefore recommended that you always manage the DNSSEC setting from the "IIJ Managed DNS Service."
Q. Does reverse zone support DNSSEC?
DNSSEC is not available for reverse zones of IP addresses assigned by an IIJ connection service, because the parent zone does not support DNSSEC.
DNSSEC is available for reverse zones of IP addresses managed by another company as long as the organization that manages the IP address supports DNSSEC.
[ Reference ]
Even if the status of DNSSEC for reverse zone is "Enabling," it will not be enabled unless the management source of the IP address supports DNSSEC.
Name resolution works normally even if the DNSSEC status remains "Enabling," but disabling it is recommended because zone update processing then becomes faster.
Q. Suppose I have contracted for both parent zone and child zone, will DNSSEC for child zones be enabled as I enable DNSSEC for the parent zone?
To apply DNSSEC to child zones (subdomains), the parent zone must be enabled. It is not possible to enable child zones only.
To enable child zones, you need to enable "DNSSEC Signature Settings" on the child zone side.
When you have signed up for both parent zone and child zone, if "DNSSEC Signature Settings" are enabled only for child zones, DS records on the child zones will be registered in the parent zone and become enabled on the screen. However, DNSSEC validation will not be possible unless "DNSSEC Signature Settings" on the parent zone side are enabled.
Q. What will happen if I register incorrect DS records?
Validating resolvers trust the DS record registered in the higher zone. If an incorrect DS record is registered when you apply to the registrar, the DS will not match the DNSKEY this service publishes, so validators judge that this service is returning a forged response and name resolution fails.
Q. What should I do if I have registered incorrect DS records manually?
If you have registered incorrect DS records manually, correct them or delete them. Until then, DNSSEC cannot be disabled for zones on the IIJ Managed DNS Service, because signature validation of the CDS record that requests deletion will fail.
Q. When I want to cancel this service and contract for a service of another company, will I need to disable DNSSEC before I cancel this service?
Yes. You will need to disable DNSSEC. Similarly, when you cancel another company's service and sign up for this service, you need to disable it for the service in advance.
If you are using this service and the Domain Management Service, refer to "DNSSEC Management" for how to configure DNSSEC settings.
Q. What should I do if I have changed the name server without disabling DNSSEC?
If you have changed the name server for this service to another DNS server without disabling DNSSEC, name resolution will no longer be available with the cache DNS function which uses DNSSEC validation.
Therefore, use the following method to disable DNSSEC.
- If you have a contract for our Domain Management Service
Disable the DNSSEC setting from the Domain Management Service setting screen in IIJ Service Online.
Refer to "自社で用意したDNSサーバにDNSSECを設定する" (Japanese Only) in the ドメイン管理サービスマニュアル (Japanese Only) for the procedure.
It takes several hours to disable the DNSSEC setting.
* If you have already changed the DNS server, you cannot disable DNSSEC from the console screen of this service, because the CDS record of this service can no longer be read.
- If you use another company's service to manage your domains
Delete the DS records on that company's service.
Q. How long does it take for the status to change after I execute DNSSEC settings?
IIJ does not disclose exactly how long it takes to enable or disable DNSSEC.
It takes several days as described in [Notes] in "DNSSEC Management."
Q. The status of DNSSEC is always "Enabling" and never changes to "Enabled."
It takes several days for the status of DNSSEC to change. If the status does not change even after several days have passed, there is a possibility that DS records have not been registered with the higher zone.
If you plan to change the domain's name server to the IIJ Managed DNS Service but have not done so yet, change the name server first.
By changing the name server to this service, DS records to be registered with the higher zone will be issued. After DS records have been issued and then registered with the higher zone, the status of DNSSEC changes to "Enabled." It takes several days for the status to change to "Enabled" after the name server has been changed.
If you use our Domain Management Service, DS records will be registered automatically with the higher zone. If you manage domain names using another designated business operator, ask the designated business operator to register DS records with the higher zone.
Q. If the "DNSSEC Status" for DNSSEC Management is enabled, can I judge that DNSSEC validation of the relevant domain is executed properly?
No, you can't.
"Enabled" as the "DNSSEC Status" for DNSSEC Management indicates that the process of DNSSEC signature of this service is in an enabled state. It does not necessarily mean that DS records signed by this service exist in the higher zone and DNSSEC validation is executed properly.
* Whether validation works properly is checked at the moment the DNSSEC status becomes "Enabled." If you later change the NS records or DS records in the higher zone manually, the status stays "Enabled" regardless, so the status alone cannot tell you whether DNSSEC validation is currently working.
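As an added illustration (not part of this FAQ or of IIJ's service), the following Python computes the DS record the higher zone should hold for a child zone's DNSKEY and checks a published DS against it, which is the comparison behind the two answers above; the owner name and key bytes are constructed placeholders, not real key material.

```python
import hashlib

# Constructed DNSKEY for the child zone (hypothetical values, not real key material):
# flags 257 = KSK, protocol 3, algorithm 13 (ECDSAP256SHA256), 4-byte dummy public key.
CHILD_OWNER = "Example.JP."
CHILD_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": b"\x01\x02\x03\x04"}

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest types (RFC 4034 / RFC 4509 / RFC 6605)

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def expected_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """The DS record the higher zone should hold for this DNSKEY (RFC 4034 section 5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.new(DIGEST_ALGS[digest_type], canonical_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest.upper())

def ds_matches(published_ds, owner, dnskey):
    """True only if a DS published in the higher zone matches the child's DNSKEY exactly."""
    tag, alg, dtype, digest = published_ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type can never validate this key
    return expected_ds(owner, **dnskey, digest_type=dtype) == (tag, alg, dtype, digest.upper())

if __name__ == "__main__":
    good = expected_ds(CHILD_OWNER, **CHILD_DNSKEY)
    # A DS with one mistyped hex digit, as a registrar mistake would produce (constructed).
    bad = (good[0], good[1], good[2], ("0" if good[3][0] != "0" else "1") + good[3][1:])
    print("key tag", good[0], "correct DS matches:", ds_matches(good, CHILD_OWNER, CHILD_DNSKEY),
          "mistyped DS matches:", ds_matches(bad, CHILD_OWNER, CHILD_DNSKEY))
```

Run the same comparison against the DS actually returned by the parent zone after the status reads "Enabled"; a mismatch means validators will treat the zone as bogus even though the control panel shows no change.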
Q. Is DNSSEC validation executed as long as DS records exist in the higher zone, even if the "DNSSEC Status" is not "Enabled"?
Yes. Even if the "DNSSEC Status" for DNSSEC Management is not "Enabled," DNSSEC validation is executed.
Q. Why does it take so much time to enable or disable DNSSEC?
DNS responses are cached, and the lifetime of a cache entry is controlled by its TTL. The process takes a long time because each step can only proceed after every cached record from before the enable or disable operation has expired completely.
Wait until the process is completed.
[ Reference ]
The TTL of the DS records registered in the higher zone also affects the process, so reducing the TTLs in your own zone does not shorten the time until DNSSEC is enabled.
Note that the higher zone is outside IIJ's control.
Q. Can I check the update of DS records before and after I execute KSK Rollover?
DS records are displayed on the DNSSEC management screen. You can check if they have been updated before and after executing KSK Rollover.
[ Reference ]
When you execute KSK Rollover, the KSK Rollover button will be grayed out until the process is completed.
For this reason, the process has been completed successfully if the above button is in an operable state on the DNSSEC management screen.
Q. Will records of execution of KSK Rollover appear on the control panel?
When you click the KSK Rollover button on the control panel, a log entry like the following example is recorded in the operation log for the zone. However, no log entry records the contents of the DS records or the completion of the process.
Log type: DNSSEC Signature Settings Operation / Operation: Start KSK Rollover / Status: Complete
FAQs about the Service Specifications
Q. I get different responses depending on the Managed DNS Server.
To prevent all servers from becoming unable to respond at once, for example because of an attack on an unknown vulnerability, this service uses multiple DNS server implementations for redundancy and diversity. Because the implementations differ, Managed DNS Servers may return different responses to the same DNS query. These differences fall within what the DNS specifications allow and therefore do not affect your use of the Managed DNS Servers.
Q. I cannot get an expected response from an ANY query.
Managed DNS Servers implement RFC 8482 (minimal responses to ANY queries). Therefore, even if you send an ANY query expecting "every RRset at the name," such a response will not be returned. Refer to the RFC for details.
Q. Why is the serial value of SOA records automatically and continually updated?
The IIJ Managed DNS Service regularly updates the DNSSEC signature (RRSIG) and the key used for signature (DNSKEY) and automatically carries out zone update by increasing the serial value. Refer to "Q. What does the comment "DNSSEC Operations" in Zone Application History mean?" for more information.
Q. Can I delete "dns-a.iij.ad.jp," "dns-b.iij.ad.jp," and "dns-c.iij.ad.jp" from the name servers registered with the higher zone?
Only for contracts that were automatically transferred from the old DNS Outsourcing Service or old DNS Secondary Service to this service can you continue to use the name server host names provided by the old service (dns-a.iij.ad.jp, dns-b.iij.ad.jp, and dns-c.iij.ad.jp). Once you have changed both the name servers registered with the higher zone and the NS records in the zone to the host names of the Managed DNS Server, the host names provided by the old service can be deleted without any impact.
After those host names have been deleted, name resolution is performed by the Managed DNS Server newly registered as the name server.
Note that while you use a name server host name provided by the old service, service availability remains at the level of the old service.
The availability of the IIJ Managed DNS Service is higher than that of the old service. It is strongly recommended that you change the name server registered with the higher zone to the Managed DNS Server name so that you can make full use of this service's functions.
- Refer to "Service Overview" for the availability of the IIJ Managed DNS Service.
- Refer to "IIJエンジニアブログ: https://eng-blog.iij.ad.jp/archives/5720" (Japanese Only) for differences in availability between the old and new services.
Q. Why do Health Check results change according to the presence or absence of the TSIG Key setting?
Check if the use start date of this service has passed.
You can execute a Health Check prior to the use start date, but if the TSIG Key is set, the Health Check will fail because the zone has not yet been published. Results of a Health Check with the TSIG Key set should be checked after the use start date of this service has passed.
IIJ DNS Traffic Management Service
FAQs about monitoring
Q. Is monitoring only performed on the endpoints used in the rule being applied?
No. Even if endpoints are not used for the rule, as long as monitoring details are linked to them, they will be monitored. Moreover, enabling/disabling monitoring means "Used/Not used to determine Live Status" instead of "Monitor/Not monitor." Therefore, even if it is disabled, monitoring will be performed and notifications will be sent when the monitoring status changes. To stop monitoring endpoints, cancel the link.
Q. I have trouble differentiating between Live Status and Ready Status.
Both Live Status and Ready Status represent the status of, for example, an endpoint, site, or method. While Live Status represents "whether that target is operating properly," Ready Status represents "whether that target is used for DNS response." Both of them take the same value in general because they are linked. However, there are some cases where "Live Status is Up (Operating properly) but Ready Status is Down (Not used for DNS response)," for example, when "Restore Manually" is enabled for endpoints. When "Remove Manually" is enabled, on the other hand, there are cases where "Live Status is Down (Not operating properly) but Ready Status is Up (Used for DNS response)." Also refer to "Traffic Control Statuses."
Q. I have monitoring accesses at intervals shorter than the time set as the monitoring interval.
Each monitoring location has multiple monitoring systems and monitoring sites, and each of them monitors independently so that monitoring continues during maintenance of our facilities or in case of failure. As a result, the monitored host observes more than one monitoring access per monitoring interval. Users may therefore see monitoring accesses at intervals shorter than the configured monitoring interval, but this is not abnormal.
Q. Please support HTTPS with a shared sorry server.
To support HTTPS, a server certificate with your host name is needed, which necessarily requires individual support of each customer. Therefore, we cannot provide a common server. You are responsible for building and operating such a server by yourselves.
Q. How much time lag do we have between the detection and the reflection of a monitoring result?
We cannot disclose the details, but the lag between detection and the reflection of a monitoring result is five minutes or less, because processes such as the Down/Up judgment are executed only after the judgment result has been confirmed at multiple monitoring sites.