Secondary Zones FAQ

NS1 allows users to employ primary/secondary zone configurations with other DNS providers. Introducing redundancy amongst providers eliminates a single point of failure situation. When setting up secondary zones in NS1 there are quite a few steps to complete in order to ensure zones are transferred successfully. For step by step instructions on setting up a secondary zone in NS1 please see In this article we will discuss common questions that arise during the configuration process.

Are my zones newly created secondary zones on the NS1 Managed DNS network?

Upon creation of a new zone you will see that the “NS1 Managed DNS network” box is automatically checked for you. This box should never be unchecked unless you have a private DNS network deployed with us at NS1. In this case, you will need to use V1 of the portal to ensure your secondary zone is connected either to a dedicated or managed DNS network

My Secondary zone status reads error: Unable to look up SOA records why is the transfer failing?

There are a few reasons as to why your secondary zones AXFR transfer may fail. One common culprit is forgetting to whitelist our XFR node ( at your primary DNS provider. Without this step, all SOA lookups from our XFR node will surely fail even if the primary IP provided is correct.

Will the intelligent routing configurations at my primary DNS provider transfer over to my NS1 secondary zone?

AXFR does not support the transferring any advanced functionality and configuration information. This includes features such as failover and GeoIP routing from your primary provider. While these features are available in NS1 for primary zones; Filter chain configurations, answer metadata, and other details will be removed when transferring between secondaries.

Can I edit records in a secondary zone in once it’s been configured?

We do not allow record level changes to be made to slave zones once created in the platform or via API. All changes must be done at the primary DNS provider, from which we will update through AXFR

How do we handle sync’s without NOTIFY enabled?

Whenever a modification is made to a zone, it’s serial number is adjusted to show that a change has been made. If NOTIFY is enabled, all whitelisted slave zones will be alerted to request the most recent zone file via AXFR. If NOTIFY is not configured, slave zones will poll the master for the most recent zone file based on the SOA Refresh interval set.

Can a secondary zone be converted to a primary zone?

If you wish to make NS1 the primary DNS provider for a zone once enabled as a secondary, a conversion can easily be done using our API. The following cURL request can be used to achieve this:

curl -X POST -H 'X-NSONE-Key: *******' -d '{"secondary":{"enabled":false}}'

Note: zones cannot be converted from primary to secondary

Are there size limitations on zone files being transferred to NS1 through AXFR?

While most zone transfers are typically done over TCP to accommodate larger zone files, protections and soft limits are still in place to prevent malicious users from importing a zone file with hundreds of thousands of records.

My newly created secondary zone is failing to sync even after whitelisting the NS1 XFR node?

Another common reason why a new secondary zone may fail to sync for smaller tier customers is record limitations. If a zone file contains enough records to surpass the total amount of records permitted in your current plan the transfer will continue to fail until either A. you contact NS1 at [email protected] to have the limit raised or B. you can delete already existing records to free up space for the secondary zone.

Does NS1 support TSIG authentication for secondary zone transfers?

Yes, After many requests for this feature NS1 now supports TSIG authentication for zone transfers (V2 exclusive). TSIG can be enabled upon creation of a secondary zone with a selection of hash algorithms to choose from (hmac-md5, hmac-sha1, sha224, etc)

Why am I getting a “superfluous name server listed at parent” error when running 3rd party zone consistency checks?

This error is most likely due to neglecting to add NS1 nameservers to the zone file at the primary DNS provider. NS1 name servers as well as the primary DNS providers name servers should included in both the zone file and at the zones registrar to ensure traffic is distributed according to your use case.

For example, your zone should contain NS records from your primary provider,,,, as well as NS records from the secondary provider.,,, Be sure to update your registrar with the full list of nameservers if applicable.

Request a Demo

Contact Us

Get Pricing