Configure secondary zones

Use Akamai Control Center or the Edge DNS Zone Management API to perform the initial configuration of your Edge DNS service.

Add a secondary DNS zone

  1. Log in to Control Center.

  2. Go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

  3. On the Zone list page, click Add zone.

    📘

    If the Add Zones link doesn't appear, you've reached your maximum zone allotment. To change your limit, contact your service representative.

  4. Enter the settings for your secondary zone.

    • Contract. Contract for this zone configuration.

    • Zone type. Select Secondary.

    • Zone names. Required. Enter the zone name in this format: zone.example.com.

    • DNSSEC Sign and Serve. When this option is selected, Akamai automatically sets up DNSSEC for the zone. If you leave this option deselected, you can manually configure your own DNSSEC records for the zone.

    • DNSSEC algorithm. If you enable DNSSEC Sign and Serve, also select the algorithm to use.

    • Zone transfer mode. When Edge DNS is configured as a secondary zone, you enable zone transfers from your own master name servers to Akamai.

      Edge DNS zone transfer agents (ZTAs) use the DNS query type authoritative transfer (AXFR) to perform DNS zone transfers. However, if you configured your own master name servers to support incremental zone transfers (IXFRs), the Edge DNS ZTAs will automatically perform incremental zone transfers for secondary zones.

    • Customer master name servers. Enter one or more IP addresses, separating each address with a comma, whitespace, or semicolon.

    • Customer ID. Optional. Enter a descriptive name for the customer. For example, you could enter your organization's billing reference for the customer.

    • Comments. Describe the new zone.

    • TSIG key. Transaction signature key. Provides secure DNS messaging, typically for zone transfers and dynamic updates.

      If you select Create a new TSIG key, you need to enter a unique key name in domain name format, select an algorithm, and enter a secret string in Base64 format.

    📘

    Enabling DNSSEC Sign and Serve requires that the TSIG key is fully configured for the zone.

  5. To enable outbound zone transfers, see Enable outbound zone transfers.

  6. To submit the zone information, click Create zone.
    The Active Zones Summary page opens with a list of Akamai authoritative name servers and the zone transfer agent IP addresses.

Restrict zone transfers to the ZTAs

You might want to restrict zone transfer access from your primary name servers to only allow the Edge DNS zone transfer agents (ZTAs).

To obtain a list of ZTAs, subscribe to Control Center's firewall rules notification service. This service lets you view all ZTA IP addresses and proactively notifies you of any changes to the ZTA infrastructure. Use the following procedure to subscribe to this service.

  1. Log in to Control Center.

  2. Go to > COMMON SERVICES > Firewall change notifications. The Firewall Rules Notification page opens.

  3. Click Manage Subscriptions.

  4. Click Subscribe Users.
    The Subscribe New Users page opens.

  5. Enter your email information and select Edge DNS Zone Transfer Agents.

    The list of Akamai IP addresses that can contact your servers appears on the CIDR Blocks tab. A notification containing this list is also sent to your email address.

  6. Ensure that your primary name servers allow zone transfers from the IP addresses and ports included in the list, over both UDP and TCP.

BIND 9 and later: Zone transfer syntax examples

Restrict zone transfers using the allow-transfer directive in the options stanza in the named.conf file. The zone transfer agents (ZTAs) in this example are 192.0.2.1, 192.0.2.2, and 192.0.2.3.

options {
    .....
    allow-transfer {192.0.2.1;192.0.2.2;192.0.2.3;};
    .....
};

You can also specify allow-transfer in the zone statement, which overrides the options allow-transfer statement:

zone "example.com" {
    .....
    allow-transfer {192.0.2.1;192.0.2.2;192.0.2.3;};
};

If not specified, the default is to allow transfers from all hosts.

Windows NS: Configure zone transfer settings

To configure zone transfer settings, use the Windows DNS Management console to complete the following steps.

  1. Under Windows Administrative Tools, open the DNS management console.

  2. Right-click the name of the DNS zone and select Properties.

  3. In the Properties window, click the Zone Transfers tab.

  4. Select Allow zone transfers.

  5. Select Only to the following servers.

  6. In the IP addresses of the secondary servers field, enter the IP addresses of the zone transfer agents. Then click OK.

Enable NOTIFY to the ZTAs

For best results, use DNS NOTIFY on your primary name servers. This notification alerts Edge DNS when your zone changes and initiates a zone transfer. Edge DNS accepts DNS NOTIFY by default.

To use NOTIFY requests, you must first configure your primary name servers to send these requests to the zone transfer agents (ZTAs).

If you do not use NOTIFY requests, the ZTAs check with your primary name server at the refresh interval listed in your start of authority (SOA) record.

This section describes the syntax for NOTIFY configuration on BIND and Windows name servers.

BIND 9 and later: NOTIFY syntax examples

In the following examples, the zone transfer agents are 192.0.2.1, 192.0.2.2, and 192.0.2.3. For BIND versions 9 and later, NOTIFY is enabled with the notify and also-notify directives.

options {
    .....
    notify yes;
    also-notify {192.0.2.1;192.0.2.2;192.0.2.3;};
    .....
};

Additionally, starting with BIND 9, there is the option of explicit notification:

options {
    .....
    notify explicit;
    also-notify {192.0.2.1;192.0.2.2;192.0.2.3;};
    .....
};

If the notify directive is set to yes (the default), DNS NOTIFY messages are sent when a zone for which the server is authoritative changes. The messages are sent to the servers listed in the zone's name server records (except for the master server identified in the start of authority MNAME field), and to any servers listed in the also-notify directive.

If notify is explicit, notifies are sent only to servers explicitly listed using the also-notify directive.

If you are using only Akamai name servers with BIND 9, it is a best practice to use notify explicit. If you are running a few of your own authoritative name servers in addition to Akamai name servers, you might choose to set notify to yes, depending on your current mechanism for propagating zone files to the name servers.

This information can also be specified in the zone stanza:

zone "example.com" {
    .....
    notify yes;
    also-notify {192.0.2.1;192.0.2.2;192.0.2.3;};
};

Or, with explicit notification:

zone "example.com" {
    notify explicit;
    also-notify {192.0.2.1;192.0.2.2;192.0.2.3;};
    .....
};

Windows NS: NOTIFY configuration

In the Windows DNS management console located under Administrative tools, complete the following steps.

  1. Right-click the appropriate zone and click Properties.

  2. In the Properties window, click the Zone Transfers tab.

  3. Click Notify in the lower-right corner.

  4. Select Automatically notify.

  5. Select The following servers.

  6. In the IP addresses of the secondary servers field, enter the IP addresses of the zone transfer agents. Then click OK.

Enable TSIG authentication

RFC 2845 describes a secret-key mechanism known as transaction signatures (TSIGs) for authenticating DNS messages. Most common name servers support some version of this mechanism. Zone transfer agents (ZTAs) currently support the use of TSIGs. Windows DNS Server does not currently support TSIGs.

BIND 9 and later: TSIG example

In the next example, the name server is instructed to sign all responses, including zone transfers, to the name server at 192.0.2.1 with a key called example-company-sharedsecret., and to expect responses from 192.0.2.1 to be signed by the same key.

key example-company-sharedsecret. {
    algorithm hmac-md5;
    secret "mZiMNOUYQPMNwsDzrX2ENw==";
};
server 192.0.2.1 {
    transfer-format many-answers;
    keys { example-company-sharedsecret.; };
};
zone "example.com" {
    ...
    allow-transfer { 192.0.2.1; };
    ...
};
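Whether you create the key in Control Center (step 4 of Add a secondary DNS zone) or in named.conf, the secret must be valid Base64, should be at least as long as the HMAC output of the chosen algorithm, and the key name must be in domain-name format. The following Python helper is an added example, not Akamai or ISC code: it generates a secret of the right size, checks the key name and secret, and renders the matching BIND key stanza. It defaults to hmac-sha256 rather than the hmac-md5 shown above because RFC 8945 makes HMAC-SHA256 mandatory to implement and no longer requires HMAC-MD5. The TSIG_ALGORITHMS table and all function names are this example's own; the secret in the test below is the one from the page.

```python
"""Generate a TSIG secret sized for its HMAC algorithm, check that the key
name is in domain-name format, and emit the BIND `key` stanza.
Added example, not Akamai or ISC code; the table and function names are
this example's own.
"""
import base64
import binascii
import re
import secrets

# HMAC output length in bytes per TSIG algorithm. A secret of this size is
# the minimum RFC 2104 recommends and the size BIND's tsig-keygen uses by
# default.
TSIG_ALGORITHMS = {
    "hmac-md5": 16,
    "hmac-sha1": 20,
    "hmac-sha224": 28,
    "hmac-sha256": 32,
    "hmac-sha384": 48,
    "hmac-sha512": 64,
}

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or
# trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_key_name(name: str) -> bool:
    """Domain-name format: dot-separated labels, trailing dot allowed."""
    bare = name[:-1] if name.endswith(".") else name
    if not bare or len(bare) > 253:
        return False
    return all(_LABEL.match(label) for label in bare.split("."))


def secret_length(secret_b64: str) -> int:
    """Decoded byte length of a Base64 secret; raises binascii.Error if invalid."""
    return len(base64.b64decode(secret_b64, validate=True))


def new_secret(algorithm: str) -> str:
    """Random secret, Base64-encoded, sized to the algorithm's HMAC output."""
    raw = secrets.token_bytes(TSIG_ALGORITHMS[algorithm])
    return base64.b64encode(raw).decode("ascii")


def check_key(name: str, algorithm: str, secret_b64: str) -> list:
    """Return a list of problems with the key (empty when it is acceptable)."""
    problems = []
    if not valid_key_name(name):
        problems.append("key name is not in domain-name format")
    if algorithm not in TSIG_ALGORITHMS:
        problems.append(f"unsupported algorithm {algorithm}")
    else:
        try:
            if secret_length(secret_b64) < TSIG_ALGORITHMS[algorithm]:
                problems.append("secret is shorter than the HMAC output length")
        except binascii.Error:
            problems.append("secret is not valid Base64")
    return problems


def bind_key_stanza(name: str, algorithm: str, secret_b64: str) -> str:
    """Render the named.conf `key` stanza, refusing a key that fails check_key."""
    problems = check_key(name, algorithm, secret_b64)
    if problems:
        raise ValueError("; ".join(problems))
    return (
        f"key {name} {{\n"
        f"    algorithm {algorithm};\n"
        f'    secret "{secret_b64}";\n'
        "};\n"
    )


if __name__ == "__main__":
    # Constructed key name; the secret is freshly generated on each run.
    name = "example-company-sharedsecret."
    print(bind_key_stanza(name, "hmac-sha256", new_secret("hmac-sha256")))
```

Paste the printed stanza into named.conf and enter the same name, algorithm and secret in Control Center; as the note under Enable TSIG authentication says, the key name must match on both sides, not only the secret.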

There are two important points to remember when using TSIGs:

  • Time synchronization. TSIGs require time synchronization between the name servers involved. ZTAs are set to GMT. The clock skew between the customer primary and the ZTAs must be less than 5 minutes.
  • TSIG key name and secret. The name of the TSIG key, not just the secret, must match on the name servers.

Enable TSIGs and IP ACLs simultaneously

You can configure BIND 9 and later to allow zone transfers to a restricted set of IP addresses only if they possess the shared secret key.

The following example works because access control lists (ACLs) in the allow-transfer stanza are processed in order. The ! notsecondary element denies any request that does not come from the secondary IP address list; requests from that list must then also prove possession of the shared secret key to succeed.

acl secondary {
    192.0.2.1;
    192.0.2.2;
    192.0.2.3;
};
key example-company-sharedsecret. {
    algorithm hmac-md5;
    secret "mZiMNOUYQPMNwsDzrX2ENw==";
};
acl notsecondary { ! secondary; any; };
options {
    ...
    allow-transfer { ! notsecondary; key example-company-sharedsecret.; };
    ...
};
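The following Python model is an added example, not Akamai or ISC code. It shows why the ACL above behaves as described, and how it differs both from the plain IP list in the earlier allow-transfer example and from a naive list that names the addresses and the key side by side. It applies BIND's address-match-list rules: elements are tested in order and the first match decides, a matched element prefixed with ! denies, a list with no match denies, and a negative match inside a nested ACL is treated as no match at the outer level. The Request and Elem classes, the helper names, and the non-ZTA address 198.51.100.7 are constructed for this example.

```python
"""Model of how BIND evaluates an allow-transfer address match list.

Added example, not Akamai or ISC code. It applies the rules the page relies
on: elements are tested in order and the first match decides; a matched
element prefixed with "!" denies; a list with no match denies; and a
negative match inside a nested ACL is treated as "no match" at the outer
level, which is what makes the "! notsecondary" construction work.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class Request:
    """A transfer request: source address and the TSIG key it was signed with, if any."""
    address: str
    key: Optional[str] = None


@dataclass(frozen=True)
class Elem:
    """One address-match-list element: ip, key, any, or a nested list."""
    kind: str
    value: Union[str, Tuple["Elem", ...], None] = None
    negate: bool = False


def ip(prefix: str, negate: bool = False) -> Elem:
    return Elem("ip", prefix, negate)


def key(name: str, negate: bool = False) -> Elem:
    return Elem("key", name, negate)


def any_(negate: bool = False) -> Elem:
    return Elem("any", None, negate)


def nested(elems, negate: bool = False) -> Elem:
    return Elem("nested", tuple(elems), negate)


def match_list(elems, req: Request) -> int:
    """Return +1 for a positive match, -1 for a negated match, 0 for none."""
    for e in elems:
        if e.kind == "ip":
            hit = ip_address(req.address) in ip_network(e.value, strict=False)
        elif e.kind == "key":
            hit = req.key is not None and req.key == e.value
        elif e.kind == "any":
            hit = True
        elif e.kind == "nested":
            # A negative match inside the nested list counts as no match here.
            hit = match_list(e.value, req) > 0
        else:
            raise ValueError(f"unknown element kind {e.kind}")
        if hit:
            return -1 if e.negate else 1
    return 0


def transfer_allowed(elems, req: Request) -> bool:
    """allow-transfer permits the request only on a positive match."""
    return match_list(elems, req) > 0


ZTAS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
KEY_NAME = "example-company-sharedsecret."

# allow-transfer { 192.0.2.1; 192.0.2.2; 192.0.2.3; };   (IP restriction only)
IP_ONLY = [ip(a) for a in ZTAS]

# acl secondary { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
SECONDARY = [ip(a) for a in ZTAS]
# acl notsecondary { ! secondary; any; };
NOTSECONDARY = [nested(SECONDARY, negate=True), any_()]
# allow-transfer { ! notsecondary; key example-company-sharedsecret.; };
IP_AND_KEY = [nested(NOTSECONDARY, negate=True), key(KEY_NAME)]

# What a naive list would do: allow-transfer { secondary; key ...; };
# Either condition alone is enough, so an unsigned request from a ZTA
# address passes. This is the mistake the nested construction avoids.
IP_OR_KEY = SECONDARY + [key(KEY_NAME)]

if __name__ == "__main__":
    # Constructed requests: 198.51.100.7 stands in for a non-ZTA address.
    cases = [Request("192.0.2.1", KEY_NAME), Request("192.0.2.1"),
             Request("198.51.100.7", KEY_NAME), Request("198.51.100.7")]
    for label, acl in [("ip-only", IP_ONLY), ("ip-and-key", IP_AND_KEY),
                       ("ip-or-key", IP_OR_KEY)]:
        for r in cases:
            print(f"{label:11} {r.address:14} key={str(r.key):32} -> "
                  f"{transfer_allowed(acl, r)}")
```

Running the block prints a truth table for the three lists; the row to look at is the unsigned request from 192.0.2.1, which the nested construction denies and the naive list allows.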

View zone transfer status

📘

Primary name server must allow zone transfers

Be sure that you have configured your primary name server to allow zone transfers by all agents. See Restrict zone transfers to the ZTAs.

  1. Log in to Control Center.

  2. Go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.

  3. In the Zone Transfer column, check the color-coded status symbol next to each secondary zone to quickly see its zone transfer status.

    • Green SUCCESS symbol indicates that the secondary zone transferred successfully.
    • Orange WARNING symbol indicates that the secondary zone was transferred, but there were some problems. The WARNING status might also appear if a zone transfer agent (ZTA) has not performed a successful zone transfer, even though SOA queries by the ZTA might succeed.
    • Red FAILURE symbol indicates that the secondary zone was not transferred due to a failure.
    • Blue PENDING symbol indicates that the secondary zone transfer status is pending.
  4. To get detailed transfer status information for a secondary zone, complete one of the following actions:

    • On the Zone list page, in the zones table, if a zone's Zone Transfer column displays a status icon, click it.
    • On the Zone list page, from the zone’s Actions menu, select View zone transfer status.
    • On the Edit zone page, top toolbar, click Transfer status.

    The Zone transfer status dialog opens.

    As long as at least one ZTA has received the zone data, you can be certain that Edge DNS has the current zone information. You can disregard older errors.

Verify zone information

After configuration is complete, zone transfer agents can begin zone transfers from your primary name servers.

If your primary name servers are behind a firewall, or if you have a name server access control list (ACL), remember to include the IP addresses of the zone transfer agents (ZTAs) in these lists to allow the transfer to occur.

You can verify that Akamai name servers have the most current zone information by using the dig or nslookup commands to query the name servers for the SOA record, and by checking the zone serial number against that of your primary name server.

Zone transfer status information is also available on the main Zone list page on Control Center.

Troubleshoot zone transfer status issues

See Troubleshoot zone transfer status issues.

Reset SOA serial numbers

Start of authority (SOA) serial numbers need to increase monotonically. This is important so that secondary name servers can detect and receive zone updates using zone transfer from the masters.

If you make a mistake and need to revert to smaller numbers, contact technical support.
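The following Python script is an added example, not Akamai tooling. It performs the check described under Verify zone information and shows why a serial that goes backwards is a problem: it extracts the serial from a dig +short SOA answer, compares serials with the RFC 1982 sequence-space arithmetic that secondaries use, and reports whether each Akamai name server is in sync with your primary. The live query assumes dig is installed; the zone name, server addresses and SOA answers used in the usage comment and test are constructed sample values.

```python
"""Compare the SOA serial your primary serves with the serial each Akamai
name server returns, using the serial arithmetic a secondary uses
(RFC 1982). Added example, not Akamai tooling. Live queries shell out to
`dig`; the parsing and comparison logic works on text so it can be
checked offline.
"""
import subprocess
import sys

SERIAL_SPACE = 2 ** 32
HALF_SPACE = 2 ** 31


def parse_soa_serial(answer: str) -> int:
    """Extract the serial from a `dig +short <zone> SOA` answer line.

    The line has the form: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    """
    fields = answer.split()
    if len(fields) < 7:
        raise ValueError(f"not an SOA answer: {answer!r}")
    return int(fields[2])


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: True if serial a is 'greater than' b in 32-bit sequence space.

    Serials wrap modulo 2**32, so 1 is greater than 4294967295; two serials
    exactly 2**31 apart are incomparable and neither is greater.
    """
    a %= SERIAL_SPACE
    b %= SERIAL_SPACE
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)


def serial_status(primary: int, secondary: int) -> str:
    """Describe the secondary's copy relative to the primary."""
    if primary == secondary:
        return "in sync"
    if serial_gt(primary, secondary):
        return "secondary behind"          # a transfer is still pending
    if serial_gt(secondary, primary):
        # The primary's serial moved backwards: the secondary considers its
        # copy newer and will not transfer until the primary's serial is
        # larger again.
        return "primary serial went backwards"
    return "undefined"                     # exactly 2**31 apart


def query_soa_serial(zone: str, server: str, timeout: int = 5) -> int:
    """Live check: ask `server` for the zone's SOA and return its serial."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1",
           f"@{server}", zone, "SOA"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    lines = [line for line in out.splitlines() if line.strip()]
    if not lines:
        raise RuntimeError(f"{server} returned no SOA for {zone}")
    return parse_soa_serial(lines[0])


def report(zone: str, primary: str, secondaries: list) -> dict:
    """Map each secondary server to its status relative to the primary."""
    primary_serial = query_soa_serial(zone, primary)
    return {s: serial_status(primary_serial, query_soa_serial(zone, s))
            for s in secondaries}


if __name__ == "__main__":
    # Usage (constructed placeholders): python check_soa.py example.com \
    #     192.0.2.53 <akamai-ns-1> <akamai-ns-2>
    # Take the Akamai name server names from your Active Zones Summary page.
    if len(sys.argv) < 4:
        sys.exit("usage: check_soa.py ZONE PRIMARY SECONDARY [SECONDARY ...]")
    for server, status in report(sys.argv[1], sys.argv[2], sys.argv[3:]).items():
        print(f"{server}: {status}")
```

A "secondary behind" result right after a change usually clears at the next NOTIFY or refresh; a persistent "primary serial went backwards" result is the situation the paragraph above describes, where the serial must be raised again before secondaries will transfer.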