All Products
Document Center

Enable Secondary DNS

Last Updated: May 12, 2022

Currently, when you enable Secondary DNS, Alibaba Cloud DNS is set as the secondary DNS and your existing DNS service is set as the primary DNS by default. To use Secondary DNS, you need to configure the primary DNS first and then enable Secondary DNS through Alibaba Cloud DNS.


If you host your DNS internally, make sure your DNS server supports the standard XFR and NOTIFY protocols. If you use a hosted DNS service, make sure your DNS provider allows you to configure the Secondary DNS service. The following section takes an on-premise DNS system as an example. You can find relevant information from your DNS provider if you use a hosted DNS service.

As the secondary DNS, Alibaba Cloud DNS needs to synchronize resource records from the primary DNS. Therefore, you need to set up data forwarding rules on the primary DNS and use encryption mechanisms to secure the communication between the primary and secondary DNS services. The following section takes a BIND DNS server (version 9.9.4 or later) as an example and describes how to configure a primary DNS in order to enable Secondary DNS.

Configure a BIND DNS server

Add the following configuration information to the configuration file /etc/named.conf.

zone "Domain (for example," IN {
type master;
allow-update {; };
allow-transfer {key test_key;};
notify explicit;
also-notify { port 53; port 53;};
file "zone_file";

The parameters are as follows:

  • zone specifies the domain.

  • allow-transfer specifies the key file. Currently, Alibaba Cloud DNS only supports Transaction Signatures (TSIG). TSIG enables communication between the primary and secondary DNS servers. You need to specify the KEY for TSIG based server communication.


    Note: We recommend that you use TSIG to secure DNS communication. TSIG uses shared secret keys and one-way hashing to authenticate DNS messages and secure the synchronization between the primary and secondary DNS servers. You can generate a TSIG key for a hash function such as MD5, SHA256, and SHA1, and configure TSIG on your primary and secondary DNS servers. For more information, see Generate a TSIG key.

  • also-notify specifies the IP addresses of secondary DNS servers that need to be notified when resource records change on the primary DNS server. You can specify multiple IP addresses. Specify the following Alibaba Cloud DNS servers:, The corresponding IP addresses are and

Generate a TSIG key

You can use the dnssec-keygen tool to generate a TSIG key. The commands are as follows:

[root@www ~]# dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST test_key
Generating key pair
test_key. +157+64252

The parameters are as follows:

  • -a represents the hash function. Select one of our supported functions: HMAC-MD5, HMAC-SHA1, or HMAC-SHA256.

  • -b represents the number of bytes in the key. The key size is dependent on the hash algorithm you have selected. For an HMAC key, the size is between 1 to 512 bytes.

  • -n represents the owner type of the key file, such as ZONE, HOST, ENTITY, and USER. HOST or ZONE is commonly used.

  • test_key represents the name of the key file. This name is used in allow-transfer when you configure the primary DNS, and in TSIG Key Name when you configure the secondary DNS in step 8-i.

After these commands are executed, a .key and .private file are generated in the current directory. For example, Ktest_key. +157+64252.key and Ktest_key. +157+64252.private. The .key file contains the DNS KEY record, which is used in TSIG Key Value when you configure the secondary DNS in step 8-i. The .private file contains the fields that are specified by the algorithm.


Enable Secondary DNS for your domain by following these steps:

  1. Log on to the Alibaba Cloud DNS console.

  2. Go to the Secondary DNS page, and click Add Secondary DNS.

secondary dns

3 .Select the domain that you want to enable Secondary DNS .


4 .On the Add Secondary DNS page, complete the following configurations to enable Secondary DNS.


5 .After the configuration is completed, Secondary DNS is enabled for your domain. You can view the running status of the secondary DNS, such as Enabled, as shown in the following figure.


6 .Add NS records that delegate to name servers and to the resource records on your primary DNS. Record type: NS; Host record: @; Record value: and (in two separate resource records).

7 .Add Alibaba Cloud DNS servers and to the DNS records of your domain name registrar. For more information, see Change DNS records of different domain name registrars.

After Secondary DNS is enabled, you are not allowed to manually change the resource records in Manage DNS. All records are synchronized from the primary DNS.

  • If you want to synchronize the configuration changes on your primary DNS to the secondary DNS, see Modify parameters.

  • If you want to disable Secondary DNS, see Disable Secondary DNS.

  • If an error occurred during the synchronization between the primary and secondary DNS servers, see Synchronization errors.