Using a secondary nameserver with dns.he.net | nsX.he.net

Reading a recent post, I came across a link to How to Setting up Secondary DNS for Mail-in-a-Box.

As I already have an account with HE.net, I wanted to set up the secondary nameserver with them
(not that I have had problems with my MIAB, but as a backup, just in case).

So far I have tried:

[1]
I have changed in my MIAB/admin
System → Custom DNS → Using a secondary nameserver to ns3.he.net

[2]
And then in Hurricane Electric Free DNS Management → Zone Functions → Add a new domain → domain.name (without box.domain.name)

As per the instructions (Please enter the domain name in the space provided. For rDNS associated with this account, please use the rDNS options located below or enter the fully qualified in-addr.arpa/ip6.arpa zone below.)

I have then clicked on “Edit zone” or the “domain.name” and deleted all other NS servers (ns1, ns2, ns4, ns5) and only left ns3.

[3]
In my Gandi.net → Nameservers → External nameservers → added “ns3.he.net”
and the same for my second MIAB server running via a VDSL2+ ISP but with the domain at OVH:
OVH.com → Domain → DNS servers → added ns3.he.net

But my System Status Checks page in MIAB still reports for all the domains on both MIAB servers:

"Secondary nameserver ns3.he.net is not configured to resolve this domain."

Does anyone have any idea where I have gone wrong?

I had started that thread, so some feedback. I used neither and this Secondary NS on Hurricane Electric - #6 by davness at the time

I added all listed HE servers in that post to MIAB.

I did not change anything at Gandi. I only have the name servers set up as in the MIAB guide: ns1.box.etc ns2.box.etc

That worked for me. It took about ten minutes to show in the status page.

I hope this helps.

I see, thanks for the reply.
I had missed your post while searching for an answer.

So [1] should have been on the MIAB server:
ns1.he.net ns2.he.net ns3.he.net ns4.he.net ns5.he.net xfr:216.218.133.2 xfr:2001:470:600::2

I see the xfr:216.218.133.2 xfr:2001:470:600::2 IP addresses are for slave.dns.he.net.

[2]
This is where I got it wrong…
Hurricane Electric Free DNS Management → Zone Functions → Add a new slave → Domain Name: domain.name (without box.domain.name)
Master #1: current NS1 server: ns1.box.domain.name

[3]
In my Gandi.net → Nameservers → External nameservers → added all 5 NS servers:
ns5.he.net
ns4.he.net
ns3.he.net
ns2.he.net
ns1.he.net

and the same for my second MIAB server running via a VDSL2+ ISP but with the domain at OVH:
OVH.com → Domain → DNS servers → added:
ns5.he.net
ns4.he.net
ns3.he.net
ns2.he.net
ns1.he.net

I guess that I will have to wait 24-72h for DNS propagation, but at the moment both MIAB servers are reporting for all domains (but that’s to be expected, especially for OVH … ;):
Secondary nameserver ns1.he.net is not configured to resolve this domain.
Secondary nameserver ns2.he.net is not configured to resolve this domain.
Secondary nameserver ns3.he.net is not configured to resolve this domain.
Secondary nameserver ns4.he.net is not configured to resolve this domain.
Secondary nameserver ns5.he.net is not configured to resolve this domain.

I see, so now it works on the main MIAB domain (thanks @Mg344), but I will have to change the NS2.box.domain.name on all the other domains that are running on both MIAB servers: delete NS2.box.domain.name and add the 5 HE servers … so many registrars …

Has anyone managed to set up the TSIG (transaction signatures) mechanism for secure AXFR as well, which is not required for the domain to work?
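A small stdlib-only checker for the condition the status line above complains about, added here as an example (it is not MIAB's or HE's code): it takes the MIAB secondary nameserver value shown earlier in the thread, sends each listed host a SOA query and reports whether the answer is authoritative and carries the primary's serial. The hostnames, IPs and serial used in the offline test are constructed, the UDP helper is IPv4-only, and the `xfr:` tokens are treated as AXFR ACL addresses rather than servers to query.

```python
import socket
import struct

def build_soa_query(zone, txid=0x1234):
    """SOA/IN query with RD=0: we want the server's own (authoritative) answer."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in zone.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 6, 1)

def _skip_name(msg, off):
    """Offset just past a wire-format name (labels or a 0xC0 compression pointer)."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_soa_response(msg):
    """Return (authoritative flag, SOA serial or None if no SOA in the answer)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    aa, off = bool(flags & 0x0400), 12
    for _ in range(qd):                      # skip the echoed question
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:                       # SOA rdata: MNAME, RNAME, SERIAL, ...
            p = _skip_name(msg, _skip_name(msg, off))
            return aa, struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    return aa, None

def query_soa(server, zone, timeout=3.0):
    """Live UDP lookup (IPv4 only for brevity); swap in a fake for offline tests."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return parse_soa_response(s.recv(4096))

def check_secondaries(setting, zone, primary_serial, query=query_soa):
    """Per secondary: 'ok', 'not authoritative' (MIAB's complaint), serial mismatch or error."""
    result = {}
    for host in (t for t in setting.split() if not t.startswith("xfr:")):  # xfr: = ACL IPs
        try:
            aa, serial = query(host, zone)
        except OSError as e:
            result[host] = f"error: {e}"     # timeout or unreachable server
            continue
        result[host] = ("ok" if aa and serial == primary_serial
                        else "not authoritative" if not aa or serial is None
                        else f"serial {serial} != primary {primary_serial}")
    return result
```

Run it against the zone with the SOA serial your primary currently publishes; a host still reported as "not authoritative" is one the secondary provider has not yet loaded (or never received a transfer for).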

Does MIAB support full zone transfer (AXFR)?

Would you like me to confirm that all is working properly? If so PM me 2 or 3 domains from each MiaB instance to check and I’d be happy to do so.

I don’t know that this would be worth the effort. MiaB refuses requests for AXFR from name servers not explicitly listed, so adding this additional level of security (complexity) may not be beneficial as it is likely an unsupported modification that will be overwritten either at daily maintenance or version upgrade.

Isn’t that what we’re discussing here? I am not sure I understand what you’re asking.


You could manually configure Transaction Signature (TSIG): Using Transaction Signature (TSIG) — NSD 4.3.9 documentation

But as @alento already said, these changes would most likely be overwritten during an upgrade of your box and are probably not worth the effort for the reasons he mentioned. Also, your secondary nameserver provider must support this, and you would have to configure it there too.


Thank you for your offer @alento but I was just trying it out.

I have done a bit more reading about the TSIG (transaction signatures) mechanism for secure AXFR and decided that it’s not beneficial to my set-up with HE, so I have reverted back to ONE NS server with two of the same records.

I strongly urge you to rethink this. You are in a much better position with Secondary DNS enabled without TSIG than you are with a single point of failure.
