I come across link to How to Setting up Secondary DNS for Mail-in-a-Box
As I already have account with HE.net I wanted to set up the secondary nameserver with them.
(not that I have had a problems with my MIAB, but as backup - Just in case).
So I have so far tried:
[1]
I have changed in my MIAB/admin
System → Custom DNS → Using a secondary nameserver to ns3.he.net
[2]
And then in Hurricane Electric Free DNS Management → Zone Functions → Add a new domain → domain.name (without box.domain.name)
As per instructions (Please enter the domain name in the space provided. For rDNS associated with this account, please use the rDNS options located below or enter the fully qualified in-addr.arpa/ip6.arpa zone below.)
I have then clicked on “Edit zone” or the “domain.name” and deleted all other ns servers (ns1, ns2, ns4, n5) and only left ns3.
[3]
In my Gandi.net → Nameservers → External nameservers → added “ns3.he.net”
and the same for my second MIAB server running via VDSL2+ ISP but domain with OVH OVH.com → Domain → DNS servers → added ns3.he.net
But my System Status Checks page in MIAB still reports for all the domains on both MIAB servers:
“Secondary nameserver ns3.he.net is not configured to resolve this domain.”
I see the xfr:216.218.133.2 xfr:2001:470:600::2 IP addresses are for slave.dns.he.net
[2]
This is where I got it wrong…
Hurricane Electric Free DNS Management → Zone Functions → Add a new slave → Domain Name: domain.name (without box.domain.name)
Master #1: current NS1 server: ns1.box.domain.name
I guess that I will have to wait 24-72h for DNS propagation, but at the moment both MIAB servers are reporting for all domains (but that’s to be expected especially for OVH … ;):
Secondary nameserver ns1.he.net is not configured to resolve this domain.
Secondary nameserver ns2.he.net is not configured to resolve this domain.
Secondary nameserver ns3.he.net is not configured to resolve this domain.
Secondary nameserver ns4.he.net is not configured to resolve this domain.
Secondary nameserver ns5.he.net is not configured to resolve this domain.
I see, so now it works on the main MIAB domain (thanx @Mg344), but I will have to change the NS2.box.domain.name on all the other domains that are running on both MIAB servers and deleted the NS2.box.domain.name and add the 5 HE servers …so many registrars …
Has anyone managed to set up the TSIG (Transaction signatures) mechanism for secure AXFR that is Not Required for the domain working as well?
Would you like me to confirm that all is working properly? If so PM me 2 or 3 domains from each MiaB instance to check and I’d be happy to do so.
I don’t know that this would be worth the effort. MiaB refuses requests for AXFR from name servers not explicitly listed, so adding this additional level of security (complexity) may not be beneficial as it is likely an unsupported modification that will be overwritten either at daily maintenance or version upgrade.
Isn’t that what we’re discussing here? I am not sure I understand what you’re asking.
But as @alento already said these changes would most likely be overwritten during an upgrade of your box and are probably not worth the effort for the reasons he mentioned. Also your secondary nameserver provider must support this and you would have to configure it there too.
Thank you for your offer @alento but I was just trying it out.
I have done bit more reading about the TSIG (Transaction signatures) mechanism for secure AXFR and decided that it’s not beneficial to my set-up with HE so I have reverted back to ONE NS server with to of the same records.
I strongly urge you to rethink this. You are in a much better position with Secondary DNS enabled without TSIG than you are with a single point of failure.
