Secondary DNS
Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s).
A&A are in the middle of a large project to change the DNS Infrastructure. During the change the DNS Infrastructure and the associated information will be in a state of flux.
The information on this page is also augmented by information contained at the page: https://support.aa.net.uk/New_Authoritive_DNS
As the DNS Infrastructure is in a state of flux the information below will change in the future and will be updated when appropriate. After completion of the DNS Infrastructure change A&A will eventually have a new system for control & configuration in place for managing customer's Authoritative Secondary DNS.
Process for setting up A&A as your Authoritative Secondary DNS Server as at May 2025
The process for setting up A&A as your Authoritative Secondary DNS server(s).
- Configure required ACLs on your Firewall, remember to open TCP as well as UDP
- Configure required access ACLs on your Primary DNS for zone transfers and queries,
- Contact
support@aa.net.ukto request your domain to be configured on A&A's Secondary DNS, - Verify that
secondary-dns.co.ukprovides replies when responding to queries regarding your domain, - Change the Authoritative DNS servers to include
secondary-dns.co.ukfor your domain at your Domain Registrar.
What is needed to setup A&A as your Authoritative Secondary DNS
You need to configure your Authoritative Primary DNS to:
- Set your Primary DNS to send NOTIFY to
secondary-dns.co.uk. Required for your Primary DNS to notify A&A's Secondary that you've changed or reloaded your domain files.
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk **NOTIFY**
- Allow
*.secondary-dns.co.uk; &*-nameless.aa.net.uk; &*.primary-dns.co.uk; to request AXFR/IXFR zone transfers from your Primary DNS. Required to allow A&A's secondary DNS to copy your domains from your Primary DNS. - Allow
*.secondary-dns.co.uk; &*-nameless.aa.net.uk; &*.primary-dns.co.uk; to send queries to your Primary DNS. Required as some of A&A's secondaries send regular SOA query requests, to check the Serial. Also helpful if Support needs to query your Primary DNS.
IP addresses required for Firewall and Primary DNS ACLs
If we are running as your Secondary DNS to your own Primary, then allow these IP addresses through your firewall to your Primary server (UDP & TCP port 53). As well as for access ACLs configuration on your Primary DNS server for both queries & zone transfers for your domain(s):
81.187.81.32; //secondary-dns.co.uk **legacy** 194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk 194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk **NEW** 194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk **NEW** 194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk **NEW** 194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk **NEW** 81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk 90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy** 90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk
Starting from March 2025, in addition to legacy
secondary-dns.co.ukIP addresses we will also initiate zone transfers from the newer DNS Infrastructure:
zonetransfers-a.secondary-dns.co.uk;zonetransfers-b.secondary-dns.co.uk;zonetransfers-a.primary-dns.co.uk;zonetransfers-b.primary-dns.co.uk;Legacy
secondary-dns.co.ukwill still be in use until mid-2025. Therefore, please keep these in your ACLs for the moment until this advice changes.
Abridged Example Configuration for a BIND9 Authoritative DNS Server
This configuration was verified as working as at May 2025.
/etc/bind/named.conf.local
masters notify_secondary_dns_co_uk {
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
};
acl transfer_secondary_dns_co_uk {
81.187.81.32; //secondary-dns.co.uk **legacy**
194.4.173.1; 2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
194.4.173.3; 2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk
194.4.173.4; 2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk
};
acl transfer_primary_dns_co_uk {
194.4.172.3; 2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk
194.4.172.4; 2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk
};
acl transfer_nameless_aa_net_uk {
81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
90.155.23.32; 2001:8b0:0:23::32; //b-nameless.aa.net.uk **legacy**
90.155.62.60; 2001:8b0:0:62::60; //c-nameless.aa.net.uk
};
zone "example.com" {
type master;
file "/etc/bind/zones/db.example.com";
allow-query {
transfer_secondary_dns_co_uk;
transfer_primary_dns_co_uk;
transfer_nameless_aa_net_uk;
};
allow-transfer {
transfer_secondary_dns_co_uk;
transfer_primary_dns_co_uk;
transfer_nameless_aa_net_uk;
};
also-notify {
notify_secondary_dns_co_uk;
};
};
No longer Valid
If you are running your own DNS, you will need a secondary. You can use secondary-dns.co.uk which is configured to try and automatically secondary any new domain from an AAISP allocated IP address that a customer uses.
Using our secondary name server is normally automatic if you are using BIND-8/9. To make it pick up a domain automatically you have to change the top level delegation to list your name server and secondary-dns.co.uk, and then have bind send a notify from your primary. Our name server checks the delegation first and then adds the zone, loading from your primary servers IP. If you later change the IP of your primary, then the old IP must return that it is not authoritative in order to clear the zone allowing it to reload from the new primary. If you encounter any difficulties, please contact technical support, who can make changes manually if necessary.