
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Secondary DNS


Some customers wish to run their own Authoritative Primary DNS server(s) and use A&A's DNS Infrastructure as their Authoritative Secondary slave server(s).

A&A are near the end of a large project to change the DNS Infrastructure. During the change, the DNS Infrastructure and the associated information will be in a state of flux.

This page was last updated May 2026.

The information on this page is supplemented by the page: https://support.aa.net.uk/New_Authoritive_DNS

Process for setting up A&A as your Authoritative Secondary DNS Server as at May 2026

To set up A&A as your Authoritative Secondary DNS server(s):

  1. Configure the required ACLs on your firewall; remember to open TCP as well as UDP.
  2. Configure the required access ACLs on your Primary DNS for zone transfers and queries.
  3. Contact support@aa.net.uk to request that your domain be configured on A&A's Secondary DNS, and include the list of your Master's IPv4 and IPv6 addresses.
  4. Verify that secondary-dns.co.uk replies to queries for your domain.
  5. Change the Authoritative DNS servers for your domain at your Domain Registrar to include secondary-dns.co.uk.
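
A way to carry out the check in step 4 before changing anything at the registrar, as an added example that is not part of the original page: it compares the SOA serial served by your primary with the one served by secondary-dns.co.uk, over UDP and then TCP. It assumes dig is installed, that the host you run it from is allowed to query your primary, and that the zone name and primary address are passed as arguments; the function names are illustrative.

```shell
#!/bin/sh
# Added example: confirm secondary-dns.co.uk serves the same SOA serial as
# your primary, over both UDP and TCP (the firewall step needs both open).

# Extract the serial (third RDATA field) from one line of `dig +short SOA`.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# Classify a primary/secondary pair of `dig +short SOA` answers.
# Prints one of: in-sync | stale | no-answer
compare_soa() {
    p=$(soa_serial "$1")
    s=$(soa_serial "$2")
    if [ -z "$p" ] || [ -z "$s" ]; then
        echo no-answer      # refused, timed out, or zone not loaded
    elif [ "$p" = "$s" ]; then
        echo in-sync
    else
        echo stale          # transfer has not happened (check NOTIFY/ACLs)
    fi
}

# Query one server over one transport (+notcp = UDP, +tcp = TCP).
query_soa() {  # usage: query_soa SERVER ZONE +tcp|+notcp
    dig +short +norecurse +time=3 +tries=1 "$3" "@$1" "$2" SOA
}

check_zone() {  # usage: check_zone ZONE PRIMARY_ADDRESS
    for transport in +notcp +tcp; do
        primary=$(query_soa "$2" "$1" "$transport")
        secondary=$(query_soa secondary-dns.co.uk "$1" "$transport")
        echo "$1 $transport: $(compare_soa "$primary" "$secondary")"
    done
}

# Runs only when both arguments are given, e.g.:
#   sh check-secondary.sh example.com 192.0.2.53
if [ "$#" -eq 2 ]; then
    check_zone "$1" "$2"
fi
```

A result of no-answer on one transport only usually points at the firewall rather than at the DNS configuration.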

Notes:

  • We will only accept notifies from IPs we have listed as Masters

What is needed to set up A&A as your Authoritative Secondary DNS

You need to configure your Authoritative Primary DNS to:

  • Send NOTIFY to secondary-dns.co.uk. This is required so that your Primary DNS will notify A&A's Secondary that you've changed or reloaded your domain files.
    194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk                  **NOTIFY**
  • Allow *.secondary-dns.co.uk, *-nameless.aa.net.uk and *.primary-dns.co.uk to request AXFR/IXFR zone transfers from your Primary DNS. This is required to allow A&A's secondary DNS to copy your domains from your Primary DNS.
  • Allow *.secondary-dns.co.uk, *-nameless.aa.net.uk and *.primary-dns.co.uk to send queries to your Primary DNS. This is required because some of A&A's secondaries send regular SOA queries to check the Serial. It is also helpful if Support needs to query your Primary DNS.

Updating Masters

We need to know if your masters change. To tell us:

  • email support
  • update via the control pages (coming soon, Summer 2026)

IP addresses required for Firewall and Primary DNS ACLs

If we are running as your Secondary DNS to your own Primary, then allow these IP addresses through your firewall to your Primary server (UDP & TCP port 53). Use the same addresses in the access ACLs on your Primary DNS server, for both queries and zone transfers for your domain(s):

81.187.81.32;                           //secondary-dns.co.uk                  **legacy**
194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
194.4.173.3;  2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk  **NEW**
194.4.173.4;  2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk  **NEW**

194.4.172.3;  2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk    **NEW**
194.4.172.4;  2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk    **NEW**

81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
90.155.23.32; 2001:8b0:0:23::32;        //b-nameless.aa.net.uk                 **legacy**
90.155.62.60; 2001:8b0:0:62::60;        //c-nameless.aa.net.uk

Starting from March 2025, in addition to legacy secondary-dns.co.uk IP addresses we will also initiate zone transfers from the newer DNS Infrastructure:

  • zonetransfers-a.secondary-dns.co.uk; zonetransfers-b.secondary-dns.co.uk;
  • zonetransfers-a.primary-dns.co.uk; zonetransfers-b.primary-dns.co.uk;

Legacy secondary-dns.co.uk will still be in use until mid-2025. Therefore, please keep these in your ACLs for the moment until this advice changes.

Abridged Example Configuration for a BIND9 Authoritative DNS Server

This configuration was verified as working as at May 2025.

/etc/bind/named.conf.local

masters notify_secondary_dns_co_uk {
			194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
};

acl transfer_secondary_dns_co_uk {
			81.187.81.32;                           //secondary-dns.co.uk  **legacy**
			194.4.173.1;  2001:8b0:0:81::51bb:5120; //secondary-dns.co.uk
			194.4.173.3;  2001:8b6:2:0:194:4:173:3; //zonetransfers-a.secondary-dns.co.uk
			194.4.173.4;  2001:8b6:2:0:194:4:173:4; //zonetransfers-b.secondary-dns.co.uk
};

acl transfer_primary_dns_co_uk {
			194.4.172.3;  2001:8b6:1:0:194:4:172:3; //zonetransfers-a.primary-dns.co.uk
			194.4.172.4;  2001:8b6:1:0:194:4:172:4; //zonetransfers-b.primary-dns.co.uk
};

acl transfer_nameless_aa_net_uk {
			81.187.30.41; 2001:8b0:0:30::51bb:1e29; //a-nameless.aa.net.uk
			90.155.23.32; 2001:8b0:0:23::32;        //b-nameless.aa.net.uk  **legacy**
			90.155.62.60; 2001:8b0:0:62::60;        //c-nameless.aa.net.uk
};

zone "example.com" {
	type master;
	file "/etc/bind/zones/db.example.com";
	allow-query {
		    transfer_secondary_dns_co_uk;
		    transfer_primary_dns_co_uk;
		    transfer_nameless_aa_net_uk;
	};
	allow-transfer {
		    transfer_secondary_dns_co_uk;
		    transfer_primary_dns_co_uk;
		    transfer_nameless_aa_net_uk;
	};
	also-notify {
		    notify_secondary_dns_co_uk;
	};
};


Using secondary-dns.co.uk for Reverse DNS

At the moment (June 2026) we're advising that customers don't use secondary-dns.co.uk in the list of nameservers for reverse DNS. We need to improve our tooling on the Control Pages to make this easier.

  • We allow customers to run their own nameservers for Reverse DNS, where we delegate the zones over to their servers.
  • Customers may add secondary-dns.co.uk in addition to their own nameservers; however, a zone will need to be created for each .arpa domain you need us to serve, along with the list of master IPs. At the moment the creation of these zones needs to be done manually.