Secondary Zones

Secondary Zones

The Designate v2 API introduced functionality that allows Designate to act as a DNS slave, rather than a master for a zone. This is accomplished by completing a zone transfer (AXFR) from a DNS server managed outside of Designate.

RecordSets / Records

Changes to secondary zones are managed outside of Designate. Users must make the changes they wish, and prompt a fresh zone transfer (AXFR) into Designate to make those changes live on any DNS servers Designate manages.


To add a secondary zone to Designate, there must be a DNS master for the zone, to which Designate can act as a slave. For this guide, we assume that you have already set this up.

The remaining Designate set up will be similar to a non-secondary zone setup. You’ll need a primary DNS server for Designate to manage and transfer secondary zones to.

In our examples we’ll use the following values:

Name -

Masters -

Setup - example NSD4

Skip this section if you have a master already to use.


For this it is assumed that you are running on Ubuntu.


For some reason there’s a bug with the nsd package so it doesn’t create the user that it needs for the installation. So we’ll create that before installing the package.

$ sudo apt-get install nsd


$ sudo zcat /usr/share/doc/nsd/examples/nsd.conf.sample.gz >/tmp/nsd.conf
$ sudo mv /tmp/nsd.conf /etc/nsd/nsd.conf

Add the following to /etc/nsd/nsd.conf


If you’re wondering why we set notify to it’s because MDNS runs on 5354 by default.

$ sudo vi /etc/nsd/nsd.conf

Add the contents:

    name: "mdns"
    zonefile: ""
    notify: NOKEY
    provide-xfr: NOKEY
    allow-axfr-fallback: yes

Add a zone file

Create a new Zone in NSD called


$ sudo vi /etc/nsd/

And add the contents:

$TTL 1800 ;minimum ttl         IN      SOA (
                        2014111301      ;serial
                        3600            ;refresh
                        600             ;retry
                        180000          ;expire
                        600             ;negative ttl

                TXT             "v=spf1 +a +mx ~all"
                SPF             "v=spf1 +a +mx ~all"


                MX      0
                MX      5
                MX      10


ns1             A     
ns2             A     
ns3             A     

mail1             A     
mail2             A     
mail3             A     

google          CNAME 

Restart NSD

$ sudo service nsd restart

Check that it’s working

$ sudo nsd-control status

Activate the zone in NSD

$ sudo nsd-control addzone mdns

Creating the Zone

When you create a domain in Designate there are two possible initial actions:

  • Domain is created but transfer fails if it’s not available yet in master, then typically the initial transfer will be done once the master sends first NOTIFY.
  • Domain is created and transfers straight away.

In both cases the interaction between your master and Designate is handled by the MDNS instance at the Designate side.

Definition of values:

  • email set to the value of the managed_resource_email option in the central section of the Designate configuration.
  • transferred_at is null and version is 1 since the zone has not transferred yet.
$ openstack zone create --type secondary --masters
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.