Page tree


A secondary zone is a read-only copy of the primary zone that is stored on a different server. The secondary zone cannot process updates and can only retrieve updates from the primary zone. Secondary zones are organized within DNS views. For more information on DNS Zones, see Configuring DNS Zones

To create a secondary zone, complete the following:

  1. From the Cloud Services Portal, click Manage -> DNS ->Zones.
  2. Create a DNS view or click an existing DNS view. For more information about creating a DNS view, see Configuring DNS Views.
  3. On the Zones page, click Create and choose Secondary Zone from the drop-down list.
  4. On the Create Secondary Zone page, specify the following:
    • Name: Enter the domain name for the zone. If you want to create an IPv4 reverse mapping zone, you need to specify as the top-level reverse-mapping zone while specifying a name for the zone.


      The subdomains starting with ns.b1ddi and b1ddi are reserved and cannot be used as a prefix for the names of zones and resource records.

    • Description: Enter additional details about the zone.
    • Disable for DNS Protocol: Click this check box to temporarily disable this zone. For information, see Enabling and Disabling Zones.
    • Tags: Click Add to associate keys with values. Specify the following details:
      • KEY: Enter a meaningful name for the key, such as a location or a department.  
      • VALUE: Enter a value for the key such as San Jose (for location), or Accounts (for department).  
  5. Define DNS server groups for the zone. Choose either DNS Server Group, External Primary, or Internal Secondary from the list. For information on specifying authoritative DNS server groups, see Configuring DNS Server Groups.
  6. Configure the Primary (Master) DNS servers. Configure the following settings for the External Primary DNS server:   
    • Name: Specify the name of the server.

    • Address: Specify an IPv4 address.

    • Use TSIG: Select this check box to use the standards-based TSIG key that uses the one-way hash function to secure transfers between name servers. For more information, see Configuring TSIG Keys.
      • New TSIG: Choose this option to create a new TSIG key. Configure the following for a new TSIG key:
        • Key Name: Specify a name for the key.
        • Algorithm: Choose one of the following algorithm from the drop-down: HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512.
        • Secret: Specify a value for the secret. The value must be a Base64 encoded string. Alternatively, click Generate to automatically generate a unique value.
        • Description: Specify a description for the key.
      • Existing TSIG: Select an existing TSIG Key from the drop-down. For more information, see Configuring TSIG Keys
  7. Configure the Zone transfers. The queries are inherited from Global DNS Properties. For more information, see Configuring Global DNS Properties. Alternatively, toggle Inherit to Off and configure the values in the ACCEPT ZONE TRANSFER REQUESTS FROM section. Click Add to add or Remove to remove the entries. Choose one of the following from the TYPE drop-down list:   
    • Any Address/Network: Choose this option to allow or deny the application to send zone transfers to any IP address or networkThe PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the remote server. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • IPv4 Network: Choose this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and type a netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • Named ACL: Choose this option to add a named ACL. Click the VALUE field and the list of named ACLs are displayed. If you have only one named ACL, it is displayed automatically. When you select this, the application allows servers permission to send and receive DNS zone transfer data. You can click Clear to remove the selected named ACL.

    • TSIGSelect an existing TSIG Key. For more information, see Configuring TSIG KeysThe PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
  8. Click Save & Close to save.


    An authoritative reverse-mapping zone is an area of network space for which one or more name servers—primary and secondary—have the responsibility to respond to address-to-name queries. Infoblox supports reverse-mapping zones for IPv4 addresses. You can add as the top-level reverse-mapping zone. Note that you cannot add these zones using their IP addresses or netmasks, however, you can add them by name "" respectively.

    RFC 2317, Classless IN-ADDR.ARPA delegation is an IETF (Internet Engineering Task Force) document that describes a method of delegating parts of the DNS IPv4 reverse-mapping tree that corresponds to subnets smaller than a /24 (from a /25 to a /31). The DNS IPv4 reverse-mapping tree has nodes broken at octet boundaries of IP addresses, which correspond to the old classful network masks. So, IPv4 reverse-mapping zones usually fall on /8, /16, or /24 boundaries.

    To create a secondary authoritative reverse mapping zone, add as the top-level reverse mapping zone and specify the domain in the Name field.

  • No labels

This page has no comments.