A Secondary Server is highly recommended in order to maintain the availability of the domain should the Primary become unavailable.
IMPORTANT: On the Primary server, the zone transfer needs to be allowed.
Add the allow-transfer option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local:
zone "example.com" { type master; file "/etc/bind/db.example.com"; allow-transfer { 192.168.1.11; }; }; zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192"; allow-transfer { 192.168.1.11; }; };
NOTE: Replace 192.168.1.11 with the IP Address of your Secondary nameserver.
Restart BIND9 on the Primary server:
sudo systemctl restart bind9.service
On the Secondary server.
Edit the /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:
zone "example.com" { type slave; file "db.example.com"; masters { 192.168.1.10; }; }; zone "1.168.192.in-addr.arpa" { type slave; file "db.192"; masters { 192.168.1.10; }; };
NOTE: Replace 192.168.1.10 with the IP Address of your Primary nameserver.
Restart BIND9 on the Secondary server:
sudo systemctl restart bind9.service
NOTE: In /var/log/syslog you should see something similar to the following:
client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa' zone 1.168.192.in-addr.arpa/IN: Transfer started. transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53: connected using 192.168.1.11#37531 zone 1.168.192.in-addr.arpa/IN: transferred serial 5 transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 6 records, 212 bytes, 0.002 secs (106000 bytes/sec) zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5) client 192.168.1.10#20329: received notify for zone 'example.com' zone example.com/IN: Transfer started. transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577 zone example.com/IN: transferred serial 5 transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages, 8 records, 225 bytes, 0.002 secs (112500 bytes/sec)
NOTE: A zone is only transferred if the Serial Number on the Primary is larger than the one on the Secondary.
If you want to have your Primary DNS notifying other Secondary DNS Servers of zone changes, you can add also-notify { ipaddress; }; to /etc/bind/named.conf.local as shown in the example below:
zone "example.com" { type master; file "/etc/bind/db.example.com"; allow-transfer { 192.168.1.11; }; also-notify { 192.168.1.11; }; }; zone "1.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192"; allow-transfer { 192.168.1.11; }; also-notify { 192.168.1.11; }; };
NOTE: The default directory for non-authoritative zone files is /var/cache/bind/.
This directory is also configured in AppArmor to allow the named daemon to write to it.