RcodeZero Anycast Secondary-DNS is an easy to use anycast name server network. The complexity of anycast and the distribution of DNS data are hidden from the customer. The customer has a single point for managing the DNS zones and the DNS zone transfer.
Once a zone is added via a REST request or via the customer web interface, the control name server and all the anycast name servers act as authoritative servers for the respective zone. The control name server will request a zone transfer from the master name server(s) and deploy the zone data to the anycast name servers.
On zone changes, the master name server has to send DNS NOTIFYs to the control server. The control server then fetches the SOA record from the master name server and, if the serial has increased, initiates a zone transfer and distributes the updated zone data to the anycast name servers.
Additionally, zone transfers can be initiated via the "retrieve" command on the REST interface or via the web interface. In this case, the serial is ignored and the zone is transferred and deployed to the anycast nodes even if the serial has not increased. Note: Even if a zone was transferred, the anycast name servers may respond with old data for a few minutes due to internal caching in the name server software.
1. Please configure the master name server(s) to allow a zone transfer. In case the master name server is a “hidden master”, also allow the RcodeZero control name server to query your master server(s) for serial checks.
2. Add the zone via a SOAP request or via the admin panel.
3. Add additional NS record(s) to the zone pointing to the RcodeZero name servers. RcodeZero provides 4 IP addresses (2x IPv4 and 2x IPv6). Either use the RcodeZero host names “sec1.rcode0.net” and “sec2.rcode0.net”, or use your individual name servers. In the latter case, please make sure that the individual name server host names point to the addresses as described below.
sec1.rcode0.net: This hostname provides the main anycast IP addresses. They will be announced from all locations.
sec2.rcode0.net: This hostname provides the secondary anycast IP addresses.
In case only a single NS hostname/IP address pair is required, please use sec1.rcode0.net or the respective IP addresses.
Example with RcodeZero hostnames:
example.com. IN NS sec1.rcode0.net.
example.com. IN NS sec2.rcode0.net.
Example with individual name server hostnames:
example.com. IN NS ns1.provider-xyz.net.
example.com. IN NS ns2.provider-xyz.net.
ns1.provider-xyz.net. IN A 18.104.22.168
ns1.provider-xyz.net. IN AAAA 2001:67c:1bc::100
ns2.provider-xyz.net. IN A 22.214.171.124
ns2.provider-xyz.net. IN AAAA 2001:67c:10b8::100
4. Add the new name server to the above zone (e.g. to the Registry via the registrar).
Instead of adding RcodeZero Secondary DNS as additional name server by adding a new NS record to the zones, you can also replace one of your existing name servers with RcodeZero. In this case, you only have to change the A/AAAA records of the existing name server hostname and let it point to our anycast IP addresses. This does not require any changes to zones and registry – as long as the hostname is outside the zone and thus glue records are not used.
Adding, deleting or querying a zone can be done either via a SOAP request, or in the admin panel. Both systems use the same username/password for authentication. The SOAP interface allows automation whereas the customer web site is ideal for adding just a few zones or checking the status.
The customer website is located at: https://my.rcodezero.at/ (Username and password are the same as for the SOAP interface.) The customer web interface allows you to add/delete/query zones, fetch a complete zone list, and to see and download DNS query statistics. When adding a zone via the web interface, multiple master servers can be configured by separating them with a comma, e.g.: 126.96.36.199,2001:db8::1234
Query statistics can be downloaded from the website, either manually using a web browser or automated. The data is provided as a CSV file with semicolon (;) as delimiter. The statistics are stored only for the last 3 months, so make sure to download your statistics periodically. Note: The download may take considerable time (30s - 5min). To download the statistics manually, just log on to the web interface and follow the links.
The Web-API is based on SOAP, and a Web Services Description Language (WSDL) file describing the interface is available at https://api.rcode0.net/SecondaryDNS.wsdl. Please note that this API is only available with the Service Provider product.
Every time the zone’s signatures need to be refreshed (re-signing of the zone), the zone’s serial will be increased. Thus, for signed zones the zone’s serial announced by the anycast nodes will be bigger than the serial on the customer’s hidden master. However, a higher serial on the anycast node is not an indication that the zone is up to date. Therefore, every time the serial is increased on the hidden master, the new serial should be higher than the serial on the anycast node.
For zones using the DNSSEC signing service, the customer’s master name server must be a hidden master. Further, the zone must not be hosted on a name server that is also public-facing and authoritative for a parent zone.
The web interface has a page called "Problematic Zones":
This page lists all your zones for which the control server failed to check the serial or failed to transfer the zone.
First, you should check the serial of the zone on the control server (of course this implies that the master server always increases the serial on zone changes). This can be done either by viewing the zone details on the website or by querying the control server for the SOA record, e.g.: dig @188.8.131.52 yourdomain.com SOA
If the serial is smaller than the serial on the master server, a possible cause is that the control server is not allowed to query and transfer the zone from the master. Make sure to allow query and zone transfer from the control server IP addresses 184.108.40.206 and 2A02:850:8::6. The control server will check the zone's SOA record every "refresh" seconds (minimum refresh value: 24 hours) or when NOTIFYs are received. Further, immediate zone transfers can be initiated by using the "retrieve" SOAP command.
If the zone on the control server is up to date, you can also check the zone data on an anycast name server. Due to asynchronous replication and name server internal caching, the changes may be delayed up to 5 minutes.
dig @sec1.rcode0.net yourdomain.com SOA
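The serial checks above, together with the rule for signed zones, can be scripted. The following is an added example and not RcodeZero code: it takes the SOA answers collected with dig from the master, the control server and an anycast node, and assumes serials are compared with RFC 1982 serial arithmetic; the function names and sample answers are constructed for illustration.

```python
# Added example, not RcodeZero code. Assumes SOA serials are compared with
# RFC 1982 serial arithmetic, as standard DNS secondaries do.
MOD, HALF = 2**32, 2**31

def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b, allowing for 32-bit wraparound."""
    return a != b and (a - b) % MOD < HALF

def parse_soa_serial(dig_short: str) -> int:
    """Serial from one `dig +short <zone> SOA` line:
    mname rname serial refresh retry expire minimum."""
    fields = dig_short.split()
    if len(fields) != 7 or not fields[2].isdigit():
        raise ValueError(f"not a SOA answer: {dig_short!r}")
    return int(fields[2])

def diagnose(master: int, control: int, anycast: int) -> str:
    """Unsigned zone: report where an update is stuck."""
    if serial_gt(master, control):
        return "control server behind master: check query/transfer ACLs and NOTIFY"
    if serial_gt(control, master):
        return "master serial is lower than the transferred copy: raise it or use retrieve"
    if serial_gt(control, anycast):
        return "anycast node behind control server: replication or caching delay"
    return "in sync"

def next_master_serial(master: int, anycast: int) -> int:
    """Signed zone: next hidden-master serial that is newer than the
    serial the anycast nodes announce after re-signing."""
    newest = anycast if serial_gt(anycast, master) else master
    return (newest + 1) % MOD

# Constructed sample answers (not real data) from the three vantage points.
SOA = "ns.yourdomain.com. hostmaster.yourdomain.com. {} 86400 7200 3600000 3600"
MASTER, CONTROL, ANYCAST = SOA.format(2024051503), SOA.format(2024051502), SOA.format(2024051502)

if __name__ == "__main__":
    m, c, a = (parse_soa_serial(x) for x in (MASTER, CONTROL, ANYCAST))
    print(diagnose(m, c, a))
    print(next_master_serial(master=2024051503, anycast=2024051510))
```

For signed zones, use only `next_master_serial`: there the anycast serial is expected to be ahead of the hidden master, so `diagnose` does not apply.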
Short answer: typically below 3 minutes.
Long answer: this depends on several factors and timers which add up:
DNS NOTIFY: On zone updates, the master server must send NOTIFYs with an increased serial number to our control server to initiate a zone transfer. The transfer will usually start immediately, but may take some minutes in periods of heavy workload (lots of zone updates).
Zone data distribution: The control server will distribute the new zone data to all anycast nodes. This usually takes less than 1 minute.
DNS Caching: Our name servers cache DNS responses for 4 minutes. Thus, if the domain was queried just before the zone was updated, the name server will respond with the old data for 4 minutes. Note: As there are multiple name servers with load-balancing on every anycast location, it may happen that some responses still contain the old data while some responses already contain the new data.
The documentation of our REST interface can be found here: https://my.rcodezero.at/api-doc/