When and How to Use Gandi’s Secondary Nameserver

For users who have their own primary nameserver, Gandi provides a secondary nameserver for no extra charge for domains registered with us.

Gandi’s secondary DNS is ns6.gandi.net. Two IPs are used:

  • 217.70.177.40 / 2001:4b98:d:1::40 are the IP addresses that your primary server must notify (i.e. IPs to which your primary server must send the NOTIFY messages), and from which zone transfers (AXFR) are initiated

  • 217.70.177.42 / 2001:4b98:d:1::4b are the IP addresses that serve the zones

Our secondary server supports pre-signed DNSSEC zones.

How Our Secondary Nameserver Works

Our secondary nameserver copies the zone from the primary DNS whenever it detects a change has been made in the primary DNS. You must first include ns6.gandi.net in your DNS records so that it can request zone transfers from the primary nameserver.

In order for the secondary nameserver to work properly with your primary nameserver you must do the following:

  • The administrator of the primary nameserver must authorize the AxFr requests from 217.70.177.40 and 2001:4b98:d:1::40. BIND statement for reference: allow-transfer { 217.70.177.40; 2001:4b98:d:1::40; }.

  • The administrator of the primary nameserver should send NOTIFY messages to 217.70.177.40 and 2001:4b98:d:1::40. BIND statement for reference: also-notify { 217.70.177.40; 2001:4b98:d:1::40; }

  • The administrator of the primary nameserver must increment the serial number of the SOA.

  • You must declare ns6.gandi.net as a NS at the apex of your zone

Note

We try to resolve the name of the first nameserver of the domain listed on Gandi’s interface. If it’s a glue record, then we don’t try to resolve it, but rather, we get the IP address from our database instead.

To find the serial number type the command:

dig SOA @ns6.gandi.net example.com

And you will see a line like this:

;; ANSWER SECTION:
example.com.         604800  IN      SOA     s1.example.com. kermit.s1.example.com. 2019012319 86400 21600 604800 60

In this line, the serial number is “2019012319”, which can be compared to the primary nameserver:

dig SOA @server1.example.com example.com

For extensions like .de that perform a zonecheck, you will not be able to use our secondary nameserver if you have not correctly authorized the zone transfer to it as described above. Also, due to the provisioning delay, please allow for at least 30 minutes to an hour for the operation to be attempted before checking on your interface to see if it was updated.

How To Add Our Secondary Nameserver

  1. After logging into your account, choose “Domain” from the left menu.

  2. Select the domain name you wish to manage by clicking on its name in the list.

  3. Click on the “Nameservers” tab.

  4. Click “Change.”

  5. Without changing your primary nameserver, enter ns6.gandi.net in your list of nameservers.

  6. Click “Save.”