[GH-ISSUE #1501] How to set up primary/secondary DNS server? #687

Open
opened 2026-03-15 23:48:30 +03:00 by kerem · 3 comments

Originally created by @baobao1270 on GitHub (Jun 2, 2021).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/1501

I'm trying to use trust-dns as my personal website's DNS server. Here are the steps I have done:

  1. I built trust-dns with the command `cargo build --release -p trust-dns --all-features`.
  2. I set up the primary server with the configuration below. The primary runs fine.
    ```toml
    listen_addrs_ipv4 = ["0.0.0.0"]
    listen_port = 53

    [[zones]]
    zone = "example.com"
    zone_type = "Primary"
    file = "/etc/trust-dns.d/zones/example.com.zone"
    allow_update = false
    allow_axfr = true
    enable_dnssec = true

    [[zones.keys]]
    key_path = "/etc/trust-dns.d/rsa_2048.zsk.pem"
    algorithm = "RSASHA512"
    password = ""
    is_zone_signing_key = true
    create_if_absent = false
    ```
  3. Now I want to create the secondary server. I noticed there is a `Secondary` value option of the `zone_type` key. But I didn't see any examples of using it, nor can I find any documentation.
    ```toml
    # secondary server of example.com
    listen_addrs_ipv4 = ["0.0.0.0"]
    listen_port = 53

    [[zones]]
    zone = "example.com"
    zone_type = "Secondary"
    # what should I do next?
    ```

I expect there is somewhere to set the address of the primary server, so the secondary server can get the zone with AXFR and store it in cache. When the primary server is down, the secondary server can still provide service.

Besides, I'm looking for docs for operating a trust-dns server, other than developing with libraries. Is there any docs like this?


@bluejekyll commented on GitHub (Jun 5, 2021):

Thank you for the interest in the project. You're bumping into an area of unfinished work in the project. There are still a number of changes that need to happen to properly support AXFR and primary/secondary functionality in the project.

If you're interested in throwing caution to the wind, I would recommend that for now, you operate trust-dns as a primary, and for any secondaries, use some out-of-band replication method of the zone files.

This is an area that I'd like to get back to supporting, but we're not there yet...


@darnuria commented on GitHub (Dec 10, 2022):

@bluejekyll I am not an "axfr" expert, but I have had to play with it at work somewhat. Is it still something that needs to be dug into? :)


@b4ldr commented on GitHub (May 30, 2025):

Has there been any progress on this?

> If you're interested in throwing caution to the wind, I would recommend that for now, you operate trust-dns as a primary, and for any secondaries, use some out-of-band replication method of the zone files.

I tried this with a DNSSEC signed zone but I get the following error:

```
# RUST_BACKTRACE=full hickory-dns -d -c /etc/hickory.toml
1748626171:INFO:hickory_dns:336:Hickory DNS 0.24.4 starting
1748626171:INFO:hickory_dns:341:loading configuration from: "/etc/hickory.toml"
1748626171:DEBUG:hickory_dns:147:loading zone with config: ZoneConfig {
    zone: ".",
    zone_type: Secondary,
    file: Some(
        "root.zone",
    ),
    allow_update: None,
    allow_axfr: None,
    enable_dnssec: None,
    keys: [],
    stores: None,
}

thread 'main' panicked at src/hickory-dns.rs:367:27:
could not load zone .: failed to parse root.zone: ParseError { kind: Message("RRSIG should be dynamically generated") }
stack backtrace:
   0:     0x5613e4ea13a9 - <unknown>
   1:     0x5613e4eb0ba3 - <unknown>
   2:     0x5613e4e93a0f - <unknown>
   3:     0x5613e4ea11f3 - <unknown>
   4:     0x5613e4e75b35 - <unknown>
   5:     0x5613e4e75928 - <unknown>
   6:     0x5613e4e7610f - <unknown>
   7:     0x5613e4ea17ba - <unknown>
   8:     0x5613e4ea15d9 - <unknown>
   9:     0x5613e4e75c7d - <unknown>
  10:     0x5613e46f2320 - <unknown>
  11:     0x5613e47ed47e - <unknown>
  12:     0x5613e47f8ff3 - <unknown>
  13:     0x5613e47e18c9 - <unknown>
  14:     0x5613e4e9334d - <unknown>
  15:     0x5613e47f374c - <unknown>
  16:     0x7fad4c66eca8 - <unknown>
  17:     0x7fad4c66ed65 - __libc_start_main
  18:     0x5613e46f2ab1 - <unknown>
  19:                0x0 - <unknown>
```
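The workaround suggested in this thread (run a primary, replicate the zone file to secondaries out of band) has two failure modes that the posts above touch on: the replicated copy can silently fall behind the primary's SOA serial, and, as the last comment shows, hickory-dns 0.24.4 refuses to load a file containing RRSIG records for a `zone_type = "Secondary"` zone (`ParseError { kind: Message("RRSIG should be dynamically generated") }`). The following script is an added example, not code from the hickory-dns project or from anyone in the thread: it is a pre-flight check that parses the primary's and the secondary's zone-file copies, compares their SOA serials with RFC 1982 wraparound arithmetic, and counts RRSIG records so the replication job can refuse to ship a file the secondary will panic on. The two zone texts are constructed sample data; the record-type detection is a simplification (first token that names a known RR type) rather than a full RFC 1035 master-file parser.

```python
"""Pre-flight check for an out-of-band replicated DNS zone file.

Added example (not hickory-dns project code). Assumes the primary and the
secondary each have a plain-text master-format zone file on disk; the two
zone texts below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional

# RR types the simplified parser recognises; the first token matching one
# of these is taken as the record type (owner names rarely collide).
KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME", "DS",
               "DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

# Constructed sample: a signed zone as the primary would publish it.
PRIMARY_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2021060201 ; serial
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; minimum
@   IN NS   ns1.example.com.
@   IN NS   ns2.example.com.
ns1 IN A    192.0.2.1
ns2 IN A    192.0.2.2
@   IN RRSIG SOA 10 2 3600 20210701000000 20210601000000 12345 example.com. c2FtcGxlc2lnbmF0dXJl
"""

# Constructed sample: a stale copy on the secondary (one serial behind).
SECONDARY_ZONE = PRIMARY_ZONE.replace("2021060201", "2021060200")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield records with ';' comments removed and parenthesised
    continuation lines (multi-line SOA) joined into one logical line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        depth += line.count("(") - line.count(")")
        if line:
            buf.append(line)
        if depth <= 0 and buf:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            yield " ".join(joined.split())
            buf, depth = [], 0


@dataclass
class ZoneInfo:
    serial: Optional[int] = None
    type_counts: Dict[str, int] = field(default_factory=dict)


def inspect_zone(text: str) -> ZoneInfo:
    """Extract the SOA serial and a per-type record count from zone text."""
    info = ZoneInfo()
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue  # $ORIGIN / $TTL directives carry no records
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.upper() in KNOWN_TYPES), None)
        if idx is None:
            continue  # unknown or malformed record; not relevant to this check
        rtype = tokens[idx].upper()
        info.type_counts[rtype] = info.type_counts.get(rtype, 0) + 1
        if rtype == "SOA" and info.serial is None:
            # SOA rdata order: mname rname serial refresh retry expire minimum
            info.serial = int(tokens[idx + 3])
    return info


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is newer than b, allowing
    32-bit wraparound (a jump of 1 past 2^32-1 still counts as newer)."""
    a, b = a % 2**32, b % 2**32
    if a == b:
        return False
    return 0 < (a - b) % 2**32 < 2**31


def check_replica(primary_text: str, secondary_text: str) -> dict:
    """Compare the secondary's copy with the primary's and report whether
    it is in sync and whether hickory-dns 0.24.4 would load it."""
    p, s = inspect_zone(primary_text), inspect_zone(secondary_text)
    rrsigs = s.type_counts.get("RRSIG", 0)
    return {
        "primary_serial": p.serial,
        "secondary_serial": s.serial,
        "in_sync": p.serial == s.serial,
        "secondary_stale": (p.serial is not None and s.serial is not None
                            and serial_newer(p.serial, s.serial)),
        "rrsig_records": rrsigs,
        # Per the thread: a Secondary zone file containing RRSIG records
        # fails with "RRSIG should be dynamically generated" on 0.24.4.
        "loadable_as_secondary": rrsigs == 0,
    }


if __name__ == "__main__":
    for key, value in check_replica(PRIMARY_ZONE, SECONDARY_ZONE).items():
        print(f"{key:22} {value}")
```

Run against the sample data the check reports the secondary one serial behind and flags one RRSIG record, which is exactly the combination that would leave the secondary serving stale data if the file were accepted, or failing to start if it is not. In a real deployment the two texts would be read from the primary's zone file and the copy the replication job is about to install, and a non-zero exit on `secondary_stale` or a false `loadable_as_secondary` would stop the rollout.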