D. J. Bernstein
Internet publication
djbdns
Frequently asked questions

Outgoing DNS zone transfers


What are zone transfers?

Answer: When you edit the host information on one of your DNS servers (the ``master'' or ``primary''), you have to copy it to the other DNS servers (the ``slaves'' or ``secondaries'').

There are several easy-to-use standard tools that copy files. The scp program, part of OpenSSH [www.openssh.com], provides secure, compressed file transfers. You can use rsync [rsync.samba.org] to perform incremental copies, which transmit only a small amount of data through the network for a small change to a large file.

Zone transfers are an archaic alternative mechanism for copying DNS information. Instead of immediately sending new data to the slaves, you run a zone-transfer service that accepts periodic connections from the slaves; your users complain while they're waiting for the slaves to check for new data. The zone-transfer protocol isn't a modular file-transfer system; it is an ad-hoc system tied to the details of DNS. The protocol has terrible compression and no security. Every new zone on the master requires manual reconfiguration of the slaves.

Zone transfers have one redeeming feature: zone-transfer software is very widespread. You may be forced to use zone transfers if your slaves don't support anything better. (On the other hand, you could choose better slaves.)

There has been some work on improving the zone-transfer protocol: a NOTIFY mechanism that wakes up the slaves (after a delay, and without a failure notice when something goes wrong); an experimental IXFR mechanism for incremental zone transfers; and several proposed security mechanisms. By combining all these tools, you can finally approach the functionality of a trivial rsync script. Wow.


How do I configure a zone-transfer service? I'd like to run axfrdns on IP address 1.2.3.5 to allow zone transfers to IP address 9.8.7.6 for the zones heaven.af.mil and 3.2.1.in-addr.arpa.

Answer: This answer assumes that your boot scripts are already running svscan in a /service directory. axfrdns relies on svscan to start it and to restart it at boot time.

You will have to take four steps:

1. Create the axfrdns service directory by running the axfrdns-conf program, with your IP address at the end of the line:

     axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns 1.2.3.5

2. Change directory to /etc/axfrdns, and add a line to tcp allowing zone transfers from 9.8.7.6:

     9.8.7.6:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa"

3. Compile tcp into a binary format for tcpserver:

     make

4. Tell svscan about the new service:

     ln -s /etc/axfrdns /service

svscan will start the service within five seconds.
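
As an added example (not code from the djbdns page or distribution), here is a small Python checker for the tcp rules file that the configuration above edits: it builds the allow line from an address and a zone list, and flags rules that would let a client transfer more than intended (an allow line with no AXFR= variable exposes every zone, and an empty address matches every client). The sample rules file is constructed here; the check for a trailing ':deny' line assumes, as with the tcp file axfrdns-conf generates, that this line is the catch-all, since tcpserver allows a client matching no rule.

```python
import re
from typing import List, Optional

# Constructed sample of an axfrdns "tcp" rules file (not from the original page).
SAMPLE_TCP = """\
# secondaries that may pull our zones
9.8.7.6:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa"
10.0.0.:allow
:allow,AXFR="heaven.af.mil"
:deny
"""

# tcprules line: <address-or-prefix>:<allow|deny>[,VAR="value",...]
RULE_RE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')


def axfr_rule(address: str, zones: List[str]) -> str:
    """Build one tcprules line that lets `address` transfer only `zones`."""
    if not zones:
        raise ValueError("refusing to emit an allow rule without a zone list")
    joined = "/".join(zones)  # axfrdns separates zone names with '/'
    return f'{address}:allow,AXFR="{joined}"'


def parse_axfr(envs: Optional[str]) -> Optional[List[str]]:
    """Return the zones named in AXFR="a/b", or None if AXFR is absent."""
    if not envs:
        return None
    m = re.search(r'AXFR="([^"]*)"', envs)
    return m.group(1).split("/") if m else None


def lint_axfr_rules(text: str) -> List[str]:
    """Report allow rules that are broader than a per-secondary zone list."""
    warnings: List[str] = []
    saw_default_deny = False
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            warnings.append(f"line {n}: unparseable rule: {line!r}")
            continue
        address, instruction, envs = m.groups()
        if instruction == "deny":
            saw_default_deny = saw_default_deny or address == ""
            continue
        if address == "":
            warnings.append(f"line {n}: allows AXFR from any address")
        if parse_axfr(envs) is None:
            warnings.append(f"line {n}: allow without AXFR= exposes every zone to {address or 'everyone'}")
    if not saw_default_deny:
        warnings.append("no ':deny' default rule; unmatched clients are allowed")
    return warnings
```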


Can I run tinydns and axfrdns on the same IP address?

Answer: Yes. tinydns listens for packets on UDP port 53. axfrdns listens for connections on TCP port 53.