DNS zone transfer, also known by the DNS query type that initiates it, AXFR, is a type of DNS transaction. It is one of the many mechanisms available to administrators for replicating DNS databases across a set of DNS servers.

A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction. The client requesting a zone transfer may be a secondary server requesting data from a primary server. The portion of the database that is replicated is a zone.

Operation

Zone transfer consists of a preamble, followed by the actual data transfer. The preamble comprises a lookup of the Start of Authority (SOA) resource record for the "zone apex", the node of the DNS namespace that is at the top of the "zone". The fields of this SOA resource record, in particular the "serial number", determine whether the actual data transfer needs to occur at all. The client compares the serial number of the SOA resource record with the serial number in the last copy of that resource record that it holds. If the serial number of the record being transferred is greater, the data in the zone are deemed to have "changed" (in some fashion) and the client (the secondary) proceeds to request the actual zone data transfer. If the serial numbers are identical, the data in the zone are deemed not to have "changed", and the client may continue to use the copy of the database that it already has, if it has one.

The actual data transfer process begins with the client sending a query (opcode 0) with the special query type AXFR (value 252) over the TCP connection to the server. Although DNS technically supports AXFR over User Datagram Protocol (UDP), it is considered unacceptable due to the risk of lost or spoofed packets.
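The preamble decision and the AXFR request described above, as an added Python example (not code from the article or from any DNS implementation): it builds the wire-format query message with opcode 0 and QTYPE 252, adds the two-byte length prefix that DNS over TCP requires, parses the message back, and makes the SOA serial comparison. The comparison goes slightly beyond the text: rather than a plain "greater than", it uses RFC 1982 serial number arithmetic, which is what DNS servers use so that a serial that has wrapped past 2^32 is still recognised as newer. The zone name and transaction ID are constructed sample values, and no network I/O is performed.

```python
import struct

AXFR = 252         # QTYPE value for a full zone transfer request
OPCODE_QUERY = 0   # standard query opcode


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build the DNS message that requests a zone transfer: opcode 0, QTYPE AXFR, QCLASS IN.

    txid is a constructed sample transaction ID; a real client picks it randomly.
    """
    flags = OPCODE_QUERY << 11                         # QR=0, opcode in bits 11-14, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    question = encode_name(zone) + struct.pack("!HH", AXFR, 1)  # QCLASS IN = 1
    return header + question


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question(msg: bytes, offset: int = 12):
    """Decode an uncompressed question section; return (name, qtype, qclass)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return ".".join(labels) + ".", qtype, qclass


def serial_is_newer(new: int, have: int) -> bool:
    """RFC 1982 serial arithmetic: is `new` greater than `have` modulo 2^32?

    A serial that wrapped past zero is still newer than the one before the wrap.
    """
    new &= 0xFFFFFFFF
    have &= 0xFFFFFFFF
    if new == have:
        return False
    return (have < new and new - have < 2 ** 31) or (have > new and have - new > 2 ** 31)


def transfer_needed(remote_serial: int, local_serial) -> bool:
    """The preamble decision: transfer only if the primary's SOA serial is newer
    than the copy we hold, or if we hold no copy at all (local_serial is None)."""
    if local_serial is None:
        return True
    return serial_is_newer(remote_serial, local_serial)


if __name__ == "__main__":
    q = build_axfr_query("example.com.")          # constructed sample zone
    print(frame_for_tcp(q).hex())
    print(parse_header(q), parse_question(q))
    print(transfer_needed(2024010102, 2024010101))  # newer serial on the primary
```

Only the query side is shown; the server's answer to an AXFR is a sequence of messages whose records begin and end with the zone's SOA, so the same `parse_header` call on each reply, followed by a check that the first and last records are that SOA, is how a client knows the transfer is complete.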

In 2008 a court in North Dakota, USA, ruled that performing a zone transfer as an unauthorized outsider to obtain information that was not publicly accessible constitutes a violation of North Dakota law.

See also

  • List of DNS record types

Security standards information

  • CAPEC-291 DNS Zone Transfers
  • CVE-1999-0532 A DNS server allows zone transfers.
  • CWE-16 Configuration
  • CWE-276 Incorrect Default Permissions
  • DNS Zone Transfer Protocol (defines AXFR, updates RFC 1034 Domain Names - Concepts and Facilities, and RFC 1035 Domain Names - Implementation and Specification)
  • Incremental Zone Transfer in DNS
  • A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
  • draft-ietf-dnsext-axfr-clarify DNS Zone Transfer Protocol (AXFR) Internet Draft