
Migrating DNS Zones with AXFR Zone Transfers

By Admin · Mar 15, 2026 · Updated Apr 23, 2026 · 3 min read

AXFR (Authoritative Zone Transfer) is the standard DNS protocol for copying an entire zone from one DNS server to another. It is essential for migrating DNS between providers, setting up secondary DNS servers, and backing up zone data. This guide covers performing zone transfers, configuring AXFR on both source and destination servers, and handling common migration scenarios.

Understanding Zone Transfers

  • AXFR — full zone transfer; copies the entire zone
  • IXFR — incremental transfer; copies only changes since last transfer
  • TSIG — transaction signature; authenticates zone transfers

Performing a Zone Transfer

# Basic AXFR request
dig @source-ns.example.com example.com AXFR

# Save to a zone file
dig @source-ns.example.com example.com AXFR > example.com.zone

# With TSIG authentication
dig @source-ns.example.com example.com AXFR -y hmac-sha256:transfer-key:base64secret==

# Using kdig for cleaner output
kdig @source-ns.example.com example.com AXFR

Configuring AXFR on Source (BIND)

# /etc/bind/named.conf
# Generate TSIG key
key "transfer-key" {
    algorithm hmac-sha256;
    secret "base64-encoded-secret-here";
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";
    allow-transfer { key "transfer-key"; 10.0.0.2; };  # Match list is OR: either the TSIG key or the listed address suffices; drop the address to require TSIG
    also-notify { 10.0.0.2; };  # Notify secondary on changes
};

Generate TSIG Key

tsig-keygen -a hmac-sha256 transfer-key
# Output:
# key "transfer-key" {
#     algorithm hmac-sha256;
#     secret "Wg=...base64...==";
# };

Configuring Secondary Server (BIND)

key "transfer-key" {
    algorithm hmac-sha256;
    secret "same-secret-as-source";
};

server 10.0.0.1 {
    keys { "transfer-key"; };
};

zone "example.com" {
    type slave;
    file "/var/cache/bind/example.com.zone";
    masters { 10.0.0.1; };
    allow-transfer { none; };  # Don't allow transfers from secondary
};

PowerDNS AXFR

# Source (PowerDNS authoritative)
# pdns.conf
allow-axfr-ips=10.0.0.2/32
also-notify=10.0.0.2

# Destination (PowerDNS as secondary, autosecondary mode)
# pdns.conf
secondary=yes       # older releases: slave=yes
autosecondary=yes   # older releases: superslave=yes; set only one spelling of each option

Migration Between DNS Providers

# Step 1: Export zone from current provider
dig @current-ns.provider.com example.com AXFR > example.com.zone

# If AXFR is blocked, fall back to an alternative export:
# most providers offer a BIND-format zone export in their web interface

# Step 2: Clean up the zone file
# Remove the duplicated SOA record that AXFR emits at the start and end of the dump,
# and NS records pointing to the old provider

# Step 3: Import to new provider
# Most providers accept BIND-format zone file imports
# Or use CLI tools:
# Cloudflare: cloudflare-cli import-zone example.com < example.com.zone
# AWS Route 53: cli53 import --file example.com.zone example.com

# Step 4: Update NS records at registrar
# Point to new provider's nameservers

# Step 5: Wait for propagation (24-48 hours)
# Monitor with: dig NS example.com +trace

Verifying Zone Transfer

# Compare records between old and new servers
# Note: many servers answer ANY minimally (RFC 8482); prefer comparing full AXFR dumps where transfers are permitted
dig @old-ns.example.com example.com ANY +noall +answer > old_records.txt
dig @new-ns.example.com example.com ANY +noall +answer > new_records.txt
diff <(sort old_records.txt) <(sort new_records.txt)   # sort first: answer order is not stable

# Check specific record types
for type in A AAAA MX TXT CNAME NS SRV; do
    echo "=== $type ==="
    dig @new-ns.example.com example.com $type +short
done
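A plain diff of two dumps flags harmless differences (SOA serial, record order, owner-name case). As an added example that is not part of the original article, the Python below parses two saved `dig ... AXFR` dumps, normalises them, and reports records missing on the new server, unexpected extras, and TTL changes; the two sample dumps are constructed.

```python
# Added example: compare two `dig ... AXFR` dumps (old vs new authoritative server).
# Input format is what `dig @ns example.com AXFR > file` writes; samples below are constructed.
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner, rrtype, rdata); TTL is tracked separately


def parse_axfr(text: str) -> Dict[Record, int]:
    """Map (owner, rrtype, rdata) -> TTL. Skips ';' comment lines, lowercases and
    fully qualifies owner names, and blanks the SOA serial (secondaries bump it)."""
    records: Dict[Record, int] = {}
    for line in text.splitlines():
        fields = line.split(None, 4)          # owner TTL class type rdata
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner, ttl, _cls, rrtype, rdata = fields
        owner = owner.lower() if owner.endswith(".") else owner.lower() + "."
        rdata = " ".join(rdata.split())       # normalise whitespace
        if rrtype.upper() == "SOA" and len(rdata.split()) == 7:
            p = rdata.split()                 # mname rname serial refresh retry expire minimum
            rdata = " ".join(p[:2] + ["<serial>"] + p[3:])
        records[(owner, rrtype.upper(), rdata)] = int(ttl)
    return records


def compare_axfr(old_text: str, new_text: str) -> Tuple[List, List, List]:
    """Return (missing_on_new, unexpected_on_new, ttl_changed), each sorted."""
    old, new = parse_axfr(old_text), parse_axfr(new_text)
    missing = sorted(set(old) - set(new))
    extra = sorted(set(new) - set(old))
    ttl_changed = sorted((r, old[r], new[r]) for r in old.keys() & new.keys() if old[r] != new[r])
    return missing, extra, ttl_changed


# Constructed sample dumps (not captured from a real server).
OLD_DUMP = """\
; <<>> DiG 9.18.24 <<>> @old-ns.example.com example.com AXFR
example.com.     3600 IN SOA   old-ns.example.com. hostmaster.example.com. 2026031501 7200 900 1209600 300
example.com.     3600 IN NS    old-ns.example.com.
EXAMPLE.COM.     300  IN A     192.0.2.10
www.example.com. 300  IN CNAME example.com.
example.com.     3600 IN MX    10 mail.example.com.
example.com.     3600 IN SOA   old-ns.example.com. hostmaster.example.com. 2026031501 7200 900 1209600 300
"""
NEW_DUMP = """\
example.com.     3600 IN SOA   old-ns.example.com. hostmaster.example.com. 2026042301 7200 900 1209600 300
example.com.     3600 IN NS    new-ns.example.com.
example.com.     60   IN A     192.0.2.10
www.example.com. 300  IN CNAME example.com.
example.com.     3600 IN SOA   old-ns.example.com. hostmaster.example.com. 2026042301 7200 900 1209600 300
"""
```

Against the sample dumps, `compare_axfr(OLD_DUMP, NEW_DUMP)` reports the MX record and old NS as missing, the new NS as unexpected, and the apex A record's TTL change from 300 to 60; feed it the contents of `old_records.txt`-style AXFR dumps to check a real migration.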

Security Considerations

  • Never allow unrestricted AXFR — it exposes your entire zone to anyone
  • Always use TSIG authentication for zone transfers between servers
  • Restrict allow-transfer to specific IP addresses of your secondary servers
  • Monitor for unauthorized AXFR attempts in your DNS server logs

Best Practices

  • Use TSIG keys for authenticated zone transfers instead of IP-based ACLs alone
  • Test zone transfer before migration by setting up a secondary and verifying all records
  • Lower TTL values 24-48 hours before migration to speed up propagation
  • Keep the old DNS server running for at least 48 hours after switching NS records
  • Verify all record types (A, AAAA, MX, TXT, CNAME, SRV) on the new server before cutover
