DNS BIND Zone Transfers and Updates

This chapter describes all the statements available in BIND 9.3.x relating to zone transfers and Updates. Full list of statements.

allow-notify

 allow-notify { address_match_list };

allow-notify applies to slave zones only and defines a match list e.g. IP address(es) that are allowed to NOTIFY this host and implicitly update the zone in addition to those hosts defined in the masters option for the zone. The default behaviour is to allow zone updates only from the masters IP(s). This statement may be used in a zone, view or global options clause.

// allows notify from the defined IPs 
 allow-notify (192.168.0.15; 192.168.0.16; 10.0.0.1;);
 // allows no notifies 
 allow-notify (none;);

allow-transfer

 allow-transfer { address_match_list };
 allow-transfer {192.168.0.3;};

allow-transfer defines a match list e.g. IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). The default behaviour is to allow zone transfers to any host. While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why its there) and the bad guys can get all of it anyway. However if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about possible DoS attack initiated by XFER requests, then use the following policy.

options {
   ....
   // ban everyone by default
   allow-transfer {"none";};
};
...
zone "example.com" in{
  ....
  // explicity allow the slave(s) in each zone
  allow-transfer (192.168.0.3;);
};

This statement may be used in a zone, view or global options clause.

allow-update

 allow-update { address_match_list };

allow-update defines a match list e.g. IP address(es) that are allowed to submit dynamic updates for 'master' zones i.e it enables Dynamic DNS (DDNS). The default in BIND 9 is to disallow updates from all hosts. Mutually exclusive with update-policy and applies to master zones only. This statement may be used in a zone, view or global options clause.

allow-update-forwarding

 allow-update-forwarding { address_match_list };

allow-update-forwarding defines a match list e.g. IP address(es) that are allowed to submit dynamic updates to a 'slave' sever for onward transmission to a 'master'. This statement may be used in normal zone, view or a global options clause.

also-notify

 also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] };

also-notify is applicable to 'type master' only and defines a list of IP address(es) (and optional port numbers) that will be sent a NOTIFY when a zone changes (or the specific zone if the option is specified in a zone statement). These IP(s)s are in addition to those listed in the NS records for the zone. The also-notify in a zone is not cumulative with any global also-notify statements. If a global notify option is 'no' this option may be used to override it for a specific zone, and conversely if the global <>options contain a also-notify list, setting notify 'no' in the zone will override the global option. This statement may be used in normal zone, view or a global options clause.

options {
....
    also-notify {10.1.0.15; 172.28.32.7;}; // all zones
....
};
....
zone "example.com in{
....
    also-notify {10.0.1.2;}; // only this host
....
};
zone "example.net in{
....
    notify no; // no NOTIFY for zone
....
};

alt-transfer-source[-v6]

 alt-transfer-source, alt-transfer-source-v6
 alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )];

Applies to slave zones only. Defines an alternative local IP address to be used for inbound zone transfers by the server if that defined by transfer-source (transfer-source-v6) fails and use-alt-transfer-source is enabled. This address must appear in the remote end's allow-transfer statement for the zone being transferred. This statement may be used in a zone, view or global options clause.

ixfr-from-differences

 ixfr-from-differences (yes | no);
 ixfr-from-differences yes;

Defines how the server calculates incremental zone changes. Normally incremental zone transfers are only possible when used in conjunction with Dynamic DNS (DDNS). ixfr-from-diffrences allows the slave server to create incremental zone transfers for non-dynamic zones. If set to yes when the server receives a new version of a slave file by a non-incremental zone transfer it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file (.jnl appended to zone file name) such that the changes can be transmitted to downstream slaves as an incremental zone transfer. This statement saves bandwidth at the expense of increased CPU and memory consumption. This statement may be used in a zone, view or global options clause.

max-journal-size

 max-journal-size size_in_bytes;
 max-journal-size 50k;

Sets a maximum size in bytes (may take the case insensitive k or m shortforms) for each journal file. When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically removed. The default is unlimited. Journal files are used by Dynamic DNS (DDNS) when modifying the master and when receiving IXFR changes on slave zones. The journal file is in binary format and its name is formed by appending the extension .jnl to the name of the corresponding zone file.

All changes made to a zone using dynamic update are written to the zone's journal file. The server will periodically flush the complete contents of the updated zone to its zone file this happens approximately every 15 minutes. When a server is restarted after a shutdown or crash, it will replay the journal file to incorporate into the zone any updates that took place after the last zone file update.

If changes have to be made manually to a dynamic zone then use the following sequence:

  1. Disable dynamic updates to the zone using rndc freeze zone which causes the zone file to be updated.
  2. Edit the zone file
  3. Run rndc unfreeze zone to reload the changed zone and re-enable dynamic updates

This statement may be specified in a zone, view or global options clause.

max-refresh-time, min-refresh-time

 max-refresh-time seconds ;
 min-refresh-time seconds ;

Only valid for slave or stub zones. The refresh time is normally defined by the SOA RR refresh parameter. This allows the slave server administrator to override the definition and substitute the values defined. The values may take the normal time short-cuts. This statement may be specified in a zone, view or global options clause.

max-retry-time, min-retry-time

 max-retry-time seconds ;
 min-retry-time seconds ;

Only valid for slave and stub zones. The retry time is normally defined by the SOA RR retry parameter. This allows the slave server administrator to override the definition and substitute the values defined. The values may take the normal time short-cuts. This statement may be specified in normal zone or view clauses or in a global options clause.

max-transfer-idle-in

 max-transfer-idle-in minutes ;

Only valid for slave zones. Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). This statement may be specified in normal zone or view clauses or in a global options clause.

max-transfer-idle-out

 max-transfer-idle-out minutes ;

Only valid for master zones. Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). This statement may be specified in normal zone or view clauses or in a global options clause.

max-transfer-time-in

 max-transfer-time-in minutes ;

Only valid for slave zones. Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). This statement may be specified in normal zone or view clauses or in a global options clause.

max-transfer-time-out

 max-transfer-time-out minutes ;

Only valid for 'type master' zones. Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). This statement may be specified in normal zone or view clauses or in a global options clause.

multi-master

 multi-master yes | no ;

Relevant only when multiple masters are defined for a slave zone. Controls whether a log entry will be generated each time the serial number is less than that currently maintained by the slave (no) or not (yes). This situation can occur when the zone masters are out of sync with each other. Default is no. This statement may be specified in normal zone or view clauses or in a global options clause.

notify

 notify yes | no | explicit;

notify behaviour is only applicable to master zones with 'type master' and if set to 'yes' then, when zone information changes, NOTIFY messages are sent from zone masters to the slaves defined in the NS records for the zone (with the exception of the 'Primary Master' name server defined in the SOA record) and to any IPs listed in also-notify options.

If set to 'no' NOTIFY messages are not sent.

If set to 'explicit' NOTIFY is only sent to those IP(s) listed in a also-notify option.

If a global notify option is 'no' an also-notify option may be used to override it for a specific zone, and conversely if the global options contain an also-notify list, setting notify 'no' in the zone will override the global option. This statement may be specified in normal zone or view clauses or in a global options clause.

options {
....
    also-notify {10.1.0.15; 172.28.32.7;}; // all zones
....
};
....
zone "example.com in{
....
    // NS RR and global also-notify
    notify yes; 
....
};
zone "example.net in{
....
    // no NOTIFY to NS RRs
    // NOTIFY to also-notify IPs above
    notify explicit; 
....
};

notify-source

 notify-source (ip4_addr | *) [port ip_port] ;

Only valid for master zones. notify-source defines the IPv4 address (and optionally port) to be used for outgoing NOTIFY operations. The value '*' means the IP of this server (default). This IPv4 address must appear in the masters or allow-notify statement for the receiving slave name servers. Since neither the masters nor allow-notify statements take a port parameter if the optional port value is used a listen-on or listen-on-v6 statement would be required on the slave. Typically only used on multi-homed servers. This statement may be specified in normal zone or view clauses or in a global options clause.

notify-source-v6

 notify-source-v6 (ip6_addr | *) [port ip_port] ;

Only used by master zones. notify-source-v6 defines the IPv6 address (and optionally port) to be used for outgoing NOTIFY operations. The value '*' means the IP of this server (default). This IPv6 address must appear in the masters or allow-notify option for the receiving slave name servers. Typically only used on multi-homed servers. This statement may be specified in normal zone or view clauses or in a global options clause.

provide-ixfr

 provide-ixfr yes|no ;

The provide-ixfr option defines whether a master will respond to an incremental zone transfer request(IXFR) (option = yes) or will respond with a full zone transfer (AXFR) (option = no). The default is yes. This statement may be specified in normal server or view clauses or in a global options clause.

request-ixfr

 request-ixfr yes|no ;

Applies to slave zones only. The request-ixfr option defines whether a server will request an incremental zone transfer (IXFR) (option = yes) or will request a full zone transfer (AXFR) (option = no). The default is yes. This statement may be specified in normal server or view clauses or in a global options clause.

serial-query-rate

 serial-query-rate number;
 serial-query-rate 5;

Applies to slave zones only and limits the number of simultaneous SOA queries to the number per second. The default is 20. This statement may only be used in a global options clause.

transfer-format

 transfer-format ( one-answer | many-answers );

Only used by master zones. transfer-format determines the format the server uses to transfer zones. 'one-answer' places a single record in each message, 'many-answers' packs as many records as possible into a maximum sized message. The default is 'many-answers' which is ONLY KNOWN TO BE SUPPORTED BY BIND 9, BIND 8 and later BIND 4 releases so if tranferring to other servers e.g. Windows this statement may be required. This statement may be specified in server, zone or view clauses or in a global options clause.

transfer-source

 transfer-source (ip4_addr | *) [port ip_port] ; ]

Only valid for 'type slave' zones. transfer-source determines which local IPv4 address will be bound to TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a BIND controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement may be specified in normal zone or view clauses or in a global options clause.

transfer-source-v6

 transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]

Only valid for 'type slave' zones. transfer-source determines which local IPv6 address will be bound to TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a BIND controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement may be specified in normal zone or view clauses or in a global options clause.

transfers-in

 transfers-in number ;

Only used by slave zones. transfer-in determines the number of concurrent inbound zone transfers. Default is 10. This statement may only be defined in a global options clause.

transfers-out

 transfers-out number ;

Only used by master zones. transfers-out determines the number of concurrent outbound zone transfers. Default is 10. Zone transfer requests in excess of this limit will be REFUSED. This statement may only be defined in a global options clause.

transfers-per-ns

 transfer-per-ns number ;

Only used by slave zones. transfer-per-ns determines the number of concurrent inbound zone transfers for any zone. Default is 2. This statement may only be defined in a global options clause.

update-policy

 update-policy { update_policy_rule; [...] };

Applies to master zones only. update-policy defines the conditions (rules) by which Dynamic Zone Updates may be carried out. This statement may only be used with a key (DNSSEC- TSIG/SIG). Any number of rules may be defined - the first match, either grant or deny will terminate processing. Mutually exclusive with allow-update. This statement may only be defined in a zone clause.

update_policy_rule takes the following format:

 grant | deny identity matchtype name [rr]

Where:

Parameter Description
identity A fully qualified name that refers to a RR in the zone file. While this will typically be a KEY or SIG RR it can be an A or AAAA RR type.
matchtype
Value Meaning
name Matches the name field exactly i.e. if name is joe.example.com. then can only update the record joe.example.com.
subdomain Matches anything containing the name field i.e. if the name is example.com. will match bill.example.com and sheila.example.com etc..
self The record being updated matches the identity field exactly - in this case identity will typically be set to wildcard ("*")
wildcard Indicates that the record being updated can be a valid DNS RR wildcard exapnsion.
name A FQDN (ends with a dot) of the target or part of the target record (depending on the value of matchtype above. Can take a DNS wildcard value ("*").
[rr] Optional. Defines the Resource Record types that may be updated and may take the value TXT, A, PTR, NS, SOA, A6, CNAME, MX, ANY (any of TXT, A, PTR, NS, SOA, MX). If omitted default allows TXT, PTR, A, A6, MX, CNAME. Multiple entries may be defined using a space separated entries e.g. A MX PTR

Examples:


use-alt-transfer-source

 use-alt-transfer-source yes | no;

Use alt-transfer-source[-v6] (yes) statements or not (no). If views are specified this defaults to no otherwise it defaults to yes (for BIND 8 compatibility). This statement may be specified in normal zone or view clauses or in a global options clause.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 dns records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfc's
change log