Allow zone transfers - BIND.

Kevin Darcy kcd at
Wed Oct 4 00:11:50 UTC 2006

AM wrote:
> Hi guys,
> just a more detailed explanation on what the statement "allow-transfer".
> Does it prevent to anyone to get the complete list of the registered hosts for a particular zone or does it apply also 
> to machine that want to act as a server for a particular zone.
> In "DNS and BIND" they say that on slave you should deny zone transfer to anyone, but does it prevent that anyone using 
> nslookup get anyway the complete list of the hosts.
It's used for both master/slave replication and client queries like the 
"ls" command of nslookup. In more technical detail, it controls any 
usage of the AXFR or IXFR extensions to the DNS protocol.

I don't know why _DNS_and_BIND_ would say for slaves to deny zone 
transfers completely. As long as you limit them to only "trusted" 
servers it should satisfy even the most paranoid security administrators 
(offer them TSIG-based authentication if they need some icing on the 
cake). In fact, it is probably a good practice for each slave to list as 
"masters" for any given zone the primary master and at least one other 
slave -- that way if the master goes down for an extended period of 
time, at least all of the slaves will replicate the most recent changes 
that came out of the master amongst themselves, instead of perhaps 
giving inconsistent answers for the duration of the outage. Implied in 
the practice of listing mutiple "masters" on each slave, of course, is 
corresponding authority, defined on the master side, for all of those 
slaves to actually transfers the zone(s) in question.

- Kevin

More information about the bind-users mailing list