Primary DNS and Zone Transfers

We’ve received a couple questions about zone transfer (AXFR) support for our Primary DNS service. Currently we do not have AXFR enabled on the DNS servers that answer requests for Primary DNS zones.

The AXFR limitation is not intentional; unfortunately it is simply not supported by the DNS server software. Primary DNS is served using PowerDNS Authoritative Server version 2.9.22, which does not support per-zone AXFR ACLs the way BIND9 does.

The only option we have would be to allow AXFR to anyone, but for security reasons we don’t want to do that. We can’t globally allow our Secondary DNS to AXFR because that creates a backdoor where anyone with an account could use it as an intermediate AXFR host. (Security aside, most of our customers don’t want AXFR open to the world or IP addresses they don’t control.)

PowerDNS authoritative 3.0 is currently in RC2 stage. This version does have per-zone AXFR capability and we will support it in the control center as soon as possible. It also has other features we’d like to add like DNSSEC and long TXT records.

We’re working on the control center changes required to support these features, but ultimately the servers themselves must be upgraded to either the release candidate or the 3.0 release before they can be offered.
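To make the difference between a global ACL and a per-zone ACL concrete, here is an added example (my own code, not the provider's or PowerDNS's) that models the AXFR decision as I understand it for PowerDNS 3.0: a global allow-axfr-ips list from pdns.conf is consulted first, then the zone's ALLOW-AXFR-FROM rows from the domainmetadata table. The zone names, IP addresses and the exact decision order are assumptions; with no metadata rows the model behaves like the global-only control available in 2.9.22.

```python
import ipaddress

# Constructed sample data (not from the post): two zones owned by two accounts.
ZONES = {"alice.example": "alice", "bob.example": "bob"}

# 2.9.22-style control: one global allow-axfr-ips list in pdns.conf that applies
# to every zone. Here it admits the provider's own secondary (constructed IP).
CONF_2922 = {"disable-axfr": False, "allow-axfr-ips": ["192.0.2.53/32"]}

# 3.0-style control: global list left empty, per-zone rows in domainmetadata
# (zone, kind, content). Only alice's chosen secondary may pull alice's zone.
CONF_30 = {"disable-axfr": False, "allow-axfr-ips": []}
METADATA_30 = [("alice.example", "ALLOW-AXFR-FROM", "198.51.100.7/32")]


def _matches(client, netmasks):
    """True if the client address falls inside any of the given netmasks."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in netmasks)


def can_axfr(zone, client, conf, metadata=()):
    """Model of the AXFR decision order (assumed, see lead-in): disable-axfr wins,
    then the global allow-axfr-ips list, then the zone's own ALLOW-AXFR-FROM rows.
    An empty global list admits nobody in this model; with no metadata rows the
    function degrades to the global-only behaviour of 2.9.22."""
    if conf.get("disable-axfr"):
        return False
    if _matches(client, conf.get("allow-axfr-ips", [])):
        return True
    per_zone = [c for (z, k, c) in metadata if z == zone and k == "ALLOW-AXFR-FROM"]
    return _matches(client, per_zone)


def axfr_exposure(conf, metadata=()):
    """For every address listed in any ACL, the zones it could transfer. This is
    the check a provider would run before adding an IP to a global list."""
    nets = set(conf.get("allow-axfr-ips", [])) | {c for (_, _, c) in metadata}
    exposure = {}
    for net in nets:
        host = str(ipaddress.ip_network(net, strict=False).network_address)
        exposure[host] = sorted(z for z in ZONES if can_axfr(z, host, conf, metadata))
    return exposure


if __name__ == "__main__":
    # The global list hands the secondary every customer's zone (the backdoor the
    # post describes); the per-zone rows scope the grant to alice's zone only.
    print(axfr_exposure(CONF_2922))
    print(axfr_exposure(CONF_30, METADATA_30))
```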

3 replies on “Primary DNS and Zone Transfers”

Thanks for sharing this. I for one would not appreciate AXFR on my domains. I believe your reasons are sound and the explanation thorough.

I’m a recently converted free to annual paying customer. I already feel that I’ve made an excellent decision coming here for service.

Thank you.

PowerDNS 3.0 came out on the 27th of July. Any update on this?
I’m assuming you don’t want to upgrade right after release, but is there a timeline?

We experienced a setback during testing since our test server causes PowerDNS to segfault for an unknown reason, but it works on other servers similar to the production DNS servers. Based on the documentation there shouldn’t be any issues with how we’re currently running since we won’t be enabling DNSSEC yet (which requires significant changes).

We’ll probably schedule the upgrade to PowerDNS 3.0 for next weekend.
