We’ve received a couple of questions about zone transfer (AXFR) support for our Primary DNS service. Currently we do not have AXFR enabled on the DNS servers that answer requests for Primary DNS zones.
The AXFR limitation is not intentional; unfortunately it comes from the DNS server software. Primary DNS is served using PowerDNS authoritative server version 2.9.22, which does not support per-zone AXFR ACLs the way BIND9 does.
The only option we have would be to allow AXFR to anyone, but for security reasons we don’t want to do that. We can’t globally allow our Secondary DNS to AXFR because that creates a backdoor where anyone with an account could use it as an intermediate AXFR host. (Security aside, most of our customers don’t want AXFR open to the world or to IP addresses they don’t control.)
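An added example (not part of the original post, and not PowerDNS or BIND9 code) that models why a server-wide allow-list for a shared secondary pool exposes every zone, while per-zone ACLs do not. The zone names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation address ranges and made-up zones.
SECONDARY_POOL = ipaddress.ip_network("192.0.2.0/28")  # shared Secondary DNS hosts

# zone -> networks the zone owner actually wants to transfer to
ZONE_ACLS = {
    "alice.example": ["192.0.2.0/28"],      # uses the shared Secondary DNS
    "bob.example": ["198.51.100.53/32"],    # own secondary only
    "carol.example": [],                    # no transfers wanted
}

def global_policy(zone, src):
    """Server-wide allow-list: the requested zone is never consulted."""
    return ipaddress.ip_address(src) in SECONDARY_POOL

def per_zone_policy(zone, src):
    """Per-zone ACL: the source must be listed for this specific zone."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in ZONE_ACLS.get(zone, []))

def unintended_transfers(policy, sources):
    """(zone, src) pairs the policy allows although the owner never listed src."""
    return [(zone, src)
            for zone in sorted(ZONE_ACLS)
            for src in sources
            if policy(zone, src) and not per_zone_policy(zone, src)]

def blocked_intended(policy, sources):
    """(zone, src) pairs the owner listed but the policy refuses."""
    return [(zone, src)
            for zone in sorted(ZONE_ACLS)
            for src in sources
            if per_zone_policy(zone, src) and not policy(zone, src)]

# Constructed request sources: a pool host, bob's own secondary, an outsider.
SOURCES = ["192.0.2.5", "198.51.100.53", "203.0.113.9"]

if __name__ == "__main__":
    print("global, unintended:", unintended_transfers(global_policy, SOURCES))
    print("global, blocked:   ", blocked_intended(global_policy, SOURCES))
    print("per-zone, unintended:", unintended_transfers(per_zone_policy, SOURCES))
```

Under the global policy the shared pool can transfer zones whose owners never opted in, which is the intermediate-host problem described above, and a customer's own secondary is still refused.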
PowerDNS authoritative 3.0 is currently at the RC2 stage. This version does have per-zone AXFR capability, and we will support it in the control center as soon as possible. It also has other features we’d like to add, such as DNSSEC and long TXT records.
We’re working on the control center changes required to support these features, but ultimately the servers themselves have to be upgraded to either the release candidate or the 3.0 release to support them.