10.12 Transferring a Zone Using dig
Run dig as described in Section 10.10, specifying the domain name of the zone you want to transfer, the domain name or IP address of a name server authoritative for that zone, and the type axfr. For example:
$ dig @ns1.foo.example axfr foo.example
dig will print the results of the zone transfer:
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr foo.example
;; global options: printcmd
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
foo.example. 86400 IN NS ns1.foo.example.
foo.example. 3600 IN MX 0 mail.foo.example.
mail.foo.example. 3600 IN A 192.168.0.2
ns1.foo.example. 86400 IN A 192.168.0.1
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
;; Query time: 183 msec
;; SERVER: 192.168.0.1#53(ns1.foo.example)
;; WHEN: Fri Jun 28 11:05:20 2002
;; XFR size: 7 records
You'll only be able to transfer zones from name servers that are authoritative for those zones, of course, and that allow zone transfers from the address of the host you're running dig on. If you try to transfer a zone from a name server that won't allow zone transfers from your address, you'll see output like this:
$ dig @ns1.foo.example axfr bar.example
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr bar.example
;; global options: printcmd
; Transfer failed.
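When you check from a given host whether a name server lets that host transfer a zone, the two outcomes above can be told apart mechanically. The shell function below is an added example, not code from the original text; the name axfr_status and its result words are assumptions, and the sample input reuses the dig output printed in this section.

```shell
#!/bin/sh
# Added example. axfr_status and its result words are hypothetical names.
# Reads `dig @server axfr zone` output on stdin and prints one of:
#   refused            dig printed "; Transfer failed."
#   complete <serial>  first and last records are SOA with the same serial
#   incomplete         anything else (empty or truncated transfer)
axfr_status() {
    awk '
        /^; Transfer failed\./ { refused = 1 }
        /^;/ || NF == 0 { next }       # skip dig comment lines and blanks
        {
            n++
            if (n == 1) first_type = $4
            last_type = $4             # field 4 is the record type
            if ($4 == "SOA") {         # field 7 of an SOA is the serial
                if (n == 1) first_serial = $7
                last_serial = $7
            }
        }
        END {
            if (refused) { print "refused"; exit }
            if (n >= 2 && first_type == "SOA" && last_type == "SOA" &&
                first_serial == last_serial)
                print "complete", first_serial
            else
                print "incomplete"
        }'
}

# Sample input: the two dig outputs shown in this section.
sample_ok() { cat <<'EOF'
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr foo.example
;; global options: printcmd
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
foo.example. 86400 IN NS ns1.foo.example.
foo.example. 3600 IN MX 0 mail.foo.example.
mail.foo.example. 3600 IN A 192.168.0.2
ns1.foo.example. 86400 IN A 192.168.0.1
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
EOF
}
sample_refused() { cat <<'EOF'
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr bar.example
;; global options: printcmd
; Transfer failed.
EOF
}

echo "permitted host: $(sample_ok | axfr_status)"
echo "other host:     $(sample_refused | axfr_status)"
```

Against a live server, pipe dig's output straight in: dig @ns1.foo.example axfr foo.example | axfr_status. Run from an address that should not be allowed to transfer the zone, the expected result is refused.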
Finally, if the name server you're trying to transfer the zone from uses TSIG to secure transfers, you can use dig's -k command-line option to sign the query. With a BIND 9 version of dig, you can use the -k or -y command-line options. See Section 5.23 for how to use -k and -y; it's exactly the same for BIND 8 and 9 versions of dig as it is for the corresponding versions of nsupdate.
10.12.4 See Also