
10.12 Transferring a Zone Using dig

10.12.1 Problem

You want to transfer a zone using dig.

10.12.2 Solution

Run dig as described in Section 10.10, specifying the domain name of the zone you want to transfer, the domain name or IP address of a name server authoritative for that zone, and the type axfr. For example:

$ dig @ns1.foo.example axfr foo.example

dig will print the results of the zone transfer:

; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr foo.example
;; global options:  printcmd
foo.example.            86400   IN      SOA     ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
foo.example.            86400   IN      NS      ns1.foo.example.
foo.example.            3600    IN      MX      0 mail.foo.example.
mail.foo.example.       3600    IN      A       192.168.0.2
ns1.foo.example.        86400   IN      A       192.168.0.1
foo.example.            86400   IN      SOA     ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
;; Query time: 183 msec
;; SERVER: 192.168.0.1#53(ns1.foo.example)
;; WHEN: Fri Jun 28 11:05:20 2002
;; XFR size: 7 records

10.12.3 Discussion

The SOA record appears twice in the output because name servers use a zone's SOA record to delimit the beginning and the end of the transfer.

You'll only be able to transfer zones from name servers that are authoritative for those zones, of course, and that allow zone transfers from the address of the host you're running dig on. If you try to transfer a zone from a name server that won't allow zone transfers from your address, you'll see output like this:

$ dig @ns1.foo.example axfr bar.example
 
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr bar.example
;; global options:  printcmd
; Transfer failed.

Finally, if the name server you're trying to transfer the zone from uses TSIG to secure transfers, you can use dig's -k command-line option to sign the query. With a BIND 9 version of dig, you can use the -k or -y command-line options. See Section 5.23 for how to use -k and -y; it's exactly the same for BIND 8 and 9 versions of dig as it is for the corresponding versions of nsupdate.
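
As an added example (not part of the original text), the shell function below classifies saved dig zone-transfer output using the two facts above: a complete transfer opens and closes with the same SOA record, and a refused transfer prints "; Transfer failed.". The function name axfr_status and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify saved `dig @server axfr zone` output read on stdin.
# Prints "complete <serial>", "refused", or "incomplete".
axfr_status() {
    awk '
        /^; Transfer failed/ { refused = 1 }
        /^;/ || NF == 0      { next }      # skip dig comments and blank lines
        {
            n++                            # fields: name ttl class type rdata...
            if ($4 == "SOA") {
                if (n == 1) first = $7     # serial of the opening SOA
                last_soa = n; serial = $7  # position and serial of latest SOA
            }
        }
        END {
            if (refused) { print "refused"; exit }
            # Complete only if SOA opens and closes the transfer, same serial.
            if (n >= 2 && first != "" && last_soa == n && serial == first)
                print "complete", serial
            else
                print "incomplete"
        }'
}

# Constructed samples modelled on the output shown in this section.
sample_complete() {
cat <<'EOF'
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr foo.example
foo.example.       86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
foo.example.       86400 IN NS  ns1.foo.example.
ns1.foo.example.   86400 IN A   192.168.0.1
foo.example.       86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
EOF
}

sample_truncated() { sample_complete | sed '$d'; }   # closing SOA missing

sample_refused() {
cat <<'EOF'
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr bar.example
; Transfer failed.
EOF
}

# Stand-alone demonstration.
for s in sample_complete sample_truncated sample_refused; do
    printf '%s: %s\n' "$s" "$("$s" | axfr_status)"
done
```

Piping real dig output into axfr_status from a host that should not be allowed to transfer the zone gives a quick check that the restriction is in place: the expected result there is "refused".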

10.12.4 See Also

dig(1); Section 5.23, for specifying a TSIG key with -k or -y; Section 7.11, for securing zone transfers; and "Zone Transfers with dig" in Chapter 12 of DNS and BIND.
