Transferring a Zone Using dig

.12.1 Problem

You want to transfer a zone using dig.

.12.2 Solution

Run dig as described in Section 10.10, specifying the domain name of the zone you want to transfer, the domain name or IP address of a name server authoritative for that zone, and the type axfr. For example:

$ dig @ns1.foo.example axfr foo.example

dig will print the results of the zone transfer:

; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr foo.example
;; global options: printcmd
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
foo.example. 86400 IN NS ns1.foo.example.
foo.example. 3600 IN MX 0 mail.foo.example.
mail.foo.example. 3600 IN A 192.168.0.2
ns1.foo.example. 86400 IN A 192.168.0.1
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
;; Query time: 183 msec
;; SERVER: 192.168.0.1#53(ns1.foo.example)
;; WHEN: Fri Jun 28 11:05:20 2002
;; XFR size: 7 records

.12.3 Discussion

The SOA record appears twice in the output because name servers use a zone's SOA record to delimit the beginning and the end of the transfer.

You'll only be able to transfer zones from name servers that are authoritative for those zones, of course, and that allow zone transfers from the address of the host you're running dig on. If you try to transfer a zone from a name server that won't allow zone transfers from your address, you'll see output like this:

$ dig @ns1.foo.example axfr bar.example

; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr bar.example
;; global options: printcmd
; Transfer failed.

Finally, if the name server you're trying to transfer the zone from uses TSIG to secure transfers, you can use dig's -k command-line option to sign the query. With a BIND 9 version of dig, you can use the -k or -y command-line options. See Section 5.23 for how to use -k and -y; it's exactly the same for BIND 8 and 9 versions of dig as it is for the corresponding versions of nsupdate.
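
An added example, not from the original text: a shell function that applies the two observations above to saved dig output, treating a transfer as complete only when the first and last records are SOAs with the same serial, and reporting dig's "Transfer failed." line as a failed transfer. The names axfr_status and sample_transfer are hypothetical, and the sample input is constructed from the records shown earlier.

```sh
#!/bin/sh
# Added example: classify saved "dig ... axfr" output read on stdin.
#   complete <serial> <records>  opening and closing SOA present, serials match
#   failed                       dig printed "; Transfer failed."
#   incomplete                   records present but no matching closing SOA
#   empty                        no records and no failure marker
axfr_status() {
    awk '
        /^; Transfer failed/ { failed = 1; next }
        /^[ \t]*;/ || /^[ \t]*$/ { next }   # dig comments and blank lines
        {
            n++
            is_soa = ($3 == "IN" && $4 == "SOA")
            if (n == 1) { first_soa = is_soa; first_serial = $7 }
            last_soa = is_soa; last_serial = $7
        }
        END {
            if (failed)      print "failed"
            else if (n == 0) print "empty"
            else if (n >= 2 && first_soa && last_soa && first_serial == last_serial)
                print "complete", first_serial, n
            else             print "incomplete"
        }'
}

# Constructed sample: the records from the transfer shown above.
sample_transfer() {
    cat <<'EOF'
; <<>> DiG 9.2.1 <<>> @ns1.foo.example axfr foo.example
;; global options: printcmd
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
foo.example. 86400 IN NS ns1.foo.example.
foo.example. 3600 IN MX 0 mail.foo.example.
mail.foo.example. 3600 IN A 192.168.0.2
ns1.foo.example. 86400 IN A 192.168.0.1
foo.example. 86400 IN SOA ns1.foo.example. root.foo.example. 2002062502 3600 900 2592000 3600
EOF
}

sample_transfer | axfr_status    # complete 2002062502 6
```

To check a live server, pipe dig's output in: dig @ns1.foo.example axfr foo.example | axfr_status. Run from a host that is not supposed to be allowed transfers, a result of complete means the zone is transferable from that address.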

.12.4 See Also

dig(1); Section 5.23, for specifying a TSIG key with -k or -y; Section 7.11, for securing zone transfers; and "Zone Transfers with dig" in Chapter 12 of DNS and BIND.
