]> RIPE NCC

NL mpels@ripe.net

RIPE NCC

NL fobser@ripe.net

This document defines a new AXFR message type for DNS NOTIFY messages. The message instructs a secondary server to perform an AXFR zone transfer of a zone.

DNS NOTFY describes a method to inform secondary name servers that a zone has changed. Upon receipt of a NOTIFY(SOA) message, a secondary will query the primary server for the SOA of the zone, and perform an IXFR or AXFR zone transfer if the SOA SERIAL has been incremented since the last time the zone was fetched. There are cases when it is desirable to force a secondary server to perform an AXFR zone transfer. Example scenarios are an incorrectly synchronized database on a secondary server due to a software bug, or an operator incidentally wanting to propagate changes to a zone without updating the SOA SERIAL. Most authoritative DNS server software supports performing a forced AXFR zone transfer. However, this can only be initiated by the operator of the DNS server, and secondary servers for a zone may not be managed by the same operator as the primary server(s). This document defines a new NOTIFY(AXFR) message type, used to initiate forced AXFR transfers by secondary servers from a primary server of a zone.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

When a primary server wants its secondary servers to perform an AXFR zone transfer, it sends a NOTIFY message with the following characteristics to each secondary server: query ID: (new) op: NOTIFY (4) resp: NOERROR flags: AA qcount: 1 qname: (zone name) qclass: (zone class) qtype: T_AXFR

When a secondary server receives a NOTIFY(AXFR) request from one of its locally designated primaries for the zone enclosing the given QNAME, with QTYPE=AXFR and QR=0, it SHOULD perform an AXFR zone transfer from one of its configured primary servers. It will also send a NOTIFY response back to the NOTIFY request's source, with the following characteristics: query ID: (same) op: NOTIFY (4) resp: NOERROR flags: QR AA qcount: 1 qname: (zone name) qclass: (zone class) qtype: T_AXFR If the secondary server, for the zone enclosing the given QNAME, is configured as a primary server for other secondary servers, it MUST also send a NOTIFY(AXFR) request to each of its configured secondaries. This ensures that an entire chain of secondary servers is synchronized in concert.

This document has no IANA actions.

A NOTIFY(AXFR) request with a forged IP/UDP source address can cause a secondary to send spurious AXFR requests to its primary servers, leading to a denial of service attack if the forged requests are sent very often. To counter this, secondary servers MUST rate-limit how often they will request an AXFR from their primaries. If a primary server has many secondaries, requesting all of them to perform an AXFR simultaneously may cause the primary to become overloaded. The sending out of NOTIFY(AXFR) requests to secondary servers SHOULD be splayed to reduce this thundering herd effect.

&RFC1995; &RFC1996; &RFC5936; &RFC2119; &RFC8174;

The authors would like to thank Anand Buddhdev for contributing ideas and feedback to this document.