Name

axfrdns — a UCSPI-TCP general-purpose content DNS server

Synopsis

axfrdns

Description

axfrdns is a content DNS server that speaks the DNS/TCP protocol. It accepts DNS queries on its standard input, and responds with locally configured information on its standard output. It is used for the "zone transfer" mechanism and for where the response size exceeds the packet size for the DNS/UDP protocol.

Normally axfrdns is run under a UCSPI-TCP server program (tcp-socket-accept, s6-tcpserver, or tcpserver spawning a server program per connection) to handle DNS/TCP connections from hosts around the Internet. It can also be run under a UCSPI-SSL server program. When it starts it changes its root to the directory specified by the ROOT environment variable, and drops privileges to run as the user ID and group ID specified by the UID and GID environment variables. The latter can be set up with envuidgid(1).

axfrdns answers queries as specified by data.cdb, a binary file in its root directory created by tinydns-data(1). It provides "zone transfer" results from that file; and also answers normal client queries, such as the SOA queries sent via DNS/TCP that usually precede "zone transfer" requests.

axfrdns aborts if it runs out of memory, or has trouble reading data.cdb, or receives a request larger than 512 bytes, or receives a truncated request, or receives a non-Internet-class query, or receives an inverse query, or receives a query containing anything other than a single query, or receives a request not answered by data.cdb, or waits 60 seconds with nothing happening.

Zone transfer

The UCSPI-TCP or UCSPI-SSL server is responsible for rejecting connections from clients that are not authorized to perform "zone transfers", and for setting up control variables that limit authorized clients.

axfrdns allows "zone transfers" for any domain name listed in the value of the AXFR environment variable, which is a slash-separated list of domain names. If AXFR is not set axfrdns allows "zone transfers" for all domain names that exist in data.cdb. For any "zone transfer" request that is not allowed by AXFR, it aborts. Thus, in order to prevent all "zone transfers" and only support ordinary DNS/TCP queries, set AXFR to an empty string.

axfrdns provides every record that it can find inside the target domain. This may include records that are, to the client, in child zones. Some of these records (such as "glue" inside a child zone) are essential; others are not. It is up to the client to decide which out-of-zone records to keep. axfrdns does not provide glue records outside the target domain.

The "zone transfer" protocol does not support timestamps. If a record is scheduled to be created in the future, axfrdns does not send it; after the starting time, the "zone transfer" client will continue claiming that the record doesn't exist, until it contacts axfrdns again. Similarly, if a record is scheduled to die in the future, axfrdns sends it (with a 2-second TTL); after the ending time, the "zone transfer" client will continue providing the old record, until it contacts axfrdns again.

"Zone transfer" clients rely on SOA serial numbers changing for every zone modification. tinydns-data(1) uses the modification time of the data file as its serial number for all zones. So do not make more than one modification per second.

BIND's "zone transfer" client, named-xfer, converts "zone transfer" data to zone-file format. Beware: that zone-file format has no generic mechanism to express records of arbitrary types; named-xfer chokes if it does not recognize a record type used in data.cdb.

History

axfrdns was originally part of Daniel J. Bernstein's djbdns toolset in 2000.

Author

Original code and documentation by Daniel J. Bernstein. Documentation modernizations by Jonathan de Boyne Pollard.