Full Zone Transfer
The original specifications for DNS supported only the full zone transfer process, in which the master server transmits the entire zone database to that zone's secondary servers. When a new secondary DNS server is added to the network, it uses AXFR to obtain a full copy of the zone's resource records. AXFR was the only zone transfer process supported by Windows NT 4.0 DNS.
Incremental Zone Transfer
The process of incremental zone transfer, as specified in RFC 1995, replicates only the changes made to a zone since the secondary server's current version of it. It is, therefore, more efficient and uses less bandwidth than the full zone transfer process.
The DNS servers involved in the IXFR process use the following sequential procedure:
1. The secondary DNS server sends an IXFR request to the primary server. This request contains the serial number of the secondary server's current copy of the zone, taken from its SOA resource record. The serial number is incremented each time the zone information changes. The SOA record also contains a value called the refresh interval, which is 15 minutes by default and determines how often the secondary server sends the IXFR request.
2. The master server compares the secondary server's serial number with its own current serial number.
3. If the two serial numbers are equal, the master server determines that no zone transfer is needed at the current time, and the process ends.
4. If the master server's serial number is higher (in the wrap-around serial arithmetic of RFC 1982, since a 32-bit serial eventually wraps back to zero), a zone transfer is required.
5. The master server checks its history file, which records which portions of the zone were modified and when, and uses it to determine the updates that must be sent in response to the IXFR request.
6. When the secondary server receives the incremental zone transfer, it creates a new version of the zone and applies the changes to it, replacing the updated records with the new ones, beginning with the oldest change.
7. When the secondary server has applied all the changes, it replaces the old version of the zone with the new version.

A full zone transfer may still take place rather than an incremental zone transfer under the following conditions:
If the master DNS server does not support incremental zone transfers.
If the bandwidth required for sending an incremental zone transfer is greater than that required for sending a full zone transfer.
If the master DNS server does not possess all the data required for the incremental zone transfer, such as an accurate history file.

DNS servers that load zone data from Active Directory use a similar process, in which they poll the directory at an interval determined by the refresh interval in the SOA record to update and refresh their zone.
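The procedure and fallback rules above, as an added example (not code from the page or from any DNS server implementation): a small Python model of a master's history file and of a secondary catching up. It also covers two details the steps leave implicit, serial comparison with the wrap-around arithmetic of RFC 1982 and a secondary whose serial is ahead of the master's. The record layout, the journal structure, the size threshold and the sample zone data are constructed for this example.

```python
"""Model of the IXFR decision procedure. Added example; record layout, journal
format, thresholds and sample data are this example's own, not any server's."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERIAL_MASK = 0xFFFFFFFF
SERIAL_HALF = 1 << 31   # SOA serials are 32-bit; RFC 1982 compares them modulo 2**32


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is 'newer' than b under RFC 1982 serial arithmetic.
    Plain integer comparison fails once a serial wraps: 0 is newer than 0xFFFFFFFF."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (b < a and a - b < SERIAL_HALF) or (b > a and b - a > SERIAL_HALF)


Record = Tuple[str, str, str]   # (owner, type, rdata); the SOA serial is tracked separately


@dataclass
class JournalEntry:
    """One change as the master's history file records it (step 5)."""
    old_serial: int
    new_serial: int
    deleted: List[Record]
    added: List[Record]


@dataclass
class MasterZone:
    serial: int
    records: Set[Record]
    journal: List[JournalEntry] = field(default_factory=list)

    def update(self, deleted: List[Record], added: List[Record]) -> None:
        """Apply a change, bump the serial modulo 2**32 and log it in the history file."""
        new_serial = (self.serial + 1) & SERIAL_MASK
        self.journal.append(JournalEntry(self.serial, new_serial, deleted, added))
        self.records.difference_update(deleted)
        self.records.update(added)
        self.serial = new_serial

    def answer_ixfr(self, client_serial: int) -> Tuple[str, object]:
        """Steps 2 to 5. Returns ("none", None), ("ixfr", entries) or ("axfr", records)."""
        if client_serial == self.serial:
            return ("none", None)            # step 3: secondary is already current
        if not serial_newer(self.serial, client_serial):
            return ("none", None)            # client is ahead of us; RFC 1995 answers with the SOA only
        entries, wanted = [], client_serial  # step 5: chain history entries from the client's serial
        for entry in self.journal:
            if entry.old_serial == wanted:
                entries.append(entry)
                wanted = entry.new_serial
        if not entries or wanted != self.serial:
            return ("axfr", sorted(self.records))   # history does not reach back to the client's serial
        delta = sum(len(e.deleted) + len(e.added) for e in entries)
        if delta >= len(self.records):
            return ("axfr", sorted(self.records))   # incremental answer would not be any smaller
        return ("ixfr", entries)


@dataclass
class SecondaryZone:
    serial: int
    records: Set[Record]

    def refresh(self, master: MasterZone) -> str:
        """Steps 1, 6 and 7: request, build a new zone version, then swap it in."""
        kind, payload = master.answer_ixfr(self.serial)
        if kind == "none":
            return kind
        if kind == "axfr":
            new_records = set(payload)
        else:
            new_records = set(self.records)   # step 6: apply changes oldest first to a new copy
            for entry in payload:
                new_records.difference_update(entry.deleted)
                new_records.update(entry.added)
        self.records = new_records            # step 7: replace the old version in one step
        self.serial = master.serial
        return kind


def demo() -> Dict[str, object]:
    """Constructed scenario: a five-record zone, two small edits, a renumbering, a wrap-around."""
    S = 2024010101
    master = MasterZone(serial=S, records={
        ("example.com.", "NS", "ns1.example.com."), ("ns1.example.com.", "A", "192.0.2.1"),
        ("www.example.com.", "A", "192.0.2.10"), ("mail.example.com.", "A", "192.0.2.20"),
        ("example.com.", "MX", "10 mail.example.com.")})
    secondary = SecondaryZone(serial=S, records=set(master.records))
    results: Dict[str, object] = {}
    results["no_change"] = secondary.refresh(master)                     # equal serials
    master.update(deleted=[("www.example.com.", "A", "192.0.2.10")],
                  added=[("www.example.com.", "A", "192.0.2.11")])
    master.update(deleted=[], added=[("ftp.example.com.", "A", "192.0.2.12")])
    results["small_delta"] = secondary.refresh(master)                   # two journal entries
    results["in_sync"] = secondary.records == master.records and secondary.serial == master.serial
    stale = SecondaryZone(serial=S - 50, records=set())                  # predates the history file
    results["stale"] = stale.refresh(master)
    results["stale_in_sync"] = stale.records == master.records
    master.update(                                                       # renumber half the zone
        deleted=[("ns1.example.com.", "A", "192.0.2.1"), ("www.example.com.", "A", "192.0.2.11"),
                 ("mail.example.com.", "A", "192.0.2.20")],
        added=[("ns1.example.com.", "A", "198.51.100.1"), ("www.example.com.", "A", "198.51.100.10"),
               ("mail.example.com.", "A", "198.51.100.20")])
    results["big_delta"] = secondary.refresh(master)                     # delta not smaller than zone
    wrap = MasterZone(serial=0xFFFFFFFF, records={("example.net.", "NS", "ns1.example.net."),
                                                  ("ns1.example.net.", "A", "192.0.2.2"),
                                                  ("www.example.net.", "A", "192.0.2.30")})
    wrap_secondary = SecondaryZone(serial=0xFFFFFFFF, records=set(wrap.records))
    wrap.update(deleted=[], added=[("ftp.example.net.", "A", "192.0.2.31")])   # serial wraps to 0
    results["wrapped"] = wrap_secondary.refresh(wrap)
    ahead = SecondaryZone(serial=wrap.serial + 5, records=set())         # secondary ahead of master
    results["client_ahead"] = ahead.refresh(wrap)
    return results
```

The wrap-around case is the one to remember when a serial scheme such as YYYYMMDDnn is ever set wrongly and then "corrected" to a lower value: under RFC 1982 a secondary holding the higher serial treats the master as older and will never refresh until the master's serial is walked forward past it.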
Secure Zone Transfers
If you are using DNS servers running BIND 9 or higher, you can require that zone transfers carry a transaction signature (TSIG, RFC 2845). A TSIG is not an asymmetric digital signature but a keyed hash (HMAC) computed with a secret that the master and secondary servers share, so the key must be distributed securely to both. With it in place, the master server can refuse transfer requests that are not signed with the key, and a secondary server can verify that the zone data it receives comes from the trusted master rather than from a spoofed source.
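The BIND 9 configuration that enforces this, as an added example and not from the page or from any particular deployment: the master answers transfer requests only when they are signed with the shared key, and the secondary signs its requests to that master. The key name, zone name, addresses, file names and the placeholder secret are this example's own.

```conf
// Added example: BIND 9 named.conf fragments for TSIG-protected zone transfers.
// Key name, zone, addresses and the secret below are placeholders.

// Defined identically on both servers. Generate a real secret with the
// tsig-keygen utility shipped with BIND 9 and paste its output here.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACEWITHTSIGKEYGENOUTPUT=";   // placeholder, not a usable key
};

// --- named.conf on the master (192.0.2.1) ---
zone "example.com" {
    type master;                 // "type primary" in newer BIND 9 releases
    file "db.example.com";
    // Weak setting: any host can pull the whole zone and enumerate every name in it.
    // allow-transfer { any; };
    // Hardened: only requests signed with the shared key are answered.
    allow-transfer { key "xfer-key"; };
};

// --- named.conf on the secondary ---
// Sign every request sent to the master so its IXFR/AXFR requests are accepted
// and the signed responses can be verified.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;                  // "type secondary" in newer BIND 9 releases
    masters { 192.0.2.1; };      // "primaries" in newer releases
    file "db.example.com.bak";
};
```

To check the result from the secondary, `dig @192.0.2.1 example.com AXFR` without a key should now be refused, while `dig @192.0.2.1 example.com AXFR -y hmac-sha256:xfer-key:<secret>` should return the zone. Restricting transfers matters beyond authenticating the secondary: an unrestricted AXFR hands anyone the full list of names and addresses in the zone.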