why axfr is for the 80s
So you have a DNS server network. How do you keep them all in sync?
Well, in the 80s and for a good part of the 90s that question would probably have been answered with 'AXFR, of course'. There are still organisations out there using AXFR to keep their servers in sync today. To me, this is a ridiculous and expensive thing for a DNS server to be doing in the middle of its normal work. At the business level it means the organisation has to make sure the master/slave separation is maintained; at the technical level it means there is a locking question to answer, because the server is still answering queries for the zone while it is busy replacing it.
Let's look at what's really going on. $organisation has a bunch of name servers, all behind the same AS number, and wishes to employ a third party to act as a backup DNS provider for them. Sounds sane, so how do they exchange data? The default lazy option is to use AXFR in some shape or form. This is lazy and brain dead, since it is not the job of the DNS server to exchange N megabytes of information in a single transaction.
It is the job of rsync, scp, or whatever you use on your platform to copy and patch data around. These tools have far better authentication and authorization mechanisms than AXFR, which at best is gated on a source IP ACL plus a shared TSIG key. Even HTTP (over TLS, with real credentials) can do a better job. Most DNS providers will accept BIND-formatted zone files for upload even when the underlying system isn't BIND; zone files are easy to parse.
Any DNS provider worth their salt will be storing DNS information in a database for concurrency, audit and transaction reasons, and they'll probably prefer that you use their HTTP interface rather than AXFR.
At the technical level, the DNS server should not be accepting changes. Its job is to serve data, not modify it. Remember this.
      ,---------.
    ,' customers `.
   (     and      )
    `. partners ,'
      `---+-----'
          |  dynamic
          |  http
          |
+-----+---------+        +-----------+
| Your database |<------>| Processor |
+---------------+        +-----+-----+
                               |
                        +------v-----+
                        | data/zones |
                        +-----=------+
                      rsync __..--''/
      ,---------.  __..---''       /
    ,-'         `''               /  rsync
   (  Local servers  )           /  scp
    `-.           ,-'           /
      `-----------'            /
                       ,---+-----.
                     ,-'         `-.
                    ( remote servers )
                     `-.           ,-'
                       `-----------'
A major advantage here is that no DNS server ends up being a 'slave'. All of them are masters: you either hold the data or you don't. There is no SOA refresh polling in this setup either; the processor pushes, the servers load what they are given.
In the 80s and early 90s there were few ways to exchange information sanely; AXFR tried to solve that problem, and that is how it became established. But do you really want to rely on AXFR to import your business-critical information, without validating it first?
There are two main things wrong with AXFR. The first is that it is a pretty lousy way to copy data. The second is that it is frequently implemented inside the public name server itself (BIND, I'm looking in your direction). That means a hideous, network-facing code path that is simply not needed when there is a wealth of other methods, using better protocols with better authentication and validation, to do the same job.
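The 'Processor' box in the diagram above, and the validation step the question above is asking for, look roughly like this in practice. This is an added example written for this page, not code from the original post: it renders a BIND-format zone file from structured records (a constructed in-memory list standing in for "Your database"), refuses to publish it unless it passes a few sanity checks, and writes a SHA-256 manifest that the receiving name servers check before they load anything. The zone names, addresses and the rsync target path are assumptions for illustration; the rsync command is built but not executed here.

```python
"""Hypothetical zone publishing pipeline (added example, not the post's code):
render zone files from records, validate them, ship a checksum manifest.
Transport is left to rsync over ssh, which is only shown, not run."""
import hashlib
import re
import time

# Constructed sample data standing in for "Your database".
ORIGIN = "example.net."
RECORDS = [
    ("@",    "NS", "ns1.example.net."),
    ("@",    "NS", "ns2.example.net."),
    ("@",    "A",  "192.0.2.10"),
    ("www",  "A",  "192.0.2.10"),
    ("mail", "MX", "10 mail.example.net."),
]

SOA_TEMPLATE = (
    "$ORIGIN {origin}\n$TTL 3600\n"
    "@ IN SOA ns1.example.net. hostmaster.example.net. ("
    " {serial} 7200 900 1209600 300 )\n"
)
RR_LINE = re.compile(r"^(\S+)\s+IN\s+([A-Z]+)\s+(.+)$")
SOA_SERIAL = re.compile(r"IN SOA \S+ \S+ \(\s*(\d+)")


def next_serial(previous, today=None):
    """YYYYMMDDnn-style serial that never goes backwards: use today's base
    if it is newer than the last published serial, otherwise bump by one."""
    today = today or time.strftime("%Y%m%d")
    candidate = int(today + "00")
    return max(candidate, previous + 1)


def render_zone(origin, records, serial):
    """Emit a BIND-format zone file; every provider we care about reads this."""
    lines = [SOA_TEMPLATE.format(origin=origin, serial=serial)]
    for name, rtype, rdata in records:
        lines.append(f"{name} IN {rtype} {rdata}\n")
    return "".join(lines)


def validate_zone(text, previous_serial):
    """Gate before anything touches a name server. Returns (ok, reasons).
    Checks: an SOA exists, its serial advances, every RR line parses, and
    the zone delegates to at least two name servers."""
    reasons = []
    soa = SOA_SERIAL.search(text)
    if soa is None:
        reasons.append("no SOA record")
    elif int(soa.group(1)) <= previous_serial:
        reasons.append(f"serial {soa.group(1)} does not advance past {previous_serial}")
    ns_count = 0
    for line in text.splitlines():
        if not line or line.startswith(("$", "@ IN SOA")):
            continue
        rr = RR_LINE.match(line)
        if rr is None:
            reasons.append(f"unparseable line: {line!r}")
            continue
        if rr.group(2) == "NS":
            ns_count += 1
    if ns_count < 2:
        reasons.append("fewer than two NS records")
    return (not reasons, reasons)


def manifest(files):
    """sha256 manifest shipped next to the zones (files: name -> bytes)."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def verify_manifest(manifest_text, files):
    """Run on the receiving server before a reload. Returns names that
    are missing or whose digest does not match; an empty list means OK."""
    bad = []
    for line in manifest_text.splitlines():
        digest, name = line.split("  ", 1)
        if hashlib.sha256(files.get(name, b"")).hexdigest() != digest:
            bad.append(name)
    return bad


def push_command(zone_dir, host):
    """The transport step: rsync over ssh does the authentication and
    authorization, the DNS server never talks to anyone about updates."""
    return ["rsync", "-az", "--delete", "-e", "ssh",
            f"{zone_dir}/", f"{host}:/var/named/zones/"]


if __name__ == "__main__":
    serial = next_serial(2015062100, "20150621")
    zone = render_zone(ORIGIN, RECORDS, serial)
    ok, why = validate_zone(zone, 2015062100)
    print("publish" if ok else f"refuse: {why}")
    print(manifest({"example.net.zone": zone.encode()}), end="")
    print(" ".join(push_command("data/zones", "ns2.example.net")))
```

The serial check is the one most people forget: a zone that is syntactically perfect but carries an old serial will be silently ignored by anything that still compares serials, so the processor refuses it up front instead of discovering the problem on the remote servers later.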
Just avoid it.
Last modified: Sun, 21 Jun 2015 09:53:36 BST