D. J. Bernstein
Internet publication
djbdns

The axfr-get program

axfr-get is a DNS zone-transfer client. It sends a zone-transfer request in DNS-over-TCP format to descriptor 7, reads the results from descriptor 6, and saves the results in a file.

Normally axfr-get is run under tcpclient, which sets up descriptors 6 and 7 as a TCP connection to a remote host.

Interface

     axfr-get z fn fn.tmp

axfr-get performs a zone transfer for domain z. It writes the results to fn.tmp in a format that can be used as input to tinydns-data. If the zone transfer completes successfully, axfr-get atomically renames fn.tmp as fn. fn.tmp and fn must be on the same filesystem.

axfr-get writes the zone serial number as a comment at the top of fn.tmp. It skips the zone transfer, leaving fn alone, if fn already exists, fn has a serial number matching the zone serial number, and both serial numbers are nonzero.

Zone transfers often include duplicate records. You should feed the axfr-get results through sort -u.

axfr-get discards all records outside the domain z. It accepts records in child zones, but it marks all child zones as non-authoritative, so tinydns will not report those records except as glue. If you plan to merge the axfr-get results for a domain and a child of the same domain, creating a file authoritative for both zones, make sure to eliminate records in the first output that are within the child zone.
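The merge step described above, together with the sort -u advice, as an added example that is not part of the original page or of djbdns: a shell filter that removes every record at or below a child zone from the parent's output and then drops duplicates. The helper names drop_child_records and sample_parent, the sample records, and the assumption that each record line is one type character followed by the owner name up to the first colon are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not djbdns code; drop_child_records is a hypothetical helper.
# usage: drop_child_records CHILD < parent-output > filtered-output
# Assumption: a record line is one type character followed by the owner
# name, and the owner name ends at the first colon.
drop_child_records() {
  awk -v child="$1" '
    BEGIN {
      child = tolower(child)
      sub(/\.$/, "", child)            # accept a trailing dot on CHILD
      suffix = "." child
    }
    /^#/ || /^$/ { print; next }        # keep comments (serial line) and blanks
    {
      rest = substr($0, 2)              # skip the type character
      i = index(rest, ":")
      name = tolower(i ? substr(rest, 1, i - 1) : rest)
      sub(/\.$/, "", name)
      if (name == child) next           # record at the child apex
      n = length(name); s = length(suffix)
      if (n > s && substr(name, n - s + 1) == suffix) next  # below the child
      print
    }
  ' | LC_ALL=C sort -u                  # serial comment sorts above the records
}

# Constructed sample of parent-zone output (not a real transfer).
sample_parent() {
  cat <<'EOF'
#2024010101 auto axfr-get
Zexample.com:ns1.example.com.:hostmaster.example.com.:2024010101:7200:3600:604800:3600:3600
&example.com::ns1.example.com.:3600
+ns1.example.com:192.0.2.1:3600
+www.example.com:192.0.2.10:3600
+www.example.com:192.0.2.10:3600
&sub.example.com::ns.sub.example.com.:3600
+ns.sub.example.com:192.0.2.53:3600
+notsub.example.com:192.0.2.20:3600
EOF
}

# Prints 6 lines: both sub.example.com records and the duplicate are gone.
sample_parent | drop_child_records sub.example.com
```

The match is on whole labels, so notsub.example.com stays in the parent's output while sub.example.com and ns.sub.example.com are removed.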

axfr-get will accept arbitrarily large zone transfers. To limit the maximum file size to 1 megabyte, run axfr-get under softlimit -f 1048576.

Compatibility notes

axfr-get handles BIND's RFC-1034-violating multiple-answers zone-transfer format.

axfr-get does not precisely simulate BIND's handling of *.dom. Under BIND, records for *.dom do not apply to y.dom or anything.y.dom if there is a normal record for x.y.dom. With axfr-get and tinydns, the records apply to y.dom and anything.y.dom except x.y.dom.

axfr-get does not precisely simulate BIND's handling of multiple IP addresses for a single name. When there are more than 8 addresses, tinydns selects a random set of 8 for each query.