[dns-operations] AXFR support for custom DNS features (Was: Recommended zone serial number format for over 100 changes / day)

Warren Kumari warren at kumari.net
Sat Apr 2 20:35:53 UTC 2016

On Sat, Apr 2, 2016 at 2:59 PM Robert <robert at longwinters.org> wrote:

> On 1 April 2016 at 10:26, Andrew Sullivan <ajs at anvilwalrusden.com> wrote:
> > On Fri, Apr 01, 2016 at 10:13:08AM -0700, Robert wrote:
> >> So then the preference would be dropped?
> >
> > Anything that _isn't_ an RR would be dropped, yes.  So, …
> That's the crux of my confusion.  I've read numerous posts on this
> mailing list and others where people want AXFR support from commercial
> DNS providers that support features which aren't supported by AXFR -
> with the consensus being those unsupported records must be dropped.
> It doesn't sound like a usable feature if only parts of a zone are
> transferred.
> I mostly get the AXFR into a commercial DNS provider because you
> can set the constraints on your DNS system to only support those
> supported by AXFR, though not all commercial DNS providers even
> support all of the RRTypes supported by AXFR so you'd still have to be
> careful there.
> For those who want AXFR out from a commercial DNS provider, why do you
> want it if it isn't expected to work?

A (somewhat) common pattern is to use AXFR to back up the zone.
If you make changes through a GUI it is nice to be able to back up the zone
into a file every now and then to:
A: use other DNS tools / grep through the file for things ("what was that
machine called again? erm, something spooler something?!")
B: keep offline copies for analysis over time ("Wow, we now have 5 times as
many names as we did 3 months ago", "Doh, someone just deleted www.example -
what was the IP for it again!?")
C: transfer the zone to some other provider, who may or may not support all
of the same features as the current one.

> Would you want the commercial
> DNS provider to restrict the use of those unsupported by AXFR
> pseudo-RRTypes within a zone you've enabled AXFR for or would you
> trust yourself to not use them?

I'd trust myself not to use them. Then again, if I end up with
foo IN 300 TYPE3456 0x34e21b19a
and I load it, what's the real harm?

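The backup use described in the message above (spotting a deleted name and recovering its old address from an earlier AXFR snapshot), as an added example that is not part of the original post. It assumes snapshots saved in `dig AXFR` style, one record per line with fully qualified owner names; the zone data and the `parse` and `diff` helpers are constructed for illustration, and the diff also lists records written in the RFC 3597 generic `TYPEnnn` form.

```python
import re
from collections import defaultdict

# Constructed snapshots (not real data): owner TTL class type rdata, one per line.
OLD = r"""
; snapshot taken 2016-04-01
example.com.          3600 IN SOA ns1.example.com. admin.example.com. 2016040101 7200 900 1209600 300
example.com.          3600 IN NS  ns1.example.com.
www.example.com.      300  IN A   192.0.2.10
spooler1.example.com. 300  IN A   192.0.2.20
"""
NEW = r"""
; snapshot taken 2016-04-02
example.com.          3600 IN SOA ns1.example.com. admin.example.com. 2016040201 7200 900 1209600 300
example.com.          3600 IN NS  ns1.example.com.
spooler1.example.com. 300  IN A   192.0.2.20
foo.example.com.      300  IN TYPE3456 \# 4 0a000001
"""

GENERIC_TYPE = re.compile(r"^TYPE\d+$")  # RFC 3597 syntax for unknown RR types

def parse(text):
    """Return {(owner, rrtype): set_of_rdata} from one-record-per-line zone text."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comment lines
            continue
        owner, _ttl, _rrclass, rrtype, rdata = line.split(None, 4)
        rrsets[(owner.lower(), rrtype.upper())].add(" ".join(rdata.split()))
    return rrsets

def diff(old_text, new_text):
    """Compare two snapshots; SOA is ignored for 'changed' since the serial always moves."""
    old, new = parse(old_text), parse(new_text)
    removed = {k: sorted(old[k]) for k in old.keys() - new.keys()}
    added = {k: sorted(new[k]) for k in new.keys() - old.keys()}
    changed = {k: (sorted(old[k]), sorted(new[k]))
               for k in old.keys() & new.keys()
               if old[k] != new[k] and k[1] != "SOA"}
    generic = sorted(k for k in new if GENERIC_TYPE.match(k[1]))
    return removed, added, changed, generic

if __name__ == "__main__":
    removed, added, changed, generic = diff(OLD, NEW)
    for (owner, rrtype), rdata in sorted(removed.items()):
        print(f"REMOVED {owner} {rrtype} (was: {', '.join(rdata)})")
    for (owner, rrtype), rdata in sorted(added.items()):
        print(f"ADDED   {owner} {rrtype} {', '.join(rdata)}")
    for owner, rrtype in generic:
        print(f"UNKNOWN-TYPE {owner} {rrtype}: confirm the importing server accepts it")
```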