
Auth Zone (Zone Transfer)

DNS Auth Zone (Zone Transfer)

Overview

The zWAN CPE supports authoritative DNS zones and allows for zone transfers. Zone transfers ensure fault tolerance by synchronizing the zone file between a primary DNS server and a secondary DNS server. The zWAN CPE acts as a secondary DNS server, requiring permission from the primary DNS server to access and replicate its zone file.

The zWAN CPE can perform full zone transfers (AXFR) or incremental zone transfers (IXFR), depending on the primary DNS server’s capabilities.

Process Overview

Zone transfers keep DNS data accurate and up to date in case a DNS zone becomes unreachable. The process differs depending on whether the zone has been replicated before. The steps are:

  1. The secondary server sends an AXFR request to the primary DNS server for a full DNS zone file.
  2. The primary DNS server responds with the zone file, including a serial number indicating the version.
  3. The secondary server checks the Start of Authority (SOA) record to determine the refresh interval (usually 15 minutes).
  4. After the refresh interval, the secondary server queries the primary DNS server for updates.
  5. If updates exist (serial numbers do not match), the secondary server requests an incremental transfer (IXFR).

If the primary server does not support IXFR, a full zone transfer is performed instead.
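The refresh decision from steps 3 to 5, as an added example rather than zWAN or Unbound code. It goes slightly beyond the steps above: serials are compared with RFC 1982 wraparound arithmetic, as standard DNS secondaries do, and a primary whose serial is behind the local copy is flagged instead of transferred. The SOA values and the example.test zone are constructed, and the function names and action labels are hypothetical.

```python
from typing import NamedTuple, Optional

HALF = 1 << 31          # half of the 32-bit serial space
MOD = 1 << 32           # SOA serials wrap at 2**32


class SOA(NamedTuple):
    serial: int         # zone version
    refresh: int        # seconds between update checks


def parse_soa(rdata: str) -> SOA:
    """Parse SOA rdata as printed by `dig +short <zone> SOA`:
    mname rname serial refresh retry expire minimum"""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    return SOA(serial=int(fields[2]), refresh=int(fields[3]))


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison: a plain '>' gives the wrong answer after wraparound."""
    diff = (candidate - current) % MOD
    return 0 < diff < HALF


def plan_refresh(local: Optional[SOA], primary: SOA, ixfr_supported: bool) -> str:
    """Return the action a secondary takes once the refresh interval expires."""
    if local is None:
        return "AXFR"                  # zone never replicated: full copy
    if primary.serial == local.serial:
        return "UP_TO_DATE"            # serials match: nothing to transfer
    if not serial_newer(primary.serial, local.serial):
        return "SERIAL_REGRESSION"     # primary is behind the local copy: skip and flag
    return "IXFR" if ixfr_supported else "AXFR"


# Constructed sample data (example.test is a reserved test name).
LOCAL = parse_soa("ns1.example.test. hostmaster.example.test. 2024010101 900 300 604800 3600")
PRIMARY = parse_soa("ns1.example.test. hostmaster.example.test. 2024010102 900 300 604800 3600")

if __name__ == "__main__":
    print("refresh interval:", LOCAL.refresh, "seconds")
    print("first replication:", plan_refresh(None, PRIMARY, True))
    print("primary updated, IXFR available:", plan_refresh(LOCAL, PRIMARY, True))
    print("primary updated, no IXFR:", plan_refresh(LOCAL, PRIMARY, False))
    print("primary behind secondary:", plan_refresh(PRIMARY, LOCAL, True))
```

A `SERIAL_REGRESSION` result usually means the primary was restored from an older copy or the secondary is pointed at the wrong server, so it is worth an alert rather than a silent skip.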

[Figure: DNS Zone Transfer Process]

Functionality

The Add Auth Zone functionality allows configuring authoritative zones in the zWAN CPE. Each authority zone must have a unique name. Multiple authority zones can be configured for different namespaces.

  • For-downstream: If enabled, the zWAN CPE responds as an authoritative server.
  • For-upstream: If enabled, the zWAN CPE stores a local copy of the zone data to speed up lookups.

Configuration Parameters

1. IP Address or Hostname

Defines the primary DNS server from which the zone file will be downloaded. Multiple primary servers can be specified for redundancy.

2. Fallback Enabled

Default: False. If enabled, the zWAN CPE falls back to querying the internet for DNS lookups when the zone transfer fails.

3. For Downstream

Default: True. If enabled, the CPE provides authoritative responses to downstream clients.

4. For Upstream

Default: True. If enabled, the CPE uses the zone data for recursive queries.

API Functions

Add Auth Zone

Configures the CPE as a secondary DNS server for a specified zone.

[Figure: Add DNS Auth Zone]

Edit Auth Zone

Modifies existing auth zone configurations, including temporary disabling.

[Figure: Edit DNS Auth Zone]

Delete Auth Zone

Removes an existing auth zone configuration.

[Figure: Delete DNS Auth Zone]

List Auth Zones

Displays all configured auth zones.

[Figure: List DNS Auth Zones]


Troubleshooting

  1. After configuring an auth zone, a zone file will be created in /etc/unbound/zwan/authzone.
  2. Increase the log verbosity to diagnose connection failures.
  3. Use dig commands to verify successful zone transfers.

[Figure: Successful Zone Transfer]
