AXFR / IXFR (Zone Transfer)

AXFR (Authoritative Zone Transfer, RFC 5936) is the protocol for transferring a complete copy of a [[zone-file|DNS zone]] from a primary to a secondary [[nameserver]]. IXFR (Incremental Zone Transfer, RFC 1995) transfers only changes since the last synchronization, reducing bandwidth. Zone transfers must be secured with [[tsig|TSIG]] or IP allowlisting, as an open AXFR exposes the full DNS record inventory to any requester — a common information-disclosure vulnerability.