Support AXFR transfers to secondaries

[timkgh]

I would like to use deSEC as primary while having other secondary DNS services for redundancy.

Please consider adding AXFR support with TSIG.

Thank you.

[nils-wisiol]

Per-user AXFR could be supported by the means of a separate daemon that answers AXFR requests by first authenticating the request, then doing an AXFR internally, then replying to the request.

[timkgh]

I understand that the DNSSEC records are problematic with AXFR and secondary providers. Not sure whether disabling DNSSEC in deSEC is an option, though the goal of deSEC is to promote DNSSEC.

[nils-wisiol]

Not sure whether disabling DNSSEC in deSEC is an option

no way 🤓

[appliedprivacy]

This topic (redundancy via zone transfer) has become more relevant today due to the DDoS related outage.
Forum post:
https://talk.desec.io/t/zone-transfer-to-secondary-ns-for-availability-reasons/568

Please also consider RFC9103 Zone Transfer over TLS when implementing AXFR support.
https://www.rfc-editor.org/rfc/rfc9103

[appliedprivacy]

Looks like DDoS issues will become more frequent.

We are committing to donate 100€ if AXFR support gets implemented sometime before 2024.

[bluecmd]

Hi! Just wanting to say that I was considering moving all my domains to deSEC given the wonderful things that it seems to offer, but sadly I need to be able to do AXFR to internal DNS mirrors to be able to have high-availability when transit outages happen. E.g. offices need to be able to print on the printer without internet connectivity.