Authorizing zone transfers

Zone transfers are operations that are typically performed between authoritative name servers of a particular zone. A zone transfer occurs when all or part of the contents of a zone is sent from the name server to the requester. ADNR requests zone transfers from the primary master name server of the zones it manages. Name servers can be configured to allow zone transfers only from specific entities. If the name servers that ADNR is to update are configured to restrict which entities can perform zone transfers, ADNR must be specifically permitted to perform them. Name servers typically permit zone transfers from a predetermined set of source IP addresses, sometimes referred to as an access control list (ACL), or they can require authentication using digital signatures, sometimes referred to as transaction signatures (TSIG). Authentication using digital signatures is much more secure than authenticating by source IP address, because the latter is subject to address spoofing. Furthermore, the source IP address that ADNR uses might not be entirely predictable, unless deliberate steps are taken in the TCP/IP profile to make it predictable through mechanisms like job-specific source IP address specification or other forms of SOURCEVIPA configuration.

Guideline: Digital signatures (TSIG authentication) provide more robust authentication than source IP address permissions (ACL).

For the BIND 9 name server, zone transfers are allowed by ACL or by digital signatures, both by using the allow-transfer statement.

You must define the TSIG key to ADNR using the key configuration statement, and then reference the key from the transfer_key keyword of the zone keyword of the dns statement. The key file should be protected from unauthorized access. ADNR must have read access to the file. Both the .key and the .private key files generated by the dnssec-keygen utility must be present for ADNR to properly communicate with the name server, even though only the .key key file name is actually specified on the transfer_key keyword.
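As an added example (not code from this page, ADNR, or BIND), a small Python audit over a constructed named.conf fragment that applies the guideline above: it classifies each zone's allow-transfer statement as TSIG-keyed, address-ACL-only (spoofable), disabled, or left to the default, and checks that any referenced key is actually declared. Zone names, the key name and the addresses are made up.

```python
import re

# Constructed named.conf fragment (made up for this example): one zone restricts
# transfers by source-IP ACL only, one requires a TSIG key, one has no statement.
NAMED_CONF = """
key "adnr-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};
zone "acl-only.example" {
    type master;
    allow-transfer { 10.1.2.3; 10.1.2.4; };
};
zone "tsig.example" {
    type master;
    allow-transfer { key adnr-key; };
};
zone "open.example" {
    type master;
};
"""

KEY_RE = re.compile(r'^key\s+"?([^"\s{]+)"?\s*\{', re.M)
ZONE_RE = re.compile(r'^zone\s+"([^"]+)"\s*\{(.*?)^\};', re.M | re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def audit_allow_transfer(conf):
    """Map each zone to a verdict: 'tsig' (every entry is a declared key),
    'undefined-key' (a key is referenced but never declared), 'acl-only'
    (addresses or ACL names, alone or mixed with keys, so a spoofed source
    address suffices), 'disabled' (none), or 'default' (no zone-level statement;
    the options-level default applies, which in many BIND 9 releases is any)."""
    defined_keys = set(KEY_RE.findall(conf))
    findings = {}
    for name, body in ZONE_RE.findall(conf):
        m = TRANSFER_RE.search(body)
        if m is None:
            findings[name] = "default"
            continue
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        keys = [e.split(None, 1)[1].strip('"') for e in entries if e.startswith("key ")]
        if keys and len(keys) == len(entries):
            findings[name] = "tsig" if set(keys) <= defined_keys else "undefined-key"
        else:
            findings[name] = "disabled" if entries == ["none"] else "acl-only"
    return findings
```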