Introduction

DNS AXFR/IXFR zone transfers are denied when the transfer ACL or the TSIG key is misconfigured on the primary or the secondary. This guide provides step-by-step diagnosis and resolution.

Symptoms

Typical error output:

```text
Transfer failed: not authorized
AXFR from 10.0.0.1 denied
TSIG signature mismatch
```
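The three symptoms above come from different root causes (an ACL that does not match the requester versus a TSIG key that is wrong, unknown or out of time). The following added example, which is not part of the original guide, classifies the failure lines named writes to its log so the right fix is chosen before any configuration is edited. The log lines in sample_log are constructed samples modelled on BIND's message wording; the client addresses and the key names xfer-key and stale-key are placeholders.

```bash
#!/bin/sh
# Added example, not from the original guide: classify zone-transfer failure
# lines from named.log into ACL versus TSIG causes.

# Reads log lines on stdin and prints one category per line:
#   acl_denied    the requester is not matched by allow-transfer
#   tsig_badsig   key name matched but the HMAC did not (secrets differ)
#   tsig_badkey   the server has no key of that name
#   tsig_badtime  clock skew exceeds the TSIG fudge window
#   other         anything else (queries, notifies, ...)
classify_xfer_log() {
  while IFS= read -r line; do
    case "$line" in
      *"zone transfer"*denied*)                     echo acl_denied ;;
      *"(BADSIG)"*)                                 echo tsig_badsig ;;
      *"(BADKEY)"*|*"unknown key"*)                 echo tsig_badkey ;;
      *"(BADTIME)"*|*"clocks are unsynchronized"*)  echo tsig_badtime ;;
      *)                                            echo other ;;
    esac
  done
}

# Maps a category to the check that resolves it.
next_check() {
  case "$1" in
    acl_denied)   echo "compare the client address or key against allow-transfer in named.conf" ;;
    tsig_badsig)  echo "diff the key secret and algorithm between primary and secondary" ;;
    tsig_badkey)  echo "confirm the key name exists in both named.conf files" ;;
    tsig_badtime) echo "sync clocks with NTP; TSIG tolerates only minutes of skew" ;;
    *)            echo "not a transfer failure" ;;
  esac
}

# Constructed sample log, modelled on BIND's wording (not captured from a real server).
sample_log() {
  cat <<'EOF'
client @0x7f1 10.0.0.1#41233: zone transfer 'example.com/AXFR/IN' denied
client @0x7f2 10.0.0.2#41234: request has invalid signature: TSIG xfer-key: tsig verify failure (BADSIG)
client @0x7f3 10.0.0.3#41235: request has invalid signature: TSIG stale-key: tsig verify failure (BADKEY)
client @0x7f4 10.0.0.4#41236: request has invalid signature: TSIG xfer-key: clocks are unsynchronized (BADTIME)
client @0x7f5 10.0.0.5#41237: query: example.com IN A + (10.0.0.10)
EOF
}

# On a live system: tail -n 500 /var/log/named/named.log | classify_xfer_log | sort | uniq -c
sample_log | classify_xfer_log | while read -r kind; do
  printf '%-13s %s\n' "$kind" "$(next_check "$kind")"
done
```

Pipe the real log through classify_xfer_log and count the categories; a mix of acl_denied and tsig_badkey for the same secondary usually means the key was added on one side only.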

Common Causes

  1. DNSSEC chain of trust broken
  2. Signature or key expired
  3. Zone misconfiguration
  4. Network or firewall issue

Step-by-Step Fix

Step 1: Check Current State

```bash
dig @8.8.8.8 example.com +dnssec        # public view of the zone, with DNSSEC records
dig @server example.com AXFR            # request the transfer directly from the primary
named-checkzone example.com zonefile    # syntax-check the zone file
```

Step 2: Identify Root Cause

```bash
dig @localhost domain.com +dnssec       # query the local server directly
named-checkzone domain.com zonefile     # validate the zone file
named-checkconf                         # validate named.conf, including ACL and key blocks
```

Step 3: Apply Primary Fix

```bash
# Primary fix: update the zone configuration, then reload only that zone
named-checkzone example.com /etc/bind/db.example   # validate before reloading
rndc reload example.com                            # reload the zone in the running server
dig @localhost example.com +dnssec                 # confirm the server answers for it
```

Step 4: Apply Alternative Fix

```bash
# Alternative fix: check the logs while reproducing the failure
tail -f /var/log/named/named.log    # watch for "denied" or TSIG messages in real time
named-checkconf                     # confirm the configuration parses
rndc status                         # confirm the server is up and which zones it serves
```

Step 5: Verify the Fix

```bash
dig @localhost example.com +dnssec
dig @localhost example.com +trace
# Response should be NOERROR with DNSSEC records
```
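Steps 1 to 5 above validate syntax and reload the zone, but the "not authorized" and TSIG symptoms usually come from the allow-transfer statement itself. The following added example, which is not part of the original guide, audits a named.conf for the transfer-ACL mistakes behind those symptoms and writes the weak configuration beside the hardened one. Both configs are constructed samples: xfer-key, stale-key, 10.0.0.2 and the secret string are placeholders (a real secret comes from tsig-keygen).

```bash
#!/bin/sh
# Added example, not from the original guide: audit allow-transfer in a BIND
# named.conf and show the weak setting next to the corrected one.

# Prints one verdict for the file given as $1 and returns non-zero on a finding:
#   weak_any            allow-transfer { any; }: any host may pull the zone
#   missing             no allow-transfer at all: behaviour depends on the BIND default
#   undefined_key:NAME  the ACL names a TSIG key that is never defined
#   ip_only             ACL restricts by address only; no TSIG key required
#   ok                  ACL requires a TSIG key that is defined in this file
audit_allow_transfer() {
  conf="$1"
  if grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;' "$conf"; then
    echo weak_any; return 1
  fi
  if ! grep -q 'allow-transfer' "$conf"; then
    echo missing; return 1
  fi
  # Key names referenced inside allow-transfer { ... } (single-line statements).
  keys=$(grep -Eo 'allow-transfer[^}]*' "$conf" \
         | grep -Eo 'key[[:space:]]+"?[A-Za-z0-9._-]+"?' \
         | sed -E 's/^key[[:space:]]+"?//; s/"$//')
  [ -n "$keys" ] || { echo ip_only; return 1; }
  for k in $keys; do
    grep -Eq "^[[:space:]]*key[[:space:]]+\"?$k\"?[[:space:]]*\{" "$conf" \
      || { echo "undefined_key:$k"; return 1; }
  done
  echo ok
}

# Constructed sample configs (placeholders, not a real deployment).
write_sample_confs() {
  dir=$(mktemp -d)
  WEAK_CONF="$dir/weak.conf"; OK_CONF="$dir/ok.conf"; BADKEY_CONF="$dir/badkey.conf"
  # Weak: every host that can reach port 53 may pull the whole zone.
  cat >"$WEAK_CONF" <<'EOF'
zone "example.com" {
    type master;
    file "/etc/bind/db.example";
    allow-transfer { any; };
};
EOF
  # Hardened: transfers need a valid TSIG signature with xfer-key; the secondary
  # at 10.0.0.2 is told to sign its requests with the same key.
  cat >"$OK_CONF" <<'EOF'
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT=";
};
server 10.0.0.2 { keys { "xfer-key"; }; };
zone "example.com" {
    type master;
    file "/etc/bind/db.example";
    allow-transfer { key "xfer-key"; };
    also-notify { 10.0.0.2; };
};
EOF
  # Typical TSIG mismatch: the ACL still references a key that was renamed.
  sed 's/key "xfer-key";/key "stale-key";/' "$OK_CONF" >"$BADKEY_CONF"
}

write_sample_confs
for f in "$WEAK_CONF" "$OK_CONF" "$BADKEY_CONF"; do
  printf '%s: %s\n' "$(basename "$f")" "$(audit_allow_transfer "$f")"
done
# After correcting named.conf: named-checkconf, rndc reload, then from the
# secondary verify with a signed request:
#   dig @primary example.com AXFR -y hmac-sha256:xfer-key:<secret>
```

The key block, including the secret, must be identical on both servers, and the secondary's transfer request is signed only when its own named.conf carries a matching server statement; the audit reads a single file, so run it on both sides.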

Common Pitfalls

  • Not waiting for DNS propagation after changes
  • Forgetting to increment SOA serial
  • Using incorrect TTL values
  • Not testing DNSSEC before publishing

Best Practices

  • Use DNSSEC monitoring for chain validation
  • Implement proper key rollover procedures
  • Test zone transfers regularly
  • Monitor DNS query rates and errors