Set up AXFR zone file transfer
This guide explains the technical steps to allow you to share your organisation’s domains and subdomains with the Government Digital Service (GDS) using the AXFR service.
Connecting GDS to AXFR
AXFR is a protocol used to synchronise zones between name servers. We can also use it to share zones with a third party for backup and resilience, or in this case, to ensure we have a current copy of your zone and can monitor all your active domains.
We support TSIG for secure zone transfers. If your name server does not support TSIG, we can use IP address allowlisting.
Once configured, we will contact your name server at 1am each day and fetch a copy of your current zone.
How to set up your AXFR configuration
Check your existing configuration and name server documentation to ensure you can support AXFR to allow us access.
Configuration will vary for different DNS server software.
Step 1
If using TSIG, create a TSIG key.
There are several tools available to do this, including most common DNS hosting or management tools, OpenSSL, or built-in tools in Unix-like systems.
Follow the guidance for your tool to generate the key, making sure you specify HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512, or a more secure algorithm if one is available.
Follow your DNS software’s instructions for adding the key to your servers. You will share the key by email after completing the next steps.
Step 2
Update your systems to allow AXFR from the following IP address:
18.133.129.6
Make sure you allow inbound and outbound connections on TCP port 53. You may need to do this in more than one place, for example:
- for the name server as a whole
- for each zone hosted by your name server
- on your firewall or other network boundary
Step 3
Reload or restart the name servers that will be completing the AXFR transfers to activate the new configuration.
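The three steps above, worked through for BIND 9 as an added example (this is not GDS's own tooling or a configuration from the guidance). It generates a TSIG secret with OpenSSL, prints a named.conf fragment that grants AXFR only to the address in Step 2 and only when the request is signed with that key, and includes a dig check you can run from an allowed host. The key name gds-axfr, the zone file path and the file name of the fragment are assumptions. TSIG is a shared-secret HMAC, so the one base64 value is both what you configure on the name server and what you later send to GDS.

```sh
#!/bin/sh
# Added example (not GDS's own config): TSIG key generation plus a BIND 9
# named.conf fragment allowing AXFR from the GDS address with a valid TSIG
# signature. Key name, zone file path and output file are assumptions.

GDS_AXFR_IP="18.133.129.6"   # the address given in Step 2 of the guidance

# generate_tsig_secret: 256-bit random secret, base64-encoded as BIND expects.
# `tsig-keygen -a hmac-sha256 gds-axfr` (shipped with BIND) produces an
# equivalent key statement if you prefer the BIND-native tool.
generate_tsig_secret() {
    openssl rand -base64 32
}

# bind_axfr_config KEYNAME SECRET ZONE [ZONE...]
# Prints a named.conf fragment (key statement plus one zone statement per
# zone) to stdout so it can be reviewed before being included from named.conf.
# Keep `allow-transfer { none; };` in your existing options block so that
# only the zones listed here are transferable.
bind_axfr_config() {
    keyname="$1"
    secret="$2"
    shift 2
    cat <<EOF
key "$keyname" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
    for zone in "$@"; do
        cat <<EOF

zone "$zone" {
    type master;   // BIND 9.16 and later also accept "primary"
    file "/var/named/$zone.db";   // assumed path
    // BIND ACLs are OR lists; the nested negated list is the idiom for AND:
    // the request must come from the GDS address AND be signed with the key.
    allow-transfer { !{ !$GDS_AXFR_IP; any; }; key "$keyname"; };
};
EOF
    done
}

# verify_transfer KEYNAME SECRET ZONE [SERVER]
# Run from a host that is allowed to transfer (e.g. the primary itself):
# performs a signed AXFR with dig and returns 0 only if records came back.
verify_transfer() {
    keyname="$1"; secret="$2"; zone="$3"; server="${4:-127.0.0.1}"
    records=$(dig @"$server" -y "hmac-sha256:$keyname:$secret" "$zone" AXFR +noall +answer | wc -l)
    [ "$records" -gt 0 ]
}

# Usage (on the primary name server; paths are assumptions):
#   SECRET=$(generate_tsig_secret)
#   bind_axfr_config gds-axfr "$SECRET" example.gov.uk > /etc/named/gds-axfr.conf
#   # add  include "/etc/named/gds-axfr.conf";  to named.conf, then: rndc reconfig
#   verify_transfer gds-axfr "$SECRET" example.gov.uk && echo "AXFR OK"
```

Firewall rules (Step 2) are outside named.conf: whatever filters traffic in front of the server must accept TCP port 53 from 18.133.129.6 and allow the replies back out. The dig check without the `-y` option, or from an address other than the allowed one, should be refused; that refusal is the confirmation that the address-and-key condition is in force.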
Share your AXFR details with GDS
Send an email to support@domains.gov.uk including:
- the hostname of the name server, for example, ns1.example.gov.uk
- the list of zones you are enabling for zone transfer
If you are using TSIG you should also include:
- the TSIG algorithm used, for example HMAC-SHA256
- the private TSIG key
We will add your configuration, request a test AXFR transfer, and contact you with the result.
Send all details, and any questions you may have, to support@domains.gov.uk
Contact us
If you need more information, email support@domains.gov.uk