Background
IBM Cloud DNS Services provides private DNS to Virtual Private Cloud (VPC) users. Private DNS zones are resolvable only on IBM Cloud, and only from explicitly permitted networks. One special kind of zone that DNS Services supports is the secondary zone: a read-only copy of a primary zone that is hosted on a different server. Secondary zones provide fault tolerance by replicating zone data across multiple resolvers.
IXFR vs. AXFR
Secondary zone data is transferred (XFR) between the primary DNS resolver and any secondary DNS resolvers using either a full zone transfer (AXFR) or an incremental zone transfer (IXFR), both during initial configuration of the zone and for every subsequent update. A given set of zone data is tied to a particular serial number in the zone's SOA record, so whenever the zone is updated, the serial number is incremented. This makes it possible to trace when updates were made and which data changed between two serial numbers. Under AXFR, any update to the zone data causes the full set of zone information to be sent to the secondary DNS resolver. Under IXFR, only the data that changed is sent. A zone transfer proceeds through the following steps:
- Zone data on the primary DNS resolver is updated.
- The primary DNS resolver sends a notify message to the secondary DNS resolvers configured for the zone, indicating that there is new zone data.
- Upon receiving the notify message, the secondary DNS resolver makes a request to the primary DNS resolver for the zone that has been updated and indicates whether the transfer should be either AXFR or IXFR.
- Primary DNS resolver receives the zone transfer request and attempts to send the updated zone data using the requested transfer method.
- Secondary DNS resolver receives the new zone data and processes it to be available when a relevant DNS query is received.
A zone transfer requested via IXFR may fall back to AXFR for any of the following reasons:
- The primary DNS resolver is not properly configured to support IXFR.
- The secondary DNS resolver made a request for a SOA serial that the primary DNS resolver does not have stored.
- The number of changes that would be sent via IXFR exceeds the configured ratio of changed-to-unchanged zone data.
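A constructed simulation of the serial-driven transfer decision described above (an added example, not IBM Cloud DNS Services code): a primary keeps a change journal keyed by SOA serial, answers IXFR requests with deltas, and falls back to AXFR for each of the three reasons listed; the `journal_depth` and `max_change_ratio` knobs are modelling assumptions of this example, not product settings.

```python
from dataclasses import dataclass, field

@dataclass
class Primary:
    serial: int                          # current SOA serial
    records: dict                        # name -> rdata (current zone contents)
    ixfr_enabled: bool = True            # False models fallback reason 1
    journal_depth: int = 3               # serials kept in history; models reason 2
    max_change_ratio: float = 0.5        # changed/total cap; models reason 3
    journal: dict = field(default_factory=dict)  # new serial -> (added, removed)
    def update(self, added: dict, removed: set) -> int:
        """Apply a change, increment the SOA serial and journal the delta."""
        for name in removed:
            self.records.pop(name, None)
        self.records.update(added)
        self.serial += 1
        self.journal[self.serial] = (dict(added), set(removed))
        while len(self.journal) > self.journal_depth:  # oldest history is forgotten
            self.journal.pop(min(self.journal))
        return self.serial

    def transfer(self, secondary_serial: int):
        """Answer an IXFR request from a secondary holding secondary_serial; an empty IXFR delta means it is already current."""
        wanted = range(secondary_serial + 1, self.serial + 1)
        if not self.ixfr_enabled or any(s not in self.journal for s in wanted):
            return "AXFR", dict(self.records)     # reasons 1 and 2: send the full zone
        deltas = [self.journal[s] for s in wanted]
        changed = sum(len(a) + len(r) for a, r in deltas)
        if changed > self.max_change_ratio * max(len(self.records), 1):
            return "AXFR", dict(self.records)     # reason 3: too much churn for a delta
        return "IXFR", deltas

def apply_transfer(zone: dict, method: str, payload) -> dict:
    if method == "AXFR":                         # full copy replaces the secondary's zone
        return dict(payload)
    for added, removed in payload or []:         # IXFR: replay journaled deltas in order
        for name in removed:
            zone.pop(name, None)
        zone.update(added)
    return zone

def demo():
    primary = Primary(1, {f"h{i}.example": f"10.0.0.{i % 256}" for i in range(1000)})
    secondary, sec_serial = dict(primary.records), primary.serial
    primary.update({"h7.example": "10.9.9.9"}, set())        # one record of 1000 changes
    m1, p1 = primary.transfer(sec_serial)                    # -> IXFR carrying 1 record
    secondary, sec_serial = apply_transfer(secondary, m1, p1), primary.serial
    primary.update({}, {f"h{i}.example" for i in range(600)})   # 600 of 1000 removed
    m2, p2 = primary.transfer(sec_serial)                    # churn exceeds ratio -> AXFR
    return m1, m2, apply_transfer(secondary, m2, p2) == primary.records
```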
Benefits of IXFR
The primary benefit of enabling IXFR for secondary zones is more efficient use of network bandwidth. Consider the use case of a zone configured with 1 million records. If zone transfers for such a zone are processed using AXFR, then even if a single record is modified, all 1 million records will be transferred to the secondary DNS resolvers for processing. The problem is compounded further when multiple zones are configured and all of them change their data frequently. This is why we implemented IXFR for IBM Cloud DNS Services. We provide the ability to configure secondary zones using our Custom Resolvers, which are implemented using appliance VSIs. Implementing IXFR allows us to maximize the performance of our existing VSI profile sizes in terms of bandwidth, CPU, and memory without impacting any existing configurations. This improvement enables our customers to configure secondary zones with much higher limits on the number of records per zone.