Configuring the Allow Zone Transfer deployment option - BlueCat Address Manager - 8.3.1

Address Manager Administration Guide

BIND zones and Windows standard zones use the zone transfer mechanism. By default, zones stored in Active Directory do not use zone transfers unless there is a need to transfer zone data to a DNS server that is not a domain controller.

Address Manager imports the Windows Zone Transfers setting as the Allow Zone Transfers DNS deployment option at the zone level. The following table shows how each Windows Zone Transfers configuration is imported into Address Manager.

| Windows: Zone Transfers setting | Address Manager: Allow Zone Transfers deployment options |
|---|---|
| Check box clear | None |
| Check box selected—Only to servers listed on the Name Servers tab (no additional servers listed in tab) | None |
| Check box selected—Only to servers listed on the Name Servers tab (additional servers listed in tab) | IP addresses of servers from the Name Servers tab |
| Check box selected—To Any Server | Any |
| Check box selected—Only to the following servers | Specified IP addresses |

Note: If you do not configure the Allow Zone Transfers option on Address Manager, it is disabled in Windows during deployment and zone transfers are not allowed.

The Allow Zone Transfer deployment option can be set at the following levels:
  • Configuration
  • Server Group
    Attention: Server Groups only support BlueCat DNS/DHCP Servers.
  • Server
  • View
  • Zone
  • IP block
  • IP network

To configure the Allow Zone Transfers option:

  1. Navigate to the configuration, IP block, IP network, view, or zone in which you want to allow Zone Transfers.
  2. Select the Deployment Options tab.
  3. Click New, then select DNS Option.
  4. Under General, select Allow Zone Transfer from the Option drop-down menu. The following three parameters will be populated:
    • IP Address or name—allows zone transfer based on IPv4 or IPv6 blocks or individual IP addresses. The name field is legacy support for named ACLs, from before full ACL support was added.
    • Key—allows zone transfer based on a TSIG key.
    • ACL—allows zone transfer to configured ACLs.
    Note: When Key or ACL is selected, the Exclusion check box will appear. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key.
  5. Under Server, determine the servers to which this option applies:
    • To apply the option to all servers in the configuration, select All Servers.
      Attention: Server Groups only support BlueCat DNS/DHCP Servers.
    • To apply the option to a specific server, select Specific Server, then select a server from the drop-down menu.
    Note: The Allow Zone Transfers deployment option should be set on the Master.
  6. Click Add to add the option and return to the Deployment Options tab, or click Add Next to add another deployment option.
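
The following is an added example, not part of the BlueCat documentation or product code. It models how a set of Allow Zone Transfer entries (IP address or block, TSIG key, ACL, each optionally marked as an exclusion) decides a transfer request, assuming the deployed option is evaluated like a BIND allow-transfer address match list: entries are checked in order and the first match decides. The entry syntax, the `secondaries` ACL, the `xfer-key` key name and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed named ACL (hypothetical name; addresses are documentation ranges).
ACLS = {"secondaries": ["192.0.2.53", "2001:db8::/64"]}

def _matches(element, client_ip, client_key, acls):
    """True if a single entry (without its '!' prefix) matches the requester."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):            # TSIG key entry
        return client_key == element[4:].strip()
    if element in acls:                       # named ACL: only a positive match counts
        return transfer_allowed(acls[element], client_ip, client_key, acls)
    network = ipaddress.ip_network(element, strict=False)  # single IP or block
    return ipaddress.ip_address(client_ip) in network

def transfer_allowed(entries, client_ip, client_key=None, acls=ACLS):
    """Evaluate entries in order; the first match decides, '!' marks an exclusion."""
    for raw in entries:
        excluded = raw.startswith("!")
        if _matches(raw.lstrip("!").strip(), client_ip, client_key, acls):
            return not excluded
    return False                              # nothing matched: transfer refused

if __name__ == "__main__":
    # Constructed requests: (entries, requester IP, TSIG key name used or None)
    cases = [
        (["!192.0.2.99", "192.0.2.0/24"], "192.0.2.99", None),   # exclusion first
        (["192.0.2.0/24", "!192.0.2.99"], "192.0.2.99", None),   # exclusion too late
        (["key xfer-key"], "203.0.113.7", "xfer-key"),           # signed request
        (["key xfer-key"], "203.0.113.7", None),                 # unsigned request
        (["secondaries"], "2001:db8::5", None),                  # named ACL, IPv6
        (["any"], "198.51.100.1", None),                         # open to everyone
    ]
    for entries, ip, key in cases:
        verdict = "allow" if transfer_allowed(entries, ip, key) else "refuse"
        print(f"{entries!s:40} {ip:15} key={key!s:9} -> {verdict}")
```

Under this model an exclusion only takes effect when it is listed before any broader entry that also matches the same requester, and a list that matches nothing refuses the transfer.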