Overview Zone transfers replicate zone data from the Xloud DNS service to secondary nameservers
or other projects. Administrators control which destinations are permitted to perform
zone transfers. Transfer requests use a one-time key mechanism — the requesting admin
generates the request and shares the key with the recipient through a secure channel.
Administrator Access Required — This operation requires the admin role. Contact your
Xloud administrator if you do not have sufficient permissions.
Zone Transfer Workflow Create a Transfer Request
Create transfer request as admin Create zone transfer request
openstack zone transfer request create \ --target-project-id < project-i d > \ --description "Transfer to DR nameserver" \ example.com.
This generates a key that the recipient uses to accept the transfer.
Share the transfer key Share the id and key from the output with the recipient project administrator
through a secure channel (e.g., encrypted email, secrets manager). Never share transfer keys over unencrypted channels. A compromised key allows
unauthorized zone transfer.
Recipient accepts the transfer The recipient project accepts the transfer using the provided credentials: openstack zone transfer accept request \ --transfer-id < transfer-i d > \ --key < transfer-ke y >
Zone becomes available in the recipient project.
List pending transfer requests
Show transfer request detail
Delete a transfer request
List accepted transfers
openstack zone transfer request list
Delete stale transfer requests that were not accepted within 24 hours to prevent
unauthorized zone transfers if keys are later compromised.
Security Best Practices Practice Description Target-specific requests Always specify --target-project-id — never create open transfers Short expiration Set 24-hour expiration windows on all transfer requests Secure key delivery Deliver transfer keys via encrypted channel only Regular audit Review accepted transfers monthly and revoke unnecessary ones
Audit all accepted zone transfers (admin)
openstack zone transfer accept list --all-projects
Next Steps Pool Management Manage nameserver pools that receive transferred zone data
Security Full DNS security hardening guidelines
Backend Configuration Configure also_notifies for AXFR consumer nameservers
Admin Troubleshooting Diagnose zone transfer failures and key errors
