# DNS Zone Transfers

> Manage AXFR and IXFR zone transfer requests in Xloud DNS. Create, accept, and revoke transfer requests between projects and secondary nameservers.

## Overview

Zone transfers replicate zone data from the Xloud DNS service to secondary nameservers
or other projects. Administrators control which destinations are permitted to perform
zone transfers. Transfer requests use a one-time key mechanism — the requesting admin
generates the request and shares the key with the recipient through a secure channel.

<Warning>
  **Administrator Access Required** — This operation requires the `admin` role. Contact your
  Xloud administrator if you do not have sufficient permissions.
</Warning>

***

## Zone Transfer Workflow

```mermaid theme={null}
sequenceDiagram
    participant Admin as Source Admin
    participant API as DNS API
    participant Recipient as Recipient Project Admin

    Admin->>API: Create transfer request for example.com.
    API-->>Admin: transfer_id + key
    Admin->>Recipient: Share transfer_id and key (secure channel)
    Recipient->>API: Accept transfer with transfer_id + key
    API-->>Recipient: Zone available in recipient project
```

***

## Create a Transfer Request

<Tabs>
  <Tab title="Create and share" icon="plus">
    <Steps titleSize="h3">
      <Step title="Create transfer request as admin">
        ```bash title="Create zone transfer request" theme={null}
        openstack zone transfer request create \
          --target-project-id <project-id> \
          --description "Transfer to DR nameserver" \
          example.com.
        ```

        This generates a `key` that the recipient uses to accept the transfer.
      </Step>

      <Step title="Share the transfer key">
        Share the `id` and `key` from the output with the recipient project administrator
        through a secure channel (e.g., encrypted email, secrets manager).

        <Warning>
          Never share transfer keys over unencrypted channels. A compromised key allows
          unauthorized zone transfer.
        </Warning>
      </Step>

      <Step title="Recipient accepts the transfer">
        The recipient project accepts the transfer using the provided credentials:

        ```bash title="Accept zone transfer" theme={null}
        openstack zone transfer accept request \
          --transfer-id <transfer-id> \
          --key <transfer-key>
        ```

        <Check>Zone becomes available in the recipient project.</Check>
      </Step>
    </Steps>
  </Tab>

  <Tab title="Manage transfer requests" icon="list">
    <CodeGroup>
      ```bash title="List pending transfer requests" theme={null}
      openstack zone transfer request list
      ```

      ```bash title="Show transfer request detail" theme={null}
      openstack zone transfer request show <transfer-id>
      ```

      ```bash title="Delete a transfer request" theme={null}
      openstack zone transfer request delete <transfer-id>
      ```

      ```bash title="List accepted transfers" theme={null}
      openstack zone transfer accept list
      ```
    </CodeGroup>

    <Tip>
      Delete stale transfer requests that were not accepted within 24 hours to prevent
      unauthorized zone transfers if keys are later compromised.
    </Tip>
  </Tab>
</Tabs>

***

## Security Best Practices

| Practice                     | Description                                                        |
| ---------------------------- | ------------------------------------------------------------------ |
| **Target-specific requests** | Always specify `--target-project-id` — never create open transfers |
| **Short expiration**         | Set 24-hour expiration windows on all transfer requests            |
| **Secure key delivery**      | Deliver transfer keys via encrypted channel only                   |
| **Regular audit**            | Review accepted transfers monthly and revoke unnecessary ones      |

```bash title="Audit all accepted zone transfers (admin)" theme={null}
openstack zone transfer accept list --all-projects
```
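
The 24-hour cleanup from the tip above and the target-specific rule in this table can be checked in one pass. The script below is an added example, not part of the Xloud documentation or CLI. It assumes each transfer request has been exported as JSON (for example with `openstack zone transfer request show <transfer-id> -f json`) and carries `id`, `zone_name`, `target_project_id`, `status` and `created_at` fields; the sample records and their IDs are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # the 24-hour window this page recommends

# Constructed sample records. Field names and the ACTIVE/COMPLETE status
# values are assumptions about the exported JSON, not taken from this page.
SAMPLE = """[
 {"id": "tr-0001", "zone_name": "example.com.", "target_project_id": "proj-dr",
  "status": "ACTIVE", "created_at": "2024-05-02T09:00:00.000000"},
 {"id": "tr-0002", "zone_name": "example.org.", "target_project_id": "proj-dr",
  "status": "ACTIVE", "created_at": "2024-04-30T12:00:00.000000"},
 {"id": "tr-0003", "zone_name": "example.net.", "target_project_id": null,
  "status": "ACTIVE", "created_at": "2024-05-02T11:00:00.000000"},
 {"id": "tr-0004", "zone_name": "old.example.", "target_project_id": "proj-dr",
  "status": "COMPLETE", "created_at": "2024-04-01T08:00:00.000000"}
]"""

def parse_utc(value):
    """Parse an ISO 8601 timestamp; a missing offset is treated as UTC (assumption)."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit(requests, now):
    """Return (id, zone, reasons) for pending requests that break the rules above."""
    findings = []
    for req in requests:
        if req.get("status") != "ACTIVE":
            continue  # already accepted, so the one-time key is spent
        reasons = []
        if not req.get("target_project_id"):
            reasons.append("open transfer: no target project")
        age = now - parse_utc(req["created_at"])
        if age > MAX_AGE:
            hours = int(age.total_seconds() // 3600)
            reasons.append(f"pending {hours}h, over the 24h window")
        if reasons:
            findings.append((req["id"], req["zone_name"], reasons))
    return findings

def delete_commands(findings):
    """Build the delete command from this page for each flagged request."""
    return [f"openstack zone transfer request delete {tid}" for tid, _, _ in findings]

if __name__ == "__main__":
    flagged = audit(json.loads(SAMPLE), datetime.now(timezone.utc))
    for tid, zone, reasons in flagged:
        print(f"{tid} {zone}: {'; '.join(reasons)}")
    print("\n".join(delete_commands(flagged)))
```

Review the generated delete commands before running them; the script only prints them.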

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Pool Management" href="/services/dns/pool-management" color="#197560">
    Manage nameserver pools that receive transferred zone data
  </Card>

  <Card title="Security" href="/services/dns/security" color="#197560">
    Full DNS security hardening guidelines
  </Card>

  <Card title="Backend Configuration" href="/services/dns/backend-config" color="#197560">
    Configure `also_notifies` for AXFR consumer nameservers
  </Card>

  <Card title="Admin Troubleshooting" href="/services/dns/admin-troubleshooting" color="#197560">
    Diagnose zone transfer failures and key errors
  </Card>
</CardGroup>
