Skip to content

AXFR out of HexDNS

HexDNS allows you to setup a secondary server (sometimes called a slave server) to AXFR (zone transfer) from HexDNS as the primary.

Point your secondary server at to receive the zone transfer.

You'll need to setup either a TSIG key or an IP based ACL within HexDNS to allow this.


If you're using a TSIG key you don't also need to setup an IP ACL. HexDNS will accept AXFR requests from any IP if the TSIG key is valid.


We don't support IXFR (incremental zone transfers), only AXFR.

TSIG key algorithms

We support the following TSIG key algorithms:

  • HMAC SHA-224
  • HMAC SHA-256
  • HMAC SHA-384
  • HMAC SHA-512
  • HMAC SHA-512/256


At the moment HexDNS won't sign NOTIFY messages with a TSIG key.

NOTIFY messages will come from one of the following addresses:

  • 2001:678:fc8:2::10/125


If your servers support IPv6 we won't make any attempt to connect over IPv4. You'll therefore only need to allow the small /125 IPv6 range through your ACL.

Last update: July 5, 2023