ixfr documentation

diff --git a/docs/markdown/authoritative/domainmetadata.md b/docs/markdown/authoritative/domainmetadata.md
index 234d938b789032b60f2b793518e904fdfdb6968c..5403fd3640be55294f8f5f1153e6a97d830bf02f 100644 (file)
--- a/docs/markdown/authoritative/domainmetadata.md
+++ b/docs/markdown/authoritative/domainmetadata.md
@@ -25,7 +25,7 @@ insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM
 To dissallow all IP's, except those explicitly allowed by domainmetadata records, add `allow-axfr-ips=` to `pdns.conf`.
 
 ## AXFR-SOURCE
-The IP address to use as a source address for sending AXFR requests.
+The IP address to use as a source address for sending AXFR and IXFR requests.
 
 ## ALLOW-DNSUPDATE-FROM, TSIG-ALLOW-DNSUPDATE, FORWARD-DNSUPDATE, SOA-EDIT-DNSUPDATE
 See the documentation on [Dynamic DNS update](dnsupdate.md)
@@ -45,6 +45,9 @@ Allow this GSS principal to perform AXFR retrieval. Most commonly it is
 ## GSS-ACCEPTOR-PRINCIPAL
 Use this principal for accepting GSS context. (See [GSS-TSIG support](tsig.md#gss-tsig-support)).
 
+## IXFR
+If set to 1, attempt IXFR when retrieving zone updates. Otherwise IXFR is not attempted.
+
 ## LUA-AXFR-SCRIPT
 Script to be used to edit incoming AXFRs, see [Modifying a slave zone using a script](modes-of-operation.md#modifying-a-slave-zone-using-a-script).
 

diff --git a/docs/markdown/authoritative/modes-of-operation.md b/docs/markdown/authoritative/modes-of-operation.md
index f2d13cc2bdd8f5da9d06275e2751d6ffc5aba0db..a38fca24a31bca85441fa05a3ddaa0e0dbde1b6c 100644 (file)
--- a/docs/markdown/authoritative/modes-of-operation.md
+++ b/docs/markdown/authoritative/modes-of-operation.md
@@ -85,7 +85,26 @@ PowerDNS supports multiple masters. For the BIND backend, the native BIND
 configuration language suffices to specify multiple masters, for SQL based backends,
 list all master servers separated by commas in the 'master' field of the domains table.
 
-Since version 4.0.0, PowerDNS requires that masters sign their notifications. During transition and interoperation with other nameservers, you can use options **allow-unsigned-notify** to permit unsigned notifications. For 4.0.0 this is turned off by default, but it might be turned on permanently in future releases.
+Since version 4.0.0, PowerDNS requires that masters sign their
+notifications.  During transition and interoperation with other nameservers,
+you can use options **allow-unsigned-notify** to permit unsigned
+notifications.  For 4.0.0 this is turned off by default, but it might be
+turned on permanently in future releases.
+
+## IXFR: incremental zone transfers
+If the 'IXFR' zone metadata item is set to 1 for a zone, PowerDNS will attempt to retrieve
+zone updates via IXFR. 
+
+As of 4.0.0, if a slave zone changes from non-DNSSEC to DNSSEC, an IXFR
+update will not set the PRESIGNED flag.  In addition, a change in NSEC3 mode
+will also not be picked up.  
+
+In such cases, make sure to delete the zone contents to force a fresh retrieval. 
+
+Finally, IXFR updates that "plug" Empty Non Terminals do not yet remove ENT
+records.  A 'pdnsutil rectify-zone' may be required.
+
+PowerDNS itself is currently only able to retrieve updates via IXFR. It can not serve IXFR updates.
 
 ## Supermaster: automatic provisioning of slaves
 PowerDNS can recognize so called 'supermasters'. A supermaster is a host which is