Allow transfer zone [DNS Service]

I'd like to know what does "Allow Transfer Zone option" means in the created zone of a DNS service?

It allows another DNS server to transfer the zone information that your DNS server is authoritative for. Normally this would be allowed only for master/slave servers within your organization. Usually the ' allow-transfer { addressmatchlist };' option is accompanied by a list of IP numbers of the master/slave servers that you wish to transfer zone information to. The ' addressmatchlist', in the option, is a comma separated list of dotted quad IP numbers for the allowed servers. Zone transfers are usually controlled with a cryptographic secret to authorize the transfer and prevent servers from 'spoofing' their identity as a trusted host. No key == no zone transfer.

Is it good or bad?

Its primary purpose is to speed up the resolution of DNS requests for other DNS servers that would be querying your zone on a regular basis for name resolution. If you have a number of internal DNS servers that need to resolve hosts in your organization you would normally allow zone transfers to those servers by adding their IP numbers to the ' addressmatchlist' portion of the option. This would reduce lookup times for hosts that query those DNS servers. So, yes, it is a good thing.

Zone transfers from your own secondary DNS servers, seeking to synchronize with the primary DNS server? Good. Zone transfers from other DNS servers outside your control or from attackers? Not so good. The former helps your DNS servers stay synchronized. The latter avoids exposing most information about your network than you might otherwise wish.

If you choose to edit the configuration files for your DNS by hand, stop the DNS service first before doing so.

Open /etc/named.conf in a plaintext editor like 'TextWrangler'. Add the line under the 'options' section like this:

options {
include "/etc/dns/options.conf.apple";
allow-transfer { 123.45.67.89,123.45.67.98 };
};

where '123.45.67.89' and '123.45.67.98' are the IP numbers of your slave or secondary DNS servers.

Okay, perfect, but ... when I add that line to /etc/named.conf file, must I disabled "Allow Zone Transfer" of a zone in the Server Admin?

Yes. you will have to uncheck that in Server Admin because SA will put that option into the file /private/etc/dns/options.conf.apple which might result in conflicting information.