From owner-freebsd-stable@FreeBSD.ORG Tue Jul 17 08:53:08 2007
Return-Path: volker@vwsoft.com
Message-ID: <469C835B.6090304@vwsoft.com>
Date: Tue, 17 Jul 2007 10:52:43 +0200
From: Volker
User-Agent: Thunderbird 2.0.0.4 (X11/20070615)
To: "Heiko Wundram (Beenic)"
References: <200707162319.41724.lofi@freebsd.org> <200707170945.21903.wundram@beenic.net> <469C772B.2080307@vwsoft.com> <200707171005.37507.wundram@beenic.net>
In-Reply-To: <200707171005.37507.wundram@beenic.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: Problems with named default configuration in 6-STABLE
List-Id: Production branch of FreeBSD source code
On 07/17/07 10:05, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:00:43 Volker wrote:
>> hmm... the root servers should not allow public AXFR. As I've verified
>> using:
>>
>
> Just like you did:
>
> [modelnine@phoenix ~]$ dig -t AXFR @k.root-servers.net . | head -30
>
> ; <<>> DiG 9.3.4 <<>> -t AXFR @k.root-servers.net .
> ; (1 server found)
> ;; global options: printcmd
> .                       86400   IN      SOA     a.root-servers.net.
> nstld.verisign-grs.com. 2007071601 1800 900 604800 86400
> .                       518400  IN      NS      a.root-servers.net.
> .                       518400  IN      NS      b.root-servers.net.
> .                       518400  IN      NS      c.root-servers.net.
> .                       518400  IN      NS      d.root-servers.net.
> .                       518400  IN      NS      e.root-servers.net.
> .                       518400  IN      NS      f.root-servers.net.
> .                       518400  IN      NS      g.root-servers.net.
> .                       518400  IN      NS      h.root-servers.net.
> .                       518400  IN      NS      i.root-servers.net.
> .                       518400  IN      NS      j.root-servers.net.
> .                       518400  IN      NS      k.root-servers.net.
> .                       518400  IN      NS      l.root-servers.net.
> .                       518400  IN      NS      m.root-servers.net.
> ac.                     172800  IN      NS      a.nic.ac.
> ac.                     172800  IN      NS      a.ns13.net.
> ac.                     172800  IN      NS      b.nic.ac.
> ac.                     172800  IN      NS      b.nic.io.
> ac.                     172800  IN      NS      b.nic.sh.
> ac.                     172800  IN      NS      b.ns13.net.
> ac.                     172800  IN      NS      ns1.communitydns.net.
> ac.                     172800  IN      NS      ns3.icb.co.uk.
> a.nic.ac.               172800  IN      A       64.251.31.177
> b.nic.ac.               172800  IN      A       217.160.203.158
> ad.                     172800  IN      NS      ad.ns.nic.es.
> ad.                     172800  IN      NS      ns3.nic.fr.
> [modelnine@phoenix ~]$
>
> The head is necessary, as the output is far, far longer than that. As
> k.root-servers.net was one of the servers he put in as masters for the root
> zone, I should presume that his setup works fine.
>

Not every root server seems to be happy with transferring zone files:

%dig @a.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
; Transfer failed.

%dig @b.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
.                       86400   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
.                       518400  IN      NS      C.ROOT-SERVERS.NET.

b.root-servers.net transfers the zone, but a.root-servers.net refuses.

I remember some years back there was an attack against some root servers and
the conclusion was to deny zone transfers for them. I thought all root servers
were denying zone transfers generally, but some seem to still (or again) let
it pass.

The following servers are refusing zone transfers:

a d e h i j l m

Relying on a zone transfer doesn't seem to be reliable to me, as more than
half of the root servers don't reply to AXFR requests.

Volker
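A small check in the spirit of the dig probes in this mail, added here as an example and not part of the thread: it classifies dig's AXFR output offline (refused, transferred, or error) and, when run as `sh check-axfr.sh --probe` with dig(1) installed, tries all thirteen root servers so an operator can see how many configured masters would actually serve the zone before a named configuration depends on them. The function names, the +time=5 timeout and the sample outputs are my own choices, modelled on the a. and b. root-server output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify dig's AXFR output and,
# on request, probe every root server the way the mail does by hand.

# Read dig output from stdin and print one word:
#   refused      - dig printed its "; Transfer failed." marker
#   transferred  - an SOA record came back, i.e. the zone was served
#   error        - neither (timeout, no dig output, unexpected format)
axfr_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^;* *Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
        echo transferred
    else
        echo error
    fi
}

# Try AXFR of the root zone from each root server; print "server<TAB>status".
# Assumes dig(1) is installed; +time=5 (my choice) stops a dead server from
# stalling the whole run.
probe_root_axfr() {
    for l in a b c d e f g h i j k l m; do
        srv="$l.root-servers.net"
        status=$(dig +time=5 @"$srv" axfr . 2>/dev/null | axfr_status)
        printf '%s\t%s\n' "$srv" "$status"
    done
}

# Count summary lines (as printed by probe_root_axfr) whose status equals $1.
count_status() {
    awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Constructed samples modelled on the a. and b. root-server output in the mail.
SAMPLE_REFUSED='; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
; Transfer failed.'
SAMPLE_OK='; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
.  86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.  518400 IN NS A.ROOT-SERVERS.NET.'

# Live probe only on request, so the script runs offline by default.
if [ "${1:-}" = "--probe" ] && command -v dig >/dev/null 2>&1; then
    summary=$(probe_root_axfr)
    printf '%s\n' "$summary"
    printf 'refusing: %s of 13\n' "$(printf '%s\n' "$summary" | count_status refused)"
fi
```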