Date: Tue, 17 Jul 2007 10:52:43 +0200
From: Volker <volker@vwsoft.com>
To: "Heiko Wundram (Beenic)" <wundram@beenic.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: Problems with named default configuration in 6-STABLE
Message-ID: <469C835B.6090304@vwsoft.com>
In-Reply-To: <200707171005.37507.wundram@beenic.net>
References: <200707162319.41724.lofi@freebsd.org> <200707170945.21903.wundram@beenic.net> <469C772B.2080307@vwsoft.com> <200707171005.37507.wundram@beenic.net>

On 07/17/07 10:05, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:00:43 Volker wrote:
>> hmm... the root servers should not allow public AXFR. As I've verified
>> using:
>> <snip>
>
> Just like you did:
>
> [modelnine@phoenix ~]$ dig -t AXFR @k.root-servers.net . | head -30
>
> ; <<>> DiG 9.3.4 <<>> -t AXFR @k.root-servers.net .
> ; (1 server found)
> ;; global options: printcmd
> .                   86400   IN  SOA  a.root-servers.net.
> nstld.verisign-grs.com. 2007071601 1800 900 604800 86400
> .                   518400  IN  NS   a.root-servers.net.
> .                   518400  IN  NS   b.root-servers.net.
> .                   518400  IN  NS   c.root-servers.net.
> .                   518400  IN  NS   d.root-servers.net.
> .                   518400  IN  NS   e.root-servers.net.
> .                   518400  IN  NS   f.root-servers.net.
> .                   518400  IN  NS   g.root-servers.net.
> .                   518400  IN  NS   h.root-servers.net.
> .                   518400  IN  NS   i.root-servers.net.
> .                   518400  IN  NS   j.root-servers.net.
> .                   518400  IN  NS   k.root-servers.net.
> .                   518400  IN  NS   l.root-servers.net.
> .                   518400  IN  NS   m.root-servers.net.
> ac.                 172800  IN  NS   a.nic.ac.
> ac.                 172800  IN  NS   a.ns13.net.
> ac.                 172800  IN  NS   b.nic.ac.
> ac.                 172800  IN  NS   b.nic.io.
> ac.                 172800  IN  NS   b.nic.sh.
> ac.                 172800  IN  NS   b.ns13.net.
> ac.                 172800  IN  NS   ns1.communitydns.net.
> ac.                 172800  IN  NS   ns3.icb.co.uk.
> a.nic.ac.           172800  IN  A    64.251.31.177
> b.nic.ac.           172800  IN  A    217.160.203.158
> ad.                 172800  IN  NS   ad.ns.nic.es.
> ad.                 172800  IN  NS   ns3.nic.fr.
> [modelnine@phoenix ~]$
>
> The head is necessary, as the output is far, far longer than that. As
> k.root-servers.net was one of the servers he put in as masters for the root
> zone, I should presume that his setup works fine.
>

Not every root server seems to be happy with transferring zone files:

%dig @a.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
; Transfer failed.

%dig @b.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
.                   86400    IN  SOA  A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.                   518400   IN  NS   A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000  IN  A    198.41.0.4
.                   518400   IN  NS   B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000  IN  A    192.228.79.201
.                   518400   IN  NS   C.ROOT-SERVERS.NET.

b.root-servers.net transfers the zone, but a.root-servers.net refuses.

I remember some years back there was an attack against some root
servers and the conclusion was to deny zone transfers for them. I
thought all root servers are denying zone transfers generally but some
seem to still (or again) let it pass.

The following servers are refusing zone transfers:
a d e h i j l m

Relying on a zone transfer doesn't seem to be reliable to me as more
than half of the root servers don't reply to AXFR requests.

Volker
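
Added example, not part of the original message: a shell function that classifies saved `dig ... axfr` output as refused, incomplete or complete, using the fact that a full AXFR answer begins and ends with the zone's SOA record (which output piped through `head` never shows). The function name, the sample functions and the `example.` zone data are constructed for illustration; the format follows the dig output quoted above.

```sh
# Classify `dig @server axfr zone` output read on stdin (added example).
# refused: dig printed "; Transfer failed."   empty: no records at all
# complete serial=N: first and last records are SOA with the same serial
# incomplete: records seen but no closing SOA (cut off, e.g. by `head`)
axfr_status() {
    awk '
        /^; Transfer failed/ { failed = 1; next }
        /^;/ || NF == 0      { next }    # skip comments and blank lines
        {
            n++
            if (n == 1) { first_type = $4; first_serial = $7 }
            last_type = $4; last_serial = $7
        }
        END {
            if (failed)      print "refused"
            else if (n == 0) print "empty"
            else if (n > 1 && first_type == "SOA" && last_type == "SOA" &&
                     first_serial == last_serial)
                print "complete serial=" first_serial
            else             print "incomplete"
        }'
}

# Constructed samples, modelled on the dig output quoted in the message.
sample_refused() { cat <<'EOF'
; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
; Transfer failed.
EOF
}
sample_truncated() { cat <<'EOF'
;; global options: printcmd
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2007071601 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
ac. 172800 IN NS a.nic.ac.
EOF
}
sample_complete() { cat <<'EOF'
example. 86400 IN SOA ns1.example. hostmaster.example. 2007071601 1800 900 604800 86400
example. 86400 IN NS ns1.example.
ns1.example. 86400 IN A 192.0.2.53
example. 86400 IN SOA ns1.example. hostmaster.example. 2007071601 1800 900 604800 86400
EOF
}
for s in sample_refused sample_truncated sample_complete; do
    printf '%s: %s\n' "$s" "$($s | axfr_status)"
done
```

Against a live server the function reads dig's output directly from a pipe, without `head`, so that the closing SOA is present when the transfer succeeds.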