Joe Abley, then Peter Koch say:

> > I also don't know of any formal undertaking by any of the current
> > "real" root nameserver operators to leave un-authenticated [AI]XFR
> > access to their servers for the root zone open, so there's the
> > operational issue of needing to verify regularly that transfers to
> > the stealth slave are succeeding.
>
> Quote from RFC 2780:
>
>    2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>        queries from clients other than other root servers. This
>        restriction is intended to, among other things, prevent
>        unnecessary load on the root servers as advice has been heard
>        such as "To avoid having a corruptible cache, make your server a
>        stealth secondary for the root zone." The root servers MAY put
>        the root zone up for ftp or other access on one or more less
>        critical servers.

singing...

$ dig . axfr @f.root-servers.net

; <<>> DiG 9.2.2 <<>> . axfr @f.root-servers.net
;; global options: printcmd
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007021000 1800 900 604800 86400
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
AC. 172800 IN NS A.NIC.AC.
AC. 172800 IN NS B.NIC.AC.
AC. 172800 IN NS B.NIC.IO.
AC. 172800 IN NS B.NIC.SH.
AC. 172800 IN NS NS2.JP.IO.
AC. 172800 IN NS NS2.UUCP.NE.JP.
AC. 172800 IN NS NS3.ICB.CO.UK.
A.NIC.AC. 172800 IN A 64.251.31.177
B.NIC.AC. 172800 IN A 217.160.203.158
AD. 172800 IN NS NS3.NIC.FR.
AD. 172800 IN NS DNS2.AD.
...
ZW. 172800 IN NS NS-ZW.RIPE.NET.
ZW. 172800 IN NS NEWS-TOKYO.GIP.NET.
NS1.TELONE.CO.ZW. 172800 IN A 194.133.122.47
NS2.TELONE.CO.ZW. 172800 IN A 194.133.122.42
. 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007021000 1800 900 604800 86400
;; Query time: 2179 msec
;; SERVER: 192.5.5.241#53(f.root-servers.net)
;; WHEN: Sat Feb 10 10:52:37 2007
;; XFR size: 2481 records

for example.

--bill
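
The operational point quoted above, regularly verifying that transfers to the stealth slave succeed, can be checked against a saved dig transcript. The following is an added example, not part of the original message: the function names and the `min_serial` parameter are assumptions, and the sample input is constructed in the record layout shown in the dig output.

```python
# Added example: checks a saved `dig <zone> axfr @server` transcript.
# SAMPLE is constructed (abbreviated) in the record layout dig prints.
SOA = ". 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007021000 1800 900 604800 86400"
SAMPLE = "\n".join([
    "; <<>> DiG 9.2.2 <<>> . axfr @f.root-servers.net",
    SOA,
    ". 518400 IN NS A.ROOT-SERVERS.NET.",
    "AC. 172800 IN NS A.NIC.AC.",
    SOA,
    ";; XFR size: 4 records",
])


def parse_records(text):
    """Return (owner, type, rdata_fields) per record line; skip ';' comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        records.append((fields[0].upper(), fields[3].upper(), fields[4:]))
    return records


def check_axfr(text, zone=".", min_serial=None):
    """Return (ok, reason). A complete AXFR starts and ends with the same SOA."""
    recs = parse_records(text)
    if not recs:
        return False, "no records: transfer refused or failed"
    first, last = recs[0], recs[-1]
    if first[:2] != (zone, "SOA"):
        return False, "first record is not the zone SOA"
    if len(recs) < 2 or last[:2] != (zone, "SOA"):
        return False, "truncated: no closing SOA"
    if first[2] != last[2]:
        return False, "opening and closing SOA differ"
    # SOA rdata order: mname rname serial refresh retry expire minimum
    serial = int(first[2][2])
    # Plain integer comparison is an assumption that suits date-style
    # serials; it is not RFC 1982 serial arithmetic.
    if min_serial is not None and serial < min_serial:
        return False, f"stale: serial {serial} < {min_serial}"
    return True, f"ok: serial {serial}, {len(recs)} records"


if __name__ == "__main__":
    print(check_axfr(SAMPLE))
    print(check_axfr("; Transfer failed."))  # constructed: no record lines
```

Run from cron against each scheduled transfer's output, a False result is the signal that the upstream has stopped answering AXFR or that the local copy has gone stale.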
