[EMAIL PROTECTED] wrote:
> Joe Abley, then Peter Koch say:
>
>>> I also don't know of any formal undertaking by any of the current
>>> "real" root nameserver operators to leave un-authenticated [AI]XFR
>>> access to their servers for the root zone open, so there's the
>>> operational issue of needing to verify regularly that transfers to
>>> the stealth slave are succeeding.
>> Quote from RFC 2780:
>>
>> 2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>>     queries from clients other than other root servers. This
>>     restriction is intended to, among other things, prevent
>>     unnecessary load on the root servers as advice has been heard
>>     such as "To avoid having a corruptible cache, make your server a
>>     stealth secondary for the root zone." The root servers MAY put
>>     the root zone up for ftp or other access on one or more less
>>     critical servers.
>
> singing...
>
> $ dig . axfr @f.root-servers.net
<snip/>
> for example.

I think this recommendation in RFC 2780 is a bad one. B, C, F, G, and K
all allow AXFR and have not had problems with it AFAIK.

--
Shane

_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop
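Added example, not part of the original message: one way to do the regular check the quoted text calls for, by testing that a captured `dig . axfr` output is a complete transfer (an AXFR begins and ends with the same SOA record). The function name and the sample zone data are constructed for illustration.

```python
# Constructed sample of `dig . axfr @server` output (not real root zone data).
SAMPLE_OK = """\
; constructed sample transfer
.    86400  IN SOA a.root-servers.net. nstld.verisign-grs.com. 2007021000 1800 900 604800 86400
.    518400 IN NS  a.root-servers.net.
com. 172800 IN NS  a.gtld-servers.net.
.    86400  IN SOA a.root-servers.net. nstld.verisign-grs.com. 2007021000 1800 900 604800 86400
;; XFR size: 4 records
"""
# Same capture with the closing SOA missing, as after a dropped connection.
SAMPLE_TRUNCATED = "\n".join(SAMPLE_OK.splitlines()[:-2])
# What dig prints when the server does not allow the transfer.
SAMPLE_REFUSED = "; Transfer failed.\n"


def check_axfr(dig_output):
    """Return (ok, serial, reason) for one captured transfer."""
    if "Transfer failed" in dig_output:
        return (False, None, "server refused or aborted the transfer")
    # Keep resource records only; dig comments start with ';'.
    records = [ln.split() for ln in dig_output.splitlines()
               if ln.strip() and not ln.lstrip().startswith(";")]
    if len(records) < 2:
        return (False, None, "no zone data received")
    first, last = records[0], records[-1]
    # SOA line: name ttl class type mname rname serial refresh retry expire min
    for rr in (first, last):
        if len(rr) < 11 or rr[3].upper() != "SOA":
            return (False, None, "not bracketed by SOA records (truncated?)")
    if first[6] != last[6]:
        return (False, None, "SOA serial differs between start and end")
    return (True, int(first[6]), "complete")


if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED),
                       ("refused", SAMPLE_REFUSED)]:
        print(name, check_axfr(text))
```

Run from cron against the slave's upstream, a failing result or a serial that stops advancing is the signal that the operator has closed AXFR or the transfer path has broken.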
