Re: Unable to slave root zones

2017-04-07 Thread Michael Sinatra

On 04/07/17 09:21, Tony Finch wrote:

> Mark Knight wrote:
>
>> I've just noticed (after the slave zones expired), that the root name servers
>> have been refusing my zone transfer requests since the end of March.
>
> This is because Cloudflare are now helping isc.org to host
> f.root-servers.net, and the Cloudflare instances don't allow zone
> transfers.
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2017-March/016150.html
>
> I have switched to transferring the root zone from k.root-servers.net.


ICANN has "sanctioned" servers for doing root zone transfers that are 
separate from the root DNS servers.  See:


http://www.dns.icann.org/services/axfr/

It's probably better to use the servers listed there (although they do 
appear to be US-centric), to avoid having to deal with changes akin to 
f-root.



michael
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Unable to slave root zones

2017-04-07 Thread Tony Finch
Mark Knight  wrote:

> I've just noticed (after the slave zones expired), that the root name servers
> have been refusing my zone transfer requests since the end of March.

This is because Cloudflare are now helping isc.org to host
f.root-servers.net, and the Cloudflare instances don't allow zone
transfers.

https://lists.dns-oarc.net/pipermail/dns-operations/2017-March/016150.html

I have switched to transferring the root zone from k.root-servers.net.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
South Utsire: Northwesterly 5 or 6, occasionally 7 at first in southeast,
backing westerly 4 or 5. Slight or moderate, occasionally rough at first in
southeast. Occasional drizzle, fog patches. Moderate or good, occasionally
very poor.


Re: Unable to slave root zones

2017-04-07 Thread Sam Wilson

On 2017-04-07 15:26:57 +, Matus UHLAR - fantomas said:

> On 07.04.17 07:36, Mark Knight wrote:
>> I've just noticed (after the slave zones expired), that the root name
>> servers have been refusing my zone transfer requests since the end of
>> March.
>>
>> My config is per the standard named.conf example, e.g.:
>>
>> zone "." {
>>     type slave;
>>     file "/usr/local/etc/namedb/slave/root.slave";
>>     masters {
>>         192.5.5.241;  // F.ROOT-SERVERS.NET.
>>     };
>>     allow-query { localnets; };
>>     notify no;
>> };
>
> 1. are you sure you need to slave the root? most clients don't...
>
> 2. there are ~13 servers for root zone. did you check on more of them?

$ for ns in a b c d e f g h i j k l m ; do echo $ns: ; dig . axfr @$ns.root-servers.net | wc ; done

a:
  4  15  96
b:
  22529  169284 2231035
c:
  22529  169284 2231028
d:
  4  15  96
e:
  4  15  96
f:
  4  15  96
g:
  22529  169284 2231030
h:
  4  15  96
i:
  4  15  96
j:
  4  15  96
k:
  22529  169284 2231030
l:
  4  15  96
m:
  4  15  96

IPv4 only; 4 lines is a REFUSED.

Sam

--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



Re: Unable to slave root zones

2017-04-07 Thread Matus UHLAR - fantomas

On 07.04.17 07:36, Mark Knight wrote:
> I've just noticed (after the slave zones expired), that the root name
> servers have been refusing my zone transfer requests since the end of
> March.
>
> My config is per the standard named.conf example, e.g.:
>
> zone "." {
>     type slave;
>     file "/usr/local/etc/namedb/slave/root.slave";
>     masters {
>         192.5.5.241;  // F.ROOT-SERVERS.NET.
>     };
>     allow-query { localnets; };
>     notify no;
> };

1. are you sure you need to slave the root? most clients don't...

2. there are ~13 servers for root zone. did you check on more of them?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


Re: Unable to slave root zones

2017-04-07 Thread Thomas Leuxner
* Mark Knight  2017.04.07 16:36:

> masters {
> 192.5.5.241;// F.ROOT-SERVERS.NET.
> };

Hi Mark,

I had the same issue basically. Tracing the zone transfers with dig it turned 
out they worked for IPv6, but no longer work for IPv4.
So I ended up with this:

masters { 2001:500:2f::f; }; // @f.root-servers.net

Regards
Thomas



Unable to slave root zones

2017-04-07 Thread Mark Knight
I've just noticed (after the slave zones expired), that the root name 
servers have been refusing my zone transfer requests since the end of March.


My config is per the standard named.conf example, e.g.:

zone "." {
    type slave;
    file "/usr/local/etc/namedb/slave/root.slave";
    masters {
        192.5.5.241;  // F.ROOT-SERVERS.NET.
    };
    allow-query { localnets; };
    notify no;
};

Apr  7 00:06:29 steamer named[25909]: transfer of './IN' from 192.5.5.241#53: Transfer status: REFUSED
Apr  7 13:21:20 steamer named[550]: transfer of 'arpa/IN' from 192.5.5.241#53: Transfer status: REFUSED


I cannot find any announcement that this is now disallowed, any ideas 
what's changed or how I should do this?


Thanks, Mark
--
Mark Knight
Mobile: +44 7753 250584.  http://www.knigma.org/
Email: ma...@knigma.org.  Skype: knigma
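
A log check for the failure described in this thread, where the refusals were only noticed after the slave zones had expired. This is an added example, not code from any poster or from BIND; the function names are hypothetical, and the sample lines are constructed in the syslog format quoted above (the "success" line is an assumed non-refused entry).

```shell
#!/bin/sh
# Added example: report zone transfers that named logged as REFUSED, so a
# refusing master is noticed before the slave zone expires.

# Print "zone master count" for each refused (zone, master) pair on stdin.
refused_transfers() {
    awk -v q="'" '
        $NF == "REFUSED" && $(NF - 1) == "status:" {
            for (i = 1; i <= NF - 4; i++)
                if ($i == "transfer" && $(i + 1) == "of" && $(i + 3) == "from") {
                    zone = $(i + 2); master = $(i + 4)
                    gsub(q, "", zone)              # strip quotes around the zone
                    sub(/#[0-9]+:$/, "", master)   # drop "#port:" (IPv6 safe)
                    count[zone " " master]++
                }
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Monitoring wrapper: prints the report and returns 1 if anything was refused.
check_transfers() {
    report=$(refused_transfers)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample in the syslog format quoted in the post; the "success"
# line is an assumed example of a transfer that was not refused.
sample_log() {
    cat <<'EOF'
Apr  7 00:06:29 steamer named[25909]: transfer of './IN' from 192.5.5.241#53: Transfer status: REFUSED
Apr  7 06:06:31 steamer named[25909]: transfer of './IN' from 192.5.5.241#53: Transfer status: REFUSED
Apr  7 13:21:20 steamer named[550]: transfer of 'arpa/IN' from 192.5.5.241#53: Transfer status: REFUSED
Apr  7 13:40:02 steamer named[550]: transfer of './IN' from 2001:500:2f::f#53: Transfer status: success
EOF
}

sample_log | refused_transfers
```

Run from cron or a monitoring agent as `check_transfers < /var/log/messages` (log path is an assumption); a non-zero exit means at least one master is refusing transfers.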