On 28.10.18 at 15:58, Anand Buddhdev wrote:

> However, one should not rely on zone transfers being available all the
> time, and in the case of your configuration, with just one server for
> in-addr.arpa and ip6.arpa, it's fragile.

You are right.

https://mailarchive.ietf.org/arch/msg/dnsop/MbsFCR_nZPUvAutn0C5ouwz_M7c mentions
ICANN as an alternative.

(At least for me) it's possible to fetch in-addr.arpa and ip6.arpa
from both servers lax.xfr.dns.icann.org and iad.xfr.dns.icann.org
via IPv4 and IPv6.
As Paul Vixie pointed out, it's wise to separate production and AXFR service.

An updated unbound configuration file may now look like this:

auth-zone:
        name: "."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/root"

auth-zone:
        name: "arpa."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/arpa"

# https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html
# and https://www.dns.icann.org/services/axfr/
auth-zone:
        name: "in-addr.arpa."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/in-addr.arpa"

auth-zone:
        name: "ip6.arpa."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/ip6.arpa"

Andreas
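
A lint for the concern raised in this thread, that a zone with a single transfer server is fragile: it parses auth-zone clauses and flags any zone with fewer than two distinct master/primary entries or without fallback-enabled: yes. This is an added example, not part of the original message or of Unbound; the function names, the two-source threshold and the sample input are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample: first zone as in the message, second a made-up fragile one.
SAMPLE = """
auth-zone:
        name: "in-addr.arpa."
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.

# constructed zone: one master, fallback left at its default
auth-zone:
        name: "example.arpa."
        master: xfr.example.net.
"""

def parse_auth_zones(text):
    """Return one dict per auth-zone clause, mapping option -> list of values."""
    zones, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()   # drop comments
        m = re.match(r"([A-Za-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if not value:                     # clause header such as "auth-zone:"
            current = defaultdict(list) if key == "auth-zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None:
            current[key].append(value)
    return zones

def lint(zones, min_sources=2):
    """Flag zones without redundant transfer sources or resolver fallback."""
    findings = []
    for z in zones:
        name = z.get("name", ["<unnamed>"])[0]
        # "primary" is the newer spelling of "master" in unbound.conf
        sources = set(z.get("master", []) + z.get("primary", []))
        if len(sources) < min_sources:
            findings.append((name, f"only {len(sources)} transfer source(s)"))
        # fallback-enabled defaults to "no" when the option is absent
        if z.get("fallback-enabled", ["no"])[-1] != "yes":
            findings.append((name, "fallback-enabled is not yes"))
    return findings

if __name__ == "__main__":
    print(lint(parse_auth_zones(SAMPLE)))
```

To check a real file, pass its contents to parse_auth_zones() instead of SAMPLE; the configuration above produces no findings.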
