Date: Thu, 25 Oct 2012 18:55:40 +0200
From: Damien Fleuriot <ml@my.gd>
To: Warren Block <wblock@wonkity.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: BIND - slaving the root zone and signature expired
Message-ID: <CAE63ME536MqdOFC0jtf0=OwDG623G%2BoQ0=Th18pEXWAr4BwDbg@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1210250953240.48747@wonkity.com>
References: <CAE63ME7w8VBXS=zU42Mr0dOWxhttDm56KG-Wbbr5x03w-B_kVg@mail.gmail.com> <alpine.BSF.2.00.1210250953240.48747@wonkity.com>
On 25 October 2012 18:33, Warren Block <wblock@wonkity.com> wrote:
> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>
>> Anyone else experienced this problem today?
>>
>> We slave the root zone and have received "signature expired" errors.
>
>
> Found this:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>
> which leads to this:
>
> http://in-addr-transition.icann.org/

Hi Warren and thanks for your reply,

I've dug around some more and identified the problem we've been having.

Apparently, from a given netblock, we can't AXFR the "." and "arpa" zones anymore with F.ROOT-SERVERS.NET.
We can from some other boxes.

I suspect we might have been firewalled or something, although we don't query them very often, but that's beside the point.

I've now transitioned all our PF boxes to slave from "xfr.lax.dns.icann.org" and "xfr.cjr.dns.icann.org" as per the documentation found in /etc/namedb/named.conf

What bothers me is that the commented lines from named.conf say to use the ICANN XFR servers, while the actual commented configuration uses F.ROOT-SERVERS.NET

See below a freshly SVNup'd copy on 10.0:

% svn info named.conf
Path: named.conf
Name: named.conf
Working Copy Root Path: /data/freebsd/src/head
URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
Repository Root: svn://svn.freebsd.org/base
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 242082
Node Kind: file
Schedule: normal
Last Changed Author: uqs
Last Changed Rev: 229783
Last Changed Date: 2012-01-07 16:10:32 +0000 (Sat, 07 Jan 2012)
Text Last Updated: 2012-09-01 11:43:31 +0000 (Sat, 01 Sep 2012)
Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9

I SVNup'd it just today, and yet:

===
/*	As documented at http://dns.icann.org/services/axfr/ these zones:
	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
	are available for AXFR from these servers on IPv4 and IPv6:
	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
*/
===

I'm going to file a PR with a small diff to use ICANN's XFR servers instead of F.

Thanks for your feedback regardless :)
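Added example, not part of the original post: a check that flags expired or soon-expiring RRSIG records in a slaved, DNSSEC-signed zone file, so a slave that has silently stopped refreshing (as happened here when AXFR from F stopped working) is noticed before resolvers start returning "signature expired". The zone lines, key tag and signature field are constructed placeholders, not real root-zone data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the presentation format of a slaved zone file such as
# /etc/namedb/slave/root.slave; the signature field is a dummy placeholder.
SAMPLE_ZONE = """\
.      172800 IN RRSIG NS  8 0 172800 20121103000000 20121024000000 46033 . c2lnbmF0dXJlZGF0YQ==
.      86400  IN RRSIG SOA 8 0 86400  20121026000000 20121019000000 46033 . c2lnbmF0dXJlZGF0YQ==
arpa.  86400  IN RRSIG NS  8 1 86400  20121020000000 20121013000000 46033 . c2lnbmF0dXJlZGF0YQ==
"""

def _ts(value):
    """Parse an RRSIG-style YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Return (owner, type covered, expiration, inception) for one RRSIG
    record in presentation format, or None for any other line."""
    fields = line.split()
    # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
    if len(fields) < 13 or fields[3] != "RRSIG":
        return None
    return fields[0], fields[4], _ts(fields[8]), _ts(fields[9])

def check_signatures(zone_text, now=None, warn_before=timedelta(days=3)):
    """Classify each RRSIG in zone_text relative to `now` (YYYYMMDDHHMMSS
    string, default: current UTC time) as 'expired', 'not_yet_valid',
    'expiring' (less than warn_before left) or 'ok'.
    Returns [(owner, type_covered, status), ...] in zone order."""
    current = _ts(now) if now else datetime.now(timezone.utc)
    results = []
    for line in zone_text.splitlines():
        parsed = parse_rrsig(line)
        if parsed is None:
            continue
        owner, type_covered, expiration, inception = parsed
        if current >= expiration:
            status = "expired"          # validators will reject this RRset
        elif current < inception:
            status = "not_yet_valid"    # usually a clock problem
        elif expiration - current <= warn_before:
            status = "expiring"         # slave is not refreshing in time
        else:
            status = "ok"
        results.append((owner, type_covered, status))
    return results

if __name__ == "__main__":
    for owner, rtype, status in check_signatures(SAMPLE_ZONE):
        print(f"{owner:6} {rtype:4} {status}")
```

Run it against the real slave file from cron and alert on anything other than "ok"; in a healthy setup the root zone's signatures are refreshed well before their expiration.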