From owner-freebsd-questions@FreeBSD.ORG Thu Oct 25 17:23:18 2012
From: Damien Fleuriot
To: freebsd-questions@freebsd.org
Date: Thu, 25 Oct 2012 19:23:17 +0200
Subject: Re: BIND - slaving the root zone and signature expired
List-Id: User questions

On 25 October 2012 18:55, Damien Fleuriot wrote:
> On 25 October 2012 18:33, Warren Block wrote:
>> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>>
>>> Anyone else experienced this problem today?
>>>
>>> We slave the root zone and have received "signature expired" errors.
>>
>> Found this:
>>
>> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>>
>> which leads to this:
>>
>> http://in-addr-transition.icann.org/
>
> Hi Warren and thanks for your reply,
>
> I've dug around some more and identified the problem we've been having.
>
> Apparently, from a given netblock, we can't AXFR the "." and "arpa"
> zones anymore with F.ROOT-SERVERS.NET.
> We can from some other boxes.
> I suspect we might have been firewalled or something, although we
> don't query them very often, but that's beside the point.
>
> I've now transitioned all our PF boxes to slave from
> "xfr.lax.dns.icann.org" and "xfr.cjr.dns.icann.org" as per the
> documentation found in /etc/namedb/named.conf
>
> What bothers me is that the commented lines from named.conf say to use
> the ICANN XFR servers, while the actual commented configuration uses
> F.ROOT-SERVERS.NET
>
> See below a freshly SVNup'd copy on 10.0:
>
> % svn info named.conf
> Path: named.conf
> Name: named.conf
> Working Copy Root Path: /data/freebsd/src/head
> URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
> Repository Root: svn://svn.freebsd.org/base
> Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
> Revision: 242082
> Node Kind: file
> Schedule: normal
> Last Changed Author: uqs
> Last Changed Rev: 229783
> Last Changed Date: 2012-01-07 16:10:32 +0000 (Sat, 07 Jan 2012)
> Text Last Updated: 2012-09-01 11:43:31 +0000 (Sat, 01 Sep 2012)
> Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9
>
> I SVNup'd it just today, and yet:
>
> ===
> As documented at http://dns.icann.org/services/axfr/ these zones:
> "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
> are available for AXFR from these servers on IPv4 and IPv6:
> xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
> */
> /*
> zone "." {
>         type slave;
>         file "/etc/namedb/slave/root.slave";
>         masters {
>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>         };
>         notify no;
> };
> ===
>
> I'm going to file a PR with a small diff to use the ICANN's XFR
> servers instead of F.
>
> Thanks for your feedback regardless :)

If anyone cares to take it, filed as conf/173077
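The failure mode in this thread is a slaved, DNSSEC-signed zone whose transfers from the master stop succeeding: named keeps serving the last copy it got, and once the RRSIGs in that copy pass their expiration time validation fails with "signature expired". The script below is an added example (not code from the thread, from FreeBSD's named.conf, or from ICANN) that scans a slave zone file in BIND's text presentation format and reports signatures that have already expired, are not yet valid (clock skew), or will lapse within a warning window, so the stale copy is noticed before resolvers start failing. The sample zone and its signature data are constructed; the timestamps are chosen around the date of the thread.

```python
"""Check the RRSIGs in a slaved, DNSSEC-signed zone file for expiry.

Added example for this thread; it is not code from the FreeBSD named.conf or
from the mailing-list participants. It reads BIND's text (presentation) zone
format only. The sample zone below is constructed and its signature data are
dummies; the timestamps are chosen to match the thread's date.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample of a slaved root zone: one live SOA signature, one
# expired NS signature, and an arpa SOA signature about to lapse.
SAMPLE_ZONE = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2012102500 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20121101000000 20121024230000 19036 . ZHVtbXktc2lnbmF0dXJl
. 518400 IN NS a.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20121020000000 20121013000000 19036 . ZHVtbXktc2lnbmF0dXJl
arpa. 86400 IN RRSIG SOA 8 1 86400 20121026120000 20121019120000 12345 arpa. ZHVtbXktc2lnbmF0dXJl
"""

# The timestamp of the message above, used as "now" for the demonstration.
THREAD_TIME = datetime(2012, 10, 25, 17, 23, tzinfo=timezone.utc)


@dataclass
class RRSig:
    owner: str
    covered: str        # RR type this signature covers (SOA, NS, ...)
    inception: datetime
    expiration: datetime
    keytag: int
    signer: str


def _parse_sigtime(field: str) -> datetime:
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034, 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str) -> List[RRSig]:
    """Pull every RRSIG out of a text-format zone file, ignoring other RRs."""
    sigs: List[RRSig] = []
    for line in zone_text.splitlines():
        fields = line.split()
        # Locate the RRSIG token: TTL and class may be omitted in zone files,
        # so the type is not at a fixed column.
        try:
            i = fields.index("RRSIG")
        except ValueError:
            continue
        if i == 0 or len(fields) < i + 10:
            continue  # owner-less or truncated record; skip it
        sigs.append(RRSig(
            owner=fields[0],
            covered=fields[i + 1],
            expiration=_parse_sigtime(fields[i + 5]),
            inception=_parse_sigtime(fields[i + 6]),
            keytag=int(fields[i + 7]),
            signer=fields[i + 8],
        ))
    return sigs


def check_signatures(zone_text: str, now: datetime,
                     warn_window: timedelta = timedelta(days=3)) -> Dict[str, list]:
    """Classify signatures the way a validator judges them: expired
    (expiration <= now), not yet valid (inception > now, i.e. clock skew
    between signer and slave), or expiring inside warn_window."""
    report: Dict[str, list] = {"expired": [], "not_yet_valid": [], "expiring": []}
    for sig in parse_rrsigs(zone_text):
        if sig.expiration <= now:
            report["expired"].append(sig)
        elif sig.inception > now:
            report["not_yet_valid"].append(sig)
        elif sig.expiration <= now + warn_window:
            report["expiring"].append(sig)
    return report


def zone_is_healthy(zone_text: str, now: datetime) -> bool:
    """True only if no signature in the copy is already unusable."""
    r = check_signatures(zone_text, now)
    return not (r["expired"] or r["not_yet_valid"])


if __name__ == "__main__":
    for kind, sigs in check_signatures(SAMPLE_ZONE, THREAD_TIME).items():
        for s in sigs:
            print(f"{kind:14s} {s.owner:6s} {s.covered:4s} exp={s.expiration:%Y-%m-%d %H:%M}Z")
```

Run it against a real slave file with `now = datetime.now(timezone.utc)`. If named stores the slave copy in its raw format rather than text, convert it first with `named-compilezone -f raw -F text -o - . /etc/namedb/slave/root.slave` and feed the output to `check_signatures`. A copy that reports "expiring" signatures while the zone's SOA serial has not moved for days is the same symptom the thread describes: transfers from the configured master are no longer arriving.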