Date:      Thu, 25 Oct 2012 19:23:17 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        freebsd-questions@freebsd.org
Subject:   Re: BIND - slaving the root zone and signature expired
Message-ID:  <CAE63ME6pKWvs6ctWZP7xQ6KoU=cVxBw+Qtt9jHzo4Fh5ocrbOg@mail.gmail.com>
In-Reply-To: <CAE63ME536MqdOFC0jtf0=OwDG623G+oQ0=Th18pEXWAr4BwDbg@mail.gmail.com>
References:  <CAE63ME7w8VBXS=zU42Mr0dOWxhttDm56KG-Wbbr5x03w-B_kVg@mail.gmail.com> <alpine.BSF.2.00.1210250953240.48747@wonkity.com> <CAE63ME536MqdOFC0jtf0=OwDG623G+oQ0=Th18pEXWAr4BwDbg@mail.gmail.com>

On 25 October 2012 18:55, Damien Fleuriot <ml@my.gd> wrote:
> On 25 October 2012 18:33, Warren Block <wblock@wonkity.com> wrote:
>> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>>
>>> Anyone else experienced this problem today ?
>>>
>>> We slave the root zone and have received "signature expired" errors.
>>
>>
>> Found this:
>>
>> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>>
>> which leads to this:
>>
>> http://in-addr-transition.icann.org/
>
> Hi Warren and thanks for your reply,
>
> I've dug around some more and identified the problem we've been having.
>
> Apparently, from a given netblock, we can't AXFR the "." and "arpa"
> zones anymore with F.ROOT-SERVERS.NET.
> We can from some other boxes.
> I suspect we might have been firewalled or something, although we
> don't query them very often, but that's beside the point.
>
> I've now transitioned all our PF boxes to slave from
> "xfr.lax.dns.icann.org" and "xfr.cjr.dns.icann.org" as per the
> documentation found in /etc/namedb/named.conf
>
> What bothers me is that the commented lines from named.conf say to use
> the ICANN XFR servers, while the actual commented configuration uses
> F.ROOT-SERVERS.NET.
>
> See below a freshly SVNup'd copy on 10.0:
>
> % svn info named.conf
> Path: named.conf
> Name: named.conf
> Working Copy Root Path: /data/freebsd/src/head
> URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
> Repository Root: svn://svn.freebsd.org/base
> Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
> Revision: 242082
> Node Kind: file
> Schedule: normal
> Last Changed Author: uqs
> Last Changed Rev: 229783
> Last Changed Date: 2012-01-07 16:10:32 +0000 (Sat, 07 Jan 2012)
> Text Last Updated: 2012-09-01 11:43:31 +0000 (Sat, 01 Sep 2012)
> Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9
>
> I SVNup'd it just today, and yet:
>
> ===
>         As documented at http://dns.icann.org/services/axfr/ these zones:
>         "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
>         are available for AXFR from these servers on IPv4 and IPv6:
>         xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
> */
> /*
> zone "." {
>         type slave;
>         file "/etc/namedb/slave/root.slave";
>         masters {
>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>         };
>         notify no;
> };
> ===
>
> I'm going to file a PR with a small diff to use the ICANN's XFR
> servers instead of F.
>
> Thanks for your feedback regardless :)


If anyone cares to take it, filed as conf/173077
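The failure mode in this thread is worth being able to spot before BIND logs it: a slave that can no longer AXFR from its master keeps serving its last copy of the zone, and once the RRSIGs in that copy pass their expiration time, validating resolvers reject the answers as "signature expired". The script below is an added example, not code from this thread, from FreeBSD or from ISC; it scans a zone file in BIND's text dump format (such as /etc/namedb/slave/root.slave from the config quoted above) and reports which signatures are expired, about to expire, or not yet valid. The zone excerpt, key tags and signature blobs embedded in it are constructed for the demonstration, and the sample "now" is the timestamp of this message converted to UTC.

```python
"""Spot a stale slaved zone before resolvers report "signature expired".

Added example, not code from the thread, FreeBSD or ISC. The zone excerpt,
key tags and signature blobs below are constructed for the demonstration.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# owner ttl [class] RRSIG covered alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S.*)$"
)

# Constructed excerpt in the style of a BIND slave dump: the second record
# inherits its owner name from the first, the third is split with ( ).
# Key tags and signatures are made up; timestamps sit around the thread's date.
SAMPLE_ZONE = """\
; constructed excerpt, not real root-zone data
$ORIGIN .
.\t86400\tIN\tRRSIG\tSOA 8 0 86400 20121025000000 20121015000000 11111 . aGVsbG8=
\t\t172800\tRRSIG\tNS 8 0 172800 20121104000000 20121025000000 11111 . d29ybGQ=
arpa.\t86400\tIN\tRRSIG\tNS 8 1 86400 (
\t\t20121026120000 20121016120000 22222 arpa. Zm9v
\t\tYmFy )
"""

# Thu, 25 Oct 2012 19:23:17 +0200 (this message's Date header), in UTC.
SAMPLE_NOW = datetime(2012, 10, 25, 17, 23, 17, tzinfo=timezone.utc)


def _logical_lines(text):
    """Yield zone records with ';' comments stripped, '(...)' continuations
    joined, and an omitted owner name filled in from the previous record."""
    buf, depth, owner = [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # base64 never contains ';'
        if depth == 0 and line[:1].isspace() and line.strip() and owner:
            line = owner + " " + line            # BIND omits a repeated owner
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            fields = " ".join(buf).split()
            if fields:
                if not fields[0].startswith("$"):   # skip $ORIGIN/$TTL directives
                    owner = fields[0]
                yield " ".join(fields)
            buf, depth = [], 0


def _ts(stamp):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp; RRSIG times are always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG record found in the zone text."""
    sigs = []
    for line in _logical_lines(text):
        m = RRSIG_RE.match(line)
        if m is None:
            continue                             # NS, DS, SOA, directives, ...
        sigs.append({"owner": m["owner"], "covered": m["covered"],
                     "keytag": int(m["keytag"]), "signer": m["signer"],
                     "inception": _ts(m["inception"]),
                     "expiration": _ts(m["expiration"])})
    return sigs


def signature_status(text, now, margin=timedelta(days=1)):
    """Classify every RRSIG against `now` using RFC 4035's inclusive window:
    valid iff inception <= now <= expiration."""
    sigs = parse_rrsigs(text)
    expired = [s for s in sigs if s["expiration"] < now]
    return {
        "count": len(sigs),
        "expired": expired,
        "expiring_soon": [s for s in sigs
                          if s not in expired and s["expiration"] <= now + margin],
        "not_yet_valid": [s for s in sigs if s["inception"] > now],   # clock skew?
        "earliest": min((s["expiration"] for s in sigs), default=None),
    }


def check_sample():
    """Run the check over the constructed excerpt at the thread's timestamp."""
    return signature_status(SAMPLE_ZONE, SAMPLE_NOW)


def report(status):
    lines = ["%d RRSIG records checked" % status["count"]]
    for tag, key in (("EXPIRED ", "expired"), ("WARNING ", "expiring_soon"),
                     ("CLOCK?  ", "not_yet_valid")):
        for s in status[key]:
            lines.append("%s %s %s keytag %d expires %s" % (
                tag, s["owner"], s["covered"], s["keytag"], s["expiration"].isoformat()))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # e.g. /etc/namedb/slave/root.slave
        with open(sys.argv[1]) as fh:
            status = signature_status(fh.read(), datetime.now(timezone.utc))
    else:
        status = check_sample()
    print(report(status))
    sys.exit(1 if status["expired"] else 0)
```

Run against the sample, the SOA signature on "." is already expired at the message's timestamp, the NS signature on "arpa." falls inside the one-day warning margin, and the NS signature on "." is still fine. Pointing it at a real slave file from cron, with the margin set to a little more than your refresh interval, turns a silent AXFR failure like the one described above into an alert before resolvers notice; a non-empty `not_yet_valid` list on a freshly transferred zone usually means the slave's own clock is wrong rather than the zone.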