Date:      Tue, 17 Jul 2007 10:52:43 +0200
From:      Volker <volker@vwsoft.com>
To:        "Heiko Wundram (Beenic)" <wundram@beenic.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Problems with named default configuration in 6-STABLE
Message-ID:  <469C835B.6090304@vwsoft.com>
In-Reply-To: <200707171005.37507.wundram@beenic.net>
References:  <200707162319.41724.lofi@freebsd.org>	<200707170945.21903.wundram@beenic.net>	<469C772B.2080307@vwsoft.com> <200707171005.37507.wundram@beenic.net>


On 07/17/07 10:05, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:00:43 Volker wrote:
>> hmm... the root servers should not allow public AXFR. As I've verified
>> using:
>> <snip>
> 
> Just like you did:
> 
> [modelnine@phoenix ~]$ dig -t AXFR @k.root-servers.net . | head -30
> 
> ; <<>> DiG 9.3.4 <<>> -t AXFR @k.root-servers.net .
> ; (1 server found)
> ;; global options:  printcmd
> .                       86400   IN      SOA     a.root-servers.net. 
> nstld.verisign-grs.com. 2007071601 1800 900 604800 86400
> .                       518400  IN      NS      a.root-servers.net.
> .                       518400  IN      NS      b.root-servers.net.
> .                       518400  IN      NS      c.root-servers.net.
> .                       518400  IN      NS      d.root-servers.net.
> .                       518400  IN      NS      e.root-servers.net.
> .                       518400  IN      NS      f.root-servers.net.
> .                       518400  IN      NS      g.root-servers.net.
> .                       518400  IN      NS      h.root-servers.net.
> .                       518400  IN      NS      i.root-servers.net.
> .                       518400  IN      NS      j.root-servers.net.
> .                       518400  IN      NS      k.root-servers.net.
> .                       518400  IN      NS      l.root-servers.net.
> .                       518400  IN      NS      m.root-servers.net.
> ac.                     172800  IN      NS      a.nic.ac.
> ac.                     172800  IN      NS      a.ns13.net.
> ac.                     172800  IN      NS      b.nic.ac.
> ac.                     172800  IN      NS      b.nic.io.
> ac.                     172800  IN      NS      b.nic.sh.
> ac.                     172800  IN      NS      b.ns13.net.
> ac.                     172800  IN      NS      ns1.communitydns.net.
> ac.                     172800  IN      NS      ns3.icb.co.uk.
> a.nic.ac.               172800  IN      A       64.251.31.177
> b.nic.ac.               172800  IN      A       217.160.203.158
> ad.                     172800  IN      NS      ad.ns.nic.es.
> ad.                     172800  IN      NS      ns3.nic.fr.
> [modelnine@phoenix ~]$
> 
> The head is necessary, as the output is far, far longer than that. As 
> k.root-servers.net was one of the servers he put in as masters for the root 
> zone, I should presume that his setup works fine.
> 

Not every root server seems to be happy with transferring zone files:

%dig @a.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options:  printcmd
; Transfer failed.

%dig @b.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options:  printcmd
.                       86400   IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
.                       518400  IN      NS      C.ROOT-SERVERS.NET.

b.root-servers.net transfers the zone, but a.root-servers.net refuses.
I remember some years back there was an attack against some root
servers and the conclusion was to deny zone transfers for them. I
thought all root servers were denying zone transfers generally, but some
seem to still (or again) let it pass.

The following servers are refusing zone transfers:

a
d
e
h
i
j
l
m

Relying on a zone transfer doesn't seem reliable to me, as more
than half of the root servers don't reply to AXFR requests.

Volker
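The check Volker ran by hand against each root server, scripted as an added example that is not part of the thread: it parses `dig axfr` output (including the SOA record that dig wraps onto a second line, as seen above) to tell servers that serve the root zone from those that refuse, and reports whether the served copies agree on the SOA serial. The sample outputs are constructed from the thread's format; the live `probe()` assumes `dig` is installed and is not exercised by the tests.

```python
import subprocess
from dataclasses import dataclass
from typing import Optional

ROOT_LETTERS = "abcdefghijklm"  # a.root-servers.net .. m.root-servers.net


@dataclass
class AxfrResult:
    server: str
    transferred: bool
    soa_serial: Optional[int]
    root_ns: int  # NS records for "." in the transferred copy


def _records(output: str) -> list:
    """Split dig output into records. dig prints NAME TTL CLASS TYPE RDATA, so a
    line whose third field is not a CLASS is the wrapped tail of the previous
    record (the SOA line above). Comment lines and shell prompts are dropped."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith((";", "[", "%")):
            continue
        if len(fields) >= 4 and fields[2].upper() == "IN":
            records.append(fields)
        elif records:
            records[-1].extend(fields)
    return records


def parse_axfr(server: str, output: str) -> AxfrResult:
    if "Transfer failed" in output:
        return AxfrResult(server, False, None, 0)
    serial, root_ns = None, 0
    for rec in _records(output):
        name, rtype = rec[0].lower(), rec[3].upper()
        if name == "." and rtype == "SOA" and len(rec) >= 7:
            serial = int(rec[6])  # SOA RDATA: mname rname serial refresh ...
        elif name == "." and rtype == "NS":
            root_ns += 1
    return AxfrResult(server, serial is not None, serial, root_ns)


def summarize(results):
    """Servers that served, servers that refused, and whether all served
    copies carry the same SOA serial (the reliability question in the thread)."""
    served = [r.server for r in results if r.transferred]
    refused = [r.server for r in results if not r.transferred]
    serials = {r.soa_serial for r in results if r.transferred}
    return served, refused, len(serials) <= 1


def probe(letter: str, timeout: int = 10) -> AxfrResult:
    """Live check of one root server (needs dig and network access)."""
    cmd = ["dig", f"+time={timeout}", "+tries=1",
           f"@{letter}.root-servers.net", "axfr", "."]
    out = subprocess.run(cmd, capture_output=True, text=True,
                         timeout=timeout + 5).stdout
    return parse_axfr(letter, out)


# Constructed samples shaped like the two dig outputs quoted above.
FAILED = "; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .\n; Transfer failed.\n"
SERVED = """.  86400  IN  SOA  A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.  518400  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  IN  A  198.41.0.4
.  518400  IN  NS  B.ROOT-SERVERS.NET.
"""
```

Running `summarize([probe(l) for l in ROOT_LETTERS])` reproduces the served/refused split from the message without reading thirteen dig outputs by hand.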




Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?469C835B.6090304>