Problems with named default configuration in 6-STABLE
Volker
volker at vwsoft.com
Tue Jul 17 08:53:08 UTC 2007
On 07/17/07 10:05, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:00:43 Volker wrote:
>> hmm... the root servers should not allow public AXFR. As I've verified
>> using:
>> <snip>
>
> Just like you did:
>
> [modelnine at phoenix ~]$ dig -t AXFR @k.root-servers.net . | head -30
>
> ; <<>> DiG 9.3.4 <<>> -t AXFR @k.root-servers.net .
> ; (1 server found)
> ;; global options: printcmd
> . 86400 IN SOA a.root-servers.net.
> nstld.verisign-grs.com. 2007071601 1800 900 604800 86400
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> ac. 172800 IN NS a.nic.ac.
> ac. 172800 IN NS a.ns13.net.
> ac. 172800 IN NS b.nic.ac.
> ac. 172800 IN NS b.nic.io.
> ac. 172800 IN NS b.nic.sh.
> ac. 172800 IN NS b.ns13.net.
> ac. 172800 IN NS ns1.communitydns.net.
> ac. 172800 IN NS ns3.icb.co.uk.
> a.nic.ac. 172800 IN A 64.251.31.177
> b.nic.ac. 172800 IN A 217.160.203.158
> ad. 172800 IN NS ad.ns.nic.es.
> ad. 172800 IN NS ns3.nic.fr.
> [modelnine at phoenix ~]$
>
> The head is necessary, as the output is far, far longer than that. As
> k.root-servers.net was one of the servers he put in as masters for the root
> zone, I should presume that his setup works fine.
>
Not every root server seems to be happy with transferring zone files:
%dig @a.root-servers.net axfr . | head
; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
; Transfer failed.
%dig @b.root-servers.net axfr . | head
; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
. 86400 IN SOA A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
. 518400 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
. 518400 IN NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
. 518400 IN NS C.ROOT-SERVERS.NET.
b.root-servers.net transfers the zone, but a.root-servers.net refuses.
I remember some years back there was an attack against some root
servers and the conclusion was to deny zone transfers for them. I
thought all root servers were denying zone transfers generally, but some
seem to still (or again) let it pass.
The following servers are refusing zone transfers:
a
d
e
h
i
j
l
m
Relying on a zone transfer doesn't seem to be reliable to me, as more
than half of the root servers don't reply to AXFR requests.
Volker
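The survey above is done by hand, one `dig ... axfr .` per root server. As an added example (not code from the thread or from the FreeBSD or BIND projects), here is a small parser that takes the text dig prints for each server and classifies the result, so that the "refused / transferred" list and the SOA serials of the transferred copies can be checked in one pass. It does no network I/O: the sample outputs are constructed, abbreviated to the shape shown in the thread (the `; Transfer failed.` diagnostic and the apex SOA line), and the third sample under a placeholder host name is invented to show the timeout case.

```python
"""Classify per-server `dig @server axfr .` output: transferred, refused, unreachable.

Added example, not part of the original mailing-list post. Parses dig's text
output only; the SAMPLES below are constructed to mirror what dig 9.3.x prints.
"""

# Constructed sample outputs (abbreviated). The first two follow the thread's
# a/b results; the third, under a placeholder host, shows a timeout.
SAMPLES = {
    "a.root-servers.net": """; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
; Transfer failed.
""",
    "b.root-servers.net": """; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options: printcmd
.\t86400\tIN\tSOA\tA.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.\t518400\tIN\tNS\tA.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.\t3600000\tIN\tA\t198.41.0.4
.\t518400\tIN\tNS\tB.ROOT-SERVERS.NET.
""",
    "root-server.example": """; <<>> DiG 9.3.3 <<>> @root-server.example axfr .
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
""",
}


def axfr_status(dig_output: str) -> str:
    """Return 'transferred', 'refused', 'unreachable' or 'unknown' for one dig run.

    dig prints diagnostics on lines starting with ';'; a successful AXFR is
    recognised by the zone's apex SOA record appearing as a data line.
    """
    soa_seen = False
    for line in dig_output.splitlines():
        if line.startswith(";"):
            if "Transfer failed" in line:
                return "refused"
            if "timed out" in line or "no servers could be reached" in line:
                return "unreachable"
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "SOA":
            soa_seen = True
    return "transferred" if soa_seen else "unknown"


def axfr_serial(dig_output: str):
    """Return the SOA serial (int) of a transferred zone, or None if there is none.

    SOA data line layout: name ttl class SOA mname rname serial refresh retry expire minimum
    """
    for line in dig_output.splitlines():
        if line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) >= 7 and fields[3] == "SOA" and fields[6].isdigit():
            return int(fields[6])
    return None


def survey(outputs: dict) -> dict:
    """Map each server name to a (status, serial) pair."""
    return {srv: (axfr_status(out), axfr_serial(out)) for srv, out in outputs.items()}


def transferring_servers(results: dict) -> list:
    """Servers whose AXFR succeeded, sorted by name."""
    return sorted(s for s, (status, _) in results.items() if status == "transferred")


def serials_agree(results: dict) -> bool:
    """True when every transferred copy carries the same SOA serial (no stale masters)."""
    serials = {serial for status, serial in results.values() if status == "transferred"}
    return len(serials) <= 1


if __name__ == "__main__":
    res = survey(SAMPLES)
    for srv, (status, serial) in sorted(res.items()):
        print(f"{srv:24} {status:12} serial={serial}")
    print("transferring:", transferring_servers(res))
    print("serials agree:", serials_agree(res))
```

In practice the `SAMPLES` dict would be filled by running `dig @<server> axfr .` for each letter and capturing stdout; a master that answers only "Transfer failed" is then dropped from the candidate masters list, and `serials_agree` flags a master serving an out-of-date copy, which is the kind of drift a slaved root zone would otherwise inherit silently.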