Problems with named default configuration in 6-STABLE

Volker volker at vwsoft.com
Tue Jul 17 08:53:08 UTC 2007


On 07/17/07 10:05, Heiko Wundram (Beenic) wrote:
> On Tuesday 17 July 2007 10:00:43 Volker wrote:
>> hmm... the root servers should not allow public AXFR. As I've verified
>> using:
>> <snip>
> 
> Just like you did:
> 
> [modelnine at phoenix ~]$ dig -t AXFR @k.root-servers.net . | head -30
> 
> ; <<>> DiG 9.3.4 <<>> -t AXFR @k.root-servers.net .
> ; (1 server found)
> ;; global options:  printcmd
> .                       86400   IN      SOA     a.root-servers.net. 
> nstld.verisign-grs.com. 2007071601 1800 900 604800 86400
> .                       518400  IN      NS      a.root-servers.net.
> .                       518400  IN      NS      b.root-servers.net.
> .                       518400  IN      NS      c.root-servers.net.
> .                       518400  IN      NS      d.root-servers.net.
> .                       518400  IN      NS      e.root-servers.net.
> .                       518400  IN      NS      f.root-servers.net.
> .                       518400  IN      NS      g.root-servers.net.
> .                       518400  IN      NS      h.root-servers.net.
> .                       518400  IN      NS      i.root-servers.net.
> .                       518400  IN      NS      j.root-servers.net.
> .                       518400  IN      NS      k.root-servers.net.
> .                       518400  IN      NS      l.root-servers.net.
> .                       518400  IN      NS      m.root-servers.net.
> ac.                     172800  IN      NS      a.nic.ac.
> ac.                     172800  IN      NS      a.ns13.net.
> ac.                     172800  IN      NS      b.nic.ac.
> ac.                     172800  IN      NS      b.nic.io.
> ac.                     172800  IN      NS      b.nic.sh.
> ac.                     172800  IN      NS      b.ns13.net.
> ac.                     172800  IN      NS      ns1.communitydns.net.
> ac.                     172800  IN      NS      ns3.icb.co.uk.
> a.nic.ac.               172800  IN      A       64.251.31.177
> b.nic.ac.               172800  IN      A       217.160.203.158
> ad.                     172800  IN      NS      ad.ns.nic.es.
> ad.                     172800  IN      NS      ns3.nic.fr.
> [modelnine at phoenix ~]$
> 
> The head is necessary, as the output is far, far longer than that. As 
> k.root-servers.net was one of the servers he put in as masters for the root 
> zone, I should presume that his setup works fine.
> 

Not every root server seems to be happy with transferring zone files:

%dig @a.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options:  printcmd
; Transfer failed.

%dig @b.root-servers.net axfr . | head

; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options:  printcmd
.                       86400   IN      SOA     A.ROOT-SERVERS.NET.
NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
.                       518400  IN      NS      C.ROOT-SERVERS.NET.

b.root-servers.net transfers the zone, but a.root-servers.net refuses.
I remember that some years back there was an attack against some root
servers and the conclusion was to deny zone transfers for them. I
thought all root servers were denying zone transfers generally, but some
seem to still (or again) let it pass.

The following servers are refusing zone transfers:

a
d
e
h
i
j
l
m

Relying on a zone transfer doesn't seem reliable to me, as more than
half of the root servers don't reply to AXFR requests.

Volker
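The check Volker ran by hand above, as an added example (not part of the original thread): a small POSIX sh script that classifies the output of `dig @server axfr .` and probes all thirteen root servers in a loop. A complete AXFR ends with the zone's SOA record repeated, so a transfer is only counted as "ok" when two SOA lines are present; dig 9.x prints "; Transfer failed." on REFUSED. The two sample outputs embedded below are constructed from the truncated dig output quoted in the thread, so the classifier can be exercised offline; the `probe_root_servers` function needs network access and the `dig` binary.

```shell
#!/bin/sh
# Added example, not from the original post or from the FreeBSD tree.
# Classify the text of a `dig @server axfr .` run as:
#   refused  - dig printed "Transfer failed" (server answered REFUSED)
#   timeout  - no answer at all (connection timed out / communications error)
#   ok       - full transfer: the SOA appears at the start and again at the end
#   partial  - only one SOA seen (truncated or cut-off transfer)
#   none     - no SOA at all
axfr_status() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
        return 0
    fi
    if printf '%s\n' "$out" | grep -Eq 'connection timed out|communications error'; then
        echo timeout
        return 0
    fi
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e quiet
    soa=$(printf '%s\n' "$out" | grep -c 'IN[[:space:]]\{1,\}SOA[[:space:]]' || true)
    if [ "$soa" -ge 2 ]; then
        echo ok
    elif [ "$soa" -eq 1 ]; then
        echo partial
    else
        echo none
    fi
}

# Live probe of the root servers a..m (needs network and dig). Each line
# of output is "<letter>: <status>", so a refusing server shows up as
# "a: refused" and a cooperating one as "b: ok".
probe_root_servers() {
    for s in a b c d e f g h i j k l m; do
        out=$(dig +time=5 +tries=1 @"$s".root-servers.net axfr . 2>&1 || true)
        printf '%s: %s\n' "$s" "$(axfr_status "$out")"
    done
}

# Constructed samples (modelled on the dig output quoted in the thread;
# the "ok" sample has the trailing SOA that a complete AXFR carries).
SAMPLE_REFUSED=$(cat <<'EOF'
; <<>> DiG 9.3.3 <<>> @a.root-servers.net axfr .
; (1 server found)
;; global options:  printcmd
; Transfer failed.
EOF
)

SAMPLE_OK=$(cat <<'EOF'
; <<>> DiG 9.3.3 <<>> @b.root-servers.net axfr .
; (1 server found)
;; global options:  printcmd
.                       86400   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
.                       86400   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007071601 1800 900 604800 86400
EOF
)

# A sample cut off by "| head", as in the thread: only the leading SOA.
SAMPLE_PARTIAL=$(printf '%s\n' "$SAMPLE_OK" | head -6)

# Offline self-check; run probe_root_servers to test the live servers.
if [ "${1:-}" = "probe" ]; then
    probe_root_servers
else
    printf 'refused sample: %s\n' "$(axfr_status "$SAMPLE_REFUSED")"
    printf 'ok sample:      %s\n' "$(axfr_status "$SAMPLE_OK")"
    printf 'partial sample: %s\n' "$(axfr_status "$SAMPLE_PARTIAL")"
fi
```

Run it with `sh axfrcheck.sh probe` to repeat Volker's survey; because a truncated transfer is reported as "partial", piping dig through `head` as in the thread will never be mistaken for a successful transfer. Note that the result varies per server and can change over time, which is the point the message makes about slaving the root zone from a fixed masters list.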
