Acting as stealth slave for root zone

Stephane Bortzmeyer bortzmeyer at
Wed Dec 8 08:51:51 UTC 2004

On Tue, Dec 07, 2004 at 07:18:19PM -0800,
 David Carmean <dlc at> wrote 
 a message of 33 lines which said:

> Eventually, I tried something that I fully expected not to work: I
> tried to pull a copy of the root zone by zone transfer from the root
> servers themselves.  It worked!  I'd expected the query to be
> refused.

Why? You can have the root zone in many ways, and it is even signed:

rm -f*
wget --quiet && wget --quiet
if [ $? != 0 ]; then
        error "Cannot retrieve root zone file" 
        exit 1
gpg --quiet --verify  
if [ $? != 0 ]; then
        error "[SECURITY] Bad signature of the root zone file" 
        exit 1

> So ... I set my test cache server up as a "stealth" slave for the
> root zone, and behold, no more bogus TLD queries to the roots.
The problem is that you need to be sure to refresh your copy of the
root zone often enough. 

> Is this new/temporary behavior?  The spirited discussion a few weeks
> ago engendered by the idea of grabbing the root zone by ftp would
> seem to indicate that zone transfers have not always been permitted.

I believe that F and K always authorized it.

More information about the bind-users mailing list