AXFR root zone
Ronald F. Guilmette
rfg at tristatelogic.com
Sun Sep 28 21:59:06 UTC 2014
In message <54287C3F.60407 at ripe.net>,
Anand Buddhdev <anandb at ripe.net> wrote:
>... Unlike other query types, an AXFR is not recursively
>looked up by a resolver.
Ah! Ok. That certainly explains the failure then. Thank you for
>> P.S. Strangely, this rather different query _does_ work:
>> dig @k.root-servers.net . axfr
>> So, um, it appears that "k" will allow the AXFR but, I gather, other
>> root zone servers won't (?)
>Speaking as the operator of K-root, I can confirm that K allows zone
>transfers. That's why this query works.
Wow! I am delighted that I've been able to get an answer to my
question direct "from the horse's mouth" as we say... and on a
Sunday even! So, um, THANK YOU for that.
But please allow me a couple of follow-up questions also...
It appears to me that the "a" root server _does not_ allow the
zone transfer. My guess is that the operators of that server
wished to prevent every impertinent fellow (like me) and his
brother from all writing scripts which would run frequently and
which would always suck copies of the root zone from the most
obvious candidate, i.e. a.root-servers.net. Is that approximately
correct? Or are the operators of the "a" server just less
friendly/accomodating folks than you? ;-)
Do 100% of the other (non-a) root zone servers support axfr for
the root zone? (I only checked "b", "c", and your's, "k", but
those all seem to do so.)
Is the openness of your server (to root zone axfrs) a policy choice
that I can rely on, i.e. that is likely to be in place for the
I ask because I have indeed written a script which I will be running
on the order of once per day, and which needs to be able to suck
down a copy of the root zone. May I rely on this continuing to
work for the forseeable future if I hardcode my little script with
the name "k.root-servers.net"? Or is there a better choice for
the long term?
More information about the bind-users