AXFR root zone

Anand Buddhdev anandb at ripe.net
Sun Sep 28 22:54:13 UTC 2014


On 28/09/2014 23:59, Ronald F. Guilmette wrote:

Hi Ronald,

> Wow!  I am delighted that I've been able to get an answer to my
> question direct "from the horse's mouth" as we say... and on a
> Sunday even!  So, um, THANK YOU for that.

You're welcome :)

> It appears to me that the "a" root server _does not_ allow the
> zone transfer.  My guess is that the operators of that server
> wished to prevent every impertinent fellow (like me) and his
> brother from all writing scripts which would run frequently and
> which would always suck copies of the root zone from the most
> obvious candidate, i.e. a.root-servers.net.  Is that approximately
> correct?  Or are the operators of the "a" server just less
> friendly/accomodating folks than you? ;-)

I'm afraid I cannot speak for Verisign, the operator of A-root.

> Do 100% of the other (non-a) root zone servers support axfr for
> the root zone?  (I only checked "b", "c", and your's, "k", but
> those all seem to do so.)

Some do, and some don't. I don't know off the top of my head, but you
can query and find out.

> Is the openness of your server (to root zone axfrs) a policy choice
> that I can rely on, i.e. that is likely to be in place for the
> forseeable future?

Yes, we have chosen to allow zone transfers, so we will keep providing
them for the foreseeable future.

> I ask because I have indeed written a script which I will be running
> on the order of once per day, and which needs to be able to suck
> down a copy of the root zone.  May I rely on this continuing to
> work for the forseeable future if I hardcode my little script with
> the name "k.root-servers.net"?  Or is there a better choice for
> the long term?

If you wanted your script to be robust, then you would program it with
the names of all 13 root name servers, and have it try the zone
transfers from a random server each time, and trying another one in case
of failure.

However, you're better off using ICANN's dedicated zone transfer
servers. See this URL for details:

http://www.dns.icann.org/services/axfr/

Regards,

Anand Buddhdev
RIPE NCC


More information about the bind-users mailing list