Re: BIND - slaving the root zone and signature expired

Thu, 25 Oct 2012 09:56:09 -0700 

On 25 October 2012 18:33, Warren Block <wbl...@wonkity.com> wrote:
> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>
>> Anyone else experienced this problem today ?
>>
>> We slave the root zone and have received "signature expired" errors.
>
>
> Found this:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>
> which leads to this:
>
> http://in-addr-transition.icann.org/



Hi Warren and thanks for your reply,


I've dug around some more and identified the problem we've been having.



Apparently, from a given netblock, we can't AXFR the "." and "arpa"
zones anymore with F.ROOT-SERVERS.NET.
We can from some other boxes.
I suspect we might have been firewalled or something, although we
don't query them very often , but that's beyond the point.


I've now transitioned all our PF boxes to slave from
"xfr.lax.dns.icann.org" and "xfr.cjr.dns.icann.org" as per the
documentation found in /etc/namedb/named.conf

What bothers me is that the commented lines from named.conf say to use
the ICANN XFR servers, while the actual commented configuration uses
F.ROOT-SERVERS.NET




See below a freshly SVNup'd copy on 10.0:

% svn info named.conf
Path: named.conf
Name: named.conf
Working Copy Root Path: /data/freebsd/src/head
URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
Repository Root: svn://svn.freebsd.org/base
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 242082
Node Kind: file
Schedule: normal
Last Changed Author: uqs
Last Changed Rev: 229783
Last Changed Date: 2012-01-07 16:10:32 +0000 (Sat, 07 Jan 2012)
Text Last Updated: 2012-09-01 11:43:31 +0000 (Sat, 01 Sep 2012)
Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9


I SVNup'd it just today, and yet:

===
        As documented at http://dns.icann.org/services/axfr/ these zones:
        "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
        are available for AXFR from these servers on IPv4 and IPv6:
        xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
        type slave;
        file "/etc/namedb/slave/root.slave";
        masters {
                192.5.5.241;    // F.ROOT-SERVERS.NET.
        };
        notify no;
};
===




I'm going to file a PR with a small diff to use the ICANN's XFR
servers instead of F.



Thanks for your feedback regardless :)
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to