Re: rz.verisign-grs.com root zone ftp access
On 28 May 2014, at 3:21, Martin Hannigan hanni...@gmail.com wrote:
IIRC you can ftp to rs.internic.net (the IANA) and download zones to your
hearts content. At least until transition, I'd think this one is
authoritative.
I don't exactly remember where you can pull it from, but I believe they
offer it in XML too.
[ Paging Joe Abley ]
*twitch*
Half of this thread seems to be talking about the COM/NET zones, not the root
zone, but since you asked...
ftp://ftp.internic.net/domain/root.zone is a service provided by ICANN.
ftp://rs.internic.net/domain/root.zone is a service provided by Verisign.
I think both services are provided under their respective agreements with NTIA
(the IANA Functions Contract and the Cooperative Agreement) and hence those
URLs can be expected to be somewhat stable. (We live in interesting times, but
I don't sense a desire by anybody to change the IANA Functions as part of the
management transition currently under discussion). I don't remember the details
of how the two sites above are provisioned, but I have a feeling that one is
mirrored from the other.
Right now, from here, B-Root, C-Root, F-Root, G-Root, and K-Root respond
positively to AXFR requests. Sending AXFR requests to instances of root servers
is a bit unfriendly, in my opinion, since you're occupying TCP slots on
nameservers that arguably would be better used for non-AXFR queries using TCP
transport.
As Mehmet mentioned, xfr.cjr.dns.icann.org and xfr.lax.dns.icann.org are both
dedicated AXFR servers from which the root zone (and other zones served by
ICANN's DNS Operations department) can be retrieved. I am not aware of any
commitment or requirement to provide those services, but I can't imagine the
good people currently in that ICANN department would make them unavailable
gratuitously.
Lastly, the root zone is signed with NSEC, which means you can walk the NSEC
chain and recover the complete zone (see below, thanks Jelte). It occurs to me
that this is actually a plausible way to prime your resolver with the full
contents of the root zone, as an alternative to slaving the root zone, for
people who think this kind of obsessive behaviour is useful. But maybe that's
just the malarone talking.
I am not aware of anybody providing the contents of the root zone in XML format
(and I'm not sure what value that would have to anybody). You may have been
remembering the root zone trust anchor distribution format, as seen at
http://data.iana.org/root-anchors/root-anchors.xml.
Joe
[walrus:~]% ldns-walk -f . | head -40
. 218447 IN NS i.root-servers.net.
. 218447 IN NS h.root-servers.net.
. 218447 IN NS m.root-servers.net.
. 218447 IN NS l.root-servers.net.
. 218447 IN NS j.root-servers.net.
. 218447 IN NS e.root-servers.net.
. 218447 IN NS d.root-servers.net.
. 218447 IN NS b.root-servers.net.
. 218447 IN NS f.root-servers.net.
. 218447 IN NS k.root-servers.net.
. 218447 IN NS g.root-servers.net.
. 218447 IN NS c.root-servers.net.
. 218447 IN NS a.root-servers.net.
. 487056 IN RRSIG NS 8 0 518400 2014060300 2014052623
40926 .
gsG1xrmc32HKMscG4pEQjgTNg2UOKgXTEZEGjg5lY9X14ADCwNleAwfNXkeAS2cEEJI+Sj8P4gWvKCpgCi7rKSMVPapfelN8huMZHiplWsl0JyaHxkU6WwAa2ciBIayGuY7vsPY2LGudosN4th+5eXnB0gfIJFCuQjhaK3dI5iM=
. 86309 IN SOA a.root-servers.net. nstld.verisign-grs.com.
2014052701 1800 900 604800 86400
. 86309 IN RRSIG SOA 8 0 86400 2014060300 2014052623
40926 .
JZPdfvMZq/+k+ScgnPVp02j6PSYnA5ntR4TGiLHoeeLTWty7OY3ATas48mCxRZja8D/44VKV5COiXb3dNJNRnXtGqI1nuTWwGXmK/J52satKzLilkk/NtHjy1MxT1NQmgnPYFKNP4liE3vr0deTUYCPRkjDwveTCJ/NowB1OyWs=
. 45819 IN DNSKEY 257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b}
. 45819 IN DNSKEY 256 3 8
AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0nmOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G2GwbMF5v
;{id = 40926 (zsk), size = 1024b}
. 45819 IN RRSIG DNSKEY 8 0 172800 20140604235959 2014052100
19036 .
H6fUqoXYqDtYeDOZxBxBEXWsQ1APR6+MMboI74uSgdIkcm5B2zBQOwD+lYid1j3JJ1vhzONwk4PP31o1RG24P0iMqhwwaGXtoWLDeH3FSQxuVUdLA3DxIM0c8NdEzgCW36iH8zzcy/uzFwgPvw6/ksbd6Np+nu/bIw38XhGH61fkidahj1lTAUDIMXi4TM7igJ9bZgUtLViXN8sLeD4G+hrPZbydcksvZpVB8XFCvgKrHHMq3Ha7AO6cl2XDrn6/DodibcVBpMK07kL24NEVFre/jeqjiQWCms6GDuGkqRKaUf8Hdwl12rsmptIuDa70qNh3Pz+pbjNXXGuWlkyYdA==
.
Re: rz.verisign-grs.com root zone ftp access
All, Verisign performed routine account maintenance on the Verisign TLD Zone File Access Program (TLDZ) platform. This service gives participants FTP access to the TLD Zone Files for the .com, .net and .name top-level domains (TLDs). Each file contains the active domain names in that particular TLD and is updated daily. Any user without a current contract in place was removed. All reasonable efforts were taken to notify users prior to their access being revoked. If a customer has lost their access to rz.verisign-grs.comhttp://rz.verisign-grs.com (TLDZ), they should call into Verisign Customer Service @+1-703-925-6999 and they will be instructed on how to submit the contract request. Once the request is processed a new user ID for the customer will be added to the platform. Additional information regarding TLDZ can be view at http://www.verisigninc.com/en_US/channel-resources/domain-registry-products/zone-file-information/index.xhtml Regards, Brad G. Bradford Verd Vice President Operations bv...@verisign.commailto:bv...@verisign.com 12061 Bluemont Way Reston, VA 20190 VerisignInc.comhttp://www.verisigninc.com/ [cid:image003.gif@01CE05D2.5D1F5A90] On May 20, 2014, at 5:21 PM, Brandon Applegate bran...@burn.netmailto:bran...@burn.net wrote: Is anyone using this and having failed login for a few days now ? I’ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun.
Re: rz.verisign-grs.com root zone ftp access
On 5/20/14, 11:53 PM, John Levine wrote: In article 537c1f17.6070...@digital-z.com you write: On 5/20/14, 4:21 PM, Brandon Applegate wrote: Is anyone using this and having failed login for a few days now ? I�ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. I have been experiencing this problem as well but have not had a chance to look into it. It stopped working some time between May 15th and May 16th. If you find out anything, please let me know! When I had problems like this a while ago, I found their support people to be quite responsive. Try writing them at tldz...@verisign-grs.com or call the support number on the web site 703-925-6999. If you're not using your password to download the .COM or .NET zones, it is my impression that they will eventually turn off your password because they think you're not using it. R's, John Just wanted to follow-up on this issue. I was actively using it every day to fetch the .COM and .NET TLD zone files. Sent multiple emails to tldz...@verisign-grs.com with no response. Finally reached out to them via chat and was informed that I needed to execute a new zone file access agreement because they needed updated information for me. New agreement has been submitted so we will see what they say this time. If anyone else is still having problems then you probably need to do the same. --Blaine
Re: rz.verisign-grs.com root zone ftp access
Hi Doug, IIRC you can ftp to rs.internic.net (the IANA) and download zones to your hearts content. At least until transition, I'd think this one is authoritative. I don't exactly remember where you can pull it from, but I believe they offer it in XML too. [ Paging Joe Abley ] Best, -M On Wed, May 21, 2014 at 1:50 AM, Doug Barton do...@dougbarton.us wrote: The last time I asked them, F-root had a we allow it because it's the right thing to do but we don't like it policy. Given that ICANN operates an infrastructure purposely built for doing zone transfers, and given that they offer more zones than are on the roots, that's the way I recommend people go. YMMV. Doug On 05/20/2014 10:42 PM, Mehmet Akcin wrote: F-root also allows you to axfr root-zone ( dig @f.root-servers.net . axfr ) On May 20, 2014, at 10:32 PM, Doug Barton do...@dougbarton.us wrote: Signed PGP part On 05/20/2014 02:21 PM, Brandon Applegate wrote: | Is anyone using this and having failed login for a few days now ? I?ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. You can slave the root and more directly from ICANN: http://www.dns.icann.org/services/axfr/
Re: rz.verisign-grs.com root zone ftp access
Pretty annoying (esp. to my databases) that com.zone.gz alone is 2.3 GB ... . On Tue, May 27, 2014 at 6:21 PM, Blaine Fleming gro...@digital-z.com wrote: On 5/20/14, 11:53 PM, John Levine wrote: In article 537c1f17.6070...@digital-z.com you write: On 5/20/14, 4:21 PM, Brandon Applegate wrote: Is anyone using this and having failed login for a few days now ? I�ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. I have been experiencing this problem as well but have not had a chance to look into it. It stopped working some time between May 15th and May 16th. If you find out anything, please let me know! When I had problems like this a while ago, I found their support people to be quite responsive. Try writing them at tldz...@verisign-grs.com or call the support number on the web site 703-925-6999. If you're not using your password to download the .COM or .NET zones, it is my impression that they will eventually turn off your password because they think you're not using it. R's, John Just wanted to follow-up on this issue. I was actively using it every day to fetch the .COM and .NET TLD zone files. Sent multiple emails to tldz...@verisign-grs.com with no response. Finally reached out to them via chat and was informed that I needed to execute a new zone file access agreement because they needed updated information for me. New agreement has been submitted so we will see what they say this time. If anyone else is still having problems then you probably need to do the same. --Blaine -- jamie rishaw // .com.arpa@j - reverse it. ish. ...let's consider this world like a family and care about each other... -Malala Yousafzai
Re: rz.verisign-grs.com root zone ftp access
On 20/05/2014 22:21, Brandon Applegate wrote: Is anyone using this and having failed login for a few days now ? I’ve been mirroring the root zone(s) for years and I just started getting failures in my logs. ftp://rs.internic.net/domain/root.zone Nick
Re: rz.verisign-grs.com root zone ftp access
I have access; my last success was today at 12:27am est Wait; Do you have a userid or are you trying to log in anonymous? I'm pretty sure this is a closed system.. On Tue, May 20, 2014 at 4:21 PM, Brandon Applegate bran...@burn.net wrote: Is anyone using this and having failed login for a few days now ? I’ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. -- Brandon Applegate - CCIE 10273 PGP Key fingerprint: 830B 4802 1DD4 F4F9 63FE B966 C0A7 189E 9EC0 3A74 SH1-0151. This is the serial number, of our orbital gun.
Re: rz.verisign-grs.com root zone ftp access
On May 20, 2014, at 5:32 PM, jamie 260...@gmail.com wrote: I have access; my last success was today at 12:27am est Wait; Do you have a userid or are you trying to log in anonymous? I'm pretty sure this is a closed system.. I have a username/pass. Got it by signing the agreement years ago. I just started getting errors in the past few days: --2014-05-20 17:39:28-- ftp://user:*password*@rz.verisign-grs.com/ = `/tmp/verisign-root-zones/rz.verisign-grs.com/.listing' Resolving rz.verisign-grs.com (rz.verisign-grs.com)... 69.58.178.63 Connecting to rz.verisign-grs.com (rz.verisign-grs.com)|69.58.178.63|:21... connected. Logging in as user ... Login incorrect. signature.asc Description: Message signed with OpenPGP using GPGMail
Re: rz.verisign-grs.com root zone ftp access
In article 904ce971-b779-4c9e-af8d-8dafcce01...@burn.net you write: -=-=-=-=-=- Is anyone using this and having failed login for a few days now ? I�ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. I have a password I've been using to FTP .com and .net from rz.verisign-grs.com, which still works fine as of five minutes ago. I can use it to get root.zone.gz as well but it's pretty much the same as the one at http://www.internic.net/zones give or take what time of day they dumped it.
Re: rz.verisign-grs.com root zone ftp access
Some output deleted to save spamminess: }~/ ftp rz.verisign-grs.net Connected to rz.verisign-grs.net. 220- Welcome to the VeriSign Global Registry Services gTLD Zone FTP Server Name (rz.verisign-grs.net:jamie): [myusername] 331 Please specify the password. Password: 230 Login successful. ftp ls 229 Entering Extended Passive Mode (|||31270|). 150 Here comes the directory listing. [ lots truncated ] -rw-r--r--1 ftp ftp 5167 May 20 16:21 arpa.zone.gz -rw-r--r--1 ftp ftp 2309652729 May 20 15:31 com.zone.gz -rw-r--r--1 ftp ftp 3107 Mar 28 14:46 named.root -rw-r--r--1 ftp ftp 317965345 May 20 15:23 net.zone.gz -rw-r--r--1 ftp ftp 550 Mar 27 15:49 root-servers.net.zone.gz -rw-r--r--1 ftp ftp546199 May 20 15:42 root.zone -rw-r--r--1 ftp ftp211133 May 20 15:42 root.zone.gz I will email the OP a couple of contacts in the AM after I verify it's alright to give out their info. -jamie
Re: rz.verisign-grs.com root zone ftp access
On 5/20/14, 4:21 PM, Brandon Applegate wrote: Is anyone using this and having failed login for a few days now ? I’ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. I have been experiencing this problem as well but have not had a chance to look into it. It stopped working some time between May 15th and May 16th. If you find out anything, please let me know! --Blaine Fleming
Re: rz.verisign-grs.com root zone ftp access
In article 537c1f17.6070...@digital-z.com you write: On 5/20/14, 4:21 PM, Brandon Applegate wrote: Is anyone using this and having failed login for a few days now ? I�ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. I have been experiencing this problem as well but have not had a chance to look into it. It stopped working some time between May 15th and May 16th. If you find out anything, please let me know! When I had problems like this a while ago, I found their support people to be quite responsive. Try writing them at tldz...@verisign-grs.com or call the support number on the web site 703-925-6999. If you're not using your password to download the .COM or .NET zones, it is my impression that they will eventually turn off your password because they think you're not using it. R's, John
Re: rz.verisign-grs.com root zone ftp access
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 05/20/2014 02:21 PM, Brandon Applegate wrote: | Is anyone using this and having failed login for a few days now ? I?ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. You can slave the root and more directly from ICANN: http://www.dns.icann.org/services/axfr/ -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.20 (GNU/Linux) iQEcBAEBCAAGBQJTfDqGAAoJEFzGhvEaGryEavoH/A8ItF9Ddx2Lg+y7dZf8dLuN zyKMQIGpHZpbC9o1etS/ckK97LKGPFAaW83SfAAmtrXvqFxpziP70Gnnp68QPIS+ hZgBKGhRehy+eUZ/EDqrpDl0VaHns09PP5PVZHco3391aLM5LSVBzDHdygb4c3My NHukMb6dbMhBM4pyFymGXnL2ukFEUw8rGgKby3vWO96WIo0xPgGN/Z8Ev//OCipA dxGgLfHzS26F/qRi6lFg1oMgQZdfzcxG/lz9FI9gmGpC+6btIDUGozk4MgE9GcJW aZKbXq10xHnVl7b6Kncc6YL1kYbbZzXjXyryM3VwbRttS2Fr/PiC8OjJkBapcu4= =8u5u -END PGP SIGNATURE-
Re: rz.verisign-grs.com root zone ftp access
F-root also allows you to axfr root-zone ( dig @f.root-servers.net . axfr ) On May 20, 2014, at 10:32 PM, Doug Barton do...@dougbarton.us wrote: Signed PGP part On 05/20/2014 02:21 PM, Brandon Applegate wrote: | Is anyone using this and having failed login for a few days now ? I?ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. You can slave the root and more directly from ICANN: http://www.dns.icann.org/services/axfr/
Re: rz.verisign-grs.com root zone ftp access
The last time I asked them, F-root had a we allow it because it's the right thing to do but we don't like it policy. Given that ICANN operates an infrastructure purposely built for doing zone transfers, and given that they offer more zones than are on the roots, that's the way I recommend people go. YMMV. Doug On 05/20/2014 10:42 PM, Mehmet Akcin wrote: F-root also allows you to axfr root-zone ( dig @f.root-servers.net . axfr ) On May 20, 2014, at 10:32 PM, Doug Barton do...@dougbarton.us wrote: Signed PGP part On 05/20/2014 02:21 PM, Brandon Applegate wrote: | Is anyone using this and having failed login for a few days now ? I?ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. You can slave the root and more directly from ICANN: http://www.dns.icann.org/services/axfr/
Re: rz.verisign-grs.com root zone ftp access
Yeah, I was just suggesting alternatives just incase. I have setup ICANN's axfr servers :) mehmet On May 20, 2014, at 10:50 PM, Doug Barton do...@dougbarton.us wrote: The last time I asked them, F-root had a we allow it because it's the right thing to do but we don't like it policy. Given that ICANN operates an infrastructure purposely built for doing zone transfers, and given that they offer more zones than are on the roots, that's the way I recommend people go. YMMV. Doug On 05/20/2014 10:42 PM, Mehmet Akcin wrote: F-root also allows you to axfr root-zone ( dig @f.root-servers.net . axfr ) On May 20, 2014, at 10:32 PM, Doug Barton do...@dougbarton.us wrote: Signed PGP part On 05/20/2014 02:21 PM, Brandon Applegate wrote: | Is anyone using this and having failed login for a few days now ? I?ve been mirroring the root zone(s) for years and I just started getting failures in my logs. I emailed an address I found on the Verisign website but so far dead air. If anyone knows of a more pointed email POC that would actually have clue about this that would be awesome. You can slave the root and more directly from ICANN: http://www.dns.icann.org/services/axfr/
