On 28/10/2018 13:22, A. Schulze wrote:

Hi Andreas,

> The reason is a more broad problem: not all nameservers for these zones
> provide AXFR.
> Maybe because RFC 2870 (Root Name Server Operational Requirements) say:
>
>   2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>       queries from clients other than other root servers.

Well, the servers for in-addr.arpa and ip6.arpa are NOT root name servers, so RFC 2870 wouldn't apply to them. However, RFC 2870 is also outdated, and its successor, RFC 7720, does not explicitly forbid zone transfers, because there's no strong reason to, especially when the zones are NSEC-signed, and can be enumerated trivially.

However, one should not rely on zone transfers being available all the time, and in the case of your configuration, with just one server for in-addr.arpa and ip6.arpa, it's fragile.

Regards,
Anand
