[net-dns-users] AXFR of root zone

Ronald F. Guilmette rfg at tristatelogic.com
Sun Sep 28 23:03:11 UTC 2014


In message <CAKW6Ri7G_t2o_3OU2hk18fiQ162SGctV3asV7YnqGGM-zGGzwg at mail.gmail.com>
Dick Franks <rwfranks at acm.org> wrote:

>On 28 September 2014 21:12, Ronald F. Guilmette <rfg at tristatelogic.com>
>wrote:
>> OK, so how may I AXFR the root zone?
>
>You can not.

Actually, it appears to be quite possible to do this.

>> There must be some trick I am missing.

There was!  See below.

>1) Your script fails because your local nameserver is not authoritative for
>the root zone.

As has now been explained to me, yes, exactly.  You are 100% correct
that that was indeed the _primary_ problem.

>2) Directing the request at one of the 13 root nameservers will also fail

I'm sorry to have to disagree, but no, apparently, it won't.  At least not
for the B, C, and K root servers, which are the only ones other than the
A server that I tried.

Trying to perform the AXFR from the A server *definitely* fails, but it
appears to work for all of (or most of) the non-A servers.

>because, in common with the majority of operators, the good people who run
>the 13 authoritative root nameservers refuse AXFR requests.

As a general rule, yes, it is indeed good policy to _not_ allow any
Tom, Dick, and Harry to transfer one's zone files.  However the root
zone is kind-of special.  It is important to a lot of people for a
lot of reasons, and thus deserves to be open for inspection to the
public at large.  And indeed, as I have noted above, it apparently
*is* in fact readily available (via AXFR) from many, or perhaps most
of the official root servers (with the exception of the A server).

However, as I have only just now been informed (on a different mailing
list) there are even better places to fetch the root zone file from!

Rather than going to any of the official root zone servers, it appears
that one can go instead to one of two servers that ICANN has put up,
and whose primary duties seem to be serving up the root zone... and
a few other... for AXFR:

   http://www.dns.icann.org/services/axfr/

So I'm using those two servers now.

The "trick"... which I have only just learned... to making the AXFR work
is that one has to set the name servers explicitly before calling the
Net::DNS::Resolver axfr method.  Here is exactly how I am doing that now:

use Net::DNS;   # Net::DNS::Resolver is part of the Net::DNS distribution

# Name the AXFR servers explicitly; the default (local) resolver refuses the transfer.
my $res = Net::DNS::Resolver->new (nameservers => ['xfr.lax.dns.icann.org',
                                                   'xfr.cjr.dns.icann.org']);
my @rr_list = $res->axfr ('.');   # list context: one Net::DNS::RR per record

Works great!  Try it!  You'll like it!


Regards,
rfg


P.S. Ya know, speaking of zone file security, a little known fact is that
even a few TLD zone files are readily available for AXFR.  In an ideal
world, they all would be.  There is nothing in any TLD zone file which
has any reasonable need to be kept secret.
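A fuller version of the transfer described in the message above, as an added example that is not the poster's own script: it tries the two ICANN xfr servers named in the message one at a time, reports why a transfer was refused instead of silently getting an empty list, and sanity-checks the result (an AXFR should begin with the zone's SOA). The server names come from the message; the timeout value and the summary printed at the end are this example's own choices, and the script needs network access to run.

```perl
#!/usr/bin/perl
# Added example, not code from the original post.  AXFR the root zone from
# the ICANN xfr servers, fail loudly if the transfer is refused, and
# summarise what came back.  Needs network access.
use strict;
use warnings;
use Net::DNS;

# Servers named in the message; tried one at a time so a failure says which host refused.
my @servers = ('xfr.lax.dns.icann.org', 'xfr.cjr.dns.icann.org');

sub fetch_root_zone {
    for my $server (@servers) {
        # Explicit nameservers: the local resolver is not authoritative for "."
        # and will not transfer it.
        my $res = Net::DNS::Resolver->new(nameservers => [$server]);
        $res->tcp_timeout(60);           # assumed value; AXFR runs over TCP and the zone is large
        my @rrs = $res->axfr('.');
        return ($server, @rrs) if @rrs;  # a refused or failed transfer yields an empty list
        warn "AXFR of . from $server failed: ", $res->errorstring, "\n";
    }
    die "no server would transfer the root zone\n";
}

my ($server, @zone) = fetch_root_zone();

# A well-formed AXFR starts with the zone's SOA record.
my $soa = $zone[0];
die "first record from $server is not SOA\n" unless $soa->type eq 'SOA';
printf "root zone serial %d from %s, %d records\n", $soa->serial, $server, scalar @zone;

# Count records by type.
my %by_type;
$by_type{ $_->type }++ for @zone;
printf "  %-6s %d\n", $_, $by_type{$_} for sort keys %by_type;

# Distinct owner names carrying NS records: the delegated TLDs plus the root itself.
my %delegations;
$delegations{ lc $_->name }++ for grep { $_->type eq 'NS' } @zone;
printf "%d names have NS records\n", scalar keys %delegations;
```

If a transfer is refused, `errorstring` is what tells you so; the empty list on its own is indistinguishable from a timeout, which is why the example warns per server before moving on to the next one.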


