1.7.3 - root zone transfer and resolving SLD of delegated TLD

Anand Buddhdev anandb at ripe.net
Sun Oct 28 14:58:00 UTC 2018


On 28/10/2018 13:22, A. Schulze wrote:

Hi Andreas,

> The reason is a more broad problem: not all nameservers for these zones provide AXFR.
> Maybe because RFC 2870 (Root Name Server Operational Requirements) says:
> 
> 2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>     queries from clients other than other root servers.

Well, the servers for in-addr.arpa and ip6.arpa are NOT root name
servers, so RFC 2870 wouldn't apply to them. However, RFC 2870 is also
outdated, and its successor, RFC 7720 does not explicitly forbid zone
transfers, because there's no strong reason to, especially when the
zones are NSEC-signed, and can be enumerated trivially.

However, one should not rely on zone transfers being available all the
time, and in the case of your configuration, with just one server for
in-addr.arpa and ip6.arpa, it's fragile.

Regards,
Anand
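An added example, not from this thread or from Unbound's own documentation, of an Unbound `auth-zone` configuration that addresses the fragility described above by listing several primaries per zone and enabling fallback. The addresses are RFC 5737/RFC 3849 documentation placeholders and the zonefile paths are assumptions; whether a particular server permits zone transfer has to be checked with its operator.

```conf
# Constructed example: local copies of in-addr.arpa and ip6.arpa for
# faster recursion, without depending on a single server allowing AXFR.

auth-zone:
    name: "in-addr.arpa."
    # Several primaries: Unbound tries the next one when a transfer fails.
    master: 192.0.2.10        # placeholder address
    master: 192.0.2.11        # placeholder address
    master: 2001:db8::10      # placeholder address
    # If no copy could be fetched, or the copy has expired, keep resolving
    # by recursing upstream instead of failing queries for the whole tree.
    fallback-enabled: yes
    # Use the copy to answer upstream lookups only; do not serve it
    # authoritatively to downstream clients.
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/in-addr.arpa.zone"   # assumed path

auth-zone:
    name: "ip6.arpa."
    master: 192.0.2.20        # placeholder address
    master: 192.0.2.21        # placeholder address
    master: 2001:db8::20      # placeholder address
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/ip6.arpa.zone"       # assumed path
```

With `fallback-enabled: yes`, a primary that stops answering AXFR degrades performance rather than availability, which is the failure mode a single-server configuration cannot survive.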