1.7.3 - root zone transfer and resolving SLD of delegated TLD
A. Schulze
sca at andreasschulze.de
Sun Oct 28 17:27:31 UTC 2018
On 28.10.18 at 15:58, Anand Buddhdev wrote:
> However, one should not rely on zone transfers being available all the
> time, and in the case of your configuration, with just one server for
> in-addr.arpa and ip6.arpa, it's fragile.
You are right.
https://mailarchive.ietf.org/arch/msg/dnsop/MbsFCR_nZPUvAutn0C5ouwz_M7c mentions ICANN as an alternative.
(At least for me) it's possible to fetch in-addr.arpa and ip6.arpa
from both servers lax.xfr.dns.icann.org and iad.xfr.dns.icann.org
via IPv4 and IPv6.
As Paul Vixie pointed out, it's wise to separate production and AXFR service.
An updated unbound configuration file may now look like this:

    auth-zone:
        name: "."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/root"

    auth-zone:
        name: "arpa."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/arpa"

    # https://unbound.nlnetlabs.nl/pipermail/unbound-users/2018-May/005268.html
    # and https://www.dns.icann.org/services/axfr/
    auth-zone:
        name: "in-addr.arpa."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/in-addr.arpa"

    auth-zone:
        name: "ip6.arpa."
        for-downstream: no
        for-upstream: yes
        fallback-enabled: yes
        master: lax.xfr.dns.icann.org.
        master: iad.xfr.dns.icann.org.
        zonefile: "auth-zones/ip6.arpa"

Andreas
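
Added example (not part of the original post and not Unbound project code): a small Python check that parses auth-zone clauses like the ones above and flags zones with fewer than two transfer sources or without fallback-enabled: yes, the two fragility points raised in this thread. The sample configuration and the host xfr.example.net. are constructed for illustration.

```python
SOURCE_KEYS = {"master", "primary", "url"}  # transfer sources of an auth-zone

# Constructed sample: the root zone as in the post, plus a single-source zone.
SAMPLE = """\
server:
    verbosity: 1
auth-zone:
    name: "."
    fallback-enabled: yes
    master: lax.xfr.dns.icann.org.
    master: iad.xfr.dns.icann.org.
    zonefile: "auth-zones/root"
auth-zone:
    name: "in-addr.arpa."   # constructed: one source, fallback left at default
    master: xfr.example.net.
    zonefile: "auth-zones/in-addr.arpa"
"""

def parse_auth_zones(text):
    """Return one dict per auth-zone clause: name, sources, other options."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not value:                            # clause header, e.g. "server:"
            current = None
            if key == "auth-zone":
                current = {"name": None, "sources": [], "options": {}}
                zones.append(current)
        elif current is not None:
            value = value.strip('"')
            if key == "name":
                current["name"] = value
            elif key in SOURCE_KEYS:
                current["sources"].append(value)
            else:
                current["options"][key] = value
    return zones

def lint(zones, min_sources=2):
    """Flag zones that depend on one transfer source or lack resolver fallback."""
    findings = []
    for zone in zones:
        name = zone["name"] or "<unnamed>"
        if len(set(zone["sources"])) < min_sources:
            findings.append((name, "single-source"))
        # Unbound's default for fallback-enabled is "no".
        if zone["options"].get("fallback-enabled", "no") != "yes":
            findings.append((name, "no-fallback"))
    return findings
```

Run lint(parse_auth_zones(open(path).read())) against the resolver's own configuration file; an empty list means every auth-zone has at least two sources and falls back to normal resolution when transfers fail.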