nanog mailing list archives

Re: rz.verisign-grs.com root zone ftp access


From: Joe Abley <jabley () hopcount ca>
Date: Wed, 28 May 2014 11:49:08 +0300


On 28 May 2014, at 3:21, Martin Hannigan <hannigan () gmail com> wrote:

> IIRC you can ftp to rs.internic.net (the IANA) and download zones to your
> heart's content. At least until "transition", I'd think this one is
> authoritative.
>
> I don't exactly remember where you can pull it from, but I believe they
> offer it in XML too.
>
> [ Paging Joe Abley ]

*twitch*

Half of this thread seems to be talking about the COM/NET zones, not the root zone, but since you asked...

<ftp://ftp.internic.net/domain/root.zone> is a service provided by ICANN.

<ftp://rs.internic.net/domain/root.zone> is a service provided by Verisign.

I think both services are provided under their respective agreements with NTIA (the IANA Functions Contract and the 
Cooperative Agreement) and hence those URLs can be expected to be somewhat stable. (We live in interesting times, but I 
don't sense a desire by anybody to change the IANA Functions as part of the management transition currently under 
discussion). I don't remember the details of how the two sites above are provisioned, but I have a feeling that one is 
mirrored from the other.

Right now, from here, B-Root, C-Root, F-Root, G-Root, and K-Root respond positively to AXFR requests. Sending AXFR 
requests to instances of root servers is a bit unfriendly, in my opinion, since you're occupying TCP slots on 
nameservers that arguably would be better used for non-AXFR queries using TCP transport.

As Mehmet mentioned, xfr.cjr.dns.icann.org and xfr.lax.dns.icann.org are both dedicated AXFR servers from which the 
root zone (and other zones served by ICANN's DNS Operations department) can be retrieved. I am not aware of any 
commitment or requirement to provide those services, but I can't imagine the good people currently in that ICANN 
department would make them unavailable gratuitously.

Lastly, the root zone is signed with NSEC, which means you can walk the NSEC chain and recover the complete zone (see 
below, thanks Jelte). It occurs to me that this is actually a plausible way to prime your resolver with the full 
contents of the root zone, as an alternative to slaving the root zone, for people who think this kind of obsessive 
behaviour is useful. But maybe that's just the malarone talking.

I am not aware of anybody providing the contents of the root zone in XML format (and I'm not sure what value that would 
have to anybody). You may have been remembering the root zone trust anchor distribution format, as seen at 
<http://data.iana.org/root-anchors/root-anchors.xml>.


Joe

[walrus:~]% ldns-walk -f . | head -40
.       218447  IN      NS      i.root-servers.net.
.       218447  IN      NS      h.root-servers.net.
.       218447  IN      NS      m.root-servers.net.
.       218447  IN      NS      l.root-servers.net.
.       218447  IN      NS      j.root-servers.net.
.       218447  IN      NS      e.root-servers.net.
.       218447  IN      NS      d.root-servers.net.
.       218447  IN      NS      b.root-servers.net.
.       218447  IN      NS      f.root-servers.net.
.       218447  IN      NS      k.root-servers.net.
.       218447  IN      NS      g.root-servers.net.
.       218447  IN      NS      c.root-servers.net.
.       218447  IN      NS      a.root-servers.net.
.       487056  IN      RRSIG   NS 8 0 518400 20140603000000 20140526230000 40926 . 
gsG1xrmc32HKMscG4pEQjgTNg2UOKgXTEZEGjg5lY9X14ADCwNleAwfNXkeAS2cEEJI+Sj8P4gWvKCpgCi7rKSMVPapfelN8huMZHiplWsl0JyaHxkU6WwAa2ciBIayGuY7vsPY2LGudosN4th+5eXnB0gfIJFCuQjhaK3dI5iM=
.       86309   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014052701 1800 900 604800 86400
.       86309   IN      RRSIG   SOA 8 0 86400 20140603000000 20140526230000 40926 . 
JZPdfvMZq/+k+ScgnPVp02j6PSYnA5ntR4TGiLHoeeLTWty7OY3ATas48mCxRZja8D/44VKV5COiXb3dNJNRnXtGqI1nuTWwGXmK/J52satKzLilkk/NtHjy1MxT1NQmgnPYFKNP4liE3vr0deTUYCPRkjDwveTCJ/NowB1OyWs=
.       45819   IN      DNSKEY  257 3 8 
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
 ;{id = 19036 (ksk), size = 2048b}
.       45819   IN      DNSKEY  256 3 8 
AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0nmOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G2GwbMF5v
 ;{id = 40926 (zsk), size = 1024b}
.       45819   IN      RRSIG   DNSKEY 8 0 172800 20140604235959 20140521000000 19036 . 
H6fUqoXYqDtYeDOZxBxBEXWsQ1APR6+MMboI74uSgdIkcm5B2zBQOwD+lYid1j3JJ1vhzONwk4PP31o1RG24P0iMqhwwaGXtoWLDeH3FSQxuVUdLA3DxIM0c8NdEzgCW36iH8zzcy/uzFwgPvw6/ksbd6Np+nu/bIw38XhGH61fkidahj1lTAUDIMXi4TM7igJ9bZgUtLViXN8sLeD4G+hrPZbydcksvZpVB8XFCvgKrHHMq3Ha7AO6cl2XDrn6/DodibcVBpMK07kL24NEVFre/jeqjiQWCms6GDuGkqRKaUf8Hdwl12rsmptIuDa70qNh3Pz+pbjNXXGuWlkyYdA==
.       10709   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY 
.       10709   IN      RRSIG   NSEC 8 0 86400 20140603000000 20140526230000 40926 . 
DfkP4WFtbeus1jPx7viKJ9GAPlRvgJfgJzvRTA8zoAbteZyOD3zDOs64YcBoDt/0kQxpfa5RYKbEHTzquV8FiPyAZ91a5Syh0ml5tOoWIgxArLKAYpdW5sTKSOwYsrvZ3zb8Bwt9DTjrv7z7fPy8byVKyAJcN1vGB7odFOagHro=
ac.     172708  IN      NS      b.nic.ac.
ac.     172708  IN      NS      b.ns13.net.
ac.     172708  IN      NS      a.ns13.net.
ac.     172708  IN      NS      ns1.communitydns.net.
ac.     172708  IN      NS      a.nic.ac.
ac.     172708  IN      NS      b.nic.io.
ac.     172708  IN      NS      ns3.icb.co.uk.
ac.     86400   IN      RRSIG   NS 8 1 86400 20140630163458 20140526153043 15896 ac. 
VZHivI5edUvEwYka2WNX7/A0ud5u+vGObZ54Aw/RpJuCMv3Q4VrLP3HFVmQCWdALxldamnYnUPiLnnhjWL/xaYrKHbvmIViws5nsDLMWy5jHzLxCBUtm4BudRq7sLcWNKwZi08eP9Gq2G4/aOhnGmhjQs6its+slrAhbXDc/n7I=
ac.     8622    IN      DS      23014 8 2 9f135b4b4c69c92383b997632e821e3c8ab9699658674cc96fde5405acb68b65
ac.     8622    IN      RRSIG   DS 8 1 86400 20140603000000 20140526230000 40926 . 
EsZz1A8kWMAzsg9+mrsLfdH78qOFd4HTKErJT7LuL20uOId6SvWT7br8hyK6XP7w3USSXsH4miYhH+oh8spxEH11KMgTOT0Lm2LE7W16asO0cHfN4SantZ8aeubDlDWbYj+DioqUuDUgqbMqeOxV3E42ROo0mINDOo+QxWj7GuU=
ac.     10709   IN      NSEC    academy. NS DS RRSIG NSEC 
ac.     10709   IN      RRSIG   NSEC 8 1 86400 20140603000000 20140526230000 40926 . 
TtCsZLK3YtFXiRHi4ZGKreWbrf1+97tA973i64k7RTT2GujHPv3MhpDP+IWlqcwvH1XcX5CBkleDbIBVGzxgenzewl31wF+ufw9DCbPlbli38y2S7Z5QK50Q+Sa3cJvFm0CagkM5s0owZxyZKdAdZbohWAy74ohb5gf+rjWOrR8=
academy.        172709  IN      NS      demand.beta.aridns.net.au.
academy.        172709  IN      NS      demand.alpha.aridns.net.au.
academy.        172709  IN      NS      demand.gamma.aridns.net.au.
academy.        172709  IN      NS      demand.delta.aridns.net.au.
academy.        86400   IN      RRSIG   NS 8 1 86400 20140609042557 20140510040258 9414 academy. 
dBGJK1r2Ay31FYTLFEfjXTdgQTQVOWlSsKWHu9hoC7fOwySFOhRtBh/Me/dpuHz2TqtCQ4pKBpu+CsAbWWrdrJz727CCRdmmhfClI+c70eO7oNoE5/zwchLOqmyLERaoInYi2Ra3PQYQpZc23PYy15jr8hblvKOx7cSW/RR4fZIaZFbVB3rGJtiDxSoTpCTA4evlUvcLVTIGfD4MJBLbXg==
academy.        86309   IN      DS      47032 8 2 e2a2dae3cc55e8ce27e9aea6217bda4a835bf2270c40749ad278e9a9b4aba132
academy.        86309   IN      RRSIG   DS 8 1 86400 20140603000000 20140526230000 40926 . 
AwaaZrLUSAiSaKw0NMkXRtvsUjH0rajpHGHwTaZ4ROf+4DYD3vpXqYIT7DQ6s/LMmZSPEhjzpH7OS8/gpomZZVyadfjQQ3/aLDej3vwImI5ZYHNr8Y6dJyFZ81ihyk+Xxu7l3cmt5mPlGIAQ87CYh8bz7tF6raor8hkqk0bNNls=
[walrus:~]% 
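
[Added example, not part of Joe Abley's message or of ldns: the NSEC walk described above, run offline over records that have already been fetched. Each NSEC record names the next owner in canonical order, so following those pointers from the apex until they wrap back lists every name in the zone. The function names are hypothetical; the first two NSEC lines of the sample come from the output above, and the closing academy. record is constructed so the short chain wraps.]

```python
# Sample input: NSEC lines for "." and "ac." are taken from the post's output;
# the "academy." NSEC is constructed so that this three-name chain closes.
SAMPLE = """\
.         10709  IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
ac.       172708 IN NS   a.nic.ac.
ac.       10709  IN NSEC academy. NS DS RRSIG NSEC
academy.  10709  IN NSEC . NS DS RRSIG NSEC
"""


def parse_nsec(text):
    """Map owner -> (next owner, list of types present) for each NSEC line."""
    chain = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2].upper() == "IN" and f[3].upper() == "NSEC":
            chain[f[0].lower()] = (f[4].lower(), f[5:])
    return chain


def walk(chain, apex="."):
    """Follow next-owner pointers from the apex until the chain wraps.

    Returns (names, complete). complete is False when an NSEC record is
    missing or the chain loops without returning to the apex.
    """
    names, seen, owner = [], set(), apex
    while owner not in seen:
        if owner not in chain:
            return names, False  # gap: no NSEC fetched for this owner
        seen.add(owner)
        nxt, types = chain[owner]
        names.append((owner, types))
        owner = nxt
    return names, owner == apex


def delegations(names):
    """Owners with NS but no SOA in the bitmap: delegated children (TLDs here)."""
    return [o for o, types in names if "NS" in types and "SOA" not in types]


if __name__ == "__main__":
    names, complete = walk(parse_nsec(SAMPLE))
    print("chain complete:", complete)
    for owner, types in names:
        print(owner, " ".join(types))
```
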

