Re: Repotting report

[Mark Andrews <Mark_Andrews () isc org>]

In article <D2EFA74C-EE9C-4189-BF18-43E73B7C7892 () ca afilias info> you write:
> On 4-Feb-2008, at 16:05, Iljitsch van Beijnum wrote:
>
> > And the new named.root has arrived:
> >
> > ftp://rs.internic.net/domain/named.root
>
> I seem to think it has become fairly widespread practice for people to  
> refresh their named.root files (or whatever they decide to call it)  
> using something like this:
>
> $ dig . NS >named.root
>
> This worked before today. From today, it still works (in the sense  
> that it will still result in a named.root file which is sufficiently  
> complete in most situations for a nameserver to be able to send a  
> priming query) but it won't contain a complete set of glue.
>
> So, if you're in the habit of doing
>
>   dig . NS >named.root
>
> you would ideally change that habit to something like
>
>   curl -O ftp://rs.internic.net/domain/named.root

        Why?  dig is quite capable of coping.

        Depending apon dig's age and firewall configuration one or
        more of these will work.

        dig +edns=0 . NS @a.root-servers.net > named.root
        dig +bufsize=1200 . NS @a.root-servers.net > named.root
        dig +vc . NS @a.root-servers.net > named.root

        As none of these sets DO, they should suffice for the
        foreseeable future.

        When DNSSEC is deployed for the root and root-servers.net
        you will want to do crypto checks.  Even then the above
        queries won't break.

        Mark

> instead. (Incidentally, for me, rs.internic.net is giving "530 Login  
> incorrect" after PASS when logging in using "ftp" 
>
>
> Joe