Re: [arin-announce] IN-ADDR.ARPA Zone Transfer Complete

[Doug Barton <dougb () dougbarton us>]

On 02/16/2011 15:13, Franck Martin wrote:
> ----- Original Message -----
> > From: "Joe Abley"<jabley () hopcount ca>
> > To: "Doug Barton"<dougb () dougbarton us>
> > Cc: "John Curran"<jcurran () arin net>, "NANOG"<nanog () merit edu>
> > Sent: Thursday, 17 February, 2011 12:05:16 PM
> > Subject: Re: [arin-announce] IN-ADDR.ARPA Zone Transfer Complete
> > On 2011-02-16, at 17:33, Doug Barton wrote:
> >
> > > 2. Is there any objection to having those servers listed in publicly
> > > available documentation on how to configure resolvers to slave the
> > > root
> > > and related zones?
> >
> > My personal opinion is that such advice is misguided,

Yes, I know. :)  I obviously believe that reasonable minds can differ on 
this topic, but as we've gone round about this before and I don't want 
to get too deep in the DNS weeds I'll just say that I respect your 
perspective on this topic, even though I disagree with it.

I should also add that the fact that this configuration can get out of 
sync and cause problems is not to be taken lightly. When I first started 
using and recommending this configuration 10 years ago my feeling was 
that the days of "set it and forget it" DNS were coming to an end since 
DNSSEC was "just around the corner." I was wrong about that on both 
counts, but I still believe that for those that are willing and able to 
take appropriate care with their DNS infrastructure that this 
configuration is a win.

> > but we place no
> > restrictions on the soundness of the reasons for transferring zones
> > from those places :-)
> Would it break DNSSEC ?

No. In my current configuration I have the root zone trust anchor 
configured and I just re-configured it to download ip6.arpa and 
in-addr.arpa from the ICANN servers Joe mentioned. Note the "ad" bit:

dig @127.0.0.1 6.0.1.0.0.2.ip6.arpa. ns +dnssec

; <<>> DiG 9.8.0rc1 <<>> @127.0.0.1 6.0.1.0.0.2.ip6.arpa. ns +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39677
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;6.0.1.0.0.2.ip6.arpa.          IN      NS

;; ANSWER SECTION:
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      sns-pb.isc.org.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      sec3.apnic.net.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      sunic.sunet.se.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      tinnie.arin.net.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      ns3.nic.fr.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      sec1.apnic.net.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      ns-pri.ripe.net.
6.0.1.0.0.2.ip6.arpa.   172800  IN      NS      munnari.oz.au.
6.0.1.0.0.2.ip6.arpa.	172800	IN	RRSIG	NS 5 8 172800 20110318135006 
20110216125006 63865 6.0.1.0.0.2.ip6.arpa. 
fe3wJGI5KHjrR2HasKojm8gpJxpQXcPY5Piy7c58XmSyzKlONxOTwvdC 
+Cjlw/XCfWCSc6IjNlmJm7kACRtQrOrv2PnvYan+1yslAJyguoTvl56j 
N+nOTD0VDlNeInKkonn/attHWvV+c05gxdXLEkW11PSdF1xtkDKgPkwV n54=

;; Query time: 376 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 16 16:07:34 2011
;; MSG SIZE  rcvd: 435



--

        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price.  :)  http://SupersetSolutions.com/