Resurrecting part of a thread from last September, when I wrote:
On Sep 23 2008, Stephane Bortzmeyer wrote:

On Tue, Sep 23, 2008 at 02:07:43PM +0100, Chris Thompson <[email protected]> wrote a message of 20 lines which said:

[*] How do I know? Well dlv.isc.org uses NSEC records and is therefore "enumerable" :-) 113 DLV records at the end of July, 163 today.

[ 352 at a recent count, by the way ]

As the shadoks <http://en.wikipedia.org/wiki/Les_Shadoks> said, "Why do it simply when you can make it complicated?" :-)

dig AXFR is simpler...

Over-hasty analysis on my part. Having discovered that ns-ext.isc.org didn't allow zone transfers for dlv.isc.org, I obviously failed to note that the other official nameservers for it do allow them ...

Things have changed more than once since then. When the official
slaves changed to the current set, {ams,sfba,ord}.sns-pb.isc.org,
they didn't allow zone transfers, but the "hidden master" from the
SOA record, ns-int.isc.org still did. But in the last couple of
days it has started forbidding them as well.
So I suppose I will have to go back to enumerating via the NSEC
records after all ... :-)

Apart from vulgar curiosity [*] about the contents, there is a potential issue here. A validating nameserver using dlv.isc.org for lookaside makes a lot of queries to it (the TTLs and, most significantly, the negative TTL, are only 1 hour), and if network access to the official slaves were lost one would start getting SERVFAILs for everything. So a natural thought is that one could (stealth) slave dlv.isc.org, and survive loss of contact for up to its SOA.expire value (28 days at the moment). Of course, one ought to be validating the results of the zone transfer if one did this. Or I should say, were allowed by ISC to do it.

[*] Well, perhaps not all that vulgar. I have used lists of the zones secured via dlv.isc.org when arguing here about our own plans for moving to DNSSEC. The recent inclusion of the TLDs from the IANA ITAR is a good sign.

--
Chris Thompson
Email: [email protected]

