Re: [DNSOP] RFC7720 and AXFR

Evan Hunt <each@isc.org> Sun, 28 October 2018 16:44 UTC

Date: Sun, 28 Oct 2018 16:44:42 +0000
From: Evan Hunt <each@isc.org>
To: "A. Schulze" <sca@andreasschulze.de>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vLbEIoP25fZL2E2nxAmXT8fRX18>
Subject: Re: [DNSOP] RFC7720 and AXFR

On Sun, Oct 28, 2018 at 01:32:51PM +0100, A. Schulze wrote:
> RFC 2870 (Root Name Server Operational Requirements) says
> 
> 	2.7 Root servers SHOULD NOT answer AXFR, or other zone transfer,
>             queries from clients other than other root servers.
> 
> The update, RFC 7720 (DNS Root Name Service Protocol and Deployment
> Requirements) doesn't even mention AXFR at all.  All I found is
> https://tools.ietf.org/html/rfc7720#section-2
> 
> 	o MUST implement core DNS [RFC1035] and clarifications to the DNS
> 	[RFC2181].
> 
> Is AXFR a strict requirement for root-servers today?

As a relatively new consideration, root zone local mirroring (RFC 7706)
depends on at least a subset of root servers being able to provide the
zone via AXFR. The configuration examples in the appendix specify B, F,
G, and K.

I've been assured by ISC folks that we'll always serve AXFR on F, but I
don't know if that commitment is in writing, nor whether the other roots
that currently support it have made any promises to keep doing so.

IMHO it would be nice if all 13 letters provided AXFR service, but at a
minimum it's important for *some* of them to do so.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.