rz.verisign-grs.com root zone ftp access

Joe Abley jabley at hopcount.ca
Wed May 28 08:49:08 UTC 2014


On 28 May 2014, at 3:21, Martin Hannigan <hannigan at gmail.com> wrote:

> IIRC you can ftp to rs.internic.net (the IANA) and download zones to your
> heart's content. At least until "transition", I'd think this one is
> authoritative.
> 
> I don't exactly remember where you can pull it from, but I believe they
> offer it in XML too.
> 
> [ Paging Joe Abley ]

*twitch*

Half of this thread seems to be talking about the COM/NET zones, not the root zone, but since you asked...

<ftp://ftp.internic.net/domain/root.zone> is a service provided by ICANN.

<ftp://rs.internic.net/domain/root.zone> is a service provided by Verisign.

I think both services are provided under their respective agreements with NTIA (the IANA Functions Contract and the Cooperative Agreement) and hence those URLs can be expected to be somewhat stable. (We live in interesting times, but I don't sense a desire by anybody to change the IANA Functions as part of the management transition currently under discussion.) I don't remember the details of how the two sites above are provisioned, but I have a feeling that one is mirrored from the other.

Right now, from here, B-Root, C-Root, F-Root, G-Root, and K-Root respond positively to AXFR requests. Sending AXFR requests to instances of root servers is a bit unfriendly, in my opinion, since you're occupying TCP slots on nameservers that arguably would be better used for non-AXFR queries using TCP transport.

As Mehmet mentioned, xfr.cjr.dns.icann.org and xfr.lax.dns.icann.org are both dedicated AXFR servers from which the root zone (and other zones served by ICANN's DNS Operations department) can be retrieved. I am not aware of any commitment or requirement to provide those services, but I can't imagine the good people currently in that ICANN department would make them unavailable gratuitously.

Lastly, the root zone is signed with NSEC, which means you can walk the NSEC chain and recover the complete zone (see below, thanks Jelte). It occurs to me that this is actually a plausible way to prime your resolver with the full contents of the root zone, as an alternative to slaving the root zone, for people who think this kind of obsessive behaviour is useful. But maybe that's just the malarone talking.

I am not aware of anybody providing the contents of the root zone in XML format (and I'm not sure what value that would have to anybody). You may have been remembering the root zone trust anchor distribution format, as seen at <http://data.iana.org/root-anchors/root-anchors.xml>.


Joe

[walrus:~]% ldns-walk -f . | head -40
.	218447	IN	NS	i.root-servers.net.
.	218447	IN	NS	h.root-servers.net.
.	218447	IN	NS	m.root-servers.net.
.	218447	IN	NS	l.root-servers.net.
.	218447	IN	NS	j.root-servers.net.
.	218447	IN	NS	e.root-servers.net.
.	218447	IN	NS	d.root-servers.net.
.	218447	IN	NS	b.root-servers.net.
.	218447	IN	NS	f.root-servers.net.
.	218447	IN	NS	k.root-servers.net.
.	218447	IN	NS	g.root-servers.net.
.	218447	IN	NS	c.root-servers.net.
.	218447	IN	NS	a.root-servers.net.
.	487056	IN	RRSIG	NS 8 0 518400 20140603000000 20140526230000 40926 . gsG1xrmc32HKMscG4pEQjgTNg2UOKgXTEZEGjg5lY9X14ADCwNleAwfNXkeAS2cEEJI+Sj8P4gWvKCpgCi7rKSMVPapfelN8huMZHiplWsl0JyaHxkU6WwAa2ciBIayGuY7vsPY2LGudosN4th+5eXnB0gfIJFCuQjhaK3dI5iM=
.	86309	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2014052701 1800 900 604800 86400
.	86309	IN	RRSIG	SOA 8 0 86400 20140603000000 20140526230000 40926 . JZPdfvMZq/+k+ScgnPVp02j6PSYnA5ntR4TGiLHoeeLTWty7OY3ATas48mCxRZja8D/44VKV5COiXb3dNJNRnXtGqI1nuTWwGXmK/J52satKzLilkk/NtHjy1MxT1NQmgnPYFKNP4liE3vr0deTUYCPRkjDwveTCJ/NowB1OyWs=
.	45819	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
.	45819	IN	DNSKEY	256 3 8 AwEAAZvJd8ORk+jmZ41QMYbQ1XCpf60l6YJuHtnxn0VSh5a5vqwEjTST3/PZ4xhUFu2YcTfRNWxs9WTiGZl3MY/UlBIvzpLhKgKnf9Vk8sEU3q0nmOGFgE6jTi/cU95ATU/2dTQovMDv9XyWvrmj8KIG2brj6mF4S8GTae6G2GwbMF5v ;{id = 40926 (zsk), size = 1024b}
.	45819	IN	RRSIG	DNSKEY 8 0 172800 20140604235959 20140521000000 19036 . H6fUqoXYqDtYeDOZxBxBEXWsQ1APR6+MMboI74uSgdIkcm5B2zBQOwD+lYid1j3JJ1vhzONwk4PP31o1RG24P0iMqhwwaGXtoWLDeH3FSQxuVUdLA3DxIM0c8NdEzgCW36iH8zzcy/uzFwgPvw6/ksbd6Np+nu/bIw38XhGH61fkidahj1lTAUDIMXi4TM7igJ9bZgUtLViXN8sLeD4G+hrPZbydcksvZpVB8XFCvgKrHHMq3Ha7AO6cl2XDrn6/DodibcVBpMK07kL24NEVFre/jeqjiQWCms6GDuGkqRKaUf8Hdwl12rsmptIuDa70qNh3Pz+pbjNXXGuWlkyYdA==
.	10709	IN	NSEC	ac. NS SOA RRSIG NSEC DNSKEY 
.	10709	IN	RRSIG	NSEC 8 0 86400 20140603000000 20140526230000 40926 . DfkP4WFtbeus1jPx7viKJ9GAPlRvgJfgJzvRTA8zoAbteZyOD3zDOs64YcBoDt/0kQxpfa5RYKbEHTzquV8FiPyAZ91a5Syh0ml5tOoWIgxArLKAYpdW5sTKSOwYsrvZ3zb8Bwt9DTjrv7z7fPy8byVKyAJcN1vGB7odFOagHro=
ac.	172708	IN	NS	b.nic.ac.
ac.	172708	IN	NS	b.ns13.net.
ac.	172708	IN	NS	a.ns13.net.
ac.	172708	IN	NS	ns1.communitydns.net.
ac.	172708	IN	NS	a.nic.ac.
ac.	172708	IN	NS	b.nic.io.
ac.	172708	IN	NS	ns3.icb.co.uk.
ac.	86400	IN	RRSIG	NS 8 1 86400 20140630163458 20140526153043 15896 ac. VZHivI5edUvEwYka2WNX7/A0ud5u+vGObZ54Aw/RpJuCMv3Q4VrLP3HFVmQCWdALxldamnYnUPiLnnhjWL/xaYrKHbvmIViws5nsDLMWy5jHzLxCBUtm4BudRq7sLcWNKwZi08eP9Gq2G4/aOhnGmhjQs6its+slrAhbXDc/n7I=
ac.	8622	IN	DS	23014 8 2 9f135b4b4c69c92383b997632e821e3c8ab9699658674cc96fde5405acb68b65
ac.	8622	IN	RRSIG	DS 8 1 86400 20140603000000 20140526230000 40926 . EsZz1A8kWMAzsg9+mrsLfdH78qOFd4HTKErJT7LuL20uOId6SvWT7br8hyK6XP7w3USSXsH4miYhH+oh8spxEH11KMgTOT0Lm2LE7W16asO0cHfN4SantZ8aeubDlDWbYj+DioqUuDUgqbMqeOxV3E42ROo0mINDOo+QxWj7GuU=
ac.	10709	IN	NSEC	academy. NS DS RRSIG NSEC 
ac.	10709	IN	RRSIG	NSEC 8 1 86400 20140603000000 20140526230000 40926 . TtCsZLK3YtFXiRHi4ZGKreWbrf1+97tA973i64k7RTT2GujHPv3MhpDP+IWlqcwvH1XcX5CBkleDbIBVGzxgenzewl31wF+ufw9DCbPlbli38y2S7Z5QK50Q+Sa3cJvFm0CagkM5s0owZxyZKdAdZbohWAy74ohb5gf+rjWOrR8=
academy.	172709	IN	NS	demand.beta.aridns.net.au.
academy.	172709	IN	NS	demand.alpha.aridns.net.au.
academy.	172709	IN	NS	demand.gamma.aridns.net.au.
academy.	172709	IN	NS	demand.delta.aridns.net.au.
academy.	86400	IN	RRSIG	NS 8 1 86400 20140609042557 20140510040258 9414 academy. dBGJK1r2Ay31FYTLFEfjXTdgQTQVOWlSsKWHu9hoC7fOwySFOhRtBh/Me/dpuHz2TqtCQ4pKBpu+CsAbWWrdrJz727CCRdmmhfClI+c70eO7oNoE5/zwchLOqmyLERaoInYi2Ra3PQYQpZc23PYy15jr8hblvKOx7cSW/RR4fZIaZFbVB3rGJtiDxSoTpCTA4evlUvcLVTIGfD4MJBLbXg==
academy.	86309	IN	DS	47032 8 2 e2a2dae3cc55e8ce27e9aea6217bda4a835bf2270c40749ad278e9a9b4aba132
academy.	86309	IN	RRSIG	DS 8 1 86400 20140603000000 20140526230000 40926 . AwaaZrLUSAiSaKw0NMkXRtvsUjH0rajpHGHwTaZ4ROf+4DYD3vpXqYIT7DQ6s/LMmZSPEhjzpH7OS8/gpomZZVyadfjQQ3/aLDej3vwImI5ZYHNr8Y6dJyFZ81ihyk+Xxu7l3cmt5mPlGIAQ87CYh8bz7tF6raor8hkqk0bNNls=
[walrus:~]% 
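
The NSEC walk mentioned in the message, as an added example that is not part of the original post and not ldns code: it follows the next-name pointers in NSEC records offline and reports whether the chain closes back at the apex, which is the point at which the recovered zone is complete. The sample records are constructed from the output above, and the final `academy.` NSEC pointing back to `.` is an assumption made so the short chain closes.

```python
# Added example, not from the original post. SAMPLE is constructed from the
# ldns-walk output above with signatures and keys left out; the last line
# (academy. pointing back to the apex) is an assumption so the chain closes.
SAMPLE = """\
. 86309 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014052701 1800 900 604800 86400
. 10709 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
ac. 172708 IN NS a.nic.ac.
ac. 10709 IN NSEC academy. NS DS RRSIG NSEC
academy. 172709 IN NS demand.alpha.aridns.net.au.
academy. 10709 IN NSEC . NS DS RRSIG NSEC
"""


def parse_nsec(text):
    """Map each owner name to (next_name, types) taken from its NSEC record."""
    chain = {}
    for line in text.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata...
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NSEC":
            chain[fields[0].lower()] = (fields[4].lower(), fields[5:])
    return chain


def walk(chain, apex="."):
    """Follow next-name pointers from the apex.

    Returns (names, closed). closed is True only when the last NSEC points
    back to the apex, meaning every name in the zone was visited; a missing
    link or a loop that skips the apex gives closed=False.
    """
    names, seen, current = [], set(), apex
    while current in chain and current not in seen:
        seen.add(current)
        nxt, types = chain[current]
        names.append((current, types))
        current = nxt
    return names, bool(names) and current == apex


def delegations(names, apex="."):
    """Non-apex names with NS in the bitmap are delegations; DS marks signed ones."""
    return {name: "DS" in types for name, types in names if name != apex and "NS" in types}


if __name__ == "__main__":
    names, closed = walk(parse_nsec(SAMPLE))
    print("chain closed:", closed)
    for name, signed in delegations(names).items():
        print(name, "signed" if signed else "unsigned")
```

Run over a truncated capture such as the `head -40` output above, `walk` returns `closed=False` because the NSEC for `academy.` is missing, so the names recovered so far are not the whole zone.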



