On Tue, Dec 07, 2004 at 07:18:19PM -0800,
David Carmean wrote
a message of 33 lines which said:

> Eventually, I tried something that I fully expected not to work: I
> tried to pull a copy of the root zone by zone transfer from the root
> servers themselves. It worked! I'd expected the query to be
> refused.


Why? You can have the root zone in many ways, and it is even signed:

rm -f root.zone.*
wget --quiet ftp://rs.internic.net/domain/root.zone.gz.sig && wget --quiet ftp://rs.internic.net/domain/root.zone.gz
if [ $? != 0 ]; then
error "Cannot retrieve root zone file"
exit 1
fi
gpg --quiet --verify root.zone.gz.sig
if [ $? != 0 ]; then
error "[SECURITY] Bad signature of the root zone file"
exit 1
fi
gunzip root.zone.gz

> So ... I set my test cache server up as a "stealth" slave for the
> root zone, and behold, no more bogus TLD queries to the roots.


The problem is that you need to be sure to refresh your copy of the
root zone often enough.

> Is this new/temporary behavior? The spirited discussion a few weeks
> ago engendered by the idea of grabbing the root zone by ftp would
> seem to indicate that zone transfers have not always been permitted.


I believe that F and K always authorized it.