Acting as stealth slave for root zone

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Dec 8 08:51:51 UTC 2004


On Tue, Dec 07, 2004 at 07:18:19PM -0800,
 David Carmean <dlc at halibut.com> wrote 
 a message of 33 lines which said:

> Eventually, I tried something that I fully expected not to work: I
> tried to pull a copy of the root zone by zone transfer from the root
> servers themselves.  It worked!  I'd expected the query to be
> refused.

Why? You can have the root zone in many ways, and it is even signed:

# Fetch the signed root zone from InterNIC, verify the signature, then unpack it.
# error() is not part of the snippet as posted; a minimal version is assumed here
# so the script runs stand-alone.
error() { echo "$*" >&2; }

rm -f root.zone.*
wget --quiet ftp://rs.internic.net/domain/root.zone.gz.sig && wget --quiet ftp://rs.internic.net/domain/root.zone.gz
if [ $? != 0 ]; then
        error "Cannot retrieve root zone file"
        exit 1
fi
# The zone's signing key must already be in the local gpg keyring, or the verify fails.
gpg --quiet --verify root.zone.gz.sig
if [ $? != 0 ]; then
        error "[SECURITY] Bad signature of the root zone file"
        exit 1
fi
gunzip root.zone.gz

> So ... I set my test cache server up as a "stealth" slave for the
> root zone, and behold, no more bogus TLD queries to the roots.
 
The problem is that you need to be sure to refresh your copy of the
root zone often enough. 

> Is this new/temporary behavior?  The spirited discussion a few weeks
> ago engendered by the idea of grabbing the root zone by ftp would
> seem to indicate that zone transfers have not always been permitted.

I believe that F and K always authorized it.
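One way to act on the refresh concern raised above, as an added example that is not part of the original post: a check that refuses to treat a local root zone copy as current once the date encoded in its SOA serial (YYYYMMDDNN, as InterNIC's root.zone uses) is more than a given number of days old. It assumes the SOA record sits on a single line as in that file, and the zone data below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: before serving a locally held
# copy of the root zone, check that it is recent enough, using the YYYYMMDDNN
# serial of the apex SOA (InterNIC's root.zone layout, SOA assumed on one line).

# YYYYMMDD -> Julian Day Number in pure integer arithmetic, so the check needs no
# GNU date extensions. Leading zeros are stripped so 08 and 09 are not read as octal.
ymd_to_jdn() {
    yy=${1%????}; mm=${1%??}; mm=${mm#????}; dd=${1#??????}
    mm=${mm#0}; dd=${dd#0}
    ja=$(( (14 - mm) / 12 )); jy=$(( yy + 4800 - ja )); jm=$(( mm + 12 * ja - 3 ))
    echo $(( dd + (153 * jm + 2) / 5 + 365 * jy + jy / 4 - jy / 100 + jy / 400 - 32045 ))
}

# Serial of the apex SOA record in a zone file (empty if none is found).
root_zone_serial() {
    awk '$1 == "." && $4 == "SOA" { print $7; exit }' "$1"
}

# root_zone_age_ok FILE MAX_DAYS [TODAY_AS_YYYYMMDD]
# Returns 0 if the copy is at most MAX_DAYS old, 1 if it is stale, 2 if the serial
# is missing or not in YYYYMMDDNN form. TODAY defaults to the current UTC date.
root_zone_age_ok() {
    serial=$(root_zone_serial "$1")
    case "$serial" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unusable SOA serial '$serial' in $1" >&2; return 2 ;;
    esac
    today=${3:-$(date -u +%Y%m%d)}
    age=$(( $(ymd_to_jdn "$today") - $(ymd_to_jdn "${serial%??}") ))
    if [ "$age" -gt "$2" ]; then
        echo "root zone copy is $age days old (serial $serial): refresh it" >&2
        return 1
    fi
    return 0
}

# Constructed sample in root.zone layout (not real root zone data), serial dated
# the day before this thread.
SAMPLE_ZONE=${TMPDIR:-/tmp}/root.zone.sample.$$
trap 'rm -f "$SAMPLE_ZONE"*' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
.     86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2004120700 1800 900 604800 86400
.     518400 IN  NS   a.root-servers.net.
com.  172800 IN  NS   a.gtld-servers.net.
EOF

# Checked against the day of the thread the copy is one day old; by year end it is stale.
root_zone_age_ok "$SAMPLE_ZONE" 7 20041208 && echo "root zone copy is fresh enough to serve"
```

Run from cron against the file the stealth slave actually loads, the non-zero exit can trigger a re-fetch and signature check before a stale copy keeps answering.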