Building a fresh named.root
Robert Moskowitz
rgm at htt-consult.com
Fri Feb 15 17:57:32 UTC 2013
On 02/15/2013 12:37 PM, Chris Buxton wrote:
>
> On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:
>
>>
>> Running bind rooted on FC 16 using the standard package.
>>
>> The ca file is located in /var/named/chroot/var/named/named.ca
>>
>> The hints are not built in.
>> [shawn at www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
>> returns nothing.
>
> Yes they are. All versions of BIND since 9.3 or so have had the root
> hints built in. Even Red Hat's version. Unfortunately, Warren missed a
> trick of some sort -- I suspect that if you strip the binary, the
> 'strings' command won't find the values. But they're still there. Adam
> Tkac would not remove this from the Red Hat SRPM.
I will do some more testing with this to see if I can indeed remove the
root.hint includes. But I have a question. I have tried to dig in my
server for the root info like you can a root server, but obviously this
is not the way to do it, as I get an empty list even though I know I can
resolve names that I am not authoritative for.
I tried
dig +bufsize=4096 . ns @localhost
(and without the bufsize) and it comes back with a warning that
recursion requested but not available and an empty list. More
interestingly is that in /var/log/messages it shows:
named[2872]: client ::1#57049: view external: query (cache) './NS/IN' denied
I would think this should go to my internal view? I even put 127.0.0.1
into my match-clients/destinations network list and it is still using
the external view.
>
> Root hints, as somebody pointed out, are just hints. There is no
> reason to focus on making sure they're 100% accurate. There's also no
> point in stripping the IPv6 addresses out of the root hints zone if
> you don't have IPv6 -- the real list will be fetched (by DNS query)
> from the servers in the hints file, including all of their IPv6 addresses.
>
> If your DNS server doesn't have IPv6 connectivity, I have two comments
> for you:
>
> - Why not? It's easy to get a tunnel, if nothing else is available.
I have a /48 allocated to my home lab :) (I also have a /26 IPv4
allocation here)
>
> - Start named with the -4 argument to prevent it from trying to
> contact IPv6 addresses.
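The log line quoted above records the client as `::1`, the IPv6 loopback address, while the match-clients list was given `127.0.0.1`, the IPv4 loopback; `dig @localhost` on a dual-stack host commonly connects over IPv6 first, so the query never matches an IPv4-only ACL and falls through to the external view. The following script is an added example, not part of this thread or of BIND: it parses a "query denied" log line in the format shown above and checks the client address against a hypothetical match-clients ACL, with the ACL entries and the LAN range being constructed values.

```python
import ipaddress
import re

# Constructed sample line, modelled on the one quoted in the thread.
SAMPLE_LOG = ("named[2872]: client ::1#57049: view external: "
              "query (cache) './NS/IN' denied")

# Hypothetical match-clients ACL for an "internal" view: IPv4 loopback
# plus a constructed LAN range, with no IPv6 loopback entry.
INTERNAL_ACL_V4_ONLY = ["127.0.0.1", "192.168.0.0/16"]
# The same hypothetical ACL with the IPv6 loopback added.
INTERNAL_ACL_DUAL = ["127.0.0.1", "::1", "192.168.0.0/16"]

# Matches the "client ADDR#PORT: view NAME: query (cache) 'Q' denied"
# shape of the line quoted in the thread.
LOG_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query \(cache\) '(?P<q>[^']+)' denied"
)


def parse_denied(line):
    """Return the client address, port, view and query of a denied-query
    log line, or None if the line has a different shape."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "addr": m.group("addr"),
        "port": int(m.group("port")),
        "view": m.group("view"),
        "query": m.group("q"),
    }


def client_matches_acl(addr, acl):
    """True if addr falls inside any network listed in acl.  An IPv6
    address never matches an IPv4 entry, which is why ::1 is not
    covered by an ACL that lists only 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def explain(line, acl):
    """Combine both steps: which address the log shows, which view named
    chose, and whether that address would have matched the given ACL."""
    rec = parse_denied(line)
    if rec is None:
        return None
    return {
        "addr": rec["addr"],
        "view_in_log": rec["view"],
        "matched_internal": client_matches_acl(rec["addr"], acl),
    }


if __name__ == "__main__":
    for name, acl in (("v4-only", INTERNAL_ACL_V4_ONLY),
                      ("dual", INTERNAL_ACL_DUAL)):
        print(name, explain(SAMPLE_LOG, acl))
```

Run against the quoted line, the IPv4-only ACL reports no match for `::1` and the dual-stack ACL does; the practical remedies are to add `::1` (or BIND's built-in `localhost` ACL) to the internal view's match-clients, or to query `@127.0.0.1` explicitly when testing.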