configuring BIND9 correctly for root servers

Tue Nov 5 19:03:02 UTC 2002

On Tue, Nov 05, 2002 at 09:58:38AM -0800, Your name wrote:
> 
> I seem to have something set up incorrectly. Here are the results from
> a DIG on our DNS linux box.
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
> ; <<>> DiG 9.2.1 <<>>
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56270
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 4
> 
> ;; QUESTION SECTION:
> ;.                              IN      NS
> 
> ;; ANSWER SECTION:
> .                       437350  IN      NS      H.ROOT-SERVERS.NET.
> .                       437350  IN      NS      I.ROOT-SERVERS.NET.
> .                       437350  IN      NS      J.ROOT-SERVERS.NET.
> .                       437350  IN      NS      K.ROOT-SERVERS.NET.
> .                       437350  IN      NS      L.ROOT-SERVERS.NET.
> .                       437350  IN      NS      M.ROOT-SERVERS.NET.
> .                       437350  IN      NS      A.ROOT-SERVERS.NET.
> .                       437350  IN      NS      B.ROOT-SERVERS.NET.
> .                       437350  IN      NS      C.ROOT-SERVERS.NET.
> .                       437350  IN      NS      D.ROOT-SERVERS.NET.
> .                       437350  IN      NS      E.ROOT-SERVERS.NET.
> .                       437350  IN      NS      F.ROOT-SERVERS.NET.
> .                       437350  IN      NS      G.ROOT-SERVERS.NET.
> ;; ADDITIONAL SECTION:
> J.ROOT-SERVERS.NET.     523750  IN      A       198.41.0.10
> K.ROOT-SERVERS.NET.     523750  IN      A       193.0.14.129
> L.ROOT-SERVERS.NET.     523750  IN      A       198.32.64.12
> M.ROOT-SERVERS.NET.     523750  IN      A       202.12.27.33
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
> How do i correctly configure the system so that it sees the root
> servers A through J in the "additional section" ?
there is nothing wrong with your configuration. the root servers are "seen" by
the nameserver. look at the following example (from my openbsd lappy):
first query:
------------
ttyp0:saad at kenjiro [~]
19:54:59 {531}> dig . ns
[snip]
;; ANSWER SECTION:
.                       316064  IN      NS      H.ROOT-SERVERS.NET.
[...]
;; ADDITIONAL SECTION:
G.ROOT-SERVERS.NET.     604787  IN      A       192.112.36.4
L.ROOT-SERVERS.NET.     402464  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     402464  IN      A       202.12.27.33

note that the A RR for A.ROOT-SERVERS.NET. is not listed above.

second query:
-------------
ttyp0:saad at kenjiro [~]
19:55:09 {532}> dig @a.root-servers.net. com ns
[...]

third query (same as the first):
------------
ttyp0:saad at kenjiro [~]
19:57:20 {533}> dig . ns
[snip]
;; ANSWER SECTION:
.                       315891  IN      NS      J.ROOT-SERVERS.NET.
[...]
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     604757  IN      A       198.41.0.4
G.ROOT-SERVERS.NET.     604614  IN      A       192.112.36.4
L.ROOT-SERVERS.NET.     402291  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     402291  IN      A       202.12.27.33

Can't fight the Systemagic
Über tragic
-- 
Saad Kadhi -- [saad at docisland.org] [bsdguy at docisland.org]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---
"Si ce que tu dis n'est ni beau, ni bon, ni vrai, alors tais-toi!"
							    - Socrate