Root hints updates

Timothe Litt litt at acm.org
Thu Sep 6 13:19:46 UTC 2012


>> Since the first thing BIND does at startup is to check the root NS set,
>> and since DNSSEC guarantees that it is genuine, is there still a use for
>> this tool?

Unless bind updates the hint file as a result of these checks, yes.

It's not a question of authenticity; named has to start somewhere to find
the root NS; this is the bootstrap cache. 

It wouldn't be a bad thing if bind did the update itself (sort of like
DNSSEC's 5011 for keys).  But so far as I know, it doesn't.

Since I run the tool, I can't say that I've ever seen a message from BIND
complaining about the root hints being out of date.  I know there was a root
hints update last June...  Does it sync to what it finds, or just complain?

Until someone authoritative tells me that BIND manages the hints file on its
own, I'm taking the conservative route and letting my tool run....

BTW, I do have systems that come on-line every 5 years or so.  Automation is
good :-)

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed. 
 
-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr] 
Sent: Thursday, September 06, 2012 09:08
To: Timothe Litt
Cc: bind-users at lists.isc.org
Subject: Re: Root hints updates

On Thu, Sep 06, 2012 at 08:06:45AM -0400,  Timothe Litt <litt at acm.org> wrote
a message of 466 lines which said:

> This is a script to automagically update the root hints file. 

Since the first thing BIND does at startup is to check the root NS set, and
since DNSSEC guarantees that it is genuine, is there still a use for this
tool?
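
An added example, not part of the thread and not the script it mentions: one way to check whether a hints file still matches the root NS set returned for a `. NS` query. The function names are hypothetical and both inputs are constructed samples using documentation address ranges, not real root server addresses.

```python
import ipaddress

# Constructed sample data: names follow the root-server naming scheme, but the
# addresses are documentation ranges (RFC 5737 / RFC 3849), not real ones.
HINTS_FILE = """\
; constructed root hints in named.root layout
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
"""
# Constructed stand-in for the answer to a ". NS" query plus its glue records.
LIVE_SET = """\
.                        518400  IN   NS    a.root-servers.net.
.                        518400  IN   NS    b.root-servers.net.
a.root-servers.net.      518400  IN   A     192.0.2.1
a.root-servers.net.      518400  IN   AAAA  2001:db8::1
b.root-servers.net.      518400  IN   A     198.51.100.2
b.root-servers.net.      518400  IN   AAAA  2001:db8::2
"""

def parse_records(text):
    """Return {(owner, type, rdata)} for NS/A/AAAA lines; TTL and class ignored."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, then tokenise
        if len(fields) < 3:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if rtype == "NS":
            rdata = rdata.lower()                 # DNS names are case-insensitive
        elif rtype in ("A", "AAAA"):
            rdata = str(ipaddress.ip_address(rdata))  # normalise, reject garbage
        else:
            continue
        records.add((owner, rtype, rdata))
    return records

def hints_drift(hints_text, live_text):
    """Compare a hints file with a live root NS set; return (stale, missing)."""
    hints, live = parse_records(hints_text), parse_records(live_text)
    return sorted(hints - live), sorted(live - hints)

if __name__ == "__main__":
    stale, missing = hints_drift(HINTS_FILE, LIVE_SET)
    print("stale in hints:", stale)
    print("missing from hints:", missing)
```
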



