Building a fresh named.root

Robert Moskowitz rgm at htt-consult.com
Fri Feb 15 17:57:32 UTC 2013


On 02/15/2013 12:37 PM, Chris Buxton wrote:
>
> On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:
>
>>
>> Running bind rooted on FC 16 using the standard package.
>>
>> The ca file is located in /var/named/chroot/var/named/named.ca
>>
>> The hints are not built in.
>> [shawn at www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
>> returns nothing.
>
> Yes they are. All versions of BIND since 9.3 or so have had the root 
> hints built in. Even Red Hat's version. Unfortunately, Warren missed a 
> trick of some sort -- I suspect that if you strip the binary, the 
> 'strings' command won't find the values. But they're still there. Adam 
> Tkac would not remove this from the Red Hat SRPM.

I will do some more testing with this to see if I can indeed remove the 
root.hint includes.  But I have a question.  I have tried to dig in my 
server for the root info like you can a root server, but obviously this 
is not the way to do it, as I get an empty list even though I know I can 
resolve names that I am not authoritative for.

I tried

dig +bufsize=4096 . ns @localhost

(and without the bufsize) and it comes back with a warning that 
recursion requested but not available and an empty list.  More 
interestingly is that in /var/log/messages it shows:

named[2872]: client ::1#57049: view external: query (cache) './NS/IN' denied

I would think this should go to my internal view?  I even put 127.0.0.1 
into my match-clients/destinations network list and it is still using 
the external view.

>
> Root hints, as somebody pointed out, are just hints. There is no 
> reason to focus on making sure they're 100% accurate. There's also no 
> point in stripping the IPv6 addresses out of the root hints zone if 
> you don't have IPv6 -- the real list will be fetched (by DNS query) 
> from the servers in the hints file, including all of their IPv6 addresses.
>
> If your DNS server doesn't have IPv6 connectivity, I have two comments 
> for you:
>
> - Why not? It's easy to get a tunnel, if nothing else is available.

I have a /48 allocated to my home lab  :)  (I also have a /26 IPv4 
allocation here)

>
> - Start named with the -4 argument to prevent it from trying to 
> contact IPv6 addresses.

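The view-selection problem described above (a query from ::1 landing in the "external" view even though 127.0.0.1 was added to match-clients) comes down to the ACL not covering the IPv6 loopback. The following named.conf is an added illustration, not configuration from anyone in this thread; the network prefixes in it are constructed documentation ranges, and the zone names are placeholders.

```conf
// Added example (not from the thread): two-view named.conf showing why
// a query from ::1 can fall through to the "external" view.
// 192.0.2.0/24 and 2001:db8::/48 are constructed documentation prefixes.

// Weak ACL: only the IPv4 loopback is listed. "dig @localhost" may
// connect to ::1, which matches nothing here and drops into "external".
acl "trusted-weak" { 127.0.0.1; 192.0.2.0/24; };

// Corrected ACL: both loopbacks plus the lab prefixes. The built-in
// "localhost" ACL already matches every address on the server's own
// interfaces, including ::1; the explicit entries are kept for clarity.
acl "trusted" { localhost; 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8::/48; };

options {
    directory "/var/named";
    listen-on    { any; };
    listen-on-v6 { any; };
};

view "internal" {
    match-clients      { trusted; };   // use "trusted-weak" to reproduce the denial
    match-destinations { any; };
    recursion yes;
    allow-recursion    { trusted; };
    // No "type hint" zone: named falls back to its compiled-in root hints.
    // Internal-only zones would go here.
};

view "external" {
    match-clients      { any; };
    match-destinations { any; };
    recursion no;                      // -> "recursion requested but not available"
    allow-query-cache  { none; };      // -> "query (cache) './NS/IN' denied" in the log
    // Public authoritative zones only, e.g. zone "example.com" (placeholder name).
};
```

To confirm which view answers, query each loopback explicitly (`dig . ns @127.0.0.1` and `dig . ns @::1`) rather than `@localhost`, since the hostname may resolve to either address depending on /etc/hosts ordering. The `client ::1#... view external:` prefix in the log line is the quickest way to see both the source address and the view that was selected.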
