NS ROOT queries to root servers

Tony Finch dot at dotat.at
Fri Jan 19 12:11:06 UTC 2018


Medina, Antonio <antonio.medina at gibtele.com> wrote:
>
> We have noticed that each query forwarded towards root servers creates
> an extra NS ROOT query.

This is due to a long-standing bug which was recently fixed. You need
change number 4770 - see
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=blob;f=CHANGES;hb=v9_9#l169

Complain to your vendor if it isn't present in their mystery meat version.

> In addition, we are going to configure a second provider that has warned
> us that they do not reply to NS ROOT queries. Could this pose a problem
> for our DNS servers? Is it possible to instruct our DNS servers not to
> perform root priming?

Jeez, are they deliberately trying to break things? :-)

You should find that it works as they require if you configure the root
zone on your server as a static-stub zone, with the server-addresses
clause pointing at your upstreams. From a brief test I think this
suppresses the priming queries, but I'm running bleeding edge BIND, so
your mileage may vary.

I have a crazy setup on my test server, with a local mirror of the root
zone (which feeds https://twitter.com/diffroot). Because BIND does not
normally validate authoritative data, I have separate views for
authoritative service and recursive service. The rec view is configured
with static-stub versions of all the auth zones, pointing at localhost.
When I remove the static-stub root zone and restart the server, it logs
about sending priming queries; when I restart with my usual configuration
it does not.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Irish Sea: Westerly 5 to 7, occasionally gale 8 at first, becoming variable 3
or 4. Moderate or rough, becoming slight. Wintry showers, rain later in south.
Good, occasionally poor.
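
Added example, not part of the original message or of anyone's actual configuration: a named.conf fragment for the static-stub root zone suggested above. The upstream addresses, directory path and ACL choices are assumptions (the addresses are documentation placeholders).

```conf
// Constructed named.conf fragment for a recursive server whose
// upstream providers do not answer ". NS" priming queries.

options {
    directory "/var/named";                      // assumed path
    recursion yes;
    allow-recursion { localhost; localnets; };   // assumed client ACL
};

// Root zone as static-stub: named treats the listed addresses as the
// name servers for "." instead of learning them from root hints.
// This stanza replaces any existing
//     zone "." { type hint; file "..."; };
// because two zones named "." cannot coexist in the same view.
zone "." {
    type static-stub;
    server-addresses {
        192.0.2.53;       // placeholder: first upstream provider
        198.51.100.53;    // placeholder: second upstream provider
    };
};
```

Check the file with named-checkconf before restarting, then compare the startup log with and without the zone "." stanza, as the message describes, to confirm whether priming queries are still sent by your BIND version.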

