The Internet DNS root nameservers are the servers which are authoritative for “.”, the apex of the DNS namespace. They are the starting point for resolving all public names. If you’re running a recursive server, you’re either relying on a built-in set of ‘root hints’, or you will have configured them manually.
So isn’t renumbering one of these vital servers a big deal for all Internet users?
Actually, no, it isn’t. There are 13 Internet root servers, many of them provisioned as multiple physical servers via Anycast. DNS resolution will still work as long as at least one root server is reachable. Moreover, because the DNS resolution protocol is designed to include a process known as ‘root priming’, recursive servers will learn and start using the new addresses almost immediately anyway.
H-Root can change its addresses, and if you do nothing, your DNS will carry on working.
Even better - if you are running ISC BIND with the default built-in root hints, and you’re upgrading regularly, you can rest assured that the next production versions of BIND to be released after 1st December 2015 will have updated H-Root’s addresses.
We have a Knowledgebase article that explains how “root priming” works: https://kb.isc.org/docs/aa-01309
If you are running your recursive servers with a manual root hints configuration, then we do recommend that soon after 1st December 2015, you update the H-Root addresses to accommodate this change. If you don’t, and you’re running BIND, you will start to see some warnings being logged periodically that will look a little like:
02-Dec-2015 10:21:32.196 general: warning: checkhints: h.root-servers.net/A (18.104.22.168) missing from hints
02-Dec-2015 10:21:32.196 general: warning: checkhints: h.root-servers.net/A (22.214.171.124) extra record in hints
(There will also be warnings regarding H-Root’s AAAA records.)
Administrators running with built-in root hints will continue to see the same warnings until they can upgrade to a new version of BIND that has the updated addresses.
Once you’ve upgraded BIND, or have updated your own manually-configured hints file, the logged warnings should cease.
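To make the two warning forms concrete, here is an added example (not ISC's code, and not BIND's actual checkhints implementation) that reproduces the comparison behind them: it parses a hand-maintained hints file and diffs its A/AAAA glue against the addresses a resolver would have learned by root priming. The hints file and the primed answer are constructed inline; the H-Root addresses are the two values quoted in the log excerpt above.

```python
import re

# Constructed sample input: a hand-maintained root hints file that still
# carries H-Root's pre-renumbering address (the "extra record" value from the
# page's log excerpt). A-Root's entry uses its long-standing real address.
STALE_HINTS = """\
.                        3600000  NS    A.ROOT-SERVERS.NET.
.                        3600000  NS    H.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  A     198.41.0.4
H.ROOT-SERVERS.NET.      3600000  A     22.214.171.124
"""

# Constructed stand-in for what root priming returns: the glue a resolver
# learned from a live NS query for "." (H-Root value from the page's log).
PRIMED_GLUE = {
    "a.root-servers.net": {("A", "198.41.0.4")},
    "h.root-servers.net": {("A", "18.104.22.168")},
}

# owner  TTL  [IN]  A|AAAA  address   (NS lines are deliberately skipped)
HINT_LINE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(A|AAAA)\s+(\S+)$")


def parse_hints(text):
    """Return {owner: {(rrtype, address)}} for the A/AAAA glue in a hints file."""
    glue = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        m = HINT_LINE.match(line)
        if m:
            owner = m.group(1).lower().rstrip(".")
            glue.setdefault(owner, set()).add((m.group(2), m.group(3)))
    return glue


def check_hints(hints, primed):
    """Diff configured glue against primed glue, in the shape BIND logs it.

    'missing from hints' = learned by priming but not configured;
    'extra record in hints' = configured but no longer served by the roots.
    """
    warnings = []
    for owner in sorted(set(hints) | set(primed)):
        configured, learned = hints.get(owner, set()), primed.get(owner, set())
        for rrtype, addr in sorted(learned - configured):
            warnings.append(f"checkhints: {owner}/{rrtype} ({addr}) missing from hints")
        for rrtype, addr in sorted(configured - learned):
            warnings.append(f"checkhints: {owner}/{rrtype} ({addr}) extra record in hints")
    return warnings


if __name__ == "__main__":
    for w in check_hints(parse_hints(STALE_HINTS), PRIMED_GLUE):
        print("general: warning:", w)
```

Running it against the stale file yields exactly the two warnings shown above; once the hints entry is updated to the primed address the list is empty, which is the state you want after reconfiguring.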
Even if there is a significant delay in your upgrade or reconfiguration, your DNS resolution will still not break because of this H-Root change. The combination of root priming and the built-in redundancy of the Internet namespace (13 root nameservers) provides a high degree of resilience.
Keep calm, and carry on…
Cathy Almond, Senior Support Engineer