Setting up a Root name server

Scott Morizot tmorizot at ccsi.com
Fri Sep 3 22:04:21 UTC 1999


On 3 Sep 99, at 14:23, chris wrote:
> I'm going to add my internal root server to the hint file. I will leave all the
> other root name servers in there as well, since the RTT on my server should be
> better than all the rest, the resolvers will automatically use it.

The entries in the hints file are not authoritative.  As soon as a
name server gets an authoritative list of name servers for the root
zone back in a query, it will replace that information with the
authoritative information.  Unless it happens to query your
name server, that list will not include your "root" server.

Unless, of course, you can have your name server added to the
list of servers authoritative for the root zone.  In which
case, it will be visible to everyone in the world, just
like the other root servers.  A.ROOT is, I believe, the
master for the root zone.  It's listed as the SOA anyway.

The only way you could ensure that your internal nameservers
always queried your fake root server is to remove all the
root servers from the hints file they all use and then
remove the other root servers from the NS list in the
root zone you run on your fake root.  And even that
won't prevent them from following a referral returned
by an external server.

If it's down, your internal systems will lose connectivity.
And if the root zone changes, you will have to manually make
the changes before they see it.

> > What Barry pointed out is also correct:  that most of the benefit would come
> > from having a local com name server.  But, as I've said, com is well over a
> > gigabyte at this point, and BIND loads all that zone data into memory.
> 
> If this will work I have the OK for 2gig of ram for this server.

You would experience the same problems with the com zone.  Only
multiplied many times.  You would have to list only it in your
fake internal root.  You would have to remove the other nameservers
from the NS list for com in its zone.  And you would have to manually
keep up with a very large zone that frequently changes.

> Welp, I'm in the ISI building, drop me an e-mail and we can talk about it. I
> really think this will speed things up. My CTO thought it was a great idea; I'm
> just having one hell of a time fighting back the lack of information in this
> area....

Fake roots only really work if you have an internal DNS environment 
that is not connected to the 'net at all (with or without a
proxy based firewall).  I run one of our internal roots in
such a configuration at work.  On the 'net, you are either fully
part of the official group of authoritative servers or
you are not really part of it at all.  You can't really
fake it or go halfway.

What you describe not only wouldn't work as you anticipate,
it's a pretty bad idea.

Scott
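As an added illustration of the priming behaviour described in the reply above (example code written for this page, not from the post and not BIND's own code): a resolver uses the hints file only to find a server to send the priming query ". IN NS" to; an authoritative answer to that query replaces the hint list, so an entry that is in the hints but not in the root zone's NS set is dropped. The second case models the isolated setup Scott says does work, where both the hints and the zone's NS set contain only the internal server. The root hostnames, the server name ns.internal-root.example, and the DNS packets are all constructed for the example; only three root names are listed to keep it short.

```python
import struct

# Constructed hints file: two real root names plus the poster's proposed
# internal root under a hypothetical name (ns.internal-root.example).
HINTS = [
    "a.root-servers.net.",
    "b.root-servers.net.",
    "ns.internal-root.example.",   # hypothetical internal "root"
]

# Constructed NS set for "." as a real root server would return it
# (shortened to three names for the example).
ROOT_NS_SET = ["a.root-servers.net.", "b.root-servers.net.", "c.root-servers.net."]

TYPE_NS, CLASS_IN, FLAG_AA = 2, 1, 0x0400


def encode_name(name, msg, table):
    """Append `name` to `msg` in RFC 1035 wire format, emitting a compression
    pointer for any suffix already recorded in `table` (suffix -> offset)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            msg += struct.pack("!H", 0xC000 | table[suffix])
            return
        table[suffix] = len(msg)
        label = labels.pop(0).encode("ascii")
        msg += bytes([len(label)]) + label
    msg += b"\x00"  # root label terminates the name


def build_priming_response(txid, ns_names, aa=True, ttl=518400):
    """Construct a response to the priming query '. IN NS' listing `ns_names`."""
    flags = 0x8000 | (FLAG_AA if aa else 0)       # QR set; AA per caller
    msg = bytearray(struct.pack("!HHHHHH", txid, flags, 1, len(ns_names), 0, 0))
    table = {}
    encode_name(".", msg, table)                  # QNAME "."
    msg += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for target in ns_names:
        encode_name(".", msg, table)              # owner "."
        msg += struct.pack("!HHIH", TYPE_NS, CLASS_IN, ttl, 0)  # RDLENGTH patched below
        start = len(msg)
        encode_name(target, msg, table)           # RDATA, possibly compressed
        struct.pack_into("!H", msg, start - 2, len(msg) - start)
    return bytes(msg)


def decode_name(msg, off):
    """Decode a (possibly compressed) name at `off`; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_priming_response(msg):
    """Return (flags, [NS targets for '.']) from a priming response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    targets = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if owner == "." and rtype == TYPE_NS and rclass == CLASS_IN:
            targets.append(decode_name(msg, off)[0])
        off += rdlen
    return flags, targets


def prime(hints, response):
    """Model of resolver priming: hints only locate a server to ask; an
    authoritative answer for '. NS' replaces them entirely."""
    flags, authoritative = parse_priming_response(response)
    if not flags & FLAG_AA:
        return list(hints)                        # no authoritative answer yet
    return authoritative


if __name__ == "__main__":
    # Case 1: mixed hints, a real root answers -> the internal server disappears.
    print(prime(HINTS, build_priming_response(0x1234, ROOT_NS_SET)))
    # Case 2: isolated network -> hints and the zone's NS set list only the
    # internal server, so nothing else is ever used.
    isolated = ["ns.internal-root.example."]
    print(prime(isolated, build_priming_response(0x1235, isolated)))
```

The model also shows why the RTT argument does not help: once the authoritative NS set is cached, the internal server is not a candidate at all, regardless of how fast it answered the priming query. The isolated case only holds for as long as no external referral ever reaches the resolver, which is the caveat the reply makes.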



More information about the bind-users mailing list