root.ca

Paul Vixie Paul_Vixie at isc.org
Tue Apr 8 17:11:26 UTC 2008


Chris Buxton <cbuxton at menandmice.com> writes:

> It would be nice if the name server did actually update the file with  
> the resulting cached list of root servers, but it doesn't.

when dnssec is eventually deployed, we will consider updating the file.
until then, the chance of getting flooded with spoofed-source responses
trying to guess our upstream query-id during boot time is just too high
(which is to say, it's epsilon zero and we need it to be real zero.)

those of us who want tracking, use the pgp keys published on the internet
ftp site to verify the contents of the file when it changes.  it's a
weekly cron job / perl script in a lot of places.

bind9 also has the root hints compiled in, and can warn when the hints
file is out of date.
-- 
Paul Vixie
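
Added example, not part of the original message and not ISC's or anyone's actual cron script: once a newly fetched hints file has passed PGP signature verification (assumed to have been done beforehand, e.g. with a detached signature), a tracking job can report exactly which root NS and address records changed before the file is installed. The sample records are constructed, using documentation-range addresses, and `parse_hints` / `diff_hints` are hypothetical names.

```python
import ipaddress

# Constructed sample data: addresses are from documentation ranges, not the real root zone.
INSTALLED = """\
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
"""
FETCHED = """\
; constructed sample of a newly fetched, signature-verified copy
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:DB8:BA3E::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
b.root-servers.net.      3600000      A     198.51.100.201
"""

def parse_hints(text):
    """Return (set of root NS names, set of (name, type, address)) from hints text."""
    ns, addrs = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()      # drop comments, split on whitespace
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: too few fields")
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if rtype == "NS" and owner == ".":
            ns.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)       # raises ValueError on a bad address
            if ip.version != (4 if rtype == "A" else 6):
                raise ValueError(f"line {lineno}: {rtype} record with IPv{ip.version} address")
            addrs.add((owner, rtype, str(ip)))     # str() normalises case and zero runs
        else:
            raise ValueError(f"line {lineno}: unexpected record {owner} {rtype}")
    # A hints file that lists a root server without any address for it is unusable.
    if not ns or ns - {a[0] for a in addrs}:
        raise ValueError("no root NS records, or an NS name without an address")
    return ns, addrs

def diff_hints(old_text, new_text):
    """Sorted lists of records removed from / added to the hints between two copies."""
    (old_ns, old_addr), (new_ns, new_addr) = parse_hints(old_text), parse_hints(new_text)
    old = {(".", "NS", n) for n in old_ns} | old_addr
    new = {(".", "NS", n) for n in new_ns} | new_addr
    return sorted(old - new), sorted(new - old)
```

Calling `diff_hints(INSTALLED, FETCHED)` returns the removed and added records as two lists; a malformed or incomplete file raises `ValueError` so the job can refuse to install it.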


More information about the bind-users mailing list