root hints

Barry Margolin barmar at
Sat Jan 29 04:12:29 UTC 2011

In article <mailman.1562.1296270623.555.bind-users at>,
 Joseph S D Yao <jsdy at> wrote:

> [This does leave a security hole - if a root name server's IP changes,
> and a Bad Guy gets the old one; or on another internet, if the Bad Guy
> gets all the IP addresses in the default file.  It's not just lust for
> control that has me using a visible root hints file.]

I'm sure the folks who run these networks are quite aware of this 
danger.  If a root server changes, I'll bet it will be several years 
before the old address goes to some other organization.

How would a Bad Guy get these blocks, anyway?  Since when do 
organizations return IP blocks?

And if you check the registrations, several of them are assigned 
specifically to reserve the blocks for root servers.  Presumably the 
intent is that even if the organizations operating them change, the IPs 
shouldn't -- they simply route the IPs to someone else.

inetnum: -
netname:        NSPIXP-2
descr:          root DNS server

NetRange: -
OriginAS:       AS20144
NetName:        L-ROOT

Barry Margolin, barmar at
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
