root hints

Mark Andrews marka at
Sat Jan 29 15:11:51 UTC 2011

In message <barmar-A10CC5.23122928012011 at>, Barry Margolin writes:
> In article <mailman.1562.1296270623.555.bind-users at>,
>  Joseph S D Yao <jsdy at> wrote:
> > [This does leave a security hole - if a root name server's IP changes,
> > and a Bad Guy gets the old one; or on another internet, if the Bad Guy
> > gets all the IP addresses in the default file.  It's not just lust for
> > control that has me using a visible root hints file.]
> I'm sure the folks who run these networks are quite aware of this 
> danger.  If a root server changes, I'll bet it will be several years 
> before the old address goes to some other organization.
> How would a Bad Guy get these blocks, anyway?  Since when do 
> organizations return IP blocks?
> And if you check the registrations, several of them are assigned 
> specifically to reserve the blocks for root servers.  Presumably the 
> intent is that even if the organizations operating them change, the IPs 
> shouldn't -- they simply route the IPs to someone else.
> inetnum: -
> netname:        NSPIXP-2
> descr:          root DNS server
> NetRange: -
> CIDR: 
> OriginAS:       AS20144
> NetName:        L-ROOT
> -- 
> Barry Margolin, barmar at
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
> _______________________________________________
> bind-users mailing list
> bind-users at

And one can always turn on DNSSEC and then it doesn't matter which server
gives you the information.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
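The concern raised in the quoted message is a root hints file that has drifted from the addresses the root servers actually use. The following is an added example, not code from this thread, from ISC or from BIND: it parses a hints file in the db.cache/named.root zone format that BIND reads and diffs it against the answer a priming query (`. NS` plus the servers' address records) returns, so an operator can spot stale glue before relying on it. The root server host names are the real ones, but every address below is a constructed value from the RFC 5737/RFC 3849 documentation ranges, and the "current" priming data is constructed as well.

```python
"""Compare a BIND-format root hints file against a current priming response.

Added example for the bind-users thread; not ISC/BIND code.  Host names are
the real root server names, but ALL addresses are constructed documentation
addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32).
"""
from dataclasses import dataclass, field

# Constructed hints file in the db.cache / named.root zone format BIND reads.
STALE_HINTS = """\
;       Constructed root hints sample (addresses are NOT the real ones)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::a
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     198.51.100.201
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     203.0.113.12
"""

# Constructed "current" data, shaped like what a priming query returns today:
# B has moved to a new address and C is no longer delegated at all.
PRIMING = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.4", "2001:db8::a"},
    "B.ROOT-SERVERS.NET.": {"198.51.100.239"},
}


def parse_root_hints(text):
    """Parse hints zone text into {server name: set(addresses)}.

    Handles both 'owner ttl type rdata' and 'owner ttl IN type rdata' lines,
    skips ';' comments and blank lines, and compares names case-insensitively
    as DNS does.  Only glue for servers that '.' actually delegates to counts.
    """
    ns_names = set()
    addrs = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                          # not a full resource record
        owner, rtype, rdata = fields[0].upper(), fields[-2].upper(), fields[-1]
        if rtype == "NS" and owner == ".":
            ns_names.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata.lower())
    return {name: addrs.get(name, set()) for name in ns_names}


@dataclass
class HintsReport:
    stale: dict = field(default_factory=dict)        # host -> addrs no longer valid
    missing: dict = field(default_factory=dict)      # host -> addrs hints lack
    removed_servers: set = field(default_factory=set)  # in hints, not delegated now
    new_servers: set = field(default_factory=set)      # delegated now, absent in hints

    def is_current(self):
        return not (self.stale or self.missing
                    or self.removed_servers or self.new_servers)


def compare_hints(hints, current):
    """Diff parsed hints against current priming data.

    'stale' entries are the dangerous ones: an address the hints still name
    but the root server no longer uses, i.e. exactly the situation the quoted
    message worries about.
    """
    current = {k.upper(): {a.lower() for a in v} for k, v in current.items()}
    report = HintsReport()
    report.removed_servers = set(hints) - set(current)
    report.new_servers = set(current) - set(hints)
    for host in set(hints) & set(current):
        if hints[host] - current[host]:
            report.stale[host] = hints[host] - current[host]
        if current[host] - hints[host]:
            report.missing[host] = current[host] - hints[host]
    return report


if __name__ == "__main__":
    rep = compare_hints(parse_root_hints(STALE_HINTS), PRIMING)
    print("hints current:", rep.is_current())
    for host, a in rep.stale.items():
        print(f"STALE  {host} {sorted(a)}")
    for host, a in rep.missing.items():
        print(f"NEWADDR {host} {sorted(a)}")
    for host in sorted(rep.removed_servers):
        print(f"GONE   {host}")
```

In production the PRIMING dict would be filled from `dig . NS` and an address lookup per server name rather than a constructed literal. The check only tells you the hints have drifted; Mark's point still holds that with validation enabled (`dnssec-validation auto;` in BIND's named.conf) a resolver verifies the root zone data cryptographically, so a stale or hijacked hints address can at worst cause a lookup failure, not a forged answer.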
