RFC 6303 and bind 9.9.0
Spain, Dr. Jeffry A.
spainj at countryday.net
Fri Mar 2 11:08:15 UTC 2012
>> No, it requires a rebuild after changing lib/dns/rootns.c. But using a
>> mildly out-of-date hints file is usually harmless - it is only a *hint*.
> Right. One of the first things BIND does after starting up is query one of the root servers to get the current set of root servers.
Thanks. This is not what I am seeing using tcpdump and capturing port 53. Using a test bind9.9.0 resolver, I restarted the bind9 service to clear the cache and load the built-in root hints. There was no DNS traffic for a minute until I issued the first dig query to the server. The first DNS packet transmitted was to send this query to the IPv4 address of i.root-servers.net (18.104.22.168). The second query, 300 microsec later, also to i.root-servers.net, was for "NS <root>". I didn't see any packets querying for addresses of the root servers. It might be that if that second query returned the name of a new root server not in the built-in hints, bind9.9.0 would query for its address at some point.
> So the only potential problem would be if someone were to hijack one (or
> more) of the root servers and make it give out a bogus answer.
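An added example, not part of this thread and not BIND's own code, showing what the "NS <root>" priming query described above looks like on the wire: a minimal DNS question encoder and decoder plus a check that flags a query for the root NS RRset, which is the packet to look for in a port-53 capture. The transaction ID and sample names are constructed for the example.

```python
import struct

QTYPE_NS = 2   # RR type NS
QCLASS_IN = 1  # class IN


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (12-byte header + one question)."""
    # flags 0x0100: standard query with RD set; QDCOUNT = 1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        if label:  # the root name "." yields no labels at all
            labels += bytes([len(label)]) + label.encode("ascii")
    labels += b"\x00"  # zero-length root label terminates the name
    return header + labels + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) from the first question of a DNS packet."""
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    qname = ".".join(labels) + "." if labels else "."
    return qname, qtype, qclass


def is_priming_query(packet: bytes) -> bool:
    """A priming query asks for the NS RRset of the root zone (QNAME ".")."""
    qname, qtype, qclass = parse_question(packet)
    return qname == "." and qtype == QTYPE_NS and qclass == QCLASS_IN


if __name__ == "__main__":
    # constructed samples: the priming query and an ordinary A query
    for pkt in (build_query(".", QTYPE_NS), build_query("www.example.com.", 1)):
        print(parse_question(pkt), "priming" if is_priming_query(pkt) else "other")
```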