builtin hints working - Re: Building a fresh named.root
Robert Moskowitz
rgm at htt-consult.com
Fri Feb 15 18:56:08 UTC 2013
I commented out the include for the root.hints and things are still working,
so obviously it is built in even though the string search is not working
on my binary.
On 02/15/2013 12:57 PM, Robert Moskowitz wrote:
>
> On 02/15/2013 12:37 PM, Chris Buxton wrote:
>>
>> On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:
>>
>>>
>>> Running bind rooted on FC 16 using the standard package.
>>>
>>> The ca file is located in /var/named/chroot/var/named/named.ca
>>>
>>> The hints are not built in.
>>> [shawn at www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
>>> returns nothing.
>>
>> Yes they are. All versions of BIND since 9.3 or so have had the root
>> hints built in. Even Red Hat's version. Unfortunately, Warren missed
>> a trick of some sort -- I suspect that if you strip the binary, the
>> 'strings' command won't find the values. But they're still there.
>> Adam Tkac would not remove this from the Red Hat SRPM.
>
> I will do some more testing with this to see if I can indeed remove
> the root.hint includes. But I have a question. I have tried to dig
> in my server for the root info like you can a root server, but
> obviously this is not the way to do it, as I get an empty list
> even though I know I can resolve names that I am not authoritative for.
>
> I tried
>
> dig +bufsize=4096 . ns @localhost
>
> (and without the bufsize) and it comes back with a warning that
> recursion requested but not available and an empty list. More
> interesting is that /var/log/messages shows:
>
> named[2872]: client ::1#57049: view external: query (cache) './NS/IN'
> denied
>
> I would think this should go to my internal view? I even put
> 127.0.0.1 into my match-clients/destinations network list and it is
> still using the external view.
>
>>
>> Root hints, as somebody pointed out, are just hints. There is no
>> reason to focus on making sure they're 100% accurate. There's also no
>> point in stripping the IPv6 addresses out of the root hints zone if
>> you don't have IPv6 -- the real list will be fetched (by DNS query)
>> from the servers in the hints file, including all of their IPv6
>> addresses.
>>
>> If your DNS server doesn't have IPv6 connectivity, I have two
>> comments for you:
>>
>> - Why not? It's easy to get a tunnel, if nothing else is available.
>
> I have a /48 allocated to my home lab :) (I also have a /26 IPv4
> allocation here)
>
>>
>> - Start named with the -4 argument to prevent it from trying to
>> contact IPv6 addresses.
>
>
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
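The denied query is worth looking at next to the log line quoted above: named logs the client as `::1`, the IPv6 loopback, while the match-clients list was extended with `127.0.0.1` only, so the query falls through to the external view where recursion is not available. BIND picks the first view in named.conf order whose match-clients ACL matches. The following added example (not code from this thread or from BIND) models that first-match selection with Python's ipaddress module so you can check which view a given client would land in; the view layout, ACL contents and prefixes are assumed and use documentation address ranges.

```python
"""Which BIND view does a client land in?

Added example (not code from this thread or from BIND). BIND evaluates views in
the order they appear in named.conf and hands the query to the first view whose
match-clients ACL matches the client address; a recursive query that lands in a
view without recursion is logged as "query (cache) ... denied". The ACLs and
prefixes below are constructed (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress
from typing import List, Tuple

View = Tuple[str, List[str]]  # (view name, match-clients ACL)

# The layout the thread describes: an internal view for local clients (the only
# one allowing recursion) and a catch-all external view. Constructed ACLs.
INTERNAL_V4_ONLY = ["127.0.0.1", "192.0.2.0/24"]                          # loopback listed as IPv4 only
INTERNAL_FIXED = ["127.0.0.1", "::1", "192.0.2.0/24", "2001:db8:1::/48"]  # both loopbacks listed


def acl_matches(acl: List[str], client: str) -> bool:
    """True if client is matched by a BIND-style address ACL.

    Supports single addresses, CIDR prefixes, the builtins "any"/"none" and a
    leading "!" for negation. The first matching element decides, as in BIND.
    """
    addr = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        target = element.lstrip("!").lower()
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            net = ipaddress.ip_network(target, strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return not negate
    return False


def select_view(views: List[View], client: str) -> str:
    """Name of the first view whose match-clients ACL matches, else '<none>'."""
    for name, acl in views:
        if acl_matches(acl, client):
            return name
    return "<none>"  # named would refuse the query entirely


def make_views(internal_acl: List[str]) -> List[View]:
    """Two-view layout: internal first, then an external view matching everything."""
    return [("internal", internal_acl), ("external", ["any"])]


def recursion_outcome(views: List[View], client: str,
                      recursive_views: Tuple[str, ...] = ("internal",)) -> Tuple[str, bool]:
    """(view selected, whether a recursive query such as '. NS' is answered there)."""
    view = select_view(views, client)
    return view, view in recursive_views


if __name__ == "__main__":
    # dig @localhost connected over ::1, as the quoted log line shows
    for acl in (INTERNAL_V4_ONLY, INTERNAL_FIXED):
        print(acl, "->", recursion_outcome(make_views(acl), "::1"))
```

With the IPv4-only list the loopback client `::1` reaches the external view and the recursive query is refused; once `::1` is listed (or the builtin `localhost` ACL, which covers the server's own addresses, is used) the same query lands in the internal view. Forcing `dig -4 @localhost` sidesteps the problem for a test but leaves the view mismatch in place.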
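Chris's point that the hints file only has to get a priming query to one live root server, after which the resolver learns the current NS set and glue (IPv6 included) from the answer, can be checked mechanically. The following added example (not code from this thread or from BIND) parses a hints file and a priming answer, both in zone-file form, and reports how they differ and whether the hints could still prime; all records are constructed, with documentation addresses rather than the real root server addresses.

```python
"""Check a root-hints file against a live priming answer.

Added example (not code from this thread or from BIND). Both inputs are in
zone-file form: HINTS mimics a named.ca / named.root hints file, PRIMING_ANSWER
mimics the answer and additional sections a priming query ("dig . NS" sent to
one hint address) returns. All data is constructed; the addresses are RFC 5737 /
RFC 3849 documentation ranges, not the real root server addresses.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple

Record = Tuple[str, str]  # (rrtype, rdata)

HINTS = """\
; constructed hints: IPv4 only, and B's address is out of date
.                    3600000      NS    A.ROOT-SERVERS.NET.
.                    3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000      A     192.0.2.4
B.ROOT-SERVERS.NET.  3600000      A     198.51.100.201
"""

PRIMING_ANSWER = """\
; constructed priming answer as a resolver would learn it from a hint address
.                    518400  IN  NS    a.root-servers.net.
.                    518400  IN  NS    b.root-servers.net.
.                    518400  IN  NS    c.root-servers.net.
a.root-servers.net.  518400  IN  A     192.0.2.4
a.root-servers.net.  518400  IN  AAAA  2001:db8::4
b.root-servers.net.  518400  IN  A     198.51.100.202
b.root-servers.net.  518400  IN  AAAA  2001:db8::b
c.root-servers.net.  518400  IN  A     203.0.113.12
"""


def parse_zone(text: str) -> Dict[str, Set[Record]]:
    """Collect NS/A/AAAA records per owner name from zone-file text.

    Comments (';'), an optional TTL and an optional class are skipped; names
    are lower-cased because DNS names compare case-insensitively.
    """
    records: Dict[str, Set[Record]] = defaultdict(set)
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 3:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip TTL / class
        if len(rest) >= 2 and rest[0].upper() in ("NS", "A", "AAAA"):
            records[owner].add((rest[0].upper(), rest[1].lower()))
    return dict(records)


def root_names(zone: Dict[str, Set[Record]]) -> Set[str]:
    """Names of the root NS set in a parsed zone."""
    return {rdata for rtype, rdata in zone.get(".", set()) if rtype == "NS"}


def compare_hints(hints_text: str, live_text: str) -> Dict[str, set]:
    """Report how the hints differ from what the priming query returned."""
    hints, live = parse_zone(hints_text), parse_zone(live_text)
    h_names, l_names = root_names(hints), root_names(live)
    report = {
        "missing_from_hints": l_names - h_names,  # learned by priming anyway
        "no_longer_root": h_names - l_names,
        "stale_addresses": set(),                 # hint addresses a root no longer has
        "learned_ipv6": set(),                    # AAAA arriving although hints have none
    }
    for name in h_names & l_names:
        hint_addrs = {rd for _, rd in hints.get(name, set())}
        live_addrs = {rd for _, rd in live.get(name, set())}
        report["stale_addresses"] |= {(name, rd) for rd in hint_addrs - live_addrs}
        report["learned_ipv6"] |= {(name, rd) for rt, rd in live.get(name, set())
                                   if rt == "AAAA" and (rt, rd) not in hints.get(name, set())}
    return report


def hints_can_prime(hints_text: str, live_text: str) -> bool:
    """Priming only needs one hint address that still belongs to a live root server."""
    hints, live = parse_zone(hints_text), parse_zone(live_text)
    return any(rec in live.get(name, set())
               for name in root_names(hints)
               for rec in hints.get(name, set()))


if __name__ == "__main__":
    for key, value in compare_hints(HINTS, PRIMING_ANSWER).items():
        print(f"{key}: {sorted(value)}")
    print("hints can prime:", hints_can_prime(HINTS, PRIMING_ANSWER))
```

On the constructed data the hints lack one root server and carry one stale address, yet they still prime because A's address is current, and both AAAA records arrive with the priming answer even though the hints list none. That is why stripping IPv6 from the hints file gains nothing; if the server has no IPv6 path, `named -4` is the knob that actually keeps it off IPv6 transport.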