builtin hints working - Re: Building a fresh named.root

Robert Moskowitz rgm at htt-consult.com
Fri Feb 15 18:56:08 UTC 2013


I commented out include for the root.hints and things are working still 
so obviously it is built in even though the string search is not working 
on my binary.


On 02/15/2013 12:57 PM, Robert Moskowitz wrote:
>
> On 02/15/2013 12:37 PM, Chris Buxton wrote:
>>
>> On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:
>>
>>>
>>> Running bind rooted on FC 16 using the standard package.
>>>
>>> The ca file is located in /var/named/chroot/var/named/named.ca
>>>
>>> The hints are not built in.
>>> [shawn@www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
>>> returns nothing.
>>
>> Yes they are. All versions of BIND since 9.3 or so have had the root 
>> hints built in. Even Red Hat's version. Unfortunately, Warren missed 
>> a trick of some sort -- I suspect that if you strip the binary, the 
>> 'strings' command won't find the values. But they're still there. 
>> Adam Tkac would not remove this from the Red Hat SRPM.
>
> I will do some more testing with this to see if I can indeed remove 
> the root.hint includes.  But I have a question.  I have tried to dig 
> in my server for the root info like you can a root server, but 
> obviously this is not the way to do it, as I get an empty list 
> even though I know I can resolve names that I am not authoritative for.
>
> I tried
>
> dig +bufsize=4096 . ns @localhost
>
> (and without the bufsize) and it comes back with a warning that 
> recursion requested but not available and an empty list.  More 
> interesting is that in /var/log/messages it shows:
>
> named[2872]: client ::1#57049: view external: query (cache) './NS/IN' denied
>
> I would think this should go to my internal view?  I even put 
> 127.0.0.1 into my match-clients/destinations network list and it is 
> still using the external view.
>
>>
>> Root hints, as somebody pointed out, are just hints. There is no 
>> reason to focus on making sure they're 100% accurate. There's also no 
>> point in stripping the IPv6 addresses out of the root hints zone if 
>> you don't have IPv6 -- the real list will be fetched (by DNS query) 
>> from the servers in the hints file, including all of their IPv6 
>> addresses.
>>
>> If your DNS server doesn't have IPv6 connectivity, I have two 
>> comments for you:
>>
>> - Why not? It's easy to get a tunnel, if nothing else is available.
>
> I have a /48 allocated to my home lab  :)  (I also have a /26 IPv4 
> allocation here)
>
>>
>> - Start named with the -4 argument to prevent it from trying to 
>> contact IPv6 addresses.
>

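Added example (not part of the original thread, and not BIND's own code): a small Python model of view selection applied to the log line quoted above, showing how a client of ::1 falls through to the external view when only 127.0.0.1 is listed for the internal view. The view definitions and the 192.0.2.0/24 network are constructed, the destination is assumed to be ::1 as well, and ACLs are simplified to `any` and IP prefixes.

```python
import ipaddress
import re

# Log line copied from the message above.
LOG_LINE = ("named[2872]: client ::1#57049: view external: "
            "query (cache) './NS/IN' denied")

# Constructed views (assumption: the poster's named.conf is not shown).
# Each entry is (name, match-clients, match-destinations), in config order.
VIEWS_AS_DESCRIBED = [
    ("internal", ["127.0.0.1", "192.0.2.0/24"], ["127.0.0.1", "192.0.2.0/24"]),
    ("external", ["any"], ["any"]),
]
VIEWS_WITH_V6_LOOPBACK = [
    ("internal", ["127.0.0.1", "::1", "192.0.2.0/24"],
                 ["127.0.0.1", "::1", "192.0.2.0/24"]),
    ("external", ["any"], ["any"]),
]

def parse_client(line):
    """Return (client_address, view_name) from a named client/view log line."""
    m = re.search(r"client (\S+)#\d+: view (\S+):", line)
    if not m:
        raise ValueError("not a named client/view log line")
    return m.group(1), m.group(2)

def acl_matches(acl, addr):
    """Simplified address match list: 'any' or IP prefixes, no negation."""
    for element in acl:
        if element == "any":
            return True
        net = ipaddress.ip_network(element, strict=False)
        # An IPv4 prefix never matches an IPv6 address, and vice versa.
        if net.version == addr.version and addr in net:
            return True
    return False

def select_view(views, client, destination):
    """named picks the first view whose match-clients AND
    match-destinations both match the query."""
    src = ipaddress.ip_address(client)
    dst = ipaddress.ip_address(destination)
    for name, clients, destinations in views:
        if acl_matches(clients, src) and acl_matches(destinations, dst):
            return name
    return None

if __name__ == "__main__":
    client, logged_view = parse_client(LOG_LINE)
    print(client, logged_view, select_view(VIEWS_AS_DESCRIBED, client, client))
```
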