Authoritative internal server - how do I get rid of...

jsdy at jsdy at
Tue May 21 12:04:03 UTC 2013

On 2013-05-21 04:57, Elmar K. Bins wrote:
> ... these annoying root lookups:
> error (host unreachable) resolving './DNSKEY/IN':
> error (host unreachable) resolving './NS/IN':
> ...
> Hi guys,
> I guess a few of you have seen and mitigated this before. We're 
> running
> a few BIND server strictly internally - for master zone loading, 
> actually.
> Those servers have no external connectivity. Since they seem to 
> routinely
> look up stuff concerning ".", I get a lot of the above error messages 
> due
> to - certainly - unreachability of anything outside local.
> Is there any way I can get those BIND9 servers to *not* look up root 
> stuff?
> Recursion is off, and the root hints file has been removed from the 
> local
> zone config. No effect.
> Any pointers would be much appreciated.

1   PTR   localhost

Seriously, some ways to redirect root are:
   - root.cache file naming your internal root servers, if any, and a 
hint root zone
   - master root zone that is empty [except for SOA and NS]
   - forward external lookups to external name servers

Or compile it excluding the built-in root hints file.

As far as the DNSKEY, is it possible that you have root's key still in 
your configuration, and that's why it's trying to look it up?

Joe Yao

More information about the bind-users mailing list