root hints operation

Mark Andrews marka at
Tue Nov 17 22:22:28 UTC 2015

In message <564BA6E9.2050408 at>, Dave Warren writes:
> On 2015-11-17 14:13, Mark Andrews wrote:
> > In message <564BA3E3.9060008 at>, Dave Warren writes:
> >> On 2015-11-16 18:09, Grant Taylor wrote:
> >>> It's my understanding that ALL of the root servers would have to
> >>> change all of their addresses at the same time for DNS to be impacted.
> >> Or, the IP formerly used as a root server could turn malicious and start
> >> offering an alternate response. This would only impact resolvers that
> >> had outdated root hints, and also happened to try that particular IP
> >> first, but it's at least a theoretical risk.
> > Which is why those addresses get held back from reassignment.  It is a
> > known risk that is mitigated.
> Understood and agreed, there's little real-world risk, but it's 
> important to understand that this risk is mitigated by policy, not by 
> technology.

Given the root zone is signed and most of the TLD's are also signed
there is little a rogue operator can do besides causing a DoS if
you validate the returned answers.

> -- 
> Dave Warren
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list