[dns-operations] New addresses for b.root-servers.net

Dave Knight dave at knig.ht
Sat Jun 3 18:03:04 UTC 2023



> On Jun 3, 2023, at 1:22 AM, Doug Barton <dougb at dougbarton.us> wrote:
> 
> On 6/2/23 11:12 AM, Dave Knight wrote:
>> commented out the root hints file in /etc/bind/named.conf.default-zones
>> run named with debugging output enabled and tcpdump running, it primes itself and validates the priming response at startup
> 
> BIND does not "prime itself." That would be impossible. It has a compiled-in version of root hints that it falls back on if it cannot find one on the file system.

Said exactly that in my initial post in the thread.


> Regarding your assertion that you can validate the priming query with DNSSEC,

I suggested that we validate the priming response; we don't validate queries with DNSSEC.


> all you can validate is the NS set. The host records cannot be validated because root-servers.net is not signed.

Good point!

They're still used to replace what was provided in the root.hints after the priming response is received though.


dave


