I commented out the include for the root.hints and things are working still
so obviously it is built in even though the string search is not working
on my binary.
On 02/15/2013 12:57 PM, Robert Moskowitz wrote:
On 02/15/2013 12:37 PM, Chris Buxton wrote:
On Feb 14, 2013, at 8:49 AM, Shawn Bakhtiar wrote:
Running bind rooted on FC 16 using the standard package.
The ca file is located in /var/named/chroot/var/named/named.ca
The hints are not built in.
[shawn@www ~]$ strings /usr/sbin/named | grep A.ROOT-SERVERS.NET
returns nothing.
Yes they are. All versions of BIND since 9.3 or so have had the root
hints built in. Even Red Hat's version. Unfortunately, Warren missed
a trick of some sort -- I suspect that if you strip the binary, the
'strings' command won't find the values. But they're still there.
Adam Tkac would not remove this from the Red Hat SRPM.
I will do some more testing with this to see if I can indeed remove
the root.hint includes. But I have a question. I have tried to dig
in my server for the root info like you can a root server, but
obviously this is not the way to do it, as I get an empty list
even though I know I can resolve names that I am not authoritative for.
I tried
dig +bufsize=4096 . ns @localhost
(and without the bufsize) and it comes back with a warning that
recursion requested but not available and an empty list. More
interesting is that in /var/log/messages it shows:
named[2872]: client ::1#57049: view external: query (cache) './NS/IN' denied
I would think this should go to my internal view? I even put
127.0.0.1 into my match-clients/destinations network list and it is
still using the external view.
Root hints, as somebody pointed out, are just hints. There is no
reason to focus on making sure they're 100% accurate. There's also no
point in stripping the IPv6 addresses out of the root hints zone if
you don't have IPv6 -- the real list will be fetched (by DNS query)
from the servers in the hints file, including all of their IPv6
addresses.
If your DNS server doesn't have IPv6 connectivity, I have two
comments for you:
- Why not? It's easy to get a tunnel, if nothing else is available.
I have a /48 allocated to my home lab :) (I also have a /26 IPv4
allocation here)
- Start named with the -4 argument to prevent it from trying to
contact IPv6 addresses.
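On the view-matching question above: the denied query in the log came from ::1, the IPv6 loopback, which an ACL containing only 127.0.0.1 does not cover, so the query fell through to the external view. The following named.conf fragment is an added example, not configuration posted by anyone in the thread; the ACL and view names and the 192.0.2.0/24 network are assumed.

```conf
// Added example: views that send both loopback addresses to the recursive view.
// Names "trusted", "internal" and "external" are assumed; 192.0.2.0/24 is a constructed
// placeholder for the real internal network.
acl "trusted" {
    127.0.0.1;      // IPv4 loopback
    ::1;            // IPv6 loopback: the source of "client ::1#57049: view external ... denied"
    192.0.2.0/24;   // constructed: replace with the real internal network
};

view "internal" {
    // A query from ::1 to ::1 must match BOTH lists, so ::1 has to be in both.
    match-clients      { trusted; };
    match-destinations { trusted; };
    recursion yes;
    allow-recursion    { trusted; };
    allow-query-cache  { trusted; };
    // The thread reports the root hints are compiled into named, so an explicit
    // hint zone for "." is optional here; if kept, keep the file current.
};

view "external" {
    match-clients { any; };
    recursion no;                   // authoritative answers only for everyone else
    allow-query-cache { none; };    // no cache (including "./NS") for outside clients
    // Once views are used, every zone must live inside a view; put the
    // authoritative zones served to the Internet here.
};
```

After reloading, `dig . NS @127.0.0.1` and `dig . NS @::1` should both be answered from the internal view, and the query log should no longer show the external view for either loopback address.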
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users