Re: Re: Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
In message, Timothe Litt writes: > The most sensible thing to do is ignore the message, and keep named > reasonably up-to-date. Well something in the resolution path is changing the answer to return the old address which is why I suggested that there may be a forwarder involved. One should get a answer like this from all of the root server addresses. The exact ordering of the records may differ. If one doesn't then something on the path is modifying the response. ; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> ns . +norec @a.root-servers.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29723 ;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 518400 IN NS a.root-servers.net. . 518400 IN NS b.root-servers.net. . 518400 IN NS c.root-servers.net. . 518400 IN NS d.root-servers.net. . 518400 IN NS e.root-servers.net. . 518400 IN NS f.root-servers.net. . 518400 IN NS g.root-servers.net. . 518400 IN NS h.root-servers.net. . 518400 IN NS i.root-servers.net. . 518400 IN NS j.root-servers.net. . 518400 IN NS k.root-servers.net. . 518400 IN NS l.root-servers.net. . 518400 IN NS m.root-servers.net. ;; ADDITIONAL SECTION: a.root-servers.net. 518400 IN A 198.41.0.4 b.root-servers.net. 518400 IN A 192.228.79.201 c.root-servers.net. 518400 IN A 192.33.4.12 d.root-servers.net. 518400 IN A 199.7.91.13 e.root-servers.net. 518400 IN A 192.203.230.10 f.root-servers.net. 518400 IN A 192.5.5.241 g.root-servers.net. 518400 IN A 192.112.36.4 h.root-servers.net. 518400 IN A 198.97.190.53 i.root-servers.net. 518400 IN A 192.36.148.17 j.root-servers.net. 518400 IN A 192.58.128.30 k.root-servers.net. 518400 IN A 193.0.14.129 l.root-servers.net. 518400 IN A 199.7.83.42 m.root-servers.net. 518400 IN A 202.12.27.33 a.root-servers.net. 518400 IN 2001:503:ba3e::2:30 b.root-servers.net. 518400 IN 2001:500:200::b c.root-servers.net. 518400 IN 2001:500:2::c d.root-servers.net. 518400 IN 2001:500:2d::d e.root-servers.net. 518400 IN 2001:500:a8::e f.root-servers.net. 518400 IN 2001:500:2f::f g.root-servers.net. 518400 IN 2001:500:12::d0d h.root-servers.net. 518400 IN 2001:500:1::53 i.root-servers.net. 518400 IN 2001:7fe::53 j.root-servers.net. 518400 IN 2001:503:c27::2:30 k.root-servers.net. 518400 IN 2001:7fd::1 l.root-servers.net. 518400 IN 2001:500:9f::42 m.root-servers.net. 518400 IN 2001:dc3::35 ;; Query time: 179 msec ;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) ;; WHEN: Mon Sep 11 10:09:10 AEST 2017 ;; MSG SIZE rcvd: 811 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
The most sensible thing to do is ignore the message, and keep named reasonably up-to-date. I used to maintain a local hints file with a script that periodically downloads and updates it (from internic or the DNS), reconfiguring named when it changes. It works well - but it's really not worth the effort. I've switched to just using the built-in hints. The hints are only used to locate a root server ("root priming"); as the message indicates, once any one is found, named will query it for the current servers/addresses and check for consistency. It uses the query results; the multiple hints provide redundancy for the initial query - but you don't need all 13 (26) to be correct. The only reason to worry is if most of the hint addresses go stale at once - which would be unprecedented in the history of the DNS. Note that when root server addresses go stale, the convention is that the old address is kept in service for some time after the change, so there's plenty of time for clients to catch up with no impact. For B root, the plan is at least 6 months. (https://b.root-servers.org/news/2017/06/01/new-ipv6.html) There does seem to be an issue where if cache memory size is small & root references rare, the root server records are evicted - causing the hints to be re-fetched and the messages repeated. Arguably, named should treat these as more precious than other records when doing cache evictions. But they're just informational messages. You should run a reasonably current version of named for security and performance. As long as you do, the built-in hints will be perfectly adequate. Even if you don't, the hint addresses from a decade ago are adequate to bootstrap named. The only good reason to have private hints is if you have an alternate DNS universe - which is highly discouraged. For more detail, see https://kb.isc.org/article/AA-01309/0/Root-hints-a-collection-of-operational-and-configuration-FAQs.html Bottom line is that these messages are a nuisance & in almost all cases the most effective use of your time is to ignore them... The effort of maintaining a private copy of the root hints isn't worthwhile. Timothe Litt ACM Distinguished Engineer -- This communication may not represent the ACM or my employer's views, if any, on the matters discussed. On 09-Sep-17 23:14, Stefan Sticht wrote: > Hi, > > thanks for all the suggestions. > > I have no forwarders configured. > I started downloading and using the hints file from > ftp://FTP.INTERNIC.NET/domain/named.cache shortly after I noticed the problem. > > # grep B.ROOT /var/named/named.ca > .360 NSB.ROOT-SERVERS.NET. > B.ROOT-SERVERS.NET. 360 A 192.228.79.201 > B.ROOT-SERVERS.NET. 360 2001:500:200::b > > I wouldn’t expect a problem with my hints file. > > Thanks, > Stefan > .org > https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users