Re: Re: Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-10 Thread Mark Andrews 

In message , Timothe Litt writes:
> The most sensible thing to do is ignore the message, and keep named
> reasonably up-to-date.

Well something in the resolution path is changing the answer to
return the old  address which is why I suggested that there may
be a forwarder involved.  One should get a answer like this from
all of the root server addresses.  The exact ordering of the records
may differ.  If one doesn't then something on the path is modifying
the response.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> ns . +norec 
@a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29723
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  b.root-servers.net.
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  d.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  j.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 518400  IN  A   198.41.0.4
b.root-servers.net. 518400  IN  A   192.228.79.201
c.root-servers.net. 518400  IN  A   192.33.4.12
d.root-servers.net. 518400  IN  A   199.7.91.13
e.root-servers.net. 518400  IN  A   192.203.230.10
f.root-servers.net. 518400  IN  A   192.5.5.241
g.root-servers.net. 518400  IN  A   192.112.36.4
h.root-servers.net. 518400  IN  A   198.97.190.53
i.root-servers.net. 518400  IN  A   192.36.148.17
j.root-servers.net. 518400  IN  A   192.58.128.30
k.root-servers.net. 518400  IN  A   193.0.14.129
l.root-servers.net. 518400  IN  A   199.7.83.42
m.root-servers.net. 518400  IN  A   202.12.27.33
a.root-servers.net. 518400  IN  2001:503:ba3e::2:30
b.root-servers.net. 518400  IN  2001:500:200::b
c.root-servers.net. 518400  IN  2001:500:2::c
d.root-servers.net. 518400  IN  2001:500:2d::d
e.root-servers.net. 518400  IN  2001:500:a8::e
f.root-servers.net. 518400  IN  2001:500:2f::f
g.root-servers.net. 518400  IN  2001:500:12::d0d
h.root-servers.net. 518400  IN  2001:500:1::53
i.root-servers.net. 518400  IN  2001:7fe::53
j.root-servers.net. 518400  IN  2001:503:c27::2:30
k.root-servers.net. 518400  IN  2001:7fd::1
l.root-servers.net. 518400  IN  2001:500:9f::42
m.root-servers.net. 518400  IN  2001:dc3::35

;; Query time: 179 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Mon Sep 11 10:09:10 AEST 2017
;; MSG SIZE  rcvd: 811

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-10 Thread Timothe Litt 
The most sensible thing to do is ignore the message, and keep named
reasonably up-to-date.

I used to maintain a local hints file with a script that periodically
downloads and updates it (from internic or the DNS), reconfiguring named
when it changes.  It works well - but it's really not worth the effort. 
I've switched to just using the built-in hints.

The hints are only used to locate a root server ("root priming"); as the
message indicates, once any one is found, named will query it  for the
current servers/addresses and check for consistency.   It uses the query
results; the multiple hints provide redundancy for the initial query -
but you don't need all 13 (26) to be correct.  The only reason to worry
is if most of the hint addresses go stale at once - which would be
unprecedented in the history of the DNS.

Note that when root server addresses go stale, the convention is that
the old address is kept in service for some time after the change, so
there's plenty of time for clients to catch up with no impact.  For B
root, the plan is at least 6 months. 
(https://b.root-servers.org/news/2017/06/01/new-ipv6.html)

There does seem to be an issue where if cache memory size is small &
root references rare, the root server records are evicted - causing the
hints to be re-fetched and the messages repeated.  Arguably, named
should treat these as more precious than other records when doing cache
evictions.

But they're just informational messages.  You should run a reasonably
current version of named for security and performance.  As long as you
do, the built-in hints will be perfectly adequate.  Even if you don't,
the hint addresses from a decade ago are adequate to bootstrap named. 
The only good reason to have private hints is if you have an alternate
DNS universe - which is highly discouraged.

For more detail, see
https://kb.isc.org/article/AA-01309/0/Root-hints-a-collection-of-operational-and-configuration-FAQs.html

Bottom line is that these messages are a nuisance & in almost all cases
the most effective use of your time is to ignore them... The effort of
maintaining a private copy of the root hints isn't worthwhile.


Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

On 09-Sep-17 23:14, Stefan Sticht wrote:
> Hi,
>
> thanks for all the suggestions.
>
> I have no forwarders configured.
> I started downloading and using the hints file from 
> ftp://FTP.INTERNIC.NET/domain/named.cache shortly after I noticed the problem.
>
> # grep B.ROOT /var/named/named.ca
> .360  NSB.ROOT-SERVERS.NET.
> B.ROOT-SERVERS.NET.  360  A 192.228.79.201
> B.ROOT-SERVERS.NET.  360    2001:500:200::b
>
> I wouldn’t expect a problem with my hints file.
>
> Thanks,
> Stefan
> .org
> https://lists.isc.org/mailman/listinfo/bind-users


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users