Root hints in Ubuntu

grigory · 10-25-2015, 11:08 PM

Hello!

I've checked the /etc/bind/db.root text file and all the root name server IP's are current (I've checked the IP's one by one). So BIND9 reads this file and knows how to find root servers.
The output of dig . ns command shows me this. Why I can't see in the output the actual IP addresses? Is that normal???

;; ANSWER SECTION:
. 13309 IN NS i.root-servers.net.
. 13309 IN NS e.root-servers.net.
. 13309 IN NS g.root-servers.net.
. 13309 IN NS d.root-servers.net.
. 13309 IN NS b.root-servers.net.
. 13309 IN NS a.root-servers.net.
. 13309 IN NS m.root-servers.net.
. 13309 IN NS l.root-servers.net.
. 13309 IN NS k.root-servers.net.
. 13309 IN NS j.root-servers.net.
. 13309 IN NS f.root-servers.net.
. 13309 IN NS c.root-servers.net.
. 13309 IN NS h.root-servers.net.

Then why some people include this in their configuration files?

zone "." {
type hint;
file "root.hints";
};

OR:

zone "." {
type hint;
file "db.root";
};

chrism01 · 10-26-2015, 03:26 AM

1. in the first place any given root server eg a.root-servers.net will in fact be a cluster so its always up.

2. DNS is a tree structure and you've got to initialise your system with the root of the system. Also, it means that even if you don't have any zonefiles configured, your system can always fall back to the root if absolutely necessary.
In reality it'll probably pick from eg your ISP's DNS servers.

(AFAIK)

bathory · 10-26-2015, 04:45 AM

@OP

Quote:

The output of dig . ns command shows me this. Why I can't see in the output the actual IP addresses? Is that normal???

No, the default is to also show the root servers IPs in the Additional Section.
Could be that your dig command is aliased with the +noadd option, e.g:

Code:

dig +noadd . ns

; <<>> DiG 9.10.3 <<>> . ns +noadd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31316
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 24

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       512229  IN      NS      i.root-servers.net.
.                       512229  IN      NS      b.root-servers.net.
.                       512229  IN      NS      j.root-servers.net.
.                       512229  IN      NS      m.root-servers.net.
.                       512229  IN      NS      c.root-servers.net.
.                       512229  IN      NS      e.root-servers.net.
.                       512229  IN      NS      d.root-servers.net.
.                       512229  IN      NS      l.root-servers.net.
.                       512229  IN      NS      a.root-servers.net.
.                       512229  IN      NS      k.root-servers.net.
.                       512229  IN      NS      h.root-servers.net.
.                       512229  IN      NS      g.root-servers.net.
.                       512229  IN      NS      f.root-servers.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 26 11:40:57 EET 2015
;; MSG SIZE  rcvd: 727

Re. the hint zone take a look here

Regards

grigory · 10-26-2015, 06:00 AM

Thanks for your replies, but I still don't understand.
I enter dig . ns command without anything special. Same as I did when I saw ISP's output with root servers IP's.
What if I don't bother adding root hints into my BIND configuration. What exactly would I lose? That's another part that your answer didn't make clear to me. Frankly, it's BIND's problem what it's gonna do. Whether it would turn for help to my ISP's servers or someone else's. Why would I worry about that? The only thing that concerns me is that my DNS server works Okay.

bathory · 10-26-2015, 07:30 AM

Quote:

What if I don't bother adding root hints into my BIND configuration. What exactly would I lose?

You won't loose anything, because bind has already a compiled-in list of root servers.
Quote from the link in my previous post:

Quote:

If you are running an authoritative only server or an internal name service on a closed network you do not need the root.servers file or 'hint' zone. Even if the hint zone file is not defined BIND 9 has an internal list which it uses.

grigory · 10-26-2015, 09:02 AM

O.K. now I understand. Thank you!