>> No, it requires a rebuild after changing lib/dns/rootns.c. But using a 
>> mildly out-of-date hints file is usually harmless - it is only a *hint*.

> Right. One of the first things BIND does after starting up is query one of 
> the root servers to get the current set of root servers.

Thanks. This is not what I am seeing using tcpdump and capturing port 53. Using 
a test bind9.9.0 resolver, I restarted the bind9 service to clear the cache and 
load the built-in root hints. There was no DNS traffic for a minute until I 
issued the first dig query to the server. The first DNS packet transmitted was 
to send this query to the IPv4 address of i.root-servers.net (192.36.148.17). 
The second query, 300 microsec later, also to i.root-servers.net, was for "NS 
<root>". I didn't see any packets querying for addresses of the root servers. 
It might be that if that second query returned the name of a new root server 
not in the built-in hints, bind9.9.0 would query for its address at some point.

> So the only potential problem would be if someone were to hijack one (or
> more) of the root servers and make it give out a bogus answer.
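As an added example (not code from this thread or from BIND), a small Python check that compares a named.root-style hints excerpt with the answer a priming "NS ." query returns, flagging servers the hints lack, servers no longer in the live set, and changed addresses. Both data sets are constructed samples; the B-root address is a placeholder, not a real one.

```python
# Added example: compare static root hints against a primed root NS answer.
# Both inputs are constructed samples, not real current root-server data.
import re

# Constructed excerpt in named.root / lib/dns/rootns.c zone syntax.
HINTS = """
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
"""

# Constructed priming answer as (owner, type, rdata) tuples, as one might
# collect from "dig NS ." output; B is a server the hints above lack.
PRIMED = [
    (".", "NS", "A.ROOT-SERVERS.NET."),
    (".", "NS", "I.ROOT-SERVERS.NET."),
    (".", "NS", "B.ROOT-SERVERS.NET."),
    ("A.ROOT-SERVERS.NET.", "A", "198.41.0.4"),
    ("I.ROOT-SERVERS.NET.", "A", "192.36.148.17"),
    ("B.ROOT-SERVERS.NET.", "A", "198.51.100.2"),   # placeholder address
]

RR = re.compile(r"^(\S+)\s+\d+\s+(NS|A|AAAA)\s+(\S+)$")

def parse_hints(text):
    """Return {root NS name: set of its addresses} from hints-style records."""
    ns, addrs = set(), {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        owner, rdata = owner.lower(), rdata.lower()
        if rtype == "NS" and owner == ".":
            ns.add(rdata)
        else:
            addrs.setdefault(owner, set()).add(rdata)
    return {n: addrs.get(n, set()) for n in ns}

def compare(hints, primed):
    """Diff the hints map against the primed answer (reused as hint records)."""
    live = parse_hints("\n".join(f"{o} 0 {t} {r}" for o, t, r in primed))
    return {
        "missing_from_hints": sorted(set(live) - set(hints)),
        "gone_from_root": sorted(set(hints) - set(live)),
        "address_mismatch": sorted(n for n in hints
                                   if n in live and hints[n] != live[n]),
    }

if __name__ == "__main__":
    print(compare(parse_hints(HINTS), PRIMED))
```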


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users