>> No, it requires a rebuild after changing lib/dns/rootns.c. But using a
>> mildly out-of-date hints file is usually harmless - it is only a *hint*.

> Right. One of the first things BIND does after starting up is query one of
> the root servers to get the current set of root servers.

Thanks. This is not what I am seeing using tcpdump and capturing port 53.

Using a test bind9.9.0 resolver, I restarted the bind9 service to clear the cache and load the built-in root hints. There was no DNS traffic for a minute until I issued the first dig query to the server. The first DNS packet transmitted was to send this query to the IPv4 address of i.root-servers.net (192.36.148.17). The second query, 300 microseconds later and also to i.root-servers.net, was for "NS <root>". I didn't see any packets querying for addresses of the root servers. It might be that if that second query returned the name of a new root server not in the built-in hints, bind9.9.0 would query for its address at some point.

> So the only potential problem would be if someone were to hijack one (or
> more) of the root servers and make it give out a bogus answer.