>> Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine, is there still a use for this tool?
Unless bind updates the hint file as a result of these checks, yes.

It's not a question of authenticity; named has to start somewhere to find the root NS; this is the bootstrap cache.

It wouldn't be a bad thing if bind did the update itself (sort of like DNSSEC's 5011 for keys). But so far as I know, it doesn't.

Since I run the tool, I can't say that I've ever seen a message from BIND complaining about the root hints being out of date. I know there was a root hints update last June... Does it sync to what it finds, or just complain?

Until someone authoritative tells me that BIND manages the hints file on its own, I'm taking the conservative route and letting my tool run....

BTW, I do have systems that come on-line every 5 years or so. Automation is good :-)

---------------------------------------------------------
This communication may not represent my employer's views, if any, on the matters discussed.

-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: Thursday, September 06, 2012 09:08
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: Root hints updates

On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt <l...@acm.org> wrote a message of 466 lines which said:

> This is a script to automagically update the root hints file.

Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine, is there still a use for this tool?