On 02/05/2018 23:39, Rick Dicaire wrote:
> Thanks for the responses folks...so if I don't need to manage root.hints,
> can I remove the line:
>
> zone "." IN {type hint;file "root.cache";};
>
> from named.conf?
Yes, you can remove it.
Regards,
Anand
Thanks for the responses folks...so if I don't need to manage root.hints,
can I remove the line:
zone "." IN {type hint;file "root.cache";};
from named.conf?
On Wed, May 2, 2018 at 5:02 PM Greg Rivers
wrote:
> On Wednesday, May 02, 2018 16:48:00 Rick Dicaire wrote:
> > ... what is the official/best practise/recommended way to update root.hints?
> >
> https://www.iana.org/domains/root/files
>
> But you don't really need it unless you're running an in
On Wednesday, May 02, 2018 16:48:00 Rick Dicaire wrote:
> ... what is the official/best practise/recommended way to update root.hints?
>
https://www.iana.org/domains/root/files
But you don't really need it unless you're running an internal root; as stated
at that link, "For many pieces of softwar
Grant Taylor wrote:
>
> This quote from Twitter seems appropriate: DNSSEC only protects you from
> getting bad answers. If someone wants you to get no answers at all then
> DNSSEC cannot help.
That wasn't from Twitter, that was from me on NANOG.
http://mailman.nanog.org/pipermail/nanog/2015-Nov
In message <564be747.40...@tnetconsulting.net>, Grant Taylor writes:
> On 11/17/2015 03:22 PM, Mark Andrews wrote:
> > Given the root zone is signed and most of the TLD's are also signed
> > there is little a rogue operator can do besides causing a DoS if
> > you validate the returned answers.
>
On 11/17/2015 03:22 PM, Mark Andrews wrote:
Given the root zone is signed and most of the TLD's are also signed
there is little a rogue operator can do besides causing a DoS if
you validate the returned answers.
This quote from Twitter seems appropriate: DNSSEC only protects you
from getting
On 11/17/2015 03:02 PM, Dave Warren wrote:
Or, the IP formerly used as a root server could turn malicious and start
offering an alternate response. This would only impact resolvers that
had outdated root hints, and also happened to try that particular IP
first, but it's at least a theoretical ris
On 11/17/2015 04:10 PM, Darcy Kevin (FCA) wrote:
No default route to Internet, internal-root architecture; when you think this through,
it's pretty obvious that the ability to explicitly specify "hints" is a
mandatory feature of any enterprise-strength DNS product.
There is nothing that preven
On 11/17/2015 02:21 AM, Ray Bellis wrote:
It's important that they're exclusive - it would be very much harder to
build an isolated test bed (with "fake" root hints) if BIND insisted on
always trying to reach all of the compiled-in root hints.
Valid point. Thanks Ray.
Otherwise, I might be te
On 11/17/2015 02:15 AM, Cathy Almond wrote:
If someone *could* maliciously replace a file on your DNS server with a
blank one, you have more problems than just a blank root hints file
don't you?
Very likely. But not guaranteed. }:->
--
Grant. . . .
unix || die
-----Original Message-----
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joseph S D Yao
Sent: Tuesday, November 17, 2015 10:25 AM
To: Ray Bellis
Cc: bind-users@lists.isc.org
Subject: Re: root hints operation
On 2015-11-17 04:21, Ray Bellis wrote:
> On 17/11
In message <564ba6e9.2050...@hireahit.com>, Dave Warren writes:
> On 2015-11-17 14:13, Mark Andrews wrote:
> > In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
> >> On 2015-11-16 18:09, Grant Taylor wrote:
> >>> It's my understanding that ALL of the root servers would have to
> >>>
On 2015-11-17 14:13, Mark Andrews wrote:
In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
On 2015-11-16 18:09, Grant Taylor wrote:
It's my understanding that ALL of the root servers would have to
change all of their addresses at the same time for DNS to be impacted.
Or, the IP f
In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes:
> On 2015-11-16 18:09, Grant Taylor wrote:
> > It's my understanding that ALL of the root servers would have to
> > change all of their addresses at the same time for DNS to be impacted.
>
> Or, the IP formerly used as a root serve
On 2015-11-16 18:09, Grant Taylor wrote:
It's my understanding that ALL of the root servers would have to
change all of their addresses at the same time for DNS to be impacted.
Or, the IP formerly used as a root server could turn malicious and start
offering an alternate response. This would
On 2015-11-17 04:21, Ray Bellis wrote:
On 17/11/2015 02:09, Grant Taylor wrote:
On 11/16/2015 06:56 PM, /dev/rob0 wrote:
You either specify a hints file to use, or use the compiled-in root
hints.
Interesting. I was not aware that it was an exclusive or type
situation.
It's important that
On 17/11/2015 02:09, Grant Taylor wrote:
> On 11/16/2015 06:56 PM, /dev/rob0 wrote:
>> You either specify a hints file to use, or use the compiled-in root
>> hints.
>
> Interesting. I was not aware that it was an exclusive or type situation.
It's important that they're exclusive - it would be ve
On 17/11/2015 02:31, Grant Taylor wrote:
...
> The idea that a (maliciously) blank root.hints file would prevent BIND
> from using the compiled in version is new to me.
If someone *could* maliciously replace a file on your DNS server with a
blank one, you have more problems than just a blank root
On 11/16/2015 07:20 PM, Barry Margolin wrote:
Did you think it combined the file with the built-in list?
I hadn't given much thought to how the built in would or would not be
combined with the contents of the root.hints file.
I always took it that BIND would fall back to the compiled in vers
In article ,
Grant Taylor wrote:
> On 11/16/2015 06:56 PM, /dev/rob0 wrote:
> > You either specify a hints file to use, or use the compiled-in root
> > hints.
>
> Interesting. I was not aware that it was an exclusive or type situation.
Did you think it combined the file with the built-in list
On 11/16/2015 06:56 PM, /dev/rob0 wrote:
You either specify a hints file to use, or use the compiled-in root
hints.
Interesting. I was not aware that it was an exclusive or type situation.
Since the beginning of DNS, there has not been enough change to root
hints so as to cause operational p
On Mon, Nov 16, 2015 at 06:37:36PM -0700, Grant Taylor wrote:
> In light of the upcoming H-root server changing addresses I wanted
> to confirm how BIND uses root hints.
>
> It's my understanding that BIND has a compiled in version of the
> root hints -and- a root hints file that can easily be u
Am 06.10.2015 um 19:42 schrieb Jack Tavares:
Since the H root server IP address will be changing I have a question:
http://h.root-servers.org/renumber.html
how does bind get the root servers these days?
I think the code includes a set.
yes, a hardcoded fallback
Is there a provision to quer
On Tue, Oct 06, 2015 at 05:42:52PM +, Jack Tavares wrote:
> Since the H root server IP address will be changing I have a question:
> http://h.root-servers.org/renumber.html
>
> how does bind get the root servers these days?
> I think the code includes a set.
There's a copy of the hints built
On 09/06/12 07:06, Timothe Litt wrote:
In doing some system administration, I realized that I have a tool that
might be generally useful - ISC is welcome to add it to contribs. Hopefully
the attachment will make it through the mailing list server.
This is a script to automagically update the ro
Timothe Litt wrote:
>
> Until someone authoritative tells me that BIND manages the hints file on its
> own, I'm taking the conservative route and letting my tool run
> BTW, I do have systems that come on-line every 5 years or so. Automation is
> good :-)
Well, I'm not authoritative, but I do
yer [mailto:bortzme...@nic.fr]
Sent: Thursday, September 06, 2012 09:08
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: Root hints updates
On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt wrote
a message of 466 lines which said:
> This is a script to automagically update the root
On Thu, Sep 06, 2012 at 08:06:45AM -0400,
Timothe Litt wrote
a message of 466 lines which said:
> This is a script to automagically update the root hints file.
Since the first thing BIND does at startup is to check the root NS
set, and since DNSSEC guarantees that it is genuine, is there sti
On 3/9/2011 8:32 AM, Tony MacDoodle wrote:
Hello,
I am currently running BIND 9.6.1-P3 and it works fine. My question is
regarding the db.cache file. I am only running a local domain
(apps.local) that does not access the internet for resolution. My
current root hints file is from Internic.
* Tony MacDoodle:
> So in the named.conf file I can get rid of the following:
>
> zone "." { type hint; file "db.cache"; };
Yes, I think 9.6 has built-in root hints. The zone contents is
ignored, except for the NS records and the associated addresses
(because of "type hint" instead of "type mast
So in the named.conf file I can get rid of the following:
zone "." { type hint; file "db.cache"; };
Thanks
On Wed, Mar 9, 2011 at 9:19 AM, Florian Weimer wrote:
> * Tony MacDoodle:
>
> > 2) Do I need it at all for a local domain
>
> No, configuring a zone using the "zone" statement on all re
* Tony MacDoodle:
> 2) Do I need it at all for a local domain
No, configuring a zone using the "zone" statement on all resolvers is
sufficient. If the resolver knows about authoritative data, it will
not try to fetch it from the Internet.
You should reconsider using "local", though. Some clien
On Fri, Jan 28, 2011 at 11:12:29PM -0500, Barry Margolin wrote:
...
> I'm sure the folks who run these networks are quite aware of this
> danger. If a root server changes, I'll bet it will be several years
> before the old address goes to some other organization.
...
Yah, I know. May not be t
In message , Barry Margolin writes:
> In article ,
> Joseph S D Yao wrote:
>
> > [This does leave a security hole - if a root name server's IP changes,
> > and a Bad Guy gets the old one; or on another internet, if the Bad Guy
> > gets all the IP addresses in the default file. It's not just l
In article ,
Joseph S D Yao wrote:
> [This does leave a security hole - if a root name server's IP changes,
> and a Bad Guy gets the old one; or on another internet, if the Bad Guy
> gets all the IP addresses in the default file. It's not just lust for
> control that has me using a visible root
On Fri, Jan 28, 2011 at 09:51:13PM -0500, Joseph S D Yao wrote:
> On Fri, Jan 28, 2011 at 08:10:10PM +, Jack Tavares wrote:
> > I have a question about the hints file.
> >
> > It is "built in" to BIND.
> >
> > Does bind check for updates to this periodically?
...
> To the best of my knowledge
On Fri, Jan 28, 2011 at 08:10:10PM +, Jack Tavares wrote:
> I have a question about the hints file.
>
> It is "built in" to BIND.
>
> Does bind check for updates to this periodically?
> If so, where does it get it from ?
> I assume it gets it from ftp.isc.org.
> Does bind contain a hardcode f
On Fri, Jan 28, 2011 at 04:40:50PM +0800, p...@mail.nsbeta.info wrote:
> Joseph S D Yao writes:
> > Just because we don't need to, doesn't mean that it's a good practice
> > not to. And it's so easy to create one on a system where DNS is already
> > set up.
> >
> > dig ns . > root.hints
>
On 28/01/2011 21:10, Jack Tavares wrote:
> I have a question about the hints file.
>
> It is "built in" to BIND.
>
> Does bind check for updates to this periodically?
> If so, where does it get it from ?
> I assume it gets it from ftp.isc.org.
> Does bind contain a hardcode for that IP address?
> On 28/01/2011 21:10, Jack Tavares wrote:
>
> > I have a question about the hints file.
> >
> > It is "built in" to BIND.
> >
> > Does bind check for updates to this periodically?
> > If so, where does it get it from ?
> > I assume it gets it from ftp.isc.org.
> > Does bind contain a hardcode for
I have a question about the hints file.
It is "built in" to BIND.
Does bind check for updates to this periodically?
If so, where does it get it from ?
I assume it gets it from ftp.isc.org.
Does bind contain a hardcode for that IP address?
or does it use the existing hints to find the address
of "
Joseph S D Yao writes:
Just because we don't need to, doesn't mean that it's a good practice
not to. And it's so easy to create one on a system where DNS is already
set up.
dig ns . > root.hints
I disagree with this.
Few files mean few risk for admin.
How about the case when someone
On Thu, Jan 27, 2011 at 09:59:58AM +0800, p...@mail.nsbeta.info wrote:
...
> That means since BIND 9.2 we don't have the need to make a hints file for
> named. Yep in current days who are running the named version below 9.2?
...
Surprisingly more people than you would imagine. Is Bill M still d
On Wed, Jan 26, 2011 at 04:16:47PM +, Chris Thompson wrote:
...
> which puts it in BIND 9.2 but not in 9.1. I can't find any indication
> in the CHANGES files or in my memory that BIND 8 ever had compiled-in
> hints.
...
Which just shows that my memory going back to BIND 8 has deteriorated.
I
Chris Thompson writes:
The relevant CHANGES file entry for BIND 9 would seem to be
701. [func] Root hints are now fully optional. Class IN
views use compiled-in hints by default, as
before. Non-IN views with no root hints now
provide authoritative
On Jan 26 2011, Joseph S D Yao wrote:
On Wed, Jan 26, 2011 at 11:20:18AM +0800, p...@mail.nsbeta.info wrote:
Hello,
From what version of bind we won't include the root hints file in
named.conf? Since the bind server has been including it inherently.
I could be wrong, but I think that a
Tried both numbers.
I'm available 602-418-6471.
On Jan 26, 2011, at 6:49 AM, Mark Andrews wrote:
>
> In message <20110126003702.c16...@gwyn.tux.org>, Joseph S D Yao writes:
>> On Wed, Jan 26, 2011 at 11:20:18AM +0800, p...@mail.nsbeta.info wrote:
>>>
>>> Hello,
>>>
>>> From what version
Please excuse my prior noise. Fat finger and head replied to wrong email. But
feel free to call if you feel the need ;-)
On Jan 26, 2011, at 6:49 AM, Mark Andrews wrote:
>
> In message <20110126003702.c16...@gwyn.tux.org>, Joseph S D Yao writes:
>> On Wed, Jan 26, 2011 at 11:20:18AM +0800, p
In message <20110126003702.c16...@gwyn.tux.org>, Joseph S D Yao writes:
> On Wed, Jan 26, 2011 at 11:20:18AM +0800, p...@mail.nsbeta.info wrote:
> >
> > Hello,
> >
> > From what version of bind we won't include the root hints file in
> > named.conf? Since the bind server has been including it
On 26.01.11 11:20, p...@mail.nsbeta.info wrote:
> From what version of bind we won't include the root hints file in
> named.conf? Since the bind server has been including it inherently.
Why won't you include root hints file in named.conf?
While named has builtin default, you can always includep
On Wed, Jan 26, 2011 at 11:20:18AM +0800, p...@mail.nsbeta.info wrote:
>
> Hello,
>
> From what version of bind we won't include the root hints file in
> named.conf? Since the bind server has been including it inherently.
I could be wrong, but I think that all V9 and even all V8 had this
"f
52 matches