> On Jun 3, 2023, at 1:22 AM, Doug Barton <[email protected]> wrote:
> 
> On 6/2/23 11:12 AM, Dave Knight wrote:
>> commented out the root hints file in /etc/bind/named.conf.default-zones
>> run named with debugging output enabled and tcpdump running, it primes 
>> itself and validates the priming response at startup
> 
> BIND does not "prime itself." That would be impossible. It has a compiled-in 
> version of root hints that it falls back on if it cannot find one on the file 
> system.

Said exactly that in my initial post in the thread.


> Regarding your assertion that you can validate the priming query with DNSSEC,

I suggested that we validate the priming response; we don't validate queries 
with DNSSEC.


> all you can validate is the NS set. The host records cannot be validated 
> because root-servers.net is not signed.

Good point!

They're still used to replace what was provided in the root.hints after the 
priming response is received though.


dave
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
