Re: root hints operation

Grant Taylor wrote: > > This quite from Twitter seems appropriate: DNSSEC only protects you from > getting bad answers. If someone wants you to get no answers at all then > DNSSEC cannot help. That wasn't from Twitter, that was from me on NANOG.

Re: root hints operation

On 2015-11-17 04:21, Ray Bellis wrote: On 17/11/2015 02:09, Grant Taylor wrote: On 11/16/2015 06:56 PM, /dev/rob0 wrote: You either specify a hints file to use, or use the compiled-in root hints. Interesting. I was not aware that it was an exclusive or type situation. It's important that

RE: root hints operation

al Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joseph S D Yao Sent: Tuesday, November 17, 2015 10:25 AM To: Ray Bellis Cc: bind-users@lists.isc.org Subject: Re: root hints operation On 2015-11-17 04:21, Ray Bellis wrote: > On 17/11/2015

Re: root hints operation

On 11/17/2015 03:02 PM, Dave Warren wrote: Or, the IP formerly used as a root server could turn malicious and start offering an alternate response. This would only impact resolvers that had outdated root hints, and also happened to try that particular IP first, but it's at least a theoretical

Re: root hints operation

On 11/17/2015 03:22 PM, Mark Andrews wrote: Given the root zone is signed and most of the TLD's are also signed there is little a rogue operator can do besides causing a DoS if you validate the returned answers. This quite from Twitter seems appropriate: DNSSEC only protects you from getting

Re: root hints operation

On 11/17/2015 02:15 AM, Cathy Almond wrote: If someone *could* maliciously replace a file on your DNS server with a blank one, you have more problems than just a blank root hints file don't you? Very likely. But not guaranteed. }:-> -- Grant. . . . unix || die

Re: root hints operation

On 11/17/2015 02:21 AM, Ray Bellis wrote: It's important that they're exclusive - it would be very much harder to build an isolated test bed (with "fake" root hints) if BIND insisted on always trying to reach all of the compiled-in root hints. Valid point. Thanks Ray. Otherwise, I might be

Re: root hints operation

On 11/17/2015 04:10 PM, Darcy Kevin (FCA) wrote: No default route to Internet, internal-root architecture; when you think this through, it's pretty obvious that the ability to explicitly specify "hints" is a mandatory feature of any enterprise-strength DNS product. There is noting that

Re: root hints operation

In message <564be747.40...@tnetconsulting.net>, Grant Taylor writes: > On 11/17/2015 03:22 PM, Mark Andrews wrote: > > Given the root zone is signed and most of the TLD's are also signed > > there is little a rogue operator can do besides causing a DoS if > > you validate the returned answers. >

Re: root hints operation

On 17/11/2015 02:31, Grant Taylor wrote: ... > The idea that a (maliciously) blank root.hints file would prevent BIND > from using the compiled in version is new to me. If someone *could* maliciously replace a file on your DNS server with a blank one, you have more problems than just a blank root

Re: root hints operation

On 17/11/2015 02:09, Grant Taylor wrote: > On 11/16/2015 06:56 PM, /dev/rob0 wrote: >> You either specify a hints file to use, or use the compiled-in root >> hints. > > Interesting. I was not aware that it was an exclusive or type situation. It's important that they're exclusive - it would be

Re: root hints operation

On 2015-11-17 14:13, Mark Andrews wrote: In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes: On 2015-11-16 18:09, Grant Taylor wrote: It's my understanding that ALL of the root servers would have to change all of their addresses at the same time for DNS to be impacted. Or, the IP

Re: root hints operation

In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes: > On 2015-11-16 18:09, Grant Taylor wrote: > > It's my understanding that ALL of the root servers would have to > > change all of their addresses at the same time for DNS to be impacted. > > Or, the IP formerly used as a root

Re: root hints operation

In message <564ba6e9.2050...@hireahit.com>, Dave Warren writes: > On 2015-11-17 14:13, Mark Andrews wrote: > > In message <564ba3e3.9060...@hireahit.com>, Dave Warren writes: > >> On 2015-11-16 18:09, Grant Taylor wrote: > >>> It's my understanding that ALL of the root servers would have to > >>>

root hints operation

In light of the upcoming H-root server changing addresses I wanted to confirm how BIND uses root hints. It's my understanding that BIND has a compiled in version of the root hints -and- a root hints file that can easily be updated. This information is used to prime named as it starts up in

Re: root hints operation

On Mon, Nov 16, 2015 at 06:37:36PM -0700, Grant Taylor wrote: > In light of the upcoming H-root server changing addresses I wanted > to confirm how BIND uses root hints. > > It's my understanding that BIND has a compiled in version of the > root hints -and- a root hints file that can easily be

Re: root hints operation

On 11/16/2015 07:20 PM, Barry Margolin wrote: Did you think it combined the file with the built-in list? I hadn't given much thought to how the built in would or would not be combined with the contents of the root.hints file. I always took it that BIND would fall back to the compiled in

Re: root hints operation

On 11/16/2015 06:56 PM, /dev/rob0 wrote: You either specify a hints file to use, or use the compiled-in root hints. Interesting. I was not aware that it was an exclusive or type situation. Since the beginning of DNS, there has not been enough change to root hints so as to cause operational

Re: root hints operation

In article , Grant Taylor wrote: > On 11/16/2015 06:56 PM, /dev/rob0 wrote: > > You either specify a hints file to use, or use the compiled-in root > > hints. > > Interesting. I was not aware that it was an