Thank you for your response. I have a better understanding now and appreciate 
it.

On 9/5/19, 12:33 PM, "Joe Abley" <[email protected]> wrote:

    On 5 Sep 2019, at 15:12, Guevara, Daniel via Unbound-users 
<[email protected]> wrote:
    
    > Hoping someone can help me understand the root.hints functionality.
    > 
    > From my previous email:
    > "I was under the impression that I could create a custom root.hints. For 
example the one you linked has 13 root servers. I tried configuring it with 
only one of those root servers, allowing outbound access to that server, yet 
the startup time is still not as quick as when I allow all outbound access. 
This leads me to believe that it is still trying root servers I did not define? 
(This was only a test and I am not proposing to only use one root server)"
    > 
    > Is there a way to do root server lookup on only the server specified (if 
it cannot be disabled completely)?
    
    The root hints are used to find a server that can respond to a priming 
query, ./IN/NS -- once a response to that priming query is received (containing 
in the additional section at least some set of glue, sufficient to look up 
whatever glue did not fit, in the event it was not complete) the root hints are 
no longer used. So even if you start with a set of root hints that contains a 
single address, the resolver will still generally use the full 26 addresses 
once it has received a priming response.
    
    If you want to use a root server set that is different from the full set, 
you need to create your own private set of root servers that serve your own 
root zone with a different NS set. You will have to import the delegation 
RRSets from the real root zone, sign that zone with your own key set and use 
your own trust anchor if you want to be able to validate responses using DNSSEC.
    
    This is not a particularly good idea for an operational DNS service, but 
it's often done in a lab environment.
    
    I suspect the answer you're looking for is "you can't do that".
    
    
    Joe
    

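Added example, not part of the original thread: a minimal Python parser for a priming response (./IN/NS), showing why a one-address root.hints does not limit the addresses a resolver uses afterwards. The function names and the `SAMPLE` message are constructed for illustration; the sample carries three NS names and glue for only two of them.

```python
import ipaddress
import struct

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(256):                          # bound stops pointer loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = end or off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n
    raise ValueError("malformed or looping name")

def after_priming(hints, msg):
    """From a ./IN/NS response: addresses not in hints, and NS names with no glue."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4
    servers, glue = [], {}
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                            # NS: rdata is a server name
            servers.append(read_name(msg, off)[0])
        elif rtype in (1, 28):                    # A / AAAA glue
            glue.setdefault(owner, []).append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen
    learned = {a for s in servers for a in glue.get(s, [])}
    return sorted(learned - set(hints)), [s for s in servers if s not in glue]

def rr(name, rtype, rdata):                       # build one class-IN record
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, 518400, len(rdata)) + rdata

# Constructed sample priming response: three NS records, glue for only two.
GLUE = [("a.root-servers.net", "198.41.0.4"), ("c.root-servers.net", "192.33.4.12")]
SAMPLE = (struct.pack("!6H", 0, 0x8400, 1, 3, 0, 2) + b"\x00" + struct.pack("!HH", 2, 1)
          + b"".join(rr(".", 2, encode_name(c + ".root-servers.net")) for c in "abc")
          + b"".join(rr(n, 1, ipaddress.ip_address(a).packed) for n, a in GLUE))
```

Calling `after_priming(["198.41.0.4"], SAMPLE)` returns the addresses the response adds beyond the single hint, plus the NS names the resolver would still have to look up because their glue was absent. An egress allowlist has to cover both.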