[NCLUG] Are you running a local nameserver?

Bob Proulx bob at proulx.com
Tue Nov 6 13:53:44 MST 2007 

If you are running a local DNS nameserver, as most/many/some GNU/Linux
users do, then you probably already have gotten notice that there has
been a change to the IP address of one of the root nameservers.  Mark
Andrews at the ISC recently sent out a message with the following
title.  You may have already seen this message and if not then a quick
web search will find it.

  L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42

Let me take a moment and pass along this reminder to the NCLUG
community that all nameserver configurations should be updated to
accomodate this IP address change.  This is pretty simple and I will
outline how to do it for the very popular BIND in a moment.  Other
nameserver software will be similar but I am only going to talk about
BIND (Berkeley Internet Name Daemon).

Why?  Nameservers need a place to start when beginning a name
resolution.  They need the IP of a server in order to find the IP of a
server.  It is a bootstrapping issue.  They use the root nameservers
currently named A through M in the ROOT-SERVERS.NET domain.  These are
seeded into a file or compiled into the nameserver code as a place to
start to prime-the-pump to get things going.  They change seldom but
sometimes they do change.  If they all changed at once then the local
nameserver would no longer know where to start.  It would no longer be
able to bootstrap itself.  With one out of the thirteen inaccessible
there are twelve more to go.  It is a fairly robust and reliable
system through redundancy.  While this redundancy means there is no
rush, things won't break any time soon, it is still a good idea to
perform the update while the information is current.  If for no other
reason than that the old IP will be completely unusable for other
purposes as it gets bombarded by DNS requests from stale
configurations.  Like inheriting the old phone number of the Waffle
House or something.

For BIND the root hints file is called db.root and is typically
configured to be located in /etc/bind/db.root.  But your installation
may call it something else since this is configurable.  I am going to
call it db.root but if your system calls it something different
mentally translate the name from db.root to your system's name for it.
The L.ROOT-SERVERS.NET IP address listed there previously is now
stale.  It needs to be changed to 199.7.83.42.  You could edit the
file and simply make that update.  That would be fine.

Alternatively you could fetch a current copy of the root hints file.
How?  By using DNS itself!

  dig ns . > db.root.new

One fixup that I always do is to edit the new file and to sort the
lists of server names alphabetically.  This makes diff'ing between old
and new versions less noisy.  If you grab a whole new version of the
file then I definitely recommend that you sort the lists for this
reason.  But otherwise the file is of a format suitable for BIND
directly.

After looking at the diff of the file between the old and the new and
verifying that everything looks okay it should be moved into place.  I
avoid creating it in place because if there was a problem it would
zero the file or corrupt the file and then the nameserver would be
broken.  This would prevent 'dig ns .' from working until it was fixed
creating a worse problem.

  mv db.root.new db.root

I don't know if it is needed but at this point I restart the
nameserver.  It can't hurt and definitely ensures that the nameserver
is using the new data provided in the file.

Bob

More information about the NCLUG mailing list