[NCLUG] Are you running a local nameserver?
Thomas J Loran
tom at loran3.net
Tue Nov 6 15:37:06 MST 2007
Bob,
I tried your dig ns . > db.root.new solution and compared that file to
the ftp version at FTP.INTERNIC.NET//domain/db.cache. The two files are
nothing alike, although I could make the "dig" version work, I suppose.
And yes, I always make a backup copy before changing or editing any
critical file. How do you clean up your "dig" version?
I attached two files. The db.cache version is the ftp download and the
db.root version is the "dig" version.
Tom
On Tue, 2007-11-06 at 13:53 -0700, Bob Proulx wrote:
> If you are running a local DNS nameserver, as most/many/some GNU/Linux
> users do, then you probably already have gotten notice that there has
> been a change to the IP address of one of the root nameservers. Mark
> Andrews at the ISC recently sent out a message with the following
> title. You may have already seen this message and if not then a quick
> web search will find it.
>
> L.ROOT-SERVERS.NET has changed IP address to 199.7.83.42
>
> Let me take a moment and pass along this reminder to the NCLUG
> community that all nameserver configurations should be updated to
> accommodate this IP address change. This is pretty simple and I will
> outline how to do it for the very popular BIND in a moment. Other
> nameserver software will be similar but I am only going to talk about
> BIND (Berkeley Internet Name Daemon).
>
> Why? Nameservers need a place to start when beginning a name
> resolution. They need the IP of a server in order to find the IP of a
> server. It is a bootstrapping issue. They use the root nameservers
> currently named A through M in the ROOT-SERVERS.NET domain. These are
> seeded into a file or compiled into the nameserver code as a place to
> start to prime-the-pump to get things going. They change seldom but
> sometimes they do change. If they all changed at once then the local
> nameserver would no longer know where to start. It would no longer be
> able to bootstrap itself. With one out of the thirteen inaccessible
> there are twelve more to go. It is a fairly robust and reliable
> system through redundancy. While this redundancy means there is no
> rush, things won't break any time soon, it is still a good idea to
> perform the update while the information is current. If for no other
> reason than that the old IP will be completely unusable for other
> purposes as it gets bombarded by DNS requests from stale
> configurations. Like inheriting the old phone number of the Waffle
> House or something.
>
> For BIND the root hints file is called db.root and is typically
> configured to be located in /etc/bind/db.root. But your installation
> may call it something else since this is configurable. I am going to
> call it db.root but if your system calls it something different
> mentally translate the name from db.root to your system's name for it.
> The L.ROOT-SERVERS.NET IP address listed there previously is now
> stale. It needs to be changed to 199.7.83.42. You could edit the
> file and simply make that update. That would be fine.
>
> Alternatively you could fetch a current copy of the root hints file.
> How? By using DNS itself!
>
> dig ns . > db.root.new
>
> One fixup that I always do is to edit the new file and to sort the
> lists of server names alphabetically. This makes diff'ing between old
> and new versions less noisy. If you grab a whole new version of the
> file then I definitely recommend that you sort the lists for this
> reason. But otherwise the file is of a format suitable for BIND
> directly.
>
> After looking at the diff of the file between the old and the new and
> verifying that everything looks okay it should be moved into place. I
> avoid creating it in place because if there was a problem it would
> zero the file or corrupt the file and then the nameserver would be
> broken. This would prevent 'dig ns .' from working until it was fixed,
> creating a worse problem.
>
> mv db.root.new db.root
>
> I don't know if it is needed but at this point I restart the
> nameserver. It can't hurt and definitely ensures that the nameserver
> is using the new data provided in the file.
>
> Bob
-------------- next part (attachment 1: db.cache, InterNIC FTP version) --------------
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/db.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Nov 01, 2007
; related version of root zone: 2007110100
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
-------------- next part (attachment 2: db.root, output of dig ns .) --------------
; <<>> DiG 9.5.0a6 <<>> . ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55006
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 329582 IN NS J.ROOT-SERVERS.NET.
. 329582 IN NS K.ROOT-SERVERS.NET.
. 329582 IN NS L.ROOT-SERVERS.NET.
. 329582 IN NS M.ROOT-SERVERS.NET.
. 329582 IN NS A.ROOT-SERVERS.NET.
. 329582 IN NS B.ROOT-SERVERS.NET.
. 329582 IN NS C.ROOT-SERVERS.NET.
. 329582 IN NS D.ROOT-SERVERS.NET.
. 329582 IN NS E.ROOT-SERVERS.NET.
. 329582 IN NS F.ROOT-SERVERS.NET.
. 329582 IN NS G.ROOT-SERVERS.NET.
. 329582 IN NS H.ROOT-SERVERS.NET.
. 329582 IN NS I.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 48684 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 581589 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 581589 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 581589 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 4710 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 495174 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 495174 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 495174 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 493109 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 134404 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 581589 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 455786 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 581589 IN A 202.12.27.33
;; Query time: 2 msec
;; SERVER: 192.168.3.72#53(192.168.3.72)
;; WHEN: Tue Nov 6 15:12:13 2007
;; MSG SIZE rcvd: 436
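Tom's question of how to "clean up" the dig version, and Bob's advice to sort the server lists and diff old against new before moving the file into place, as an added example that is not part of the thread: a small Python script of my own that parses both the db.cache format and the raw dig output, renders a sorted hints file, and reports which server addresses changed. The two sample inputs are constructed excerpts, not the attachments above, and the stale L address in the "old" sample is a placeholder.

```python
import re
# name, TTL, optional class, type, data: fits db.cache and dig answer lines
_RR = re.compile(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?(NS|A)\s+(\S+)$")
def parse_hints(text):
    """Return ({server: ipv4}, {root NS names}) from db.cache or dig text."""
    addrs, ns = {}, set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop ';' and ';;' comments
        m = _RR.match(line)
        if not m:
            continue                            # blanks, dig headers
        name, _ttl, rtype, data = m.groups()
        if rtype == "NS" and name == ".":
            ns.add(data.upper())
        elif rtype == "A":
            addrs[name.upper()] = data
    return addrs, ns

def render_hints(addrs, ns, ttl=3600000):
    """Emit db.cache-style records sorted by server name, NS then A."""
    out = []
    for name in sorted(ns):
        out.append(f".\t{ttl}\tIN\tNS\t{name}")
        if name in addrs:                       # skip servers lacking glue
            out.append(f"{name}\t{ttl}\tA\t{addrs[name]}")
    return "\n".join(out) + "\n"

def diff_hints(old_text, new_text):
    """Servers whose address changed, appeared, or vanished between files."""
    old, new = parse_hints(old_text)[0], parse_hints(new_text)[0]
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    return {"changed": changed, "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}

# Constructed excerpts, not the thread's attachments; the stale L address is a
# documentation-range placeholder, not the real pre-2007 address.
OLD_DB_ROOT = """\
.                     3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.   3600000    A  198.41.0.4
.                     3600000    NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.   3600000    A  192.0.2.1
"""
DIG_NS_DOT = """\
;; ANSWER SECTION:
.\t\t\t329582\tIN\tNS\tL.ROOT-SERVERS.NET.
.\t\t\t329582\tIN\tNS\tA.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
L.ROOT-SERVERS.NET.\t455786\tIN\tA\t199.7.83.42
A.ROOT-SERVERS.NET.\t48684\tIN\tA\t198.41.0.4
"""
```

Running `diff_hints(OLD_DB_ROOT, DIG_NS_DOT)` flags only L.ROOT-SERVERS.NET. as changed, which is the check Bob describes doing by eye before the mv; `render_hints(*parse_hints(DIG_NS_DOT))` is the sorted db.root.new.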