DIG root.hints update failure

Post by Jim Rei » Tue, 13 Jun 2000 04:00:00

    Bruce> I am using DIG to update my root.hints file, format: dig

    Bruce> Each time it runs I receive:

    Bruce> res_nsend to server rs.internic.net 198.41.0.6: Connection timeout.

    Bruce> Am I pointing DIG to the correct root server?

No. 198.41.0.6 doesn't seem to run a name server, far less act as a
root server.

There's probably no need to "update your root.hints file". That file
hasn't changed in years. And if you have an out of date copy, the
current version is available at:
        ftp:ftp.rs.internic.net/domain/named.root
and no doubt at zillions of archive sites all over the net.

BTW, if your name server is configured correctly it will already know
the names and addresses of the root name servers. So you could just
query it for that information. The info in the root.hints file -
sometimes called root.cache or root.ca - serves as a hint to your name
server. It's used to find the actual names and addresses of the root
servers. When a name server starts, one or more of the IP addresses in
that file is asked for the details of the root servers. It just
happens that the well-known addresses for these "hint" servers in
root.hints turn out to be the root servers themselves.


Post by Jim Rei » Tue, 13 Jun 2000 04:00:00

    >> There's probably no need to "update your root.hints file". That
    >> file hasn't changed in years. And if you have an out of date
    >> copy, the current version is available at:
    >> ftp:ftp.rs.internic.net/domain/named.root and no doubt at
    >> zillions of archive sites all over the net.

    >> I looked at the URL and found that the file is out-of-date, May
    >> 22, 1999.

Wrong. That's the date that the FTP server says the file was last
modified. This is not necessarily the same as the date the file's
contents were actually changed. If you read the comments in that file,
you would have seen the following comment:

        ;       last update:    Aug 22, 1997
        ;       related version of root zone:   1997082200

FWIW, the file I just FTP'ed from ftp.rs.internic.net is identical to
the one I installed on one of my name servers over 2 years ago. This
added [J-M].ROOT-SERVERS.NET to the version of the file from 1995.
That just added another 4 servers to the already existing 9 for other
name servers to query when they started up. Hardly an earth-shattering
change.

    >> It seems they have changed the root servers in the
    >> meantime resulting in error above.

If 198.41.0.6 ever was a root server, it must have been a *very* long
time ago. It wasn't even listed in the copy of root-servers.txt that
was given in the 1st edition of Cricket's book: published in 1992 BTW.

    >> dig is still a good way to update your named.ca only

I thought that I'd already explained that it's usually irrelevant and
unnecessary to update that file. Name servers only use it at start-up to
locate the root servers, so as long as any one of the servers listed in
that file answers, all is well. And the servers listed in that file
are by definition (a) highly available; (b) spread all over the world
on different nets; (c) unlikely to go away or be renumbered.

It's also highly unlikely that the file will get changed any time
soon. First of all, adding more NS and A records for the root zone
will probably make the answers too big to fit in the current DNS UDP
payload of 512 bytes. That problem will go away when/if EDNS0 is
deployed everywhere. Secondly, adding new root name servers is fraught
with all sorts of political and logistical problems. So we have to
wait for ICANN, IANA, IETF, WTO and everyone else who has something to
say about this topic to reach a consensus and then implement it. Don't
hold your breath waiting.


Post by Jim Rei » Wed, 14 Jun 2000 04:00:00
    >> So what's your point?

Updating the root.cache file is for the most part pointless. And if it
has to be done - say once every 5 years or so - you should ftp the
file from ftp.rs.internic.net. This is now the third time I've made
that point. Is it clear enough now? Using dig might produce something
usable, but doesn't produce the version information that's in the
comments in the file. That version information is important and
useful, especially to people who have a proper CM procedure
surrounding their DNS administration.

    >> My point is still if it's out-of-date, bind throws errors.

No. It will only throw errors if NONE of the name servers listed in
the file are reachable. This is extremely unlikely unless the file
exclusively consists of lies. The most probable reason why the name
server will complain that it can't find the root servers is no access
to the Internet because the link to your ISP is down. It's hard to
invent another scenario that could explain why queries to all 9 or 13
name servers in the root.cache file would fail or timeout.


Post by Cricket Li » Thu, 15 Jun 2000 04:00:00

>     >> My point is still if it's out-of-date, bind throws errors.

> No. It will only throw errors if NONE of the name servers listed in
> the file are reachable. This is extremely unlikely unless the file
> exclusively consists of lies. The most probable reason why the name
> server will complain that it can't find the root servers is no access
> to the Internet because the link to your ISP is down. It's hard to
> invent another scenario that could explain why queries to all 9 or 13
> name servers in the root.cache file would fail or timeout.

Actually, newer BIND name servers do note mismatches
between the root hints file and the result of a system
query.

cricket

Acme Byte & Wire

www.acmebw.com



Post by Jim Rei » Thu, 15 Jun 2000 04:00:00
    >> No. It will only throw errors if NONE of the name servers
    >> listed in the file are reachable. This is extremely unlikely
    >> unless the file exclusively consists of lies. The most probable
    >> reason why the name server will complain that it can't find the
    >> root servers is no access to the Internet because the link to
    >> your ISP is down. It's hard to invent another scenario that
    >> could explain why queries to all 9 or 13 name servers in the
    >> root.cache file would fail or timeout.

    Cricket> Actually, newer BIND name servers do note mismatches
    Cricket> between the root hints file and the result of a system
    Cricket> query.

True enough - I overlooked this earlier - but those checks are only
logged as warnings.
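To make the two points above concrete (the version information that lives only in the file's comments, and the hints-versus-live-answer check that newer BIND logs as warnings), here is an added example that is not part of the thread or of BIND itself: it parses a small root hints file in the named.root format and reports where a constructed priming answer disagrees with it. The sample file, its TEST-NET addresses, and the PRIMED data are all constructed for the example.

```python
"""Parse a root.hints file and compare it with a priming answer (constructed example)."""
import re

# Constructed sample in named.root format: the version lives only in the ';' comments,
# which is why a dig-generated file loses it.  Addresses are TEST-NET placeholders.
SAMPLE_HINTS = """\
;       last update:    Aug 22, 1997
;       related version of root zone:   1997082200
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.107
"""

def parse_hints(text):
    """Return (zone_version, {server_name: set(addresses)}) from a root hints file."""
    version, names, addrs = None, [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):                      # comments carry the version
            m = re.search(r"related version of root zone:\s*(\d+)", line)
            if m:
                version = m.group(1)
            continue
        fields = line.split()                          # class field (IN) is optional
        owner, rtype, rdata = fields[0].lower(), fields[-2].upper(), fields[-1]
        if owner == "." and rtype == "NS":
            names.append(rdata.lower())
        elif rtype == "A":
            addrs.setdefault(owner, set()).add(rdata)
    return version, {n: addrs.get(n, set()) for n in names}

def hint_mismatches(hints, primed):
    """Warnings a priming check would log when the file disagrees with the live answer.
    `primed` is {name: set(addresses)} as learned from a '. NS' query plus glue."""
    warnings = []
    for name in sorted(set(hints) - set(primed)):
        warnings.append(f"hint server {name} not in root NS set")
    for name in sorted(set(primed) - set(hints)):
        warnings.append(f"root server {name} missing from hints")
    for name in sorted(set(hints) & set(primed)):
        if hints[name] != primed[name]:
            warnings.append(f"address mismatch for {name}: "
                            f"{sorted(hints[name])} vs {sorted(primed[name])}")
    return warnings

# Constructed priming result: B renumbered and a new server added since the file was written.
PRIMED = {"a.root-servers.net.": {"192.0.2.4"},
          "b.root-servers.net.": {"192.0.2.108"},
          "c.root-servers.net.": {"192.0.2.12"}}
```

Running `hint_mismatches(*parse_hints(SAMPLE_HINTS)[1:], PRIMED)` on this input yields two warnings only; nothing fails, which matches the thread's point that a stale file is a warning, not an outage, as long as one listed server still answers.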


Post by G. Roderick Singleto » Thu, 15 Jun 2000 04:00:00
>     >> So what's your point?

> Updating the root.cache file is for the most part pointless. And if it
> has to be done - say once every 5 years or so - you should ftp the
> file from ftp.rs.internic.net. This is now the third time I've made
> that point. Is it clear enough now? Using dig might produce something
> usable, but doesn't produce the version information that's in the
> comments in the file. That version information is important and
> useful, especially to people who have a proper CM procedure
> surrounding their DNS administration.

>     >> My point is still if it's out-of-date, bind throws errors.

> No. It will only throw errors if NONE of the name servers listed in
> the file are reachable. This is extremely unlikely unless the file
> exclusively consists of lies. The most probable reason why the name
> server will complain that it can't find the root servers is no access
> to the Internet because the link to your ISP is down. It's hard to
> invent another scenario that could explain why queries to all 9 or 13
> name servers in the root.cache file would fail or timeout.

Okay okay!  What you say makes much sense.  I wish I had the logs
to back up what I suggested.  I did get errors using the ftp'd copy
and I recovered using dig.

Thanks for being patient.