Maintaining the root.hints File

In Chapter 2 I alluded to the limited lifetime of a "root.hints" file. The set of root servers and their addresses does change over time, albeit slowly. New ones are added and old ones retired or moved, all in a very conservative manner. The "powers that be" of DNS know their responsibility.

There are several ways to keep a root.hints file up to date: an updated version can be FTPed from a host, or DNS itself can be examined to determine whether anything has changed, all automatically if you want. The quickest and easiest way is to use dig. First ask your own nameserver which root nameservers it thinks exist.

    $ dig @127.0.0.1 . NS
    …
    ;; ANSWER SECTION:
    .                       5d23h56m30s IN NS  F.ROOT-SERVERS.NET.
    …
    .                       5d23h56m30s IN NS  H.ROOT-SERVERS.NET.

    ;; ADDITIONAL SECTION:
    F.ROOT-SERVERS.NET.     6d23h56m30s IN A  192.5.5.241
    …
    H.ROOT-SERVERS.NET.     6d23h56m30s IN A  128.63.2.53

Then ask one of the root servers your nameserver lists the same question:

    $ dig @<root-server> . NS

    ; <<>> DiG 8.2 <<>> @<root-server> . NS
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
    ;; QUERY SECTION:
    ;;      ., type = NS, class = IN

    ;; ANSWER SECTION:
    .                       6D IN NS        L.ROOT-SERVERS.NET.
    .                       6D IN NS        M.ROOT-SERVERS.NET.
    .                       6D IN NS        I.ROOT-SERVERS.NET.
    .                       6D IN NS        E.ROOT-SERVERS.NET.
    .                       6D IN NS        D.ROOT-SERVERS.NET.
    .                       6D IN NS        A.ROOT-SERVERS.NET.
    .                       6D IN NS        H.ROOT-SERVERS.NET.
    .                       6D IN NS        C.ROOT-SERVERS.NET.
    .                       6D IN NS        G.ROOT-SERVERS.NET.
    .                       6D IN NS        F.ROOT-SERVERS.NET.
    .                       6D IN NS        B.ROOT-SERVERS.NET.
    .                       6D IN NS        J.ROOT-SERVERS.NET.
    .                       6D IN NS        K.ROOT-SERVERS.NET.

    ;; ADDITIONAL SECTION:
    L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
    M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
    I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
    E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
    D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
    A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
    H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
    C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
    G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
    F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
    B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
    J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
    K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129

    ;; Total query time: 794 msec
    ;; FROM: lookfar to SERVER: <root-server>  128.9.0.107
    ;; WHEN: Thu May  4 23:23:52 2000
    ;; MSG SIZE  sent: 17  rcvd: 436

If you examine this listing closely you will see that it has exactly the right syntax for a root.hints file. You can, in fact, capture the dig output directly into the root.hints file to update it.

You do not need to update the file often. Updating it whenever you upgrade your BIND would be a good habit. If you set up automatic procedures to update the root.hints file, be careful to handle errors, or you will be stranded with a nonfunctional BIND when a network error causes your root.hints file to be empty.
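One way to handle those errors, as an added example that is not part of the original text: capture the dig answer into a temporary file, check that it is a complete answer, and only then replace the live file. The function names, the MIN_ROOTS threshold and the target path are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not from the original text: refresh root.hints safely.
MIN_ROOTS=10   # assumed sanity floor; the listing above shows 13 root servers

# hints_ok FILE: succeed only if FILE looks like a complete "dig . NS" answer.
hints_ok() {
    f=$1
    [ -s "$f" ] || return 1                      # empty: the query never completed
    grep -q 'status: NOERROR' "$f" || return 1   # dig header must report success
    # Count root NS records and their A (glue) records, case-insensitively.
    ns=$(grep -Eic '^\.[[:space:]].*[[:space:]]IN[[:space:]]+NS[[:space:]]+[a-z]\.root-servers\.net\.[[:space:]]*$' "$f" || true)
    a=$(grep -Eic '^[a-z]\.root-servers\.net\.[[:space:]].*[[:space:]]IN[[:space:]]+A[[:space:]]+[0-9]+(\.[0-9]+){3}[[:space:]]*$' "$f" || true)
    [ "$ns" -ge "$MIN_ROOTS" ] && [ "$a" -ge "$MIN_ROOTS" ]
}

# install_hints NEW TARGET: validate NEW, back up TARGET, then swap atomically.
install_hints() {
    new=$1 target=$2
    if ! hints_ok "$new"; then
        echo "root.hints: rejected $new, keeping existing $target" >&2
        return 1
    fi
    if [ -f "$target" ]; then cp -p "$target" "$target.bak"; fi
    chmod 644 "$new"          # mktemp creates 0600; the nameserver must read it
    mv -f "$new" "$target"    # a rename within one filesystem is atomic
}

# update_hints SERVER TARGET: query SERVER; the old file survives any failure.
update_hints() {
    server=$1 target=$2
    tmp=$(mktemp "$target.XXXXXX") || return 1   # same directory as TARGET
    if dig "@$server" . NS > "$tmp" 2>/dev/null && install_hints "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Typical use from cron (server and path are placeholders):
#   update_hints <root-server> /path/to/root.hints || exit 1
```

These checks catch empty, failed or truncated answers; they do not authenticate the data, so query a server you already trust.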