root-hints as master for RFC7706

rainer at rainer at
Fri Nov 30 14:15:21 UTC 2018

Am 2018-11-30 15:05, schrieb Joe Abley:
> On Nov 30, 2018, at 08:37, Rainer Duffner via Unbound-users
> <unbound-users at> wrote:
> When I was in the team that operated that service there we went to
> some lengths to emphasise that it was not a supported, production,
> operational service but rather a convenient troubleshooting and
> diagnostic tool provided on a best-effort basis.
> (I think it's actually; there was a companion
> service They served not just the root zone but
> every infrastructure/community zone that ICANN hosted, like
> This may be perfectly fine for your purposes (and of course the
> disposition of those services might have changed during the 800 years
> I've been away) but I thought I'd mention it.
> Joe


the blurb in named.conf.sample says:

// The traditional root hints mechanism. Use this, OR the slave zones 
zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

/*      Slaving the following zones from the root name servers has some
         significant advantages:
         1. Faster local resolution for your users
         2. No spurious traffic will be sent from your network to the 
         3. Greater resilience to any potential root server failure/DDoS

         On the other hand, this method requires more monitoring than the
         hints file to be sure that an unexpected failure mode has not
         incapacitated your server.  Name servers that are serving a lot
         of clients will benefit more from this approach than individual
         hosts.  Use with caution.

         To use this mechanism, uncomment the entries below, and comment
         the hint zone above.

         As documented at these 
         "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and a few others
         are available for AXFR from these servers on IPv4 and IPv6:,
zone "." {
         type slave;
         file "/usr/local/etc/namedb/slave/root.slave";
         masters {
       ;           //
                 2620:0:2d0:202::132;    //
       ;           //
                 2620:0:2830:202::132;   //
         notify no;

pkg info bind911
Name           : bind911
Version        : 9.11.3_1
Installed on   : Thu Apr 19 14:14:06 2018 CEST
Origin         : dns/bind911
Architecture   : FreeBSD:11:amd64
Prefix         : /usr/local
Categories     : net dns ipv6
Licenses       : MPL20
Maintainer     : mat at
WWW            :
Comment        : BIND DNS suite with updated DNSSEC and DNS64

I'd have to check the source (of 9.12 or 9.13) to see if anything has 
changed in that text.

It doesn't say "don't use this in production".


More information about the Unbound-users mailing list