Why does my authoritative-only nameserver try to query the root nameservers?
Author: ISC Support | Reference Number: AA-00914 | Created: 2013-05-22 11:21 | Last Updated: 2013-06-03 11:39

Check first that recursion really is disabled:

recursion no;

This prevents your nameserver from performing iterative queries on behalf of the clients whose queries it receives, but it does not prevent the server from needing to make queries of its own in some circumstances:

  • If your authoritative zones contain NS records for servers that are not within any zones that you manage or have delegated to (for example, servers run by a partner who provides geographic or network diversity for your zone data availability), then when your zone data is updated, by default, your server will attempt to notify the other masters. In order to do this, it will need to resolve the names pointed to by the NS records.

    To prevent these attempted notifications, you can disable notifications entirely in the zone statement:
    notify no;

    Alternatively, you can disable the automatic notifications and instead explicitly list (by IP address) the servers that you need to notify:

    notify explicit;
    also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] };

  • Even if you are not handling recursive client queries, if you have DNSSEC validation set to auto (the default is 'yes') then named will load a default pre-configured root trust anchor, and then will periodically attempt to refresh it using RFC 5011 trust anchor maintenance.  Look for and remove this setting in named.conf:

    dnssec-validation auto;

  • Similarly, although it's unlikely that you would configure them on an authoritative-only server, any explicit managed-keys clauses will also cause named to initiate queries to the root nameservers (dnssec-validation auto; loads a managed root key implicitly).
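
The checks above can be run over a configuration file in one pass. The following is an added example, not ISC code: a small Python audit that reports each setting described in this article. The sample configuration, zone names and addresses are constructed, and the script assumes that a notify setting in the options block applies to every zone that does not set its own.

```python
import re

# Constructed sample named.conf (not from the article); addresses are placeholders.
SAMPLE = '''
options {
    recursion no;
    dnssec-validation auto;   // refreshes the root trust anchor (RFC 5011)
};
zone "example.com" {
    type master;
    file "example.com.db";
};
zone "example.net" {
    type master;
    file "example.net.db";
    notify explicit;
    also-notify { 192.0.2.53; };
};
'''
# Matches "notify no;" or "notify explicit;" but not "also-notify ...".
QUIET = r'(?<![-\w])notify\s+(no|explicit)\s*;'

def block_after(text, start):
    """Body of the brace block whose '{' sits at index start."""
    depth = 0
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    return text[start + 1:]

def audit(conf):
    """List settings that make an authoritative-only named send its own queries."""
    # Simplified comment stripping: ignores '#' or '//' inside quoted strings.
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    conf = re.sub(r'(#|//).*', '', conf)
    findings = []
    if not re.search(r'(?<![-\w])recursion\s+no\s*;', conf):
        findings.append('recursion is not explicitly disabled')
    if re.search(r'\bdnssec-validation\s+auto\s*;', conf):
        findings.append('dnssec-validation auto: managed root key will be refreshed')
    if re.search(r'\bmanaged-keys\s*\{', conf):
        findings.append('explicit managed-keys clause present')
    opts = re.search(r'\boptions\s*\{', conf)
    inherited = bool(opts and re.search(QUIET, block_after(conf, opts.end() - 1)))
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = block_after(conf, m.end() - 1)
        served = re.search(r'\btype\s+(master|slave|primary|secondary)\s*;', body)
        if served and not inherited and not re.search(QUIET, body):
            findings.append(f'zone {m.group(1)}: automatic NOTIFY resolves NS names')
    return findings
```

Calling audit(SAMPLE) reports the dnssec-validation auto line and the example.com zone; example.net is not reported because it uses notify explicit with an address list.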

