An interesting article caught my eye the other day. When Goverments Lie discusses how it is possible for DNS queries to the root servers to be answered by one of the servers located within the great Chinese firewall. For most of us this isn’t great news, but we tend to forget nevertheless. A glance at the map, shows there are a number of installations within China. Now, when and if DNSSEC is fully rolled out, the “dangers” of having DNS replies to queries faked will be mitigated, but I believe it will still be quite some time until we see the Top-Level Domains (TLD) fully signed by DNSSEC. (I keep a daily count on my Graphic DNSSEC Report, and as you can see, the green pie is far from being full.) For those people who have the necessary infrastructure (an NSD or BIND name server is all you need) you can easily set up your own root name server. The root hints are published daily, and you can retrieve a current copy from the FTP server at Take that, remove the entries for the root servers you don’t want queries sent to, and bob’s your uncle. You can go a step further and publish your own root name server using the file. For instance, by creating your own root name server you can ensure typos in domain names don’t leave your premises. I wouldn’t necessarily recommend you do this, but your are free to do so.

DNS and root :: 30 Nov 2010 :: e-mail