When I do a "dig . ns", many of the A records for the root servers are missing. Why?
- Updated on 21 Dec 2016
This is normal and harmless. It is a somewhat confusing side effect of the way BIND 9 does RFC 2181 trust ranking and of the efforts BIND 9 makes to avoid promoting glue into answers.
When BIND 9 first starts up and primes its cache, it receives the root server addresses as additional data in an authoritative response from a root server, and these records are eligible for inclusion as additional data in responses. Subsequently it receives a subset of the root server addresses as additional data in a non-authoritative (referral) response from a root server. This causes the addresses to now be considered non-authoritative (glue) data, which is not eligible for inclusion in responses.
The server does have a complete set of root server addresses cached at all times; it just may not include all of them as additional data, depending on whether they were last received as answers or as glue. You can always look up the addresses with explicit queries like "dig a.root-servers.net A".
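To see which root servers a given response left out of the additional section, the check below parses "dig . ns" output and lists the NS names that have no accompanying A record. It is an added example, not ISC's code; the function names and the sample response (with documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ISC code. Reads "dig . ns" output on stdin and prints
# each root NS name that has no A record in the ADDITIONAL section.
missing_additional_a() {
    awk '
        /^;; ANSWER SECTION:/     { sec = "answer"; next }
        /^;; ADDITIONAL SECTION:/ { sec = "additional"; next }
        /^;; /                    { sec = ""; next }  # other headers, footer stats
        /^;/ || NF < 5            { next }            # comments and blank lines
        sec == "answer"     && $4 == "NS" { ns[tolower($5)] = 1 }
        sec == "additional" && $4 == "A"  { have[tolower($1)] = 1 }
        END { for (n in ns) if (!(n in have)) print n }
    ' | sort
}

# Constructed sample response (documentation-range addresses, not real ones).
sample_response() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;.                      IN      NS

;; ANSWER SECTION:
.               518400  IN      NS      a.root-servers.net.
.               518400  IN      NS      b.root-servers.net.
.               518400  IN      NS      c.root-servers.net.
.               518400  IN      NS      d.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       192.0.2.1
b.root-servers.net.     518400  IN      A       192.0.2.2
c.root-servers.net.     518400  IN      AAAA    2001:db8::c

;; Query time: 1 msec
EOF
}

sample_response | missing_additional_a
```

Against a live server, run `dig . ns | missing_additional_a`, then confirm that each listed name still resolves with an explicit query such as "dig a.root-servers.net A".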
© 2001-2018 Internet Systems Consortium