Why does my authoritative-only nameserver try to query the root nameservers?
  • 25 May 2021

Check first that recursion really is disabled, in the options block of named.conf:

recursion no;

This stops named from resolving names on behalf of clients (recursive queries are refused), but it does not stop named from sending iterative queries of its own when it needs to resolve a name for internal purposes. With no recursive resolver to ask, such lookups start from the root hints, which is why you see queries to the root servers. The two common triggers on an authoritative-only server are:

  • If your authoritative zones contain NS records for servers that are not within any zone you manage or have delegated to (for example, a partner that hosts a secondary copy of your zone for geographic or network diversity), then by default, whenever one of your zones is updated, named sends a NOTIFY to every server listed in that zone's NS RRset (except the one named in the SOA MNAME field). To do this it must first resolve those NS names to addresses.

To prevent these lookups altogether, disable notifications in the zone statement (or globally in the options block):

notify no;

Alternatively, keep sending NOTIFY messages, but only to servers you list explicitly by IP address, so no name resolution is required:

notify explicit;
also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] };

  • Even if you are not handling recursive client queries, if DNSSEC validation is set to auto, named loads its built-in root trust anchor and then periodically queries the root nameservers to refresh it (RFC 5011 trust anchor maintenance). Look for this setting in named.conf:

dnssec-validation auto;

Removing the line is only sufficient on BIND versions where the default is yes (validate only with explicitly configured trust anchors, so nothing is loaded). BIND 9.16 and later default to auto, so on those versions set the option explicitly to no on an authoritative-only server.

  • Similarly, any explicit managed-keys clause (or, in BIND 9.16 and later, a trust-anchors clause with initial-key entries) also causes named to initiate RFC 5011 refresh queries to the root nameservers, although it is unlikely that you would configure one on an authoritative-only server. (dnssec-validation auto; loads a managed root key implicitly.)
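The following shell script is an added example and is not part of this ISC article or of BIND itself. It embeds two constructed named.conf fragments: one in which recursion no; is set but all three triggers above remain (validation on auto, a zone relying on default NOTIFY), and the corrected form beside it (dnssec-validation no;, notify explicit; with also-notify). A small audit function then reports which triggers are still present in a config file. The zone example.com, the partner server ns2.partner.example and the addresses 192.0.2.53 and 198.51.100.53 are made-up values.

```shell
#!/bin/sh
# Added example, not from the ISC KB article. The zone example.com, the server
# ns2.partner.example and the addresses 192.0.2.53 / 198.51.100.53 are made up.

# Constructed: "recursion no;" is set, yet named will still query the root.
LEAKY_CONF='
options {
    recursion no;
    dnssec-validation auto;    // loads the built-in root trust anchor, refreshed per RFC 5011
};
zone "example.com" {
    type primary;              // "type master;" in BIND 9.11 and earlier
    file "example.com.db";
    // notify defaults to yes: named must resolve ns2.partner.example to send the NOTIFY
};
'

# Constructed: same zone with the triggers removed.
HARDENED_CONF='
options {
    recursion no;
    dnssec-validation no;      // explicit, because BIND 9.16+ defaults to auto
};
zone "example.com" {
    type primary;
    file "example.com.db";
    notify explicit;           // never resolve NS names for NOTIFY
    also-notify { 192.0.2.53; 198.51.100.53 port 5353; };
};
'

# audit_conf FILE: print one finding per line; print nothing when clean.
# Strips // and # comments and tracks brace depth so that only top-level
# options/zone/key blocks are inspected; /* */ comments are not handled.
audit_conf() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | awk '
    {
        line = $0
        opens  = gsub(/[{]/, "{", line)
        closes = gsub(/[}]/, "}", line)
        if (depth == 0) {
            if (line ~ /^[ \t]*options[ \t]*[{]/) block = "options"
            else if (line ~ /^[ \t]*zone[ \t]/) { block = "zone"; zones++ }
            else if (line ~ /^[ \t]*(managed-keys|trust-anchors|trusted-keys)[ \t]*[{]/) keys = 1
        }
        if (block == "options" && line ~ /recursion[ \t]+no[ \t]*;/) rec = 1
        if (block == "options" && line ~ /dnssec-validation[ \t]+no[ \t]*;/) val = 1
        if (block == "options" && line ~ /(^|[ \t])notify[ \t]+(no|explicit)[ \t]*;/) gnotify = 1
        if (block == "zone" && line ~ /(^|[ \t])notify[ \t]+(no|explicit)[ \t]*;/) znotify++
        depth += opens - closes
        if (depth == 0) block = ""
    }
    END {
        if (!rec) print "recursion is not explicitly disabled in options"
        if (!val) print "dnssec-validation is not set to no (auto/yes loads a root trust anchor)"
        if (keys) print "explicit trust anchor clause present (managed-keys/trust-anchors/trusted-keys)"
        if (!gnotify && znotify < zones) {
            n = zones - znotify
            print n " zone(s) use default notify and will resolve NS names"
        }
    }'
}

# Write both fragments to temporary files and audit each of them.
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$LEAKY_CONF"    > "$dir/leaky.conf"
    printf '%s\n' "$HARDENED_CONF" > "$dir/hardened.conf"
    echo "== leaky.conf =="
    audit_conf "$dir/leaky.conf"
    echo "== hardened.conf =="
    audit_conf "$dir/hardened.conf"
    rm -rf "$dir"
}
run_demo
```

To check a real server, run audit_conf against its configuration; because it is a line-oriented heuristic, feed it the fully expanded configuration that named-checkconf -p prints (so that included files are covered) rather than a top-level named.conf that only pulls in other files.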