Updating the public root content DNS server list

The conventional setup for DNS services has an instance of tinydns as a private root content DNS server. The servers/@ file for dnscache simply lists 127.53.0.1 (or whatever on-machine/on-site IP address tinydns is listening on).

Unconventionally, but in the old style of Bernstein djbdns, one can have the servers/@ file list the IP addresses of the public root content DNS servers run by ICANN. The list of "." content DNS servers changes over time.

Some changes over the years to the list of ICANN's "." content DNS servers were on 2017-10-24, 2016-03-23, 2015-12-01, 2007-11-01, 2004-01-29, 2002-11-05, and 1997-08-22; and this is not even a complete list. The IP addresses do not change egregiously often in practice, and it is normally sufficient to update the list once or twice per year.

Bernstein djbdns shipped with a file named /etc/dnsroots.global which contained ICANN's list of these IP addresses as it stood in 2001. It is no longer packaged by djbwares, in favour of just collecting the updated address list using this method instead. It is nonetheless possible to limp along with this same list if one has it, a quarter of a century later, with somewhat degraded query resolution, and with the caveat that someone might re-use one of the old IP addresses and put a DNS server on it.

Procedure

Use a command pipeline to obtain the list of IP addresses of the "." content DNS servers, directing its output to the root/servers/@ file, then restart the dnscache service:

~ #cd "$(system-control find dnscache@127.0.0.1)/service"
/var/local/service-bundles/services/dnscache@127.0.0.1/service #cd "$(system-control print-service-env dnscache@127.0.0.1 ROOT)"
/var/local/service-bundles/services/dnscache@127.0.0.1/service/root #printf '%s\n' $(dnsip $(dnsns .)) > servers/.@.tmp
/var/local/service-bundles/services/dnscache@127.0.0.1/service/root #mv servers/.@.tmp servers/@
/var/local/service-bundles/services/dnscache@127.0.0.1/service/root #system-control try-restart dnscache@127.0.0.1
/var/local/service-bundles/services/dnscache@127.0.0.1/service/root #

Notes

The service management tooling here is from the nosh toolset.

dnsip is IPv6-capable, and will print multiple IP addresses on a single line. The ICANN "." content DNS servers all nowadays have both IPv4 and IPv6 addresses, a process that began in 2008. The use of printf '%s\n' is a standard Unix idiom for separating these addresses onto individual single lines.

The use of .@.tmp is not necessary for dnscache, which does not re-read the servers/@ file once it has started. It is to avoid losing the original servers/@ file should a network outage or something cause the two lookup tools to fail. It is a wise idea to just look at the new file, and check that it really does list 26-or-so IP addresses, before moving it into place.
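The following is an added example, not part of the djbwares or nosh documentation, that turns the procedure above and the advice in this note into a guarded script: the new list is written to servers/.@.tmp, checked to contain only well-formed IPv4/IPv6 addresses and at least the expected number of them, and only then moved over servers/@ and the cache restarted. It assumes dnsns and dnsip are on PATH, that the service is dnscache@127.0.0.1, and that ROOT in the service environment is a path relative to the service directory, as the transcript above shows; the validation function and its 20-address floor are this example's own, and the sample addresses in the comments are constructed.

```sh
#!/bin/sh
# Added example (not the toolset's own script). Assumes djbwares dnsns/dnsip
# and the nosh system-control tool are on PATH.

# validate_root_list FILE [MINIMUM]
# Return 0 only if every line of FILE is a single IPv4 or IPv6 address and
# there are at least MINIMUM of them (default 20; the ICANN "." servers
# currently yield 26-or-so). Blank or malformed lines fail the check, so a
# half-written file from a failed lookup is never installed.
validate_root_list() {
    file="$1"
    minimum="${2:-20}"
    count=0
    # The "|| [ -n "$line" ]" also accepts a final line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            return 1
        elif printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
            : # dotted-quad IPv4, e.g. a constructed 192.0.2.1
        elif printf '%s\n' "$line" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'; then
            : # hex-and-colon IPv6, e.g. a constructed 2001:db8::1
        else
            return 1
        fi
        count=$((count + 1))
    done < "$file"
    [ "$count" -ge "$minimum" ]
}

# update_root_servers [SERVICE]
# Perform the page's pipeline, but refuse to touch servers/@ unless the new
# list passes validate_root_list. Runs in a subshell so the cd does not leak.
update_root_servers() (
    service="${1:-dnscache@127.0.0.1}"
    cd "$(system-control find "$service")/service" || exit 1
    cd "$(system-control print-service-env "$service" ROOT)" || exit 1
    # Unquoted expansion is deliberate: dnsip prints several addresses on one
    # line, and printf '%s\n' splits them one per line, as the page explains.
    printf '%s\n' $(dnsip $(dnsns .)) > servers/.@.tmp || exit 1
    if validate_root_list servers/.@.tmp 20; then
        mv servers/.@.tmp servers/@ || exit 1
        system-control try-restart "$service"
    else
        printf 'refusing to replace servers/@: new list failed validation\n' >&2
        rm -f servers/.@.tmp
        exit 1
    fi
)
```

Run `update_root_servers` as root on the machine hosting the dnscache service; the original servers/@ survives a network outage or a lookup failure because the temporary file is discarded rather than moved into place. The 20-address floor is intentionally a little below the 26-or-so that the ICANN servers answer with today, so that a single server temporarily missing an address family does not block the update, while a truncated or empty result still does.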