New addresses for b.root-servers.net

Jim mysidia at gmail.com
Fri Jun 2 16:57:25 UTC 2023


On Thu, Jun 1, 2023 at 5:59 PM William Herrin <bill at herrin.us> wrote:

> A server generation is about 3 years before it's obsolete and is
> generally replaced. I suggest making the old address operable for two
> generations (6 years) and black-holed for another generation (3 more ...
>

As you mention, there is no TTL for the root hints. The TTL is infinite. And not
all users will be retired after 3 years... there are DNS resolvers online running
10-year-old code, and there are DNS resolvers on the internet that may not see a
root hints update in the next 10 years. It is unlikely that there is any practical
way of giving notice to the operators of such servers.

Therefore, I would suggest IP addresses that ever appeared in the official root
hints should be reserved permanently and exclusively for official root service,
then blackholed indefinitely once service is not in operation anymore, to prevent
any DNS service other than an official root server appearing at that IP at any
point in time in the future, no matter how many years have elapsed (infinite TTL).

A major concern would be if the IP address were eventually re-assigned to
something else that ended up reporting false answers due to a malicious or
misconfigured DNS service.

DNS resolvers can handle no answer by trying other servers, but a false answer
from an unauthorized and malicious root service being received by non-validating
resolvers would be fairly certain to be capable of causing total failure in the
resolver; while an IP address being offline would more likely only cause
impairment or delays.

It's understandable if some root service IP addresses stop providing service
years after the end of service, and resolvers should still be able to function at
some level, with reduced resiliency and increased errors, if only a small number
have changed.


> Regards,
> Bill Herrin
>
--
-JH
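An added example, not part of the thread and not anyone's posted code: a small Python audit that parses a resolver's installed root hints file and compares it against a current reference copy, reporting the hinted addresses that are no longer official, which are exactly the addresses the message above says a resolver with stale hints will keep priming against indefinitely. The file format is the standard BIND-style root hints ("named.root") zone format; the server names under the reserved .example TLD and the addresses from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) are constructed for this example and are not the real root servers.

```python
"""Audit an installed root hints file against a current reference copy.

Added example for the NANOG discussion above, not code from the thread.
Format: BIND-style root hints zone lines, OWNER [TTL] [CLASS] TYPE RDATA.
Names and addresses below are constructed from reserved documentation
space (.example, 192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RootHints:
    servers: set[str] = field(default_factory=set)                # NS names for "."
    addresses: dict[str, set[str]] = field(default_factory=dict)  # name -> A/AAAA glue


def parse_root_hints(text: str) -> RootHints:
    """Parse hints lines; rejects anything that is not NS-for-root or A/AAAA glue."""
    hints = RootHints()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment
        if not line:
            continue
        fields = line.split()
        owner = fields.pop(0).lower()
        if not owner.endswith("."):
            owner += "."
        # Skip the optional TTL (digits) and class ("IN") tokens.
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if len(fields) != 2:
            raise ValueError(f"malformed hints line: {raw!r}")
        rtype, rdata = fields[0].upper(), fields[1]
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS record not for the root zone: {raw!r}")
            hints.servers.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)  # ValueError on junk
            if ip.version != (4 if rtype == "A" else 6):
                raise ValueError(f"{rtype} record with IPv{ip.version} address: {raw!r}")
            hints.addresses.setdefault(owner, set()).add(ip.compressed)
        else:
            raise ValueError(f"unexpected record type in hints: {raw!r}")
    return hints


@dataclass
class HintsAudit:
    stale: dict[str, set[str]]    # installed glue no longer in the current hints
    missing: dict[str, set[str]]  # current glue the installed file does not have
    unresolved: set[str]          # NS names in the installed file with no glue


def audit_hints(installed: RootHints, current: RootHints) -> HintsAudit:
    stale, missing = {}, {}
    for name in installed.servers | current.servers:
        old = installed.addresses.get(name, set())
        new = current.addresses.get(name, set())
        if old - new:
            stale[name] = old - new
        if new - old:
            missing[name] = new - old
    unresolved = {n for n in installed.servers if not installed.addresses.get(n)}
    return HintsAudit(stale, missing, unresolved)


def stale_addresses(report: HintsAudit) -> list[str]:
    """Flat sorted list of addresses the resolver will keep priming against
    although no official root server answers there any more."""
    return sorted({ip for ips in report.stale.values() for ip in ips})


# Constructed sample: hints a resolver shipped with years ago (no class column) ...
INSTALLED_HINTS = """\
; constructed sample, not the real root hints
.                     3600000   NS    A.ROOT.EXAMPLE.
A.ROOT.EXAMPLE.       3600000   A     192.0.2.4
A.ROOT.EXAMPLE.       3600000   AAAA  2001:db8:a::4
.                     3600000   NS    B.ROOT.EXAMPLE.
B.ROOT.EXAMPLE.       3600000   A     192.0.2.201
B.ROOT.EXAMPLE.       3600000   AAAA  2001:db8:b::201
"""

# ... and the current reference copy (with class column), in which B has moved.
CURRENT_HINTS = """\
; constructed sample, not the real root hints
.                     3600000   IN  NS    A.ROOT.EXAMPLE.
A.ROOT.EXAMPLE.       3600000   IN  A     192.0.2.4
A.ROOT.EXAMPLE.       3600000   IN  AAAA  2001:db8:a::4
.                     3600000   IN  NS    B.ROOT.EXAMPLE.
B.ROOT.EXAMPLE.       3600000   IN  A     198.51.100.2
B.ROOT.EXAMPLE.       3600000   IN  AAAA  2001:db8:b::2
"""

if __name__ == "__main__":
    report = audit_hints(parse_root_hints(INSTALLED_HINTS), parse_root_hints(CURRENT_HINTS))
    for name, ips in sorted(report.stale.items()):
        print(f"stale glue for {name}: {', '.join(sorted(ips))}")
    for name, ips in sorted(report.missing.items()):
        print(f"missing glue for {name}: {', '.join(sorted(ips))}")
    print("addresses to watch or blackhole:", stale_addresses(report))
```

A resolver only uses the hints to send a priming query, and it adopts the root NS set from the priming response (RFC 8109), so a stale file is tolerated as long as at least one hinted address still answers honestly; the `stale` set is precisely where a reassigned host could answer that priming query with a forged root NS set, which is the failure mode the message above is worried about for non-validating resolvers.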