New addresses for b.root-servers.net

• Previous message (by thread): New addresses for b.root-servers.net
• Next message (by thread): New addresses for b.root-servers.net
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 6/1/23 3:57 PM, William Herrin wrote:
>> Certainly we would appreciate other opinions about what the right length
>> of a change-over time would be, especially from the operational
>> communities that will be most impacted by this change.
> 
> A server generation is about 3 years before it's obsolete and is
> generally replaced. I suggest making the old address operable for two
> generations (6 years) and black-holed for another generation (3 more
> years).

I'm not convinced it should be based entirely on physical server rollovers, but certainly you could 
look at it through the lens of DNS resolver software security update support timelines. As far as 
I'm aware, RHEL is one of the longest-available support timelines, with RHEL 6 released in 2010 
still supported into 2026 (per Wikipedia).

I assume RHEL would ship a root hints update during that time, but such things can slip through 
pretty easily as its not a security update.

You could also look at the DNSSEC KSK rollover as a natural cutoff point - the KSK rollover in 
October 2018 used a KSK created in October 2016, which is a substantially more aggressive timeline 
than a 3 year physical server rollover (I'm gonna bet you can find *tons* of folks on this list 
running physical servers way older than 3 years with production DNS resolvers on them) or 15+ year 
RHEL support timeline.

As properly configured resolutions will fail after a new KSK rollover, its probably not unreasonable 
to stop responding (correctly) after a future KSK rollover.

Not sure what the operation cost is to keep responding on another IP block, but I'm gonna assume its 
not a whole lot, so absent a strong reason ISTM its easy to air on the side of responding for a 
long, long time rather than not responding.

> Perhaps make it a false responder in the last of those 9 years so that
> anybody who is truly that far behind on their software updates gets
> enough of a spanking to stop sending you packets. You'll have problems
> repurposing the address and its subnet until folks stop sending you
> DNS query packets, even if you don't respond to them.

Not a bad idea, you could also put a nice warning page up informing them that their DNS resolver is 
broken and not enforcing DNSSEC while you're at it :)

Matt

• Previous message (by thread): New addresses for b.root-servers.net
• Next message (by thread): New addresses for b.root-servers.net
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]