New addresses for b.root-servers.net

Crist Clark cjc+nanog at pumpky.net
Sun Jun 18 01:05:40 UTC 2023


IP addresses cannot and should not be trusted. It’s not like you can really
trust your packets going to B _today_ are going to and from the real B (or
Bs).

If the security of DNS relies on no one intercepting or spoofing responses
of some of your queries to a root server, it’s been game over for a long
time.


On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo <nanog at as397444.net> wrote:

>
>
> On 6/17/23 7:12 AM, Tom Beecher wrote:
> > Bill-
> >
> >     Don't say, "We'll keep it up for as long as we feel like it, but at
> >     least a year." That's crap.
> >
> >
> > 30% of the root servers have been renumbered in the last 25 years.
> >
> > h: 2015
> > d: 2013
> > l: 2007
> > j: 2002
> >
> > For these 4 cases, only a 6 month transition time was provided, and the
> > internet as we know it did not fall over in a flaming pile. (One could
> > argue it was ALREADY a flaming pile, but that's a different discussion.)
>
> There’s a huge difference between “no one noticed any issues because
> recursive resolvers will seamlessly fall back to other root servers if
> there’s an outage” and “there aren’t issues”.
>
> For non-DNSSEC-verifying-resolvers (sheesh, but they still exist), if the
> IPs are eventually released and someone stands up a DNS server on them you
> could cause real harm.
>
> Does this need to be over-engineered to prevent that? No, though doing a
> few tricks to help the poor folks on unmaintained recursive resolvers
> isn’t bad either.
>
> But lack of visible issues doesn’t mean that users aren’t put at risk.
> That said, I have no idea if the old number resources were released or no
> longer announced in the DFZ after the previous renumbers, which would
> really be the point at which concern is warranted, not simply no longer
> responding.
>
> Matt
>
>