<div dir="ltr"><div dir="ltr">On Thu, Jun 1, 2023 at 5:59 PM William Herrin <<a href="mailto:bill@herrin.us">bill@herrin.us</a>> wrote:<br></div><div dir="ltr"><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">A server generation is about 3 years before it's obsolete and is<br>
generally replaced. I suggest making the old address operable for two .<br>
generations (6 years) and black-holed for another generation (3 more ....<br></blockquote><div><br></div><div>As you mention.. there is No TTL for the root hints. The TTL is Infinite. And not </div><div>all users will be retired after 3 years... there are DNS resolvers online running </div><div>10-year old code and there are DNS resolvers on the internet that may not see a roots hint </div><div>update in the next 10 years. It is unlikely that there is any practical way of giving notice</div><div>to the operators of such servers.</div><div><br></div><div>Therefore, I would suggest IP Addresses that ever appeared in the official root hints</div><div>should be reserved permanently and exclusively for official root service, then blackholed indefinitely once service</div><div>is not in operation anymore to prevent any DNS service other than an official root server appearing at</div><div>that IP at any point in time in the future no matter how many years have elapsed (Infinite TTL).</div><div><br></div><div>A major concern would be if the IP address were eventually re-assigned to something else that </div><div>ended up reporting false answers due to a malicious or misconfigured DNS service.</div><div><br></div><div>DNS resolvers can handle no answer by trying other servers, but </div><div>a false answer from an unauthorized and malicious root service being received by non-validating</div><div>resolvers would be fairly certain to be capable of causing total failure in the resolver;</div><div>while an IP address being offline would more likely only cause impairment or delays.</div><div><br></div><div>It's understandable if some root service IP addresses stop providing service years after </div><div>the end of service, and resolvers should still be able to function at some level with</div><div>reduced resiliency and increased errors if only a small number have changed.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Regards,<br>
Bill Herrin<br></blockquote><div>--</div><div>-JH </div></div></div>