Slashdot Mirror


Root Zone Changed

An anonymous reader writes "The day before yesterday the root zone was silently changed for the first time in 5 years. The change was to J.ROOT-SERVERS.NET that is now managed by Verisign. The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced. An interesting sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

298 comments

  1. Will one need by bplipschitz · · Score: 0, Troll

    a root canal to get there?

  2. Why should we care? by Disoriented · · Score: 4, Interesting

    Maybe someone could explain to us newbies how this affects the operation of the Internet.

    1. Re:Why should we care? by LinuxOnHal · · Score: 3, Informative

      Without getting extremely technical with it, this mostly affects your ISP. If your ISP does not update their root zone files, when you attempt to resolve a website, your ISP has one less server for it to resolve the root server for and CC top level domains, as well as .com, .org, .net, etc.

      --
      Trying is the First Step to Failing --Homer Simpson
    2. Re:Why should we care? by nelsonal · · Score: 5, Informative

      The root servers are the master list of domain names for the Internet. The computers still use IP addresses to talk, but us Humans prefer remembering slashdot.org to 66.35.250.150. In meatspace terms, I think this is along the lines of a construction company changing the composition of their concrete for use on the Highway system, you might not notice the change as a user, but it could be a bad decision.
      All I want to know is if Sun is back to being the . in .com? :)

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
    3. Re:Why should we care? by Anonymous Coward · · Score: 0

      Basically the Root Zone has now changed from behind the McDonald's carpark, to the concreted area behind the abandoned rural supplies warehouse.

      Anyone caught in the McDonalds carpark from now on will be laughed at, and their mullet cut off.

    4. Re:Why should we care? by a+(+h+3+r+0+n · · Score: 5, Informative
      The root zones are where all top-level DNS queries start. Think of the internet domain system as one giant honkin' tree. The root servers at the top manage domain information for the top level zones, and they pass off queries down the tree until the query hits an authoritative DNS server for the domain in question.

      This affects administrators of DNS servers, because in the DNS config is a list of the IP addresses where these root servers can be found.

      Why should you care? You probably don't. It doesn't affect you directly. That is, unless all the root servers mysteriously die one day. That would make surfing for your pr0n a thing of near impossibility. :)

    5. Re:Why should we care? by sporty · · Score: 2

      You forgot to mention domain name servers and the ip's to find out what their IP's are. All the root servers know about slashdot are what its ip's are and what the ip's of the dns servers are along with the fact that the name is slashdot.org.

      All the root servers are gigantic signs with posts pointing general directions to find out more specific information.

      --

      -
      ping -f 255.255.255.255 # if only

    6. Re:Why should we care? by KieranElby · · Score: 5, Informative

      > Maybe someone could explain to us newbies how this affects the operation of the Internet.

      Ok.

      Here's the usual (much simplified) explanation for how DNS (that is, mapping hostnames to IP addresses) works:

      Let's assume we want to connect to www.slashdot.org. We need to know its IP address in order to do this.

      What we do is:

      1) Ask one of the 13 root servers which server handles .org domains.

      2) Ask that server which server handles the slashdot.org domain.

      3) Ask that server which server handles the www.slashdot.org zone.

      However, this begs the question:

      "Where do the root servers get their info. from?"

      Well, as of yesterday they're getting it from 192.58.128.30.

      To some extent, 192.58.128.30 is now the most important address on the internet since it is the highest authority for the rather important business of looking up addresses.

    7. Re:Why should we care? by spinlocked · · Score: 3, Funny

      All I want to know is if Sun is back to being the . in .com

      I think Sun's marketing department finally realised that's not a good thing to be :)

      --
      # init 5
      Connection closed.


      Oh... ...bugger.
    8. Re:Why should we care? by MentlFlos · · Score: 1
      That would make surfing for your pr0n a thing of near impossibility

      just start at 69.69.69.69 and go from there!

      (Hmmm, I wonder who has that block.... I think I'll go check)

    9. Re:Why should we care? by BigGar' · · Score: 1, Funny

      That would make surfing for your pr0n a thing of near impossibility. :)

      This is exactly why I keep a notebook, with the ip address, of all the porn sites I visit regularly in it. Never can be too cautious when it comes to your porn.

      --


      Shop smart, Shop S-Mart.
    10. Re:Why should we care? by Anonymous Coward · · Score: 1, Informative

      No, it doesn't "beg the question." It inspires the question, it raises or prompts the question, but it does not beg the question. HTH.

    11. Re:Why should we care? by raindrop#1 · · Score: 1

      "Think of the internet domain system as one giant honkin' tree. The root servers at the top...pass off queries down the tree"

      So this is a tree with the roots at top and the branches at the bottom?? Where I live the roots normally go in the ground, that is, at the bottom of the tree. Still, it's a strange old world out there, maybe things are different round your way?

    12. Re:Why should we care? by timothy_m_smith · · Score: 2
      Still, it's a strange old world out there, maybe things are different round your way?

      Maybe the author of the parent post lives in Australia...
    13. Re:Why should we care? by Anonymous Coward · · Score: 5, Informative

      Not exactly. The question is actually "how do we find the root servers to ask them who handles .org" aka, "how do we find out who handles '.'".

      The answer is to keep a list of the 13 root servers' IPs on disk, in a file called (appropriately enough) "root.hints".

      J is *one* of the root servers, and it has changed its IP. Therefore at some point people should update their root.hints files to reflect this change.

      There's no hurry, because the other 12 haven't moved, and over time the update will tend to happen without any special help as you upgrade your DNS install, etc.

    14. Re:Why should we care? by Anonymous Coward · · Score: 1, Funny
      ...you might not notice the change as a user, but it could be a bad decision.
      All I want to know is if Sun is back to being the . in .com?
      If this turns out to be a bad decision, Sun could end up as the "stroke dot" (\., as opposed to slash dot, /.) in
      [[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}

      I'd hate to be on the marketing team that tries to figure out how to sell that one to consumers.
    15. Re:Why should we care? by 4of12 · · Score: 1

      remembering slashdot.org to 66.35.250.150

      What?

      You mean 66.35.250.150 is Slashdot and not Pee Wee's Playhouse?

      --
      "Provided by the management for your protection."
    16. Re:Why should we care? by raindrop#1 · · Score: 0

      in which case I'd like to say that Nasser Hussain is merely biding his time (i hope).

      ps. [for the Americans out there] I'm talking about Cricket.

    17. Re:Why should we care? by Shagg · · Score: 4, Insightful

      Think of it like this:

      If you are looking for the phone number for a company you've never called before, you want to look in the Yellow Pages to find it. Now if your wife has moved the Yellow Pages to a different room in the house, you need to know where she put it. However, in this case it's more like there are 13 copies of the Yellow Pages in your home, and she's only moved one of them... so it's not too big of a deal. It's also not something you need to know unless you run a DNS server.

      --
      Unix is user friendly, it's just selective about who its friends are.
    18. Re:Why should we care? by dfn5 · · Score: 1

      But in this specific case j.root-servers.net doesn't really seem to do anything important other than serve up "." so I would say that nobody should really care. At least the other root servers [a-i].root-servers.net serve up other things like .mil and .arpa. Opennic doesn't even have a mention of it in its root zone file because it is soooo unimportant.

      --
      -- Thou hast strayed far from the path of the Avatar.
    19. Re:Why should we care? by Anonymous Coward · · Score: 0

      This is funny!!!! Dipshit moderators....

    20. Re:Why should we care? by SacredNaCl · · Score: 5, Insightful

      I wonder if this has anything to do with the recent denial of service attacks against the root servers?

      Just speculating that maybe the attackers used a worm/trojan that was preset to attack them at the previous IP on certain dates? Similar to some things we have seen in the past...

      --
      Freedom is merely privilege extended unless enjoyed by one and all.
    21. Re:Why should we care? by Strog · · Score: 5, Informative

      A.ROOT-SERVERS.NET is considered the ultimate authority in DNS. It is also called "dot" and used to be a healthy Sun box. So they really were the "dot" in .com in a sense and that's what made it so funny. That box was replaced with an IBM box and now IBM could say they are the "dot" in .com.

      Link here

    22. Re:Why should we care? by paranoos · · Score: 1
      Sun is now actually the "m" in ".com" ... meaning that it is the butt of all jokes. Including this one.

      heh Couldn't resist, sorry :>

    23. Re:Why should we care? by Anonymous Coward · · Score: 0

      That would make surfing for your pr0n a thing of near impossibility.

      What? You don't index your pr0n sites by IP? It's much less suspicious to see 210.214.xx.xx on your history list, instead of www.daddysfistisinsideme.com

    24. Re:Why should we care? by Anonymous Coward · · Score: 0

      Thank you. Misuse of that phrase drives me right out of my tree.

      At some point, I'm hoping the school system reintroduces literacy to the curriculum.

    25. Re:Why should we care? by MindStalker · · Score: 2

      Completely wrong.
      Here is how it actually works.

      Your computer contacts your ISP's DNS server asking where www.slashdot.org is. That computer, if it knows the answer (which it often does as it keeps stored requests for a few hours), tells you the answer, if it doesn't or it only knows the partial answer (it might know the DNS server for slashdot.org in which it would go straight there and ask where www.slashdot.org is). Anyways your ISP's DNS server will, assuming it didn't know the answer and immediately tell you, do one of two things, depending upon how it's programmed, very small ISPs or most company intranet DNS servers, will ask its ISP's DNS server. Or assuming it's a normal ISP, will randomly pick one of X number of servers. (by my list, (not updated since 1997) 14 different servers A.ROOT-SERVERS.NET to M.ROOT-SERVERS.NET) Of course the IP address of these servers are more important than the names. This server tells me that slashdot.org's domain name records are stored at ns1.osdn.com (and ns2 and ns3 as backups) and gives these ip addresses of ns1.osdn.org and the backups, then tells my local dns to keep this info on hand for just short of 2 days. My DNS server then asks ns1.osdn.org just where I can find www.slashdot.org, this server will answer me.

    26. Re:Why should we care? by br0ck · · Score: 5, Informative

      I think your suspicion has been confirmed by this recent New Scientist article. It says one of the Verisign root servers was actually moved to a new location so that two servers wouldn't be relying on the same infrastructure. It does not mention the IP change, but it seems to make sense.

    27. Re:Why should we care? by Alsee · · Score: 3, Funny

      Now if your wife has moved the Yellow Pages to a different room in the house, you need to know where she put it. However, in this case it's more like there are 13 copies of the Yellow Pages in your home, and she's only moved one of them... so it's not too big of a deal.

      I don't give a damn about the Yellow Pages, I just wish she'd stop leaving the frigg'n cordless phone buried in a pile of freshly folded laundry.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    28. Re:Why should we care? by miltimj · · Score: 1

      Unless you've visited the sites recently. DNS info should be cached up (down?) the tree.

      You make it seem as though the root servers get every DNS lookup, which is definitely not the case (for obviously good reason!)

      --
      "Truth is not decided by majority vote" consensus gentium -- Norman Geisler
    29. Re:Why should we care? by sv0f · · Score: 1, Offtopic

      heh Couldn't resist, sorry :>

      No need to apologize. You're not funny.

    30. Re:Why should we care? by douglas+jeffries · · Score: 1

      in computer science, that's how trees always grow.

      weird, i know, and probably makes planting a pain. then again, most of computer science makes more sense standing on your head, if only for the rush of blood.

    31. Re:Why should we care? by TheOnlyCoolTim · · Score: 2

      I remember when my ISPs DNS server would go down a lot, I ended up putting in one of the root servers for the tertiary alternative DNS or something like that...

      Tim

      --
      Omnia vestra castrorum habetur nobis.
    32. Re:Why should we care? by NateTech · · Score: 1

      Actually you missed a step or twenty. "Much simplified" is the understatement of the year.

      You said:

      1) Ask one of the 13 root servers which server handles .org domains.

      2) Ask that server which server handles the slashdot.org domain.

      3)Ask that server which server handles the www.slashdot.org zone.

      And of course that last step is a bit wrong, even in a simple analogy.

      Should have been:

      3) Ask that server which server handles the slashdot.org zone.

      ***4) Ask that server for the A record for the www.slashdot.org name.

      And of course, it's a lot more complex than this, as at each point you're really asking "do you have records for this zone?...

      If not, do you have an NS record for the nameserver to ask for it?"... "Oh! Your timeout values on those zones are X, Y, and Z? Okay... I'll cache those. Thanks."

      And of course, like many big sites, you may get more than one answer for the A-record for www.slashdot.org and have to hand all of those back to the client resolver which will randomize (hopefully) which one it uses...

      And at each stop, you might have to resolve something ELSE to get here... for example when it finds out that the slashdot.org zone is hosted on ns1-ns3.osdn.net, it has to start all over at the top and see if it has cached information for those and if not, ask from the root down where that name lives...

      Etc etc etc...

      It's quite amazing that it works as well as it does as fast as it does.

      --
      +++OK ATH
    33. Re:Why should we care? by Zeinfeld · · Score: 2
      It is also called "dot" and used to be a healthy Sun box. So they really were the "dot" in .com in a sense and that's what made it so funny. That box was replaced with an IBM box and now IBM could say they are the "dot" in .com.

      Actually the change happened mid way through the Sun marketing campaign. Didn't seem to stop Sun however...

      Most folk would think that the folk who run the .com Registry are the dot in dot com.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    34. Re:Why should we care? by evilviper · · Score: 2
      It says one of the Verisign root servers was actually moved to a new location so that two servers wouldn't be relying on the same infrastructure. It does not mention the IP change, but it seems to make sense.

      Haha... When was the last time you moved a computer from one network to another, but kept the same IP address? Come on, were you confused just because they didn't use the magic phrase 'IP address'?
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    35. Re:Why should we care? by evilviper · · Score: 2
      Think of the internet domain system as one giant honkin' tree. The root servers at the top

      Okay, so the DNS servers are the top of the tree. That must mean that they are the most protruded, and support nothing but themselves.

      I'd say the DNS 'tree' is better described as a sort of upside down pyramid.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    36. Re:Why should we care? by numark · · Score: 1

      According to ARIN, no one does...

      --
      Want Slashdot headlines on your site? Try SlashHead
    37. Re:Why should we care? by JWSmythe · · Score: 1


      You know, that domain is available.. :)

      --
      Serious? Seriousness is well above my pay grade.
    38. Re:Why should we care? by lostchicken · · Score: 2

      You bad man. You very bad man.

      Don't do this. The root servers would end up in a smoldering heap of goo if end users started using them.

      --
      -twb
    39. Re:Why should we care? by Blkdeath · · Score: 2
      Don't do this. The root servers would end up in a smoldering heap of goo if end users started using them.
      ... you mean "tried to use them". Much like any good authoritative nameserver, they're not recursive.
      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    40. Re:Why should we care? by dreamword · · Score: 2
      now IBM could say they are the "dot" in .com.


      IBM, perhaps unfortunately, would be promptly sued for trademark infringement if they did that, since Sun still holds a trademark on the phrase. I liked it better when, for once, relatively obscure bits of technical reality were lined up with marketing hype. Alas, no longer; the marketing hype lives on.

    41. Re:Why should we care? by ShavenYak · · Score: 1

      I can tell that most Slashdot readers are single by the fact that this post isn't +5, Funny (not that I didn't know beforehand, mind you).

      BTW, you forgot to mention the remote control for the TV in the living room being left on the kitchen table.

      --

      Hey kids, there's only 5 days left 'til Yak Shaving Day!
    42. Re:Why should we care? by jez9999 · · Score: 1

      Don't quite get what you mean by 'recursive' here?

    43. Re:Why should we care? by cperciva · · Score: 2

      When was the last time you moved a computer from one network to another, but kept the same IP address?

      Given that ARIN makes "micro-allocations" available to root servers (and other "critical infrastructure providers"), it would be quite possible for Verisign to move a root server while keeping the same IP address.

    44. Re:Why should we care? by Strog · · Score: 1

      Why should facts bother a good marketing campaign?

      They had pretty good steam and most people didn't know about the change anyway. Most of the ones that did had already made their mind up one way or the other about Sun and their products.

      We should talk about F root server too. It changed from DEC to Compaq to now HP but the specs stay the same. Actually it's the same 2 node cluster of Alpha boxes and they update the manufacturer name on the webpage and nothing else. It is one of the busiest of the root servers.

    45. Re:Why should we care? by extremely · · Score: 2
      Recursive in this case means they don't walk the tree. You ask a non-recursive server "blah.zone.com." and unless it handles "zone.com.", it says "I dunno"!

      A recursive server would lookup ".", then ask one of the answers to that question "com." and then ask one of the answers to that questions "zone.com.", and then finally ask the real DNS server for "blah.zone.com."

      The authoritative servers aren't recursive to keep bozos from adding them to their DNS lists and beating them to death.

      --

      $you = new YOU;
      honk() if $you->love(perl)
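
The walk described in the comments above (non-recursive servers handing out referrals, a recursive resolver following them, the restart from the root when a nameserver's own name sits in another zone, and caching), as an added example that is not part of the thread. It is an offline simulation over constructed data: only 192.58.128.30 and 66.35.250.150 come from the page; the other addresses, the TLD server names and the delegation layout are assumptions.

```python
# Constructed delegation data. 192.58.128.30 (J root) and 66.35.250.150
# (slashdot.org) come from the thread; every other address and the TLD
# server names are placeholders, and www is assumed to share slashdot.org's A.
ROOT_HINTS = ["192.58.128.30"]
SERVERS = {
    "192.58.128.30": {"records": {}, "delegations": {
        "org.": {"ns.org-tld.test.": "192.0.2.1"},
        "com.": {"ns.com-tld.test.": "192.0.2.2"}}},
    "192.0.2.1": {"records": {}, "delegations": {
        # The NS name lives under .com, so the .org servers have no glue for it.
        "slashdot.org.": {"ns1.osdn.com.": None}}},
    "192.0.2.2": {"records": {}, "delegations": {
        "osdn.com.": {"ns1.osdn.com.": "192.0.2.53"}}},
    "192.0.2.53": {"delegations": {}, "records": {
        "ns1.osdn.com.": ["192.0.2.53"],
        "slashdot.org.": ["66.35.250.150"],
        "www.slashdot.org.": ["66.35.250.150"]}},
}


def in_zone(qname, zone):
    """True if qname is at or below zone (all names are fully qualified)."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


def ask(server, qname):
    """One non-recursive query: the server answers only from its own data."""
    data = SERVERS[server]
    if qname in data["records"]:
        return ("answer", None, data["records"][qname])
    zones = [z for z in data["delegations"] if in_zone(qname, z)]
    if zones:
        zone = max(zones, key=len)            # most specific delegation
        return ("referral", zone, data["delegations"][zone])
    return ("refused", None, None)            # the "I dunno" case


class IterativeResolver:
    """What a recursive server does on behalf of its clients."""

    def __init__(self, hints):
        self.ns_cache = {".": list(hints)}    # zone -> known server addresses
        self.log = []                         # (server, qname) per query sent

    def _closest_servers(self, qname):
        zones = [z for z in self.ns_cache if in_zone(qname, z)]
        return self.ns_cache[max(zones, key=len)]

    def resolve(self, qname, depth=0):
        if depth > 4:
            raise LookupError("nameserver names depend on each other")
        servers = self._closest_servers(qname)
        for _ in range(10):                   # bound the referral chain
            if not servers:
                raise LookupError("no reachable server for " + qname)
            server = servers[0]
            self.log.append((server, qname))
            kind, zone, data = ask(server, qname)
            if kind == "answer":
                return data
            if kind != "referral":
                raise LookupError(server + " is not authoritative for " + qname)
            servers = []
            for ns_name, glue in data.items():
                # Without glue the resolver has to look up the nameserver's
                # own name first, starting again from what it has cached.
                servers += [glue] if glue else self.resolve(ns_name, depth + 1)
            self.ns_cache[zone] = servers     # later lookups skip the root
        raise LookupError("too many referrals for " + qname)


if __name__ == "__main__":
    r = IterativeResolver(ROOT_HINTS)
    print(r.resolve("www.slashdot.org."))
    for server, qname in r.log:
        print("asked", server, "for", qname)
```
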

    46. Re:Why should we care? by delta407 · · Score: 2
      That is, unless all the root servers mysteriously die one day. That would make surfing for your pr0n a thing of near impossibility.
      Actually, some systems (most notably Freenet) are designed to withstand massive amounts of infrastructure failure. Freenet does not require DNS to work; if IP routing is still happening, Freenet will continue to function. There have been experiments with FNP (Freenet Native Protocol) over private fiber, point-to-point serial links, and even amateur radio, allowing worldwide communication despite all of the Tier 1 ISPs closing their doors.

      In short, Freenet would let you get your pr0n -- electronically and anonymously -- even if the entire Internet imploded.
    47. Re:Why should we care? by Anonymous Coward · · Score: 0

      Nothing to do with ARIN, everything to do with routing. Routing a single IP is kinda wasteful, so usually when you move a machine to a different network, you change its IP address.

    48. Re:Why should we care? by bpmd · · Score: 1

      But there is darker side: the place where the Yellow Pages used to be is currently empty.

      And the wife has a possibility to fill it with something else. Which may look like Yellow Pages and smell like Yellow Pages, but this may not be Yellow Pages!

      And if I make 13 calls per day and pick a new Yellow Pages each time that means that once per day I may be slightly surprised.

  3. Thanks Micheal, you're gonna /. by Hairy_Potter · · Score: 5, Funny

    the internet. Don't everyone go J.ROOT-NET.NET now.

    1. Re:Thanks Micheal, you're gonna /. by br0ck · · Score: 4, Informative

      Oddly, the reply to the NANOG post about the change encourages people to hold off on downloading the hints file to prevent Slashdotting internic.net since. The reply claims that the update is not at all critical.

    2. Re:Thanks Micheal, you're gonna /. by eastbam · · Score: 1

      too late...

      eastbam@Dagger:~$ ping J.ROOT-NET.NET
      ping: unknown host J.ROOT-NET.NET

    3. Re:Thanks Micheal, you're gonna /. by Mitchell+Mebane · · Score: 1

      Um, it's actually j.root-servers.net .

      --

      The roots of education are bitter, but the fruit is sweet.
      --Aristotle
    4. Re:Thanks Micheal, you're gonna /. by thogard · · Score: 2, Interesting

      It's not at all critical and there is a reason it's called a "hint" file.

      When you start up bind, it will load the hints file. When you do a DNS query where it has to go to the root, it grabs one out of the hints and does a lookup while timing how long that server took. It then continues through the list using the one with the lowest time and it increments a running average so that it will retry all the roots over time. At some point during this process it will find out the serial number of the root zone isn't quite what it expected and then will ask a root server for the list of root servers. If your bind has been running for weeks, months or years, it already has the new data. It's just the startup data that has one wrong entry -- if you've been running a recent zone file, I've seen servers running hint files that are close to a decade old.

      If you don't want to /. the ftp server,
      $ dig @a.ROOT-SERVERS.NET. . ns > root.hints

      This would only be an urgent issue if the address of one of the root servers was assigned to a different group.
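
The hints-file point in the comment above, and the concern raised elsewhere in the thread about a vacated root address being handed to someone else, can be checked mechanically. The following is an added example, not from the thread or from BIND: it parses a hints file and a saved `dig . ns` response (both constructed samples) and reports root entries whose address has changed. Every address except 192.58.128.30 is a documentation-range placeholder, and only three of the 13 roots are shown.

```python
import ipaddress

# Constructed sample of an out-of-date hints file (named.root layout).
# 192.0.2.10 is a placeholder standing in for J's previous address.
STALE_HINTS = """\
; constructed sample, not the real named.root
.                     3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.   3600000      A   198.51.100.4
.                     3600000      NS  B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.   3600000      A   198.51.100.107
.                     3600000      NS  J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.   3600000      A   192.0.2.10
"""

# Constructed sample of a saved priming response (dig output layout).
FRESH_RESPONSE = """\
;; ANSWER SECTION:
.                     518400   IN  NS  a.root-servers.net.
.                     518400   IN  NS  b.root-servers.net.
.                     518400   IN  NS  j.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net.   3600000  IN  A   198.51.100.4
b.root-servers.net.   3600000  IN  A   198.51.100.107
j.root-servers.net.   3600000  IN  A   192.58.128.30
"""


def parse_root_records(text):
    """Parse zone-file style lines (named.root or saved dig output).

    Returns (ns_names, addrs): the names listed as NS for "." and a dict
    mapping each server name to the set of its A/AAAA addresses.
    """
    ns_names, addrs = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        # Skip the optional TTL and class columns to reach the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype == "NS" and owner == ".":
            ns_names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return ns_names, addrs


def audit_hints(hints_text, fresh_text):
    """Return findings (kind, server, detail) for entries that differ."""
    hint_ns, hint_addrs = parse_root_records(hints_text)
    fresh_ns, fresh_addrs = parse_root_records(fresh_text)
    findings = []
    for name in sorted(hint_ns | fresh_ns):
        old, new = hint_addrs.get(name, set()), fresh_addrs.get(name, set())
        if name not in fresh_ns:
            findings.append(("not-in-fresh-ns-set", name, ""))
        elif name not in hint_ns:
            findings.append(("missing-from-hints", name, ""))
        elif not new:
            # The response carried no address for this name: nothing to compare.
            findings.append(("no-fresh-address", name, ""))
        else:
            # A stale address is the one to act on: the hints still send
            # startup queries to a host the operator may no longer control.
            findings += [("stale-address", name, ip) for ip in sorted(map(str, old - new))]
            findings += [("new-address", name, ip) for ip in sorted(map(str, new - old))]
    return findings


def usable_hint_addresses(hints_text, fresh_text):
    """Count hint addresses that still match, i.e. can bootstrap the resolver."""
    _, hint_addrs = parse_root_records(hints_text)
    _, fresh_addrs = parse_root_records(fresh_text)
    return sum(len(ips & fresh_addrs.get(name, set())) for name, ips in hint_addrs.items())


if __name__ == "__main__":
    for finding in audit_hints(STALE_HINTS, FRESH_RESPONSE):
        print(*finding)
    print("usable hint addresses:", usable_hint_addresses(STALE_HINTS, FRESH_RESPONSE))
```
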

    5. Re:Thanks Micheal, you're gonna /. by 216pi · · Score: 1

      OMG I can't reach it!

      oh wait. it's a problem with my proxy.

    6. Re:Thanks Micheal, you're gonna /. by ibennetch · · Score: 1

      No, seriously - what happens if someone launches a large scale DoS or DDoS attack on a few of the root name servers? People's queries start timing out and no one can go anywhere?

    7. Re:Thanks Micheal, you're gonna /. by TheOnlyCoolTim · · Score: 2

      Someone did recently, I believe. They knocked out all but three or four. No one noticed until they read it on slashdot.

      Tim

      --
      Omnia vestra castrorum habetur nobis.
    8. Re:Thanks Micheal, you're gonna /. by l1_wulf · · Score: 1

      Exactly, it has been done, and frankly, will probably happen again. The system is designed to keep the internet running, in theory, as long as one is still up and active. The servers are located virtually and geographically separate to keep the possibility of a disaster (massive hardware failures, natural disasters, etc.) from keeping the internet from grinding to a halt.

    9. Re:Thanks Micheal, you're gonna /. by NanoGator · · Score: 2

      "Oddly, the reply [cctec.com] to the NANOG post [cctec.com] about the change encourages..."

      Heh, wanna know what's funny? When you said "NANOG", I thought you were referring to me!

      --
      "Derp de derp."
  4. why tell anyone? by chef_raekwon · · Score: 0, Redundant

    its not like anyone uses that thing called the internet anyway....

    --
    We're like rats, in some experiment! -- George Costanza
  5. bah. by grub · · Score: 5, Funny


    Whenever I go near a "root zone" I end up getting pepper sprayed and charged with sexual assault.

    --
    Trolling is a art,
    1. Re:bah. by Anonymous Coward · · Score: 0

      Good sig. However, it'd be much funnier if you left off the "not as in beer" part. Kinda breaks up the rhythm.

  6. It was announced on NANOG..... by dannyp · · Score: 5, Informative

    ....the day before. See the message. Granted not much warning, but it wasn't silent.

    1. Re:It was announced on NANOG..... by Jucius+Maximus · · Score: 2
      " ....the day before. See the message [cctec.com]. Granted not much warning, but it wasn't silent."

      I see the message but the PGP key fingerprint does not match his key on the server for some reason. (Not that the message isn't accurate.)

      crain@icann.]org
      fingerprint: 1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7

    2. Re:It was announced on NANOG..... by l1_wulf · · Score: 5, Informative
      As it has been pointed out further down (for those of us that sort by score), this is truly a non-event and makes no significant impact on the typical /. reader. I will not take credit for the following information, but will quote someone that I think summed up the situation enough to hopefully keep the average Joe from /.ing any of the links posted in the article above. ccandreva posted
      This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running. Also, the announcement says that the server will respond on both IP addresses "for the foreseeable future".
      Essentially, unless you know specifically that you are directly affected by this change, and can explain in detail why exactly you need this information right now, there is no need to /. any of the links above. If you run a linux box and keep your builds rather current, then I can assure you that there is no need to update. Think about it, the last change was 5 years ago, there should not be a major rush to update for the majority of us.
    3. Re:It was announced on NANOG..... by gfilion · · Score: 1

      I see the message but the PGP key fingerprint does not match his key on the server for some reason. (Not that the message isn't accurate.)

      It does match key 0xD48A5892 on keyserver.pgp.com.

    4. Re:It was announced on NANOG..... by hoeferbe · · Score: 1
      The fingerprint given in John Crain's ICANN/IANA announcement,
      1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7
      has 32 hexadecimal bits. This is what the MD5 hash algorithm puts out. When I looked up the key that was used to sign John Crain's announcement, it reports this fingerprint:
      9A49 B5AF 8C39 83B9 369C 2512 D1B1 A795 D48A 5892
      Notice that my PGP Freeware 6.5.8 displays the fingerprint in 40 hexadecimal bits. This is an output of the SHA-1 hash algorithm.

      John Crain's PGP signature reports the version of PGP he is using is "PGP Personal Security 7.0.3". Perhaps key fingerprints are displayed in MD5 instead of SHA-1 in this version of PGP? I doubt that, since I think PGP originally used MD5 sum and moved to SHA-1.

      I do not know how to compute the MD5 fingerprint of a PGP key either in PGP Freeware 6.5.8 or GnuPG 1.0.6.
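
The two fingerprint lengths discussed above correspond to the two fingerprint definitions in RFC 4880 section 12.2, which hash different inputs. The following is an added example, not part of the thread: it computes both forms for the same constructed RSA numbers (not a real key, and not the key from the announcement) and classifies the two fingerprint strings quoted in the comments by length.

```python
import hashlib
import struct

CREATED = 1036454400      # constructed creation timestamp
E = 65537
# Constructed 1024-bit odd number standing in for an RSA modulus (not a real key).
N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 4, "big") | (1 << 1023) | 1


def mpi(value):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def rsa_key_body(version, created, n, e):
    """Body of an RSA public-key packet in version 3 or version 4 layout."""
    head = bytes([version]) + struct.pack(">I", created)
    if version == 3:
        head += struct.pack(">H", 0)          # validity in days, 0 = no expiry
    return head + bytes([1]) + mpi(n) + mpi(e)   # algorithm 1 = RSA


def read_mpis(data, count):
    """Return the raw bodies (without length prefix) of `count` MPIs."""
    bodies, pos = [], 0
    for _ in range(count):
        bits = struct.unpack(">H", data[pos:pos + 2])[0]
        nbytes = (bits + 7) // 8
        bodies.append(data[pos + 2:pos + 2 + nbytes])
        pos += 2 + nbytes
    return bodies


def fingerprint(body):
    """Return (fingerprint, key_id) as bytes for a v3 or v4 RSA key body."""
    if body[0] == 4:
        # v4: SHA-1 over 0x99, a 2-byte length and the whole packet body.
        fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        return fp, fp[-8:]                    # key ID = low 64 bits of fingerprint
    if body[0] == 3:
        # v3: MD5 over the bodies of n and e only; creation time is not hashed.
        n_body, e_body = read_mpis(body[8:], 2)
        return hashlib.md5(n_body + e_body).digest(), n_body[-8:]   # key ID = low 64 bits of n
    raise ValueError("unsupported key version %d" % body[0])


def pretty(fp):
    """Format fingerprint bytes in the four-digit groups used in the thread."""
    digits = fp.hex().upper()
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def describe(text):
    """Classify a printed fingerprint; return (kind, short key ID or None)."""
    digits = "".join(text.split()).upper()
    int(digits, 16)                           # ValueError if not hexadecimal
    if len(digits) == 32:
        return ("MD5 (version 3 key)", None)  # key ID is not part of this form
    if len(digits) == 40:
        return ("SHA-1 (version 4 key)", digits[-8:])
    raise ValueError("unexpected fingerprint length")


if __name__ == "__main__":
    for version in (3, 4):
        fp, key_id = fingerprint(rsa_key_body(version, CREATED, N, E))
        print("v%d" % version, pretty(fp), "key ID", key_id.hex().upper())
    print(describe("1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7"))
    print(describe("9A49 B5AF 8C39 83B9 369C 2512 D1B1 A795 D48A 5892"))
```

Because the two forms hash different data, a 32-digit and a 40-digit fingerprint cannot be compared digit by digit; both sides have to display the same form before a match or mismatch means anything.
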

    5. Re:It was announced on NANOG..... by l1_wulf · · Score: 1

      Heh, it figures. 10 minutes after I post this, it gets bumped waaaaay lower due to a handful of funny posts and their replies. Oh well, I tried :P.

    6. Re:It was announced on NANOG..... by TomViolin · · Score: 1


      Check out the immediate reply to the original announcement. The guy says "There's no need to slashdot internic.net tomorrow morning." :-)

    7. Re:It was announced on NANOG..... by MikeBabcock · · Score: 2

      Could you please consider getting your GPG key signed by as many people as possible? Please? Perhaps anyone else on NANOG who knows you? Perhaps even by Verisign's Key?

      (GPG/PGP Activism ...)

      --
      - Michael T. Babcock (Yes, I blog)
    8. Re:It was announced on NANOG..... by Jouster · · Score: 2

      No such thing as a hexadecimal bit. Only hexadecimal characters, or, if you're adventurous and know your old-fashioned 'puter terminology, hexadecimal nibbles.

      Jouster

  7. Verisign? Does that mean by myowntrueself · · Score: 5, Funny

    that we are going to need Microsoft passport to make changes to DNS now?

    --
    In the free world the media isn't government run; the government is media run.
    1. Re:Verisign? Does that mean by TheCeltic · · Score: 5, Funny

      Not unless at least one of the Root servers changes from being UNIX based... Come now.. can you imagine the size of the windows cluster needed to offer a stable Root server? It would fill a warehouse!

      --
      =-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
    2. Re:Verisign? Does that mean by Mage+Powers · · Score: 1

      >that we are going to need Microsoft passport to make changes to DNS now?
      Is that a joke? a troll? is it a genuine thought? or are you using the "ask-a-question" shell script? Just curious ;)

    3. Re:Verisign? Does that mean by Anonymous Coward · · Score: 0

      are you joking or just an idiot?? the .net domain does not belong to microsoft you moron

    4. Re:Verisign? Does that mean by rizzo · · Score: 3, Funny

      For whatever subliminal reason I thought you typed "whorehouse" instead of "warehouse". Offtopic, but I thought I'd share. ;)

      --

      "More organs means more human." - Zim

    5. Re:Verisign? Does that mean by Anonymous Coward · · Score: 0

      "Whorehouse" would have been a lot more accurate.

    6. Re:Verisign? Does that mean by Alsee · · Score: 2

      can you imagine the size of the windows cluster needed to offer a stable Root server?

      Isn't that kind of like asking how many lawyers it takes to find the truth?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    7. Re:Verisign? Does that mean by AndroidCat · · Score: 1
      And why do you think that adding more nodes to a Windows cluster would make it stable??

      --
      One line blog. I hear that they're called Twitters now.
    8. Re:Verisign? Does that mean by zarqman · · Score: 1

      yeah, but considering the state of the tech job market, that wouldn't be so bad. verisign could then put out a press release about creating tons of [windows admin] jobs.

      --
      geek friendly VPS's and free API enabled DNS : zerigo.com
    9. Re:Verisign? Does that mean by myowntrueself · · Score: 1

      I suspect that it was a troll.

      --
      In the free world the media isn't government run; the government is media run.
    10. Re:Verisign? Does that mean by jonbrewer · · Score: 2

      Not unless at least one of the Root servers changes from being UNIX based... Come now.. can you imagine the size of the windows cluster needed to offer a stable Root server? It would fill a warehouse!

      Really I fail to see why you would say this. The IBM workstation sitting below my desk running Windows 2000 has several times the horsepower of the last root server I heard about. (IIRC they're a mishmash of six or seven unix variants running on five different hardware platforms.)

      RFC 2870 specifies "2.3 At any time, each (root) server MUST be able to handle a load of requests for root data which is three times the measured peak of such requests on the most loaded server in then current normal conditions"

      I believe that normal load is around 280 million requests per day, or 3300 requests per second.

      These are not complex transactions. There isn't any writing going on to slow things down. The space requirements for a root server running Win2k would likely be 5U. Smaller than an e450, I do believe. And with 2-4 2GHz Xeon processors, a hell of a lot faster too.

    11. Re:Verisign? Does that mean by kasperd · · Score: 2

      IIRC they're a mishmash of six or seven unix variants running on five different hardware platforms.

      That sounds like a good choice. Running different hardware and software combinations should make them less prone to a single bug allowing a DoS attack.

      three times the measured peak of such requests on the most loaded server

      Does that actually mean that the root servers are not designed such that a single one can serve the entire net if needed?

      --

      Do you care about the security of your wireless mouse?
    12. Re:Verisign? Does that mean by TheCeltic · · Score: 1

      >Really I fail to see why you would say this.

      It's about stability, security and the fact that we don't have to reboot our systems every time we apply a patch. (not to mention the ability to communicate well with others, standards...DNS/Bind etc..). BTW, many of the root servers are 32+ CPU systems.. last I checked, it was impossible to get 32 CPU's in any wintel system without clustering 4 - 8-cpu systems and calling it 32 cpu's.

      >And with 2-4 2GHz Xeon processors, a hell of a lot faster too.

      Hrmm.. a 32 Bit bus faster than a 64 bit one? The whole concept of multi-processor hasn't yet been fully grasped by ms. (of course the mhz is higher.. but do we include bus speed, downtime,viruses, DOS vulnerability, patch time/etc??)

      --
      =-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
    13. Re:Verisign? Does that mean by myowntrueself · · Score: 1

      was that an exclusive or inclusive 'or'?

      --
      In the free world the media isn't government run; the government is media run.
  8. Wha? by Anonymous Coward · · Score: 0



    matt@wproxy03:~$ ping j.root-net.net
    ping: unknown host j.root-net.net
    matt@wproxy03:~$

    dammit!

  9. protocols? by ftide · · Score: 2, Flamebait

    are there written protocols & procedures for this activity agreed upon by the community?

    where's the oversight? who made the decision that changed the root zone? A *.int (intl. exchange) entity should mandate or govern root zone oversight, not some U$ corporate shill.

    1. Re:protocols? by Anonymous Coward · · Score: 3, Informative

      IANA made the decision and they are the appropriate authority to do such things.

    2. Re:protocols? by DAldredge · · Score: 0, Flamebait

      Why? It's not like the international community ever does anything. All they ever do is talk about doing it...

    3. Re:protocols? by pyros · · Score: 3, Funny

      IANA made the

      Did anyone else read that and ask "You are not a what? And who made the decision? Finish your damn sentence!"

    4. Re:protocols? by Morth · · Score: 1

      Did anyone else read that and ask "You are not a what? And who made the decision? Finish your damn sentence!"

      No, but perhaps that's because I visit IANA's homepage around once a week. I mean, who can live without the assigned numbers of the Internet?

    5. Re:protocols? by gughunter · · Score: 1
      are there written protocols & procedures for this activity agreed upon by the community?

      Of course there are -- that's why it took five years to get it done!

    6. Re:protocols? by neitzsche · · Score: 1

      The parent post here was originally modd'ed as "insightful." It was a great pleasure to meta-moderate that "Unfair."

      --
      "God is dead." - Frederik Nietzsche
  10. a quick theory by cr@ckwhore · · Score: 5, Insightful

    Following the recent DOS attacks against the root servers, it wouldn't surprise me if this move is only a small part of a bigger story. I'm willing to bet that modifications are being made to the networking and security of the root servers that will better prepare the entire root system for future attacks. The move of J. is probably just the tip of the clandestine "ice berg".

    --
    Skiers and Riders -- http://www.snowjournal.com
    1. Re:a quick theory by bugpit · · Score: 3, Informative

      See the CNET article, Key Internet server moved for security, tho Verisign claims that the timing was coincidental.

      --
      We have found the enemy and he is us. - Pogo
    2. Re:a quick theory by TeddyR · · Score: 2

      RFC 2010 has the guidelines on what is needed for root nameserver operations. Those guidelines had not been followed as closely as they should have. My feeling is that even as a result of the recent DOS attacks that they are trying to bring everything to AT LEAST rfc2010 standards and then maybe improve some more... esp. since that RFC was written in 1996, WAY before any of the "new" DOS attacks (like the ones that got Yahoo....) were so easy to do...

      http://www.ietf.org/rfc/rfc2010.txt?number=2010

      --
      Time is on my side
    3. Re:a quick theory by Dog+and+Pony · · Score: 2

      Following the recent DOS attacks against the root servers

      You mean like posting the IP on slashdot for all previously unknowing script kiddies to see? :)

    4. Re:a quick theory by l1_wulf · · Score: 1

      Heh, technically an address getting /.ed is a form of DOS...

    5. Re:a quick theory by BrunoC · · Score: 1

      I find this theory pretty good. As far as my named.cache knows, J was "temporarily hosted at NSI" and since root server A survived the DDoS and J did not, moving J to Verisign seems a pretty good thing to do. I truly believe that's why J is moving.

  11. This doesn't matter. Really. by toastyman · · Score: 5, Informative
    To quote Sean Donelan's post on NANOG:

    Since it's been 5 years since the hints/cache boot file has changed,
    it may be useful to remind people an immediate change to your
    local configuration files is not required. You don't need to
    slashdot internic.net tomorrow morning trying to download the file.

    As long as 1 listed IP address responds with the current list of root
    servers, the server doesn't even need to be a root server itself, your
    name server should figure out who are the current roots. In the 1980's
    and 1990's when the hints/cache file changed regularly, some people went
    years without updating it. Or only updated it when they upgraded their
    name server code.

    Don't Panic.


    To sum up: You don't need to change anything. As long as one of the 13 servers in your hints/cache file responds, your name server will download the updated list on startup. You only have to worry if you've put off updating it so long that all 13 servers have changed IP's. Pretty unlikely, since that would be a hints file that's more than 10 years old at least. (You're not running Linux, anyway...)

    And no, this isn't verisign-causing-instability-as-usual. They're actually trying to help it. Before this change, both a.root-servers.net and j.root-servers.net were in the same /24 and in the same BGP announcement. They're moving things around a bit (presumably) to increase reliability and redundancy.
    1. Re:This doesn't matter. Really. by Anonymous Coward · · Score: 2, Insightful

      My job involves looking at naked chicks all day. Why doesn't yours?
      Screw the IP change, anyone got more information on how to get a job like this?
    2. Re:This doesn't matter. Really. by maw · · Score: 2
      That's great, until one of the deprecated root servers starts serving stale or even deliberately information.

      They say it won't happen, but I'd rather place as little as possible faith in people not screwing up.

      --
      You're a suburbanite.
    3. Re:This doesn't matter. Really. by Alsee · · Score: 2

      To quote Sean Donelan's post on NANOG:
      [yada yada yada]
      Don't Panic.


      Would that be Sean Donelan, head of Vogon Internet Industries?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    4. Re:This doesn't matter. Really. by JWSmythe · · Score: 1

      You gotta luck out..

      BTW, I admin voyeurweb.com :) Been here about 5 years, and am not leaving soon.. hehe

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:This doesn't matter. Really. by kasperd · · Score: 1

      Screw the IP change

      No, screw those chicks. This is ./

      --

      Do you care about the security of your wireless mouse?
    6. Re:This doesn't matter. Really. by jez9999 · · Score: 1

      Hmm. If the effect they want is for no one to update their hosts file until their server restarts, in order not to overload the root servers, surely the best method would be to 'silently' change the root IP and not tell anyone?

  12. Anyone that cares... by pirodude · · Score: 5, Informative

    Anyone that cares and needs to know about it was properly notified. There was a post to NANOG 3 days ago about it:

    *****PLEASE NOTE*****
    This is an important Informational Message to the internet community:

    November 5, 2002, the IP address for J.root-servers.net will
    change in the authoritative NS set for "dot". The change will
    be reflected in zone serial # 2002110501.

    The new set of servers authoritative for "dot" will be:
    A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4
    H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53
    C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12
    G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4
    F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241
    B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107
    J.ROOT-SERVERS.NET. 5w6d16h IN A 192.58.128.30
    K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129
    L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12
    M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33
    I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17
    E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10
    D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90

    This WILL require a change to your root hints file. The new
    file will be available via anonymous ftp from
    rs.internic.net:/domain/named.root as well as
    ftp.internic.net:/doamin/named.root starting 11/5/02 1700UTC (12pm
    EST/9am PST).

    Both the new and old j.root-servers.net IP space will provide
    answers in parallel for the foreseeable future.

    _________________________________________

    John Crain
    Manager of Technical Operations
    ICANN/IANA

    crain@icann.org
    1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7

    1. Re:Anyone that cares... by Tony+Hoyle · · Score: 1

      No need to slashdot internic, just:

      $ dig @a.root-servers.net . >/etc/bind/db.root

    2. Re:Anyone that cares... by Tony+Hoyle · · Score: 4, Informative

      Oops (don't try that at home kids...)

      # dig @a.root-servers.net . ns >/etc/bind/db.root

  13. Please Be Advised: +1 Patriotic by Anonymous Coward · · Score: 2, Funny


    that DDOS attacks are covered under the U.S.A.
    "Patriot" Act.

    Very truly yours,

    J. Ashcroft

    _)*&^%$$

    Be Patriotic: Smoke Amerikan Grown Marijuana

  14. Don't panic - and there is no conspiracy by karl.auerbach · · Score: 5, Interesting

    This move is "a good thing".

    The J server shared a broadcast domain (i.e. it was on the same Ethernet) as the A root server. That was clearly sub-optimal.

    So this move is good in that it creates a small bit of physical separation and a bit larger amount of net-topological separation between the J and A root servers.

    I hear that the old server will continue in operation for an indefinite period - so there is no need to rush out and update your "hints" file for your DNS resolvers - you can do it at your leisure and you probably won't notice even if you forget to do it.

    (Even if the old server is turned off - as long as a bogus server doesn't replace it, when DNS resolvers that are using the old hints file come up and look for a root zone definition, they will simply bypass the non-responsive absent server and try the other hints.)

    But there is another issue - A change in the "hints" is always a nuisance. And since we are incurring this nuisance, I wonder why we did not use this as an opportunity to redress the imbalance of root server placement - there are few root servers in Europe and Asia, and rather than simply moving the J server from one side of Herndon, Virginia to another, why wasn't it moved to Europe or Asia?

    1. Re:Don't panic - and there is no conspiracy by Anonymous Coward · · Score: 0

      You really should have used the word "paradigum" in your post.

    2. Re:Don't panic - and there is no conspiracy by sam_handelman · · Score: 5, Funny

      If there's no conspiracy, why are we all crouching around a table in a smoke filled room going over printed transcripts of your VoIP conversations for the past week, huh, smart guy?

      Just because we at Verisign have no sinister motives in moving a god damned computer does NOT mean that we're not involved in any conspiracies!

      As another example, our co-conspirators at the NSA just closed a loophole that let members of their alien autopsy division take extra paid sickdays even if they've never been exposed to any alien tissue (and thus, to the space virus). This was a totally innocuous cost cutting measure, and not part of their conspiracy to conceal the existence of the aliens. Does this mean the conspiracy doesn't exist? Absolutely not!

      --
      The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  15. stupid tagline by GigsVT · · Score: 5, Informative

    "Causing instability as usual"?

    You only need one root server, there are 12 others. In fact, it is safe to just wait until the next time you upgrade BIND or your operating system... running an out of date file won't hurt anything.

    There was no reason to announce anything here. This is really a non-event.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
    1. Re:stupid tagline by ep32g79 · · Score: 1

      "Move along, there's nothing to see here...."

  16. Come get some karma... by Metallic+Matty · · Score: 1, Interesting

    What exactly is a root zone?

    1. Re:Come get some karma... by fawadhalim · · Score: 3, Informative

      The root zone corresponds to the '.' at the very end of the domain names. The root name servers have records for .com,.org, and the national (.uk,.dk etc.) etc. DNS servers. If you ping cr.yp.to (DJB's domain), for example, and your DNS server has never seen a .to domain before, it'll query one of the root name servers for a name server authoritative for .to.

    2. Re:Come get some karma... by Daniel_Staal · · Score: 3, Informative

      Simple: You know there is a nameserver for slashdot.org, right? You find that nameserver by asking the org nameserver where it is. And how do you find the org nameserver? You ask the root nameservers. The root zone is the base zone of the Internet (just like / is the base of the file system in Unix).

      --
      'Sensible' is a curse word.
    3. Re:Come get some karma... by Bluecoat93 · · Score: 1

      Actually, .com, .org, and .net servers aren't on the roots. They're on the gtld-server.net servers, which are completely separate.

    4. Re:Come get some karma... by jroysdon · · Score: 1

      The statement "The root name servers have records for .com,.org, and the national (.uk,.dk etc.) etc. DNS servers." is correct. He was stating that the root name servers have the NS records for the DNS servers of .com, etc., which they do. If the root nameservers didn't know the NS records for the .com DNS servers, you'd never know how to get there. These records are AKA "glue" records. The actual SOA are the .com, etc. DNS servers, but the root still has the glue to get you to that NS.

      What you should have clarified is that the actual records in the .com, etc. zones are not in the root servers, other than the NS records glue.

  17. No. There are no black helicopters here. by Anonymous Coward · · Score: 1, Insightful

    My 'non-expert' understanding of this:

    1. This was discussed in multiple (appropriate) forums significantly before the change.

    2. This will be seamless to properly configured DNS.

    3. This was to move the server to a different subnet from its 'mirror' for significantly improved reliability.

    Best!

    1. Re:No. There are no black helicopters here. by swfranklin · · Score: 2, Funny
      1. This was discussed in multiple (appropriate) forums significantly before the change.

      2. This will be seamless to properly configured DNS.

      3. This was to move the server to a different subnet from its 'mirror' for significantly improved reliability.

      4. Profit!!!

    2. Re:No. There are no black helicopters here. by Anonymous Coward · · Score: 0

      What profit? No one is paid for running root servers. See the article at:
      http://www.cnn.com/2002/TECH/internet/11/07/internet.attacks.ap/index.html

      It's amazing that even a non-tech organization like CNN has better reporting on this than the 'geeks' at slashdot. How sad.

      Best!

  18. umm... by Triv · · Score: 5, Funny

    An anonymous reader writes

    Ok. I got that. Next.

    "The day before yesterday the root zone was silently changed for the first time in 5 years.

    That's English at least. Something changed. Hopefully the rest will tell me what.

    The change was to J.ROOT-SERVERS.NET that is now managed by Verisign.

    Verisign's evil, right?

    The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced.

    Conspiracies are bad, right?

    An interesing sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

    [Brain explodes]

    (Isn't it amazing when you read something written in your own language and don't understand a word of what's being said?) ;)

    Triv

    1. Re:umm... by FauxPasIII · · Score: 2

      >> Isn't it amazing when you read something written in your own language and don't understand a word of what's being said?

      This should have come with a warning similar to the ones on a lot of linux kernel options: If you don't have any idea what this is talking about, then it doesn't affect you.
      This is only important to those of us who run our own DNS servers; the root servers are basically the "upstream" source from which all other DNS servers get their information.

      --
      25% Funny, 25% Insightful, 25% Informative, 25% Troll
    2. Re:umm... by Nintendork · · Score: 2

      The biased opinions are required material to get your submission posted by Michael.

    3. Re:umm... by Zwack · · Score: 1

      An interesing sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

      [Brain explodes]

      (Isn't it amazing when you read something written in your own language and don't understand a word of what's being said?) ;)

      Perhaps it doesn't make sense to you because you don't need to know about it... I'm sure that you say things in English that I wouldn't understand at times...

      However, here is the "simple" explanation...

      An interesing sidenote is this thread on the IETF discussion list." the_proton writes "

      That's just preamble... forget it.

      The server j.root-servers.net has changed IP address to 192.58.128.30.

      A server called j.root-servers.net has had its IP address changed. The root-servers.net servers (a, b, c,...) are spread out all over the world and tell everybody where to start looking for IP addresses given a domain name. They can point you to the root server for a particular tld (.org) or a country (.za)... They are important.

      The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root.

      The file which you use to tell your name server where to start looking for an IP address/Domain name has been updated and a new copy is available at one of these two ftp sites. Unless you are running your own DNS server (and even then you can safely ignore this) then you don't need to worry about updating this file.

      The new zone serial number is 2002110501."

      DNS Zone files have serial numbers. These numbers always increase. It helps you tell if you have got the right version of the DNS information... Your server should cache DNS lookups. The standard serial number is based on the date... in fact it is YYYYMMDDXX where YYYY is the year, MM is the month, DD is the day and XX is an index (multiple updates can be performed in the same day, this allows up to one hundred changes to a zone in a day).

      Does this help?

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
  19. Getting root.hints by image · · Score: 5, Informative

    > The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root.

    For those running bind, you may want to try this instead:

    dig @e.root-servers.net . ns > root.hints

    It will generate the root list automatically, ready for you to drop into /var/named/ (or wherever you installed it).

    1. Re:Getting root.hints by Phroggy · · Score: 2

      For those running bind, you may want to try this instead:

      dig @e.root-servers.net . ns > root.hints


      Or, even simpler:

      dig @a.root-servers.net > root.hints

      (pick any letter from a-m to use in place of a; they should all work, even j)

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    2. Re:Getting root.hints by belloc · · Score: 2

      For those running bind, you may want to try this instead:

      Yeah, because "wget ftp://ftp.internic.net/domain/named.root ; cp named.root /var/named/named.ca" is WAY more complicated.

      Belloc

      --
      I got more rhymes than Jamaica got Mangoes.
    3. Re:Getting root.hints by mamahuhu · · Score: 1

      I just updated my DNS and re-read the DNS howto on LinuxDoc. In the Keeping it working section there is information about keeping your root.hints up-to-date.... though if this is the first change in 5 years perhaps not so vital.

      I'll post the page below.... but the pertinent point here is this: -

      Some of you might have picked up that the root.hints file is also available by ftp from Internic. Please don't use ftp to update root.hints, the above method is much more friendly to the net, and Internic.

      Even though this is a little out of date (BIND 8) it is still valid in principle. Try the script included....

      Keeping it working.

      There is one maintenance task you have to do on nameds, other than keeping them running. That's keeping the root.hints file updated. The easiest way is using dig. First run dig with no arguments you will get the root.hints according to your own server. Then ask one of the listed root servers with dig @rootserver. You will note that the output looks terribly like a root.hints file. Save it to a file (dig @e.root-servers.net . ns >root.hints.new) and replace the old root.hints with it.

      Remember to reload named after replacing the cache file.

      Al Longyear sent me this script that can be run automatically to update root.hints. Install a crontab entry to run it once a month and forget it. The script assumes you have mail working and that the mail-alias `hostmaster' is defined. You must hack it to suit your setup.

      Note - go to LinuxDocs to get the script

      Some of you might have picked up that the root.hints file is also available by ftp from Internic. Please don't use ftp to update root.hints, the above method is much more friendly to the net, and Internic.

    4. Re:Getting root.hints by feronti · · Score: 1

      even, even simpler:

      $ dig > root.hints
      dig without options pulls the hints by default.
    5. Re:Getting root.hints by Phroggy · · Score: 2

      dig without options pulls the hints by default.

      But doesn't that pull from your own nameserver's configuration, which may not match what the root servers have to say? That would mean "dig>root.hints" would be completely useless.

      I could be wrong...

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    6. Re:Getting root.hints by feronti · · Score: 1

      Hadn't thought of that. D'oh... I stand corrected.
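The `dig ... > root.hints` approach in this thread writes whatever the queried server answers straight into the hints file. The following is an added example (not from any poster here) that parses a hints file in named.root or dig-output layout and audits it against the 13 addresses in the ICANN/IANA announcement quoted earlier on this page, also flagging root servers that share a /24, as the thread says A and J did before the move; the sample file and its outdated J address are constructed for illustration.

```python
import ipaddress
import re

# Root server addresses from the ICANN/IANA announcement quoted in this
# thread (zone serial 2002110501).
ANNOUNCED = {
    "A": "198.41.0.4", "B": "128.9.0.107", "C": "192.33.4.12",
    "D": "128.8.10.90", "E": "192.203.230.10", "F": "192.5.5.241",
    "G": "192.112.36.4", "H": "128.63.2.53", "I": "192.36.148.17",
    "J": "192.58.128.30", "K": "193.0.14.129", "L": "198.32.64.12",
    "M": "202.12.27.33",
}

NAME = re.compile(r"^([A-M])\.ROOT-SERVERS\.NET\.?$", re.IGNORECASE)

# Constructed sample: a hints file that predates the change. It mixes the
# named.root layout with a dig-style line. The J address is a constructed
# outdated entry placed in the same /24 as A.
STALE_HINTS = """\
; constructed sample, not a real named.root
.                     3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.   3600000      A   198.41.0.4
B.ROOT-SERVERS.NET.   3600000      A   128.9.0.107
C.ROOT-SERVERS.NET.   3600000      A   192.33.4.12
D.ROOT-SERVERS.NET.   3600000      A   128.8.10.90
E.ROOT-SERVERS.NET.   3600000      A   192.203.230.10
F.ROOT-SERVERS.NET.   3600000      A   192.5.5.241
G.ROOT-SERVERS.NET.   3600000      A   192.112.36.4
H.ROOT-SERVERS.NET.   3600000      A   128.63.2.53
I.ROOT-SERVERS.NET.   3600000      A   192.36.148.17
j.root-servers.net.   518400   IN  A   198.41.0.10   ; constructed outdated entry
K.ROOT-SERVERS.NET.   3600000      A   193.0.14.129
L.ROOT-SERVERS.NET.   3600000      A   198.32.64.12
M.ROOT-SERVERS.NET.   3600000      A   202.12.27.33
"""


def parse_hints(text):
    """Return {letter: [addresses]} for each root-server A record in text."""
    found = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) < 3 or fields[-2].upper() != "A":
            continue  # NS lines, blank lines, other record types
        match = NAME.match(fields[0])
        if not match:
            continue
        try:
            addr = ipaddress.IPv4Address(fields[-1])
        except ValueError:
            continue  # malformed address: ignore rather than trust it
        found.setdefault(match.group(1).upper(), []).append(str(addr))
    return found


def audit_hints(text, expected=ANNOUNCED):
    """Compare a hints file with the expected set.

    Returns a list of (kind, servers, detail) tuples:
      missing     no A record for an expected server
      mismatch    an address that differs from the expected one
      shared_/24  two or more root servers in the same /24
    """
    found = parse_hints(text)
    findings = []
    for letter in sorted(expected):
        addrs = found.get(letter, [])
        if not addrs:
            findings.append(("missing", letter, None))
        for addr in addrs:
            if addr != expected[letter]:
                findings.append(("mismatch", letter, addr))

    by_net = {}
    for letter, addrs in found.items():
        for addr in addrs:
            net = ipaddress.ip_network(addr + "/24", strict=False)
            by_net.setdefault(str(net), set()).add(letter)
    for net, letters in sorted(by_net.items()):
        if len(letters) > 1:
            findings.append(("shared_/24", "+".join(sorted(letters)), net))
    return findings


if __name__ == "__main__":
    for finding in audit_hints(STALE_HINTS):
        print(finding)
```

Running the same audit on a file freshly written by dig shows whether the answering server returned the announced set before the file is put in place.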

  20. Re:protocols? Yeah - RFCs by Anonymous Coward · · Score: 1, Informative

    It's all in the RFCs. Might want to spend less time doing Chicken Little and a bit more time on research/learning.

  21. Not that big a deal by ccandreva · · Score: 5, Informative

    This post is leaving out some details that were brought up on the NANOG mailing list.

    This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running.

    Also, the announcement says that the server will respond on both IP addresses "for the foreseeable future".

    This isn't a question of flipping a switch and everyone having to update their servers at once. A big public announcement would probably just have confused most users for no good reason.

  22. Alert! Alert! by wahay · · Score: 0, Troll

    Make sure you point your network settings in windows to the new root server!

  23. Re:He's already doing his job. by buswolley · · Score: 1

    fucking racist. You are bringing us down.

    --

    A Good Troll is better than a Bad Human.

  24. Doesn't seem to be working yet by Anonymous Coward · · Score: 0

    I'd wait a few days before switching. 192.158.128.30 doesn't seem to be answering nslookups yet. The old address still works though.

    Somehow I find that not surprising considering it's Verisign.

  25. Apparently there was also a change today by Kj0n · · Score: 3, Interesting

    Since when I look up the SOA record for the root domain, it gives a serial number of 2002110700 instead of 2002220501.

    1. Re:Apparently there was also a change today by jroysdon · · Score: 1

      The root zone SOA is incremented EVERY day. The zone itself is rather stable (how often do new CC or domains come into existence or need to get removed?). It was the root.hints file that was updated on the 5th as the actual J root server IP changed, and this is the rare occurrence.

    2. Re:Apparently there was also a change today by bill_mcgonigle · · Score: 2

      2002220501

      That serial doesn't make sense. Did you just typo or was that really the serial for a while (they typo'd)? If that was the serial, the 'net is going to be horked until Jan 1, at least in theory (major simultaneous root server catastrophes).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Apparently there was also a change today by scottj · · Score: 1

      That's funny. The serial I get now is 2002111001. I wonder if they change it often.

      --
      .-.--
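The YYYYMMDDXX layout described earlier in the thread and the serials quoted in this sub-thread can be checked mechanically. The following is an added example (not from any poster here): it decodes a date-coded serial and applies the RFC 1982 serial-number comparison used for SOA serials, going slightly beyond the thread by covering wrap-around; the function names are illustrative.

```python
from datetime import date

SERIAL_BITS = 32
HALF = 2 ** (SERIAL_BITS - 1)
MOD = 2 ** SERIAL_BITS


def parse_date_serial(serial):
    """Decode a YYYYMMDDXX serial into (date, revision).

    Returns None when the value is not ten digits or the YYYYMMDD part is
    not a real calendar date, which is how a mistyped serial shows up.
    """
    text = str(serial)
    if len(text) != 10 or not text.isdigit():
        return None
    try:
        day = date(int(text[0:4]), int(text[4:6]), int(text[6:8]))
    except ValueError:
        return None
    return day, int(text[8:10])


def serial_gt(s1, s2):
    """RFC 1982 comparison: True if serial s1 is newer than serial s2."""
    s1 %= MOD
    s2 %= MOD
    return (s1 > s2 and s1 - s2 < HALF) or (s1 < s2 and s2 - s1 > HALF)


def review(held, offered):
    """Summarise what a secondary holding `held` does when it sees `offered`."""
    return {
        "held_is_date_coded": parse_date_serial(held) is not None,
        "offered_is_date_coded": parse_date_serial(offered) is not None,
        # A secondary only transfers the zone when the offered serial is newer.
        "secondary_would_refresh": serial_gt(offered, held),
    }


if __name__ == "__main__":
    # Serials quoted on this page.
    print(review(held=2002110501, offered=2002110700))
    # A secondary that had picked up the mistyped value from this sub-thread
    # would treat the later, correct serial as older and not refresh.
    print(review(held=2002220501, offered=2002110700))
```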
  26. DON'T /. THE NAMED.ROOT FILES!!!! by PacketMaster · · Score: 3, Insightful

    Please don't /. the named.root files. Don't click on it just because you're curious to see what they look like. People need to legitimately access those files to update their DNS servers and flooding the FTP with meaningless requests is highly counterproductive.

    Also, Slashdot editors, why even let those links get posted? Every person with a browser is clicking on those to see what they look like and making them inaccessible to people who need them. People who need to see them or access them know where they're at already and people who are that curious should exercise a little personal initiative and go find out where to get them. It's irresponsible on the part of /. to let this happen. Slashdotting a news site is one thing, but Slashdotting internic is a very different can.

    --

    Some people take their .sig way too seriously

    1. Re:DON'T /. THE NAMED.ROOT FILES!!!! by Anonymous Coward · · Score: 2, Funny

      I don't know, I clicked on the link 100 times and it worked ok for me.

    2. Re:DON'T /. THE NAMED.ROOT FILES!!!! by sys$manager · · Score: 3, Insightful

      Nobody needs to legitimately access those files to update their DNS servers. Everything will continue to work fine even if nobody could access those files. Even if you NEEDED to update your root hints file (which you don't), you can always lookup the NS records on another root server and output it to your hints file.

      Nice troll though, it went totally unnoticed until now.

    3. Re:DON'T /. THE NAMED.ROOT FILES!!!! by Anonymous Coward · · Score: 0

      Why are you even posting if the inevitable is bound to happen? Do you really think you'll see a drop off in attempts via this post? Work on the source of the problem, which is poor communication and supposed traffic management, than whining. If you're that concerned about traffic then perhaps an infrastructure/architecture change for how these statements are announced should be under review.

    4. Re:DON'T /. THE NAMED.ROOT FILES!!!! by edA-qa · · Score: 3, Insightful

      Why shouldn't somebody look if they are curious? I often hear about problems resulting from people not knowing enough about computers and the internet, perhaps looking at these root files is a good thing -- certainly some people will just be confused, but others might actually be even more curious and try to figure out what they mean.

      Any extra bit of knowledge anybody has about the internet probably helps everybody in the long run.

      And in any case, since nobody needs this root file immediately, and since the /. effect disappears in a few days, there shouldn't be any concern. At the very least, consider this a fair test of the system, we wouldn't want our root name servers running on anything not-up-to-the-job, would we?

    5. Re:DON'T /. THE NAMED.ROOT FILES!!!! by Anonymous Coward · · Score: 0

      Oh yeah, that little text file being downloaded is just going to kill the server.

      Apparently some people are so taken by this mythical "Slashdot effect" that all reason begins to fail them. Those servers survived a massive DoS attack. The "Slashdot effect" only kills servers which are hosting large pages.

      Get a grip. Those servers probably get bombarded by requests more often than any Slashdot viewer could possibly imagine. They are not fragile little flowers and Slashdot isn't nearly popular enough to come close to DoSing it.

      Next you're going to be telling us the sky is falling.

      Ben

    6. Re:DON'T /. THE NAMED.ROOT FILES!!!! by Phroggy · · Score: 3, Insightful

      People need to legitimately access those files to update their DNS servers and flooding the FTP with meaningless requests is highly counterproductive.

      No they don't. People need to type:
      dig @a.root-servers.net > root.hints
      and they'll get exactly the same thing. Much faster and easier, and you can't tell me we're going to slashdot a root nameserver by sending it a bunch of DNS queries like this - that's what root nameservers handle all day.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    7. Re:DON'T /. THE NAMED.ROOT FILES!!!! by maw · · Score: 1
      Nobody needs to legitimately access those files to update their DNS servers.

      Wrong. Well-written dns servers will not accept out-of-bailiwick information, since that leaves them susceptible to cache poisoning.

      Even if you NEEDED to update your root hints file (which you don't)....

      You do need to update them. It isn't likely that the rest of the root servers will change tomorrow or next week or next month, but it will happen eventually. Keeping your site's list of root servers current is essential for reliability. Otherwise, the (caveated) guarantees of reliability in the dns are lost.

      Nice troll though, it went totally unnoticed until now.

      Not a troll, just naive.

      --
      You're a suburbanite.
    8. Re:DON'T /. THE NAMED.ROOT FILES!!!! by ryanvm · · Score: 3, Informative

      Please don't /. the named.root files.

      Oh get serious.

      1) Slashdot is not that big. I think the Internet's root servers just might be able to handle a bigger load than you think.

      2) There are 12 (?) other root servers out there to get your root hints from. If any sysadmins out there give up on downloading the root hints because one freakin' server doesn't respond - well, they've got bigger problems.

    9. Re:DON'T /. THE NAMED.ROOT FILES!!!! by MikeBabcock · · Score: 2

      The root servers only have to serve relatively small UDP results for the most part; you can compare the size of the UDP results to a DNS query with the size of the roots file and determine if there's a load difference or not ...

      --
      - Michael T. Babcock (Yes, I blog)
    10. Re:DON'T /. THE NAMED.ROOT FILES!!!! by MikeBabcock · · Score: 2

      Download the tools from cr.yp.to for doing DNS queries (if you're running a *nix variant) and do a

      dnstrace a www.slashdot.org a.root-servers.net | dnstracesort | less
      and watch the results.

      The results are available on my website as a text file; take a look if you don't have the tools above.

      dnstrace is a great program for seeing how DNS resolvers resolve names to IP addresses. To see a visual diagram try dnsbajaj. It gives a graph of how it got to a domain from a root server, and which nameservers are qualified to answer for those queries.

      --
      - Michael T. Babcock (Yes, I blog)
  27. Poor trees by Anonymous Coward · · Score: 0

    The trees should be really upset by this. They have used the same zone for millions of years.

  28. Try Flowers netx time by RatBastard · · Score: 4, Funny

    I hear flowers and or chocolates will reduce the number of macings a geek will suffer in his lifetime.

    You could also ask before you go rooting around the garden.

    --
    Boobies never hurt anyone. - Sherry Glaser.
    1. Re:Try Flowers netx time by grub · · Score: 3, Funny


      You could also ask before..

      Ask? Generally the first exchange of words is "Hey! You in the bushes!"

      --
      Trolling is a art,
    2. Re:Try Flowers netx time by Anonymous Coward · · Score: 1, Funny

      Dating advice for geeks:

      Don't bring a girl chocolates. None of them like it and it can only get you in trouble. If they're in a heart shaped box, girls will think it's retarded and cliche.

      Flowers are another story. Flowers can help you out early on in the relationship and get you out of jams later on. There are a few rules though. Roses are cliche, but still nice. They show effort but not imagination. Carnations scream that you're broke or cheap. And rule three, make sure you don't buy a funeral bouquet. Beyond that, it's pretty hard to go wrong. If the woman at the flower shop is under 65, your best bet is to give her a price range and let her do her thing.

      Yeah, it's off topic. But most geeks really need to know this stuff and almost none of them do.

    3. Re:Try Flowers netx time by Anonymous Coward · · Score: 0

      Girls don't like chocolate? Now that's a funny one. The only thing they don't like about it is what it does to their waist line.

      If you want to be a really clever male, invent calorie free chocolate that tastes just like the real stuff, with no side effects, and you will have all the women (and money) that you could ever hope to have.

    4. Re:Try Flowers netx time by HiredMan · · Score: 2

      While we're wildly off-topic...

      "Just once I'd like somebody to call me 'Sir' without adding 'you're making a scene!'".
      -Homer Simpson

      "In college I was shy. Now they call it stalking - but I was shy..."
      -Comic whose name escapes me.

      =tkk

    5. Re:Try Flowers netx time by Anonymous Coward · · Score: 0

      Oh girls like chocolate. They just don't want you to buy them chocolate.

    6. Re:Try Flowers netx time by Anonymous Coward · · Score: 0
      "In college I was shy. Now they call it stalking - but I was shy..."


      Sounds like redmeat

  29. The Change is not reflected at WHOIS by Anonymous Coward · · Score: 2, Informative

    [OS/390]$ whois root-servers.net
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: ROOT-SERVERS.NET
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com
    Name Server: A.ROOT-SERVERS.NET
    Name Server: F.ROOT-SERVERS.NET
    Name Server: J.ROOT-SERVERS.NET
    Name Server: K.ROOT-SERVERS.NET
    Updated Date: 23-aug-2002

    >>> Last update of whois database: Thu, 7 Nov 2002 05:05:26 EST <<<
    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    [whois.networksolutions.com]
    The Data in the VeriSign Registrar WHOIS database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information about
    or related to a domain name registration record. VeriSign does not guarantee
    its accuracy. Additionally, the data may not reflect updates to billing contact
    information. By submitting a WHOIS query, you agree to use this Data only
    for lawful purposes and that under no circumstances will you use this Data to:
    (1) allow, enable, or otherwise support the transmission of mass unsolicited,
    commercial advertising or solicitations via e-mail, telephone, or facsimile; or
    (2) enable high volume, automated, electronic processes that apply to VeriSign
    (or its computer systems). The compilation, repackaging, dissemination or
    other use of this Data is expressly prohibited without the prior written
    consent of VeriSign. VeriSign reserves the right to terminate your access to
    the VeriSign Registrar WHOIS database in its sole discretion, including
    without limitation, for excessive querying of the WHOIS database or for failure
    to otherwise abide by this policy. VeriSign reserves the right to modify these
    terms at any time. By submitting this query, you agree to abide by this policy.

    Registrant:
    VERISIGN GLOBAL REGISTRY SERVICES (ROOT-SERVERS-DOM)
    21345 Ridgetop Circle
    Dulles, VA 20166
    US

    Domain Name: ROOT-SERVERS.NET

    Administrative Contact:
    Internet Assigned Numbers Authority (IANA) iana@IANA.ORG
    4676 Admiralty Way, Suite 330
    Marina del Rey, CA 90292
    US
    310-823-9358
    Fax- 310-823-8649
    Technical Contact:
    VeriSign Global Registry Services (REGISTRY) nocnoc@VERISIGN.COM
    21345 Ridgetop Circle
    Dulles, VA 20166
    US
    703-948-7064
    Fax-703-421-6703

    Record expires on 05-Jul-2005.
    Record created on 04-Jul-1995.
    Database last updated on 7-Nov-2002 15:25:52 EST.

    Domain servers in listed order:

    A.ROOT-SERVERS.NET 198.41.0.4
    F.ROOT-SERVERS.NET 192.5.5.241
    J.ROOT-SERVERS.NET 198.41.0.10
    K.ROOT-SERVERS.NET 193.0.14.129

    1. Re:The Change is not reflected at WHOIS by jroysdon · · Score: 1


      I'm sure they'll get to it eventually. But as you may know, WHOIS data isn't what matters and is solely for informational reference.

  30. Pulled up by the roots by Gizzmonic · · Score: 1, Offtopic
    You know, this reminds me a lot of the C.S. Lewis classic, The Silver Chair. The enchanted Prince Rilian is only sane for one hour, when he is tied to his enchanted silver chair.

    It makes me wonder: is DNS only sane when the world root servers are switching? Is this the time for the Puddleglums and Poles of the world to sally forth and cut the cords of DNS for good?

    --
    (-1, Raw and Uncut is the only way to read)
    1. Re:Pulled up by the roots by ethereal · · Score: 1

      Favorite line from the book:

      "Resh-PECK-O-Biggle!" -- a very drunk Puddlegum

      --

      Your right to not believe: Americans United for Separation of Church and

  31. newspaper had it by jeavis · · Score: 3, Informative

    A short blurb on this appeared in my local paper today (they don't have it online, sorry). The gist of it is Verisign physically relocated the server to another building on their campus. The stated intent was (1) to move it to an undisclosed location in the interest of physical security, and (2) to get it off a network segment that another root server (a.root-servers.net) was already on.

  32. Too many moves, too many critical paths by 1984 · · Score: 2
    "I wonder why we did not use this as an opportunity to redress the imbalance of root server placement"

    I'm guessing (and yes, guessing) that it was just to be conservative. There's probably a lot less to do, far fewer people to involve to move a machine across town, than to implement a geographically distributed bunch of servers. Setting up a DNS server and plugging it in might be easy, but coordinating different teams, new locations, procedures, languages for administration etc. isn't trivial.

    In fact it's probably a little fiddly procedurally, and a lot fiddly politically. Probably one of those things that gets mired for years.

    1. Re:Too many moves, too many critical paths by valdis · · Score: 4, Informative

      Quite correct - there's only a little bit of procedurally/technically fiddly about it.

      Your average root nameserver gets hit for about 100M queries per day (or on the order of 1,500 per second). See http://www.caida.org/~kkeys/dns/ for details. A root nameserver is expected to get pounded on by *mostly* invalid queries (see http://www.nanog.org/mtg-0210/wessels.html). The Wessels data was *normal production* workload, not during a DDoS.

      All the usual considerations regarding BGP multihoming and hardware redundancy apply. There's reasons why the servers are Sun E10K or large IBM boxes or similar big iron, and why people who have just a T-1 from Barney's ISP, Bait, and Tackle Shop need not apply.

      Of course, there's nothing in the above that can't be solved by applying clue and dollars. However...

      Ever priced an E10K? And noticed that most of the root nameservers are basically donated by their hosts? That's where the politically fiddly comes in - the number of places that are clued enough to run a root DNS, network connected well enough to be worth it, and willing to donate the resources to do it, is a lot smaller than you might expect...

  33. DDOS by dirvish · · Score: 3, Interesting

    Does this have to do with the DDOS attacks that happened a couple weeks ago? Why else would they not make an announcement? OTOH, the perpetrators of the attacks wouldn't be fooled for long by a name change.

    1. Re:DDOS by winnetou · · Score: 2, Informative
      Does this have to do with the DDOS attacks that happened a couple weeks ago?
      Possibly, a and j.root-servers.net are now in different netblocks, making a DDoS a bit more difficult.

      Why else would they not make an announcement?
      Because nameservers use the "hints" zone as a hints zone, i.e. they will fetch the authoritative nameservers using the IP addresses in the "hints" zone to find an answering nameserver.
      Since j.root-servers.net will continue to answer at the old address, no one will notice the change.

    2. Re:DDOS by TheSHAD0W · · Score: 2

      > Since j.root-servers.net will continue to answer at
      > the old address, no one will notice the change.

      Wouldn't that mean you could STILL DDoS both A and J at the same time?

    3. Re:DDOS by puetzk · · Score: 1

      there is a new J, in a different block.

      There is also the machine & IP which used to be J, which is still present, will be kept up-to-date, and will still answer you (for some period of time), though it is no longer the official J root nameserver.

      --
      The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
  34. Imagine the excitement this news will cause... by slipgun · · Score: 2

    The server j.root-servers.net has changed IP address to 192.58.128.30.

    Wow, that's pretty close to my home network address!

    --
    SpamNet - a spam blocker that really works
    1. Re:Imagine the excitement this news will cause... by Nintendork · · Score: 4, Funny
      Same here. Although my main IP address is 127.0.0.1

      I dare you all to hack me!

    2. Re:Imagine the excitement this news will cause... by jemoody · · Score: 1

      "Hello? You want a what resolved? Who are you looking for? No no no, this is one-nine-*one* dot five-eight dot one-two-eight dot thirty. No problem. Good luck. Bye."

    3. Re:Imagine the excitement this news will cause... by isorox · · Score: 2

      my main IP address is 127.0.0.1
      I dare you all to hack me!


      Dude, your computer is as wide open as the goatse man - and you've got at least 3 trojans installed!

    4. Re:Imagine the excitement this news will cause... by AndroidCat · · Score: 2

      And he's got all the sekret scientology stuff on it: 127.0.0.1

      --
      One line blog. I hear that they're called Twitters now.
  35. How about query response times? by whovian · · Score: 1, Flamebait

    http://www.cymru.com/DNS/dns.html

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  36. j.root-servers.net did not change hands. by winnetou · · Score: 4, Informative

    j.root-servers.net was 198.41.0.10 in 198.41.0.0/22, owned by VeriSign Global Registry Services.
    j.root-servers.net is 192.58.128.30 now, in 192.58.128.0/24, owned by VeriSign Global Registry Services.
    Having both a and j in the same netblock was not a good idea (remember what happened to Microsoft when they had all nameservers in the same netblock?).
    See ARIN and ARIN again.
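
The check behind the comment above, as an added example that is not part of the original thread: it parses a root hints file, reports entries that are stale against a current copy, and flags servers that share a covering prefix. The sample file is constructed from addresses quoted in this thread; the function names and the default grouping at /22 (the old block size given above) are assumptions of the example.

```python
import ipaddress

OLD_J, NEW_J = "198.41.0.10", "192.58.128.30"   # both addresses are from this thread

# Constructed sample: a local hints file that still carries the old J address.
# Record layout follows the hints line quoted elsewhere in this thread.
LOCAL_HINTS = f"""\
; constructed excerpt of a root hints file
.                        3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A   198.41.0.4
.                        3600000      NS  J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A   {OLD_J}   ; pre-change address
.                        3600000      NS  K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A   193.0.14.129
"""
CURRENT_HINTS = LOCAL_HINTS.replace(OLD_J, NEW_J)


def parse_hints(text):
    """Return {server name: IPv4Address} built from the A records of a hints file."""
    addrs = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()     # drop comments, then tokenize
        if len(fields) < 3:
            continue
        owner, rest = fields[0], fields[1:]
        # Skip the optional TTL and class fields to reach the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) == 2 and rest[0].upper() == "A":
            addrs[owner.lower()] = ipaddress.IPv4Address(rest[1])
    return addrs


def stale_entries(local, reference):
    """Map each server whose local address differs to (local, reference) strings."""
    stale = {}
    for name, ref in reference.items():
        have = local.get(name)
        if have != ref:
            stale[name] = (str(have) if have else None, str(ref))
    return stale


def shared_netblocks(addrs, prefix_len=22):
    """Return only those covering prefixes that contain more than one root server."""
    groups = {}
    for name, ip in addrs.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups.setdefault(str(net), []).append(name)
    return {net: sorted(names) for net, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    local, current = parse_hints(LOCAL_HINTS), parse_hints(CURRENT_HINTS)
    print("stale entries:", stale_entries(local, current))
    print("shared blocks before:", shared_netblocks(local))
    print("shared blocks after: ", shared_netblocks(current))
```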

  37. Paid to look at porn by IIEFreeMan · · Score: 0, Offtopic

    Yup see this article on k5 : Get Paid To Look At Porn !

  38. Wow.. by NicolaiBSD · · Score: 1

    My God. A DNS change. Life is great.

    If only everyone was as easily excited as a geek, I'd actually have a sexlife.

  39. "Verisign causing instability as usual" by Anonymous Coward · · Score: 0

    Nice trolling line there, michael, you fucking twat.

    In case ol' mikey gets it into his head to delete cetan's educational journal entry, here it is:

    I'm writing this entry to point my new sig to effectively. This link will take you to a thread in a seemingly small article. What's important to understand is that the /. editor, michael, decided to yet again abuse the moderation system by modding every single one of my posts to -1. He removed 30 karma points in one article because I did not like his extra "comment" at the end of the article he posted. It's sad how pathetic michael is.

    Here's the link: http://slashdot.org/comments.pl?sid=40037&threshold=-1&commentsort=0&tid=134&mode=nested&cid=4267381

    1. Re:"Verisign causing instability as usual" by arctuniol · · Score: 1

      13 root servers maintain the records that every other DNS server looks at. They synchronize depending on your TTL settings. If a root server is moved it will update the rest of the world in about 72 hours, without having to make any changes to your DNS settings or local files.

      That is one of the benefits of using the DNS system rather than every machine keeping a record of data locally in your .host file or whatever.

  40. Whoa. by StupidKatz · · Score: 3, Funny

    $ ftp rs.internic.net
    Connected to rs.internic.net (198.41.0.6).
    in.ftpd: error in loading shared libraries: libdl.so.2: cannot open shared object file: Error 23
    ftp>

    Slashdotted an FTP server. On some sort of *nix. Ouch.

  41. Bind Root Zone Migration HOWTO by nsushkin · · Score: 2, Informative

    [root@localhost named]# perl -pi.orig -e "s'198.41.0.10'192.58.128.30'" /var/named/named.ca

    [root@localhost named]# diff /var/named/named.ca /var/named/named.ca.orig
    67c67
    < J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
    ---
    > J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
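
Review bot: the 67c67 change is right for the J record, but the substitution that produced it matches the bare address with unescaped dots and no anchor to the J.ROOT-SERVERS.NET. owner name, so any other line containing a string of that shape would be rewritten as well. Suggest matching the whole record (owner, TTL, A, old address) and treating a diff of anything other than exactly one changed line as a failure before the edited file is put into service.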

  42. It doesn't matter anyways... by GLX · · Score: 4, Informative

    When the change was announced, they noted specifically that the current J.ROOT-SERVERS.NET will stay in existence with its current IP (just no direct DNS entry) and the new one has been moved to a different IP block for DoS protection... The current one will exist for awhile to come.

    This isn't really news...

    --
    Sig (appended to the end of comments you post, 120 chars)
  43. Well now that you've made it sound naughty.... by NigelJohnstone · · Score: 2, Funny

    I wasn't going to click the link, but you make it sound soooooo naughty... ;)

  44. Related to Problems? by Mr+Bubble · · Score: 0, Troll

    OK, this will probably mark me as a clueless newbie, but could this be remotely responsible for three separate issues of clients unable to resolve perfectly healthy domain names today and yesterday?

    Pinging the sites from their machines returned an "unknown host".

    --
    "The world is a construct of forceful imagination. Those who don't know walk around in the reailties of those who do"
    1. Re:Related to Problems? by Mr+Bubble · · Score: 1

      Why is this a troll?

      We had multiple users with domain name issues yesterday on perfectly stable sites. I am asking if anyone can tell me if this could have anything to do with the subject of the story.

      --
      "The world is a construct of forceful imagination. Those who don't know walk around in the reailties of those who do"
    2. Re:Related to Problems? by Anonymous Coward · · Score: 0

      No, it didn't. There were other seriously broken things on the internet yesterday rendering lots of European sites unreachable for a while.

    3. Re:Related to Problems? by Christianfreak · · Score: 2

      Well there's not a 'clueless' moderation .. :) I'm kidding,

      to answer your question: No. As many other comments have stated there are 13 root servers, if one went down your client's request would simply go to another one. But even 'J' has not completely switched over yet as it will still respond to the old IP address, according to the article for the "foreseeable future".

      So no your DNS problems are probably related to Windows or clueless users or a combination of the two.

  45. just because I'm too lazy to search... by mblase · · Score: 2

    As long as one of the 13 servers in your hints/cache file responds, your name server will download the updated list on startup.

    Can someone tell me why thirteen is the magic number of servers? And why that number apparently hasn't changed in all these years?

    1. Re:just because I'm too lazy to search... by digitalsushi · · Score: 2

      Baker's Dozen.

      The Root Server RFC mandates a triple redundancy, so you have your 4 root servers triplicated.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:just because I'm too lazy to search... by longhairedgnome · · Score: 0

      it's lucky

      --
      GENERATION O98346: The first time you see this, copy it into your sig and remove a random number from the generation. T
    3. Re:just because I'm too lazy to search... by huskymo · · Score: 1

      The maximum size of a DNS message over UDP is 512 bytes (unless you're using EDNS0, which is relatively new). 13 NS records and the 13 corresponding A records just fits into 512 bytes, assuming domain name compression is working as efficiently as possible. And to make compression work as efficiently as possible, the domain names in the NS records should be as similar as possible, as in [a-m].root-servers.net.

      If you've been around the Internet long enough, you might remember a time when the root name servers had names like ns.nasa.gov, and there were fewer of them. Changing the names to [a-m].root-servers.net bought us room for 13.
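
The size argument in the comment above, carried through as an added example that is not part of the original thread: it builds the response to a root NS query with RFC 1035 name compression and measures it against the 512-byte UDP limit. The root addresses are the ones posted in this thread; the `ns.operator-X.example.` names are constructed stand-ins for dissimilar server names, and all function names are the example's own.

```python
import ipaddress
import struct

UDP_LIMIT = 512                      # DNS-over-UDP payload limit without EDNS0
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
TTL = 3600000                        # TTL on the hints record quoted in this thread

# Letter -> address, from the reverse lookups posted in this thread.
ROOT_ADDRS = {
    "a": "198.41.0.4", "b": "128.9.0.107", "c": "192.33.4.12",
    "d": "128.8.10.90", "e": "192.203.230.10", "f": "192.5.5.241",
    "g": "192.112.36.4", "h": "128.63.2.53", "i": "192.36.148.17",
    "j": "192.58.128.30", "k": "193.0.14.129", "l": "198.32.64.12",
    "m": "202.12.27.33",
}
UNIFORM = [(f"{c}.root-servers.net.", ip) for c, ip in ROOT_ADDRS.items()]
# Constructed, hypothetical names standing in for per-operator naming.
DISSIMILAR = [(f"ns.operator-{c}.example.", ip) for c, ip in ROOT_ADDRS.items()]


def encode_name(name, offset, table, compress):
    """Encode `name` as it would appear at `offset`, reusing known suffixes."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if compress and suffix in table:
            # A two-byte pointer to an earlier occurrence ends the name.
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if compress and offset + len(out) < 0x4000:
            table[suffix] = offset + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def add_rr(msg, table, compress, owner, rtype, rdata=None, rdata_name=None):
    """Append one resource record; NS RDATA is itself a compressible name."""
    msg.extend(encode_name(owner, len(msg), table, compress))
    msg.extend(struct.pack("!HHI", rtype, CLASS_IN, TTL))
    if rdata_name is not None:
        rdata = encode_name(rdata_name, len(msg) + 2, table, compress)
    msg.extend(struct.pack("!H", len(rdata)) + rdata)


def priming_response(servers, compress=True):
    """Answer to a '. NS' query: NS records, then one A record per server."""
    table, n = {}, len(servers)
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n, 0, n))
    msg.extend(encode_name(".", len(msg), table, compress))
    msg.extend(struct.pack("!HH", TYPE_NS, CLASS_IN))
    for name, _ip in servers:
        add_rr(msg, table, compress, ".", TYPE_NS, rdata_name=name)
    for name, ip in servers:
        add_rr(msg, table, compress, name, TYPE_A,
               rdata=ipaddress.IPv4Address(ip).packed)
    return bytes(msg)


def decode_name(msg, offset):
    """Return (name, offset just past it), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def ns_targets(msg):
    """Parse the answer section back out and return the NS target names."""
    ancount = struct.unpack_from("!H", msg, 6)[0]
    _qname, off = decode_name(msg, 12)
    off += 4                                      # QTYPE + QCLASS
    targets = []
    for _ in range(ancount):
        _owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_NS:
            targets.append(decode_name(msg, off)[0])
        off += rdlen
    return targets


if __name__ == "__main__":
    for label, servers, comp in (("uniform, compressed", UNIFORM, True),
                                 ("uniform, uncompressed", UNIFORM, False),
                                 ("dissimilar, compressed", DISSIMILAR, True)):
        size = len(priming_response(servers, comp))
        print(f"{label:24s} {size:4d} bytes  fits in {UDP_LIMIT}: {size <= UDP_LIMIT}")
```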

  46. Hoax! by First_In_Hell · · Score: 1, Funny
    192.58.128.30

    ? Everyone and their bastard child knows that is a NATTED IP address. Someone is playing you for a fool!

    1. Re:Hoax! by Tony+Hoyle · · Score: 2, Insightful

      Score -1: Clueless....

      (hint: Read RFC1918 before posting)

    2. Re:Hoax! by ohboy-sleep · · Score: 1, Flamebait

      I thought NAT IPs were all 192.168.x.x

      I could be very wrong, anyone know for sure?

    3. Re:Hoax! by Anonymous Coward · · Score: 1, Informative

      Idiot. Just because it starts with 192 doesn't mean it's natted.

    4. Re:Hoax! by .smoke · · Score: 2, Insightful

      You are correct... The following are for private IP addresses (e.g. for NATing):

      10.0.0.0 - 10.255.255.255 (10/8 prefix)
      172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
      192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

      This is according to RFC 1918.

      B*B,
      -Smoke.

    5. Re:Hoax! by Junta · · Score: 3, Interesting

      If that was intended as a joke, it sucked.

      If not, it is stupid.

      The IP addresses that are reserved for private use are:

      10.0.0.0/8 (10.x.x.x)
      192.168.0.0/16 (192.*168*.x.x)
      172.16.0.0/12 (172.16-31.x.x)

      Quite frankly, I'm not sure why 99.9% of the network administrators gravitate towards 192.168.1.0/24 as their private network address... Even I chose 192.168.123.0/24 as my network, so I'm partially guilty....

      If it is going to always stay a private network, why not just use the full class B? If trying to plan for communications with other private networks in the class B range, why pick something so common?

      I personally have started using 10.(random).(random).0/24 when setting up class C networks. When *really* limited use, I constrict it to /26 or so. This way the chances are low that any private network I want to set up a tunnel with will conflict with my address space...

      Of course I have yet to see 172.16.0.0/12 used by anyone, it's just too damn weird. What's the point? Some routers can't even handle non class a/b/c addresses... But saying you used the class B and a half private network should earn points on some scale..

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Hoax! by Anonymous Coward · · Score: 0
      Quite frankly, I'm not sure why 99.9% of the network administrators gravitate towards 192.168.1.0/24 as their private network address... Even I chose 192.168.123.0/24 as my network, so I'm partially guilty....

      So why don't you just ask yourself you silly little fucktard?

    7. Re:Hoax! by cjpez · · Score: 2

      We're using part of the 172.16.0.0/12 where I am currently . . .

    8. Re:Hoax! by gaudior · · Score: 2

      A data center I worked in used all three classes for various functions. The 192 network was for all the desktops and small department servers in the corporate network. The big HP unix application and database servers in the ASP were on both the 172 and the 10 network. All the Linux and MS servers were on the 10 network.

    9. Re:Hoax! by ShavenYak · · Score: 2

      We use the 172.16.0.0/12 range where I work now. My last place of employment used 10.0.0.0/8, but with about 30 locations across the US, they had a good reason. The second byte was used to indicate which site a machine was at, so each site had two bytes of address space to assign numbers sensibly.

      --

      Hey kids, there's only 5 days left 'til Yak Shaving Day!
    10. Re:Hoax! by feronti · · Score: 1

      We use 172.16.x.x/31 (yeah, like I'd really give you any extra info) for a PtP link to one of our outside processors... we nat to them, they nat to us.

    11. Re:Hoax! by MikeBabcock · · Score: 2

      We use 172.x.y.0/24 here ... :)

      --
      - Michael T. Babcock (Yes, I blog)
  47. I changed the text a little. by Anonymous Coward · · Score: 0

    I was getting tired of "cunt".

    michael, is a flamebaiting twat.

    In case ol' mikey gets it into his head to delete cetan's educational journal entry, here it is:

    I'm writing this entry to point my new sig to effectively. This link will take you to a thread in a seemingly small article. What's important to understand is that the /. editor, michael, decided to yet again abuse the moderation system by modding every single one of my posts to -1. He removed 30 karma points in one article because I did not like his extra "comment" at the end of the article he posted. It's sad how pathetic michael is.

    Here's the link: http://slashdot.org/comments.pl?sid=40037&threshold=-1&commentsort=0&tid=134&mode=nested&cid=4267381

  48. what it means? by Anonymous Coward · · Score: 0

    The internet gets a new nodelist

  49. Instability? WTF? by alexjohns · · Score: 4, Insightful
    "verisign-causing-instability-as-usual dept."
    Michael Sims, you're a fucking idiot. You know nothing about the way the internet works. In no way, shape, or form does this cause any instability whatsoever. It improves stability, however slightly.

    You might want to stick to articles about politics or censorship or something. Technical issues don't appear to be your forté.

    1. Re:Instability? WTF? by alexjohns · · Score: 3
      Wow. Score: 5. For calling someone an idiot. Perhaps there's too many mod points floating around. :)

      Has anyone noticed that Michael likes to post snide insider-like comments in articles he posts? The problem is that they're sometimes wrong. It's like he's the outsider kid trying to get into the in-clique, but he keeps screwing it up.

      Wonder how long it will be before he discovers this thread and super-mods me down to -1?

  50. For DjbDNS users by chrysalis · · Score: 4, Informative

    You must put this in your /etc/dnscache/root/servers/@ file :

    128.63.2.53
    128.8.10.90
    128.9.0.107
    192.112.36.4
    192.203.230.10
    192.33.4.12
    192.36.148.17
    192.5.5.241
    192.58.128.30
    193.0.14.129
    198.32.64.12
    198.41.0.4
    202.12.27.33

    --
    {{.sig}}
    1. Re:For DjbDNS users by PerryMason · · Score: 2

      Alright fess up. Which of those is the goatse ip?

      I don't know what it is, but I just get nervous around IPs on slashdot. ;)

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
    2. Re:For DjbDNS users by messju · · Score: 1

      hmm.

      xargs -n1 host < @ | sort -f -k 5
      4.0.41.198.IN-ADDR.ARPA domain name pointer a.root-servers.net
      107.0.9.128.IN-ADDR.ARPA domain name pointer b.root-servers.net
      12.4.33.192.IN-ADDR.ARPA domain name pointer c.root-servers.net
      90.10.8.128.IN-ADDR.ARPA domain name pointer d.root-servers.net
      10.230.203.192.IN-ADDR.ARPA domain name pointer E.ROOT-SERVERS.NET
      241.5.5.192.IN-ADDR.ARPA domain name pointer f.root-servers.net
      4.36.112.192.IN-ADDR.ARPA domain name pointer G.ROOT-SERVERS.NET
      53.2.63.128.IN-ADDR.ARPA domain name pointer h.root-servers.net
      17.148.36.192.IN-ADDR.ARPA domain name pointer i.root-servers.net
      30.128.58.192.IN-ADDR.ARPA domain name pointer j.root-servers.net
      129.14.0.193.IN-ADDR.ARPA domain name pointer k.root-servers.net
      12.64.32.198.IN-ADDR.ARPA domain name pointer l.root-servers.net
      33.27.12.202.IN-ADDR.ARPA domain name pointer m.root-servers.net
      53.2.63.128.IN-ADDR.ARPA domain name pointer rns.arl.army.mil

      looks okay to me :)

    3. Re:For DjbDNS users by MikeBabcock · · Score: 2

      /etc/dnsroots.global is also valuable.

      --
      - Michael T. Babcock (Yes, I blog)
  51. A message from America by Qrlx · · Score: 1

    Jiminy Cricket? The Cricket in Times Square? We still don't get it.

    1. Re:A message from America by raindrop#1 · · Score: 0

      um, it's a sport. With bats and balls, kind of like baseball except better and the games can last for up to five days and still end in a draw.

    2. Re:A message from America by Anonymous Coward · · Score: 0

      Sounds like a big letdown to me.

  52. hmmm..... by colnago · · Score: 1

    Freudian?

    1. Re:hmmm..... by TheCeltic · · Score: 1

      A whorehouse is much MUCH better than a warehouse full of MS! (hell, a dollhouse is more useful)

      --
      =-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
  53. While you're at it, move to OpenNIC by robbo · · Score: 2, Insightful

    If your DNS admin has some savvy, this link should work for you.
    If not, visit OpenNIC and then ask your DNS admin to support OpenNIC and erode ICANN's dictatorial regime.

    --
    So long, and thanks for all the Phish
    1. Re:While you're at it, move to OpenNIC by Blain · · Score: 1

      I went and checked out OpenNIC a week or two ago, and it looked pretty cool. I set it up on my machine, and I can now reach cool tlds that I used to couldn't (although it can take a couple reloads to do it).

      Slight downside -- there doesn't seem to be anything there right now.

      But it works just as well as using ICANN's system for my purposes, so I'll keep it this way, and hope that somebody somewhere puts something in all these new tlds that's worth looking at.

  54. Serial number? by Phroggy · · Score: 1

    The new zone serial number is 2002110501.

    What was the old serial number?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Serial number? by rherbert · · Score: 2, Informative

      The previous serial number was 1997082200, updated on August 22, 1997.

    2. Re:Serial number? by Anonymous Coward · · Score: 0

      I would guess the serial number would be whatever the date was when it was last changed with a couple digits after it.

      Anyway, it doesn't matter. It is arbitrary. All that matters is that the number is higher than the last one. The date is used because it is easy to recognize and always goes up.

    3. Re:Serial number? by Jugalator · · Score: 3, Informative

      > > The new zone serial number is 2002110501.
      > What was the old serial number?


      1997082200

      --
      Beware: In C++, your friends can see your privates!
  55. They do now... by Anonymous Coward · · Score: 0

    ...now that it's on computers.

  56. O'Reilly DNS and Bind book by Skjellifetti · · Score: 3, Informative

    How is this [named.root/db.cache] kept up to date? As the network administrator [of your local network], that's your responsibility. Some old versions of BIND did update this file periodically. That feature was disabled, though; apparently it didn't work as well as the authors had hoped. Sometimes the db.cache file is mailed to the bind-users or namedroppers list mailing list. If you are on one of those lists, you are likely to hear about changes. (pg 68)

    Bottom line: If you run a nameserver it is your responsibility to keep it up to date. That includes knowing how changes are announced. BIND has also had several well known security problems. If you are running a version < 8.2.5 you should upgrade that as well.

  57. I haven't been informed neither! So what? by MavEtJu · · Score: 3, Insightful

    The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced.

    The impact of this change is close to zero. The announcement is only necessary for people who distribute name-server software. Why?

    - Only the hints-file needs to be changed. The hints file bootstraps the DNS software on where it can find the .-zone. After that has been found, this data is not needed anymore.

    - There are still 12 other perfectly reachable servers in the hints-file. They give you all the information needed.

    - On the old IP address, a server will keep running for a while.

    - Unless you're working for an ISP, you don't need this information. The majority of the internet (windows users) don't have to change anything, they just use their ISP's nameservers. The majority of the minority of the internet also use the nameservers of the ISP. Only a relatively small group run their own servers.

    So dear anonymous writer, don't be afraid, the internet is not going to break because of this. No reason for panic, all is fine.

    --
    bash$ :(){ :|:&};:
  58. So if I understand this correctly... by Anonymous Coward · · Score: 0
    the j-th rootserver changes its address, but the 12 others didn't. Those 12 presumably know where J started to live, but still people running DNS services need to manually set the new IP-address in the next few years or so.

    Why o why don't each of the 13 root-servers keep a small list with all the addresses of the other root servers? They bloody keep such lists for the entirety of the internet.

  59. This only affects OS maintainers, not DNS admins by Anonymous Coward · · Score: 3, Informative

    I'm surprised that only one poster has even noticed that Slashdotters are barking up the wrong tree, but even (s)he didn't quite make the connection.



    For the most part, root.hints files are maintained by OS/Distribution maintainers, not DNS admins. The hints file is only used to bootstrap a DNS server which will (well, should) retrieve an authoritative copy of the root zone shortly after startup and then rely on that instead. As long as just one of the 13 root server IP addresses listed in a DNS server's root.hints file is correct, the server will successfully retrieve the updated root zone. At the rate at which changes are made to the root zone (or at least, to its delegated servers), it is likely that this condition will hold true for the next 10-20 years.



    So, as long as DNS server admins perform an OS upgrade sometime between now and the year 2012, they need not touch their server configuration at all; the change will be handled automatically.

  60. Almost but not quite... by AndroidCat · · Score: 5, Informative
    In the same way that requests go down the tree to find the server, requests go up the tree to the root servers. (Up the tree to the roots, hmm!)

    If your immediate DNS handled a request for slashdot.org two seconds previously, it should still be cached -- no need to bother a root server over that. Any request would have to go up several levels before a root server would be bothered with it. (Otherwise they'd be continually /.'ed :^)

    The root servers could all disappear without a lot of disruption, but only for a short time until the cache entries started timing out.

    My backup plan is to toss the entire name space into my local hosts file. I've already got DoubleClick in there for testing. :^)

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Almost but not quite... by jez9999 · · Score: 1

      My backup plan is to toss the entire name space into my local hosts file.

      Your backup plan for what? If there was a global nuclear and biological war?

    2. Re:Almost but not quite... by AndroidCat · · Score: 1
      Your backup plan for what? If there was a global nuclear and biological war?

      Was joke. DoubleClick is in my hosts file -- at IPA 127.0.0.1.

      --
      One line blog. I hear that they're called Twitters now.
  61. DNS Server Moved by Steve0987 · · Score: 3, Informative

    As the article in Computer World (http://computerworld.com/newsletter/0%2C4902%2C75711%2C0.html?nlid=AM) explains, the move of the DNS server was done for both physical separation and to move it onto a different LAN segment.

  62. your wife has moved by Anonymous Coward · · Score: 0

    your wife has moved the Yellow Pages to a different room in the house

    A mover from the Yellow Pages roomed with my wife in a different house.

  63. Spelling does not seem to be your forte by jCaT · · Score: 1, Offtopic

    Oh the irony in that... you try to sound so smart by tacking on an accent, but end up sounding stupid in the process. There is and never has been an accent anywhere in that word, as it is not supposed to be pronounced with one. The mispronunciation of the word has become so widespread that it is now accepted, but it's still not proper usage. The correct pronunciation is FORT, and since you seem to be such a fan of accents, that would be fôrt.

    Go read this, and get off your high horse, jackass.

    1. Re:Spelling does not seem to be your forte by Anonymous Coward · · Score: 0

      The correct pronunciation is FORT

      not in Italiano.

      Of course, the guy who tacked on an accent still is an idiot.

    2. Re:Spelling does not seem to be your forte by Huge+Pi+Removal · · Score: 2

      Ummmm....

      1. Thanks for pointing that out, I never realised 'forte' meaning 'strong point' came from the French (my British-English etymological dictionary bears that out as well). Interesting.

      2. Did you have to be so damn rude about it? I very nearly modded you down as a troll...

      --
      - Oliver

      The right to bear arms is only slightly less stupid than the right to arm bears...
    3. Re:Spelling does not seem to be your forte by jCaT · · Score: 2

      1. I had a teacher in high school whose only gig was vocabulary. I absolutely hated it then, but I do know a lot of words now...

      2. No, but it sure was fun.. and he was being a jackass, so I was just speaking his language. I've been here long enough to not be afraid of the moderators (hell, I am one most of the time), otherwise I would have checked the "no +1 bonus" and "post anonymously" boxes.

    4. Re:Spelling does not seem to be your forte by Anonymous Coward · · Score: 0

      Despite this thread being totally off topic. Please notice, no accent.

      Source: Oxford English Dictionary 6th Edition 10 Impression (1980).

      Fort: noun. Fortified building or position; trading-station, orig. fortified; hold the ~, act as temporary substitute, cope with emergency.

      Forte (1): noun. Person's strong point. Part of a sword blade from the hilt to middle (cf. FOIBLE)

      For'te (2) adv. Performed loudly; ~ piano, loud(ly) [lit = strong, loud]

    5. Re:Spelling does not seem to be your forte by alexjohns · · Score: 2
      Hmm, the bartleby page has, as the very first pronunciation, the two-syllable one that you say is wrong. Etymologically, you're correct, it should be fort, but 74% of people in their 'Usage Panel' use the two-syllable form. Word pronunciations change over time. We don't often say 'thou' or 'thee' anymore. (At least not the people I know.) From this page:

      This word, meaning "strong point," from French fort, meaning "strong," can be pronounced with one syllable, like the English word fort, or with two syllables. The two-syllable pronunciation, (fôrt), is probably the most common in American English, but some people dislike it, arguing that it properly belongs to the music term forte from Italian.

      It was discussed on alt.english.usage a long time ago, and I have taken it upon myself to add an accent, similar to café to show what I consider the correct pronunciation, at least on my side of the pond. Every time I hear it here (mid-Atlantic region of the US), it's two syllables.

      Slashdot is a global communication device. I try not to judge people based on their spelling or grammar. I was lambasting someone for making snide comments about technological issues, when they were obviously lacking in knowledge on those issues. I think, although perhaps rude, that I was, technically, correct. You, however, make the assumption that everyone lives in your neighborhood, went to your school, dresses like you, acts like you, and should therefore think (and speak) like you.

      It's OK to flame someone for a spelling mistake if they were in turn flaming someone for a spelling mistake. If you think you 'won' the argument by pointing out a technical flaw in my writing, perhaps you should take a course in logic and reasoning.

      P.S. I consider the OED to be the final word on these kinds of disputes. The OED says the two-syllable pronunciation is just fine. The accent mark is my own little attempt to change the world. Have a nice day.

  64. we use all 3 of the reserved ranges by Indy1 · · Score: 2

    our company www.mobilepenguins.com uses all 3 of the reserved ranges. We handle the network for an accounting company next door, and have two separate LANs internally. We decided to use all 3 ranges so it's super easy to tell where a computer is when checking logs ("oh, its a 10.x.x.x. box, must be a bean counter").

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  65. [OT] Cricket by tpv · · Score: 1
    Cricket is a thing of beauty.

    The English team is a big letdown.

    --
    Read more of this story at Slashdot.Read more of this story at Slashdot.Read more of this story at Slashdot.
  66. Hot off the press.... (ftp site) by nsushkin · · Score: 1

    ; This file holds the information on root name servers needed to
    ; initialize cache of Internet domain name servers
    ; (e.g. reference this file in the "cache . <file>"
    ; configuration file of BIND domain name servers).
    ;
    ; This file is made available by InterNIC
    ; under anonymous FTP as
    ; file /domain/named.root
    ; on server FTP.INTERNIC.NET
    ;
    ; last update: Nov 5, 2002
    ; related version of root zone: 2002110501
    ;
    ;
    ; formerly NS.INTERNIC.NET
    ;
    . 3600000 IN NS A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
    ;
    ; formerly NS1.ISI.EDU
    ;
    . 3600000 NS B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
    ;
    ; formerly C.PSI.NET
    ;
    . 3600000 NS C.ROOT-SERVERS.NET.
    C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
    ;
    ; formerly TERP.UMD.EDU
    ;
    . 3600000 NS D.ROOT-SERVERS.NET.
    D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
    ;
    ; formerly NS.NASA.GOV
    ;
    . 3600000 NS E.ROOT-SERVERS.NET.
    E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
    ;
    ; formerly NS.ISC.ORG
    ;
    . 3600000 NS F.ROOT-SERVERS.NET.
    F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
    ;
    ; formerly NS.NIC.DDN.MIL
    ;
    . 3600000 NS G.ROOT-SERVERS.NET.
    G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
    ;
    ; formerly AOS.ARL.ARMY.MIL
    ;
    . 3600000 NS H.ROOT-SERVERS.NET.
    H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
    ;
    ; formerly NIC.NORDU.NET
    ;
    . 3600000 NS I.ROOT-SERVERS.NET.
    I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
    ;
    ; operated by VeriSign, Inc.
    ;
    . 3600000 NS J.ROOT-SERVERS.NET.
    J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
    ;
    ; housed in LINX, operated by RIPE NCC
    ;
    . 3600000 NS K.ROOT-SERVERS.NET.
    K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
    ;
    ; operated by IANA
    ;
    . 3600000 NS L.ROOT-SERVERS.NET.
    L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
    ;
    ; housed in Japan, operated by WIDE
    ;
    . 3600000 NS M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
    ; End of File

    1. Re:Hot off the press.... (ftp site) by nsushkin · · Score: 2, Interesting

      I just noticed that the new file is no longer available via gopher ;)

      Old file:...

      under anonymous FTP as
      ; file /domain/named.root
      ; on server FTP.RS.INTERNIC.NET
      ; -OR- under Gopher at RS.INTERNIC.NET
      ; under menu InterNIC Registration Services (NSI)
      ; submenu InterNIC Registration Archives
      ; file named.root

      New file:
      ; This file is made available by InterNIC
      ; under anonymous FTP as
      ; file /domain/named.root
      ; on server FTP.INTERNIC.NET
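
A check an admin could run against the file posted above, as an added example (not part of nsushkin's post and not InterNIC's or BIND's code): parse two named.root-style hints files and report which root server addresses differ. The `PUBLISHED` excerpt reuses the I, J and K lines from the posted file; the `LOCAL` copy and its J address 192.0.2.10 are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Excerpt of the posted named.root (I, J and K entries only).
PUBLISHED = """\
; related version of root zone: 2002110501
. 3600000 IN NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
"""

# Constructed stale local copy: J still points at a placeholder address.
LOCAL = PUBLISHED.replace("192.58.128.30", "192.0.2.10")


def parse_hints(text):
    """Parse a named.root-style hints file into {root server name: IPv4 address}."""
    ns_names, addrs = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError(f"unexpected hints line: {raw!r}")
        owner, rest = fields[0].lower(), fields[2:]
        if rest[0].upper() == "IN":                  # class is optional in this file
            rest = rest[1:]
        if len(rest) != 2:
            raise ValueError(f"unexpected hints line: {raw!r}")
        rtype, rdata = rest[0].upper(), rest[1].lower()
        if rtype == "NS" and owner == ".":
            ns_names.add(rdata)
        elif rtype == "A":
            # IPv4Address() raises ValueError on anything that is not an address.
            addrs[owner] = str(ipaddress.IPv4Address(rdata))
        else:
            raise ValueError(f"unexpected record in hints: {raw!r}")
    orphans = ns_names - addrs.keys()
    if orphans:
        raise ValueError(f"NS without an address record: {sorted(orphans)}")
    return {name: addrs[name] for name in sorted(ns_names)}


def diff_hints(local, published):
    """Return {name: (local address, published address)} for entries that differ."""
    changes = {}
    for name in sorted(local.keys() | published.keys()):
        old, new = local.get(name), published.get(name)
        if old != new:
            changes[name] = (old, new)
    return changes


if __name__ == "__main__":
    for name, (old, new) in diff_hints(parse_hints(LOCAL), parse_hints(PUBLISHED)).items():
        print(f"{name}: local {old} -> published {new}")
```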

  67. info on why the servers were moved by xcellz · · Score: 2, Informative

    http://www.cnn.com/2002/TECH/internet/11/07/internet.attacks.ap/index.html

  68. Err.. no... by mindstrm · · Score: 2

    A couple of points.

    First, J is not more important than the rest; it's just one of the root servers, period. All the others do not "get their info" from J. (unless I'm missing something)

    When a dns lookup happens.... the querying dns server, if it doesn't know the answer, asks one of the root servers for the NS record.

    Let's pick an address, like www.slashdot.org

    I ping www.slashdot.org
    My computer's resolver asks its specified nameserver for the A record for www.slashdot.org
    As I haven't looked at slashdot for a while, and my nameserver doesn't have the answer cached, it doesn't know, so it then asks one of the ROOT SERVERS for the NS record for www.slashdot.org
    (it does not simply ask for .org).

    The root server returns the closest match it has... which in this case is a list of I think 13 servers (A through M) .GTLD-SERVERS.NET. that serve .org.

    It then sends a query to one of THOSE nameservers, asking the exact same thing... getting a better answer each time.

    In each case, the server actually requests the full domain... not just a piece.. as it narrows in on the right server to get the answer from.

  69. 4R, nmap T00K T3N S3C0NDS! by DrStrangeLoop · · Score: 1

    PR3P4R3 T0 G3T R00T3D!
    in the meantime, try mine.
    dns spoofing for the lazy.

    --strangeloop

  70. Slashdotted already! by cwis42 · · Score: 1

    <humor> Huh, I think we got http://J.ROOT-NET.NET already slashdotted! </humor>

  71. not a big deal to even DNS Admins by sjanich · · Score: 1

    The hints file is just that: hints. When a DNS server starts up, it looks to the hints file to find a possible root server IP address. It then contacts the root DNS server to get a list of the current root servers. There really isn't a need to rush around updating all of these hints files. It is not a big deal.
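
The bootstrap and lookup sequence described in comments 57, 59, 68 and 71, as a small added model (not any poster's code and not how BIND or djbdns is implemented): a stale hint is skipped, the first root that answers supplies the live root set, and the full query name is then sent at every referral level. Everything here is constructed: no network traffic is sent, 192.0.2.x addresses, `ns1.slashdot.example` and all function names are placeholders, and only the A, J and K root addresses come from the named.root file posted in this thread.

```python
# Constructed model, not real DNS traffic: every "server" is a dict keyed by address.
ROOT_NS = {  # live root set; addresses as in the named.root posted in this thread
    "a.root-servers.net": "198.41.0.4",
    "j.root-servers.net": "192.58.128.30",
    "k.root-servers.net": "193.0.14.129",
}
OLD_J = "192.0.2.10"   # placeholder for J's retired address (constructed)
QNAME = "www.slashdot.org."

SERVERS = {addr: {"zone": ".", "ns": ROOT_NS,
                  "delegations": {"org.": {"a.gtld-servers.net": "192.0.2.53"}}}
           for addr in ROOT_NS.values()}
SERVERS["192.0.2.53"] = {"zone": "org.", "delegations": {
    "slashdot.org.": {"ns1.slashdot.example": "192.0.2.80"}}}      # constructed
SERVERS["192.0.2.80"] = {"zone": "slashdot.org.",
                         "records": {QNAME: "192.0.2.150"}}          # constructed


def query(addr, qname):
    """Ask addr for the full qname; return ('answer', ip) or ('referral', {ns: ip})."""
    server = SERVERS.get(addr)
    if server is None:
        raise TimeoutError(addr)              # nothing answers at this address
    if qname in server.get("records", {}):
        return "answer", server["records"][qname]
    # Closest match: the longest delegated zone that encloses qname.
    zones = [z for z in server.get("delegations", {}) if qname.endswith("." + z)]
    if not zones:
        raise LookupError(qname)
    return "referral", server["delegations"][max(zones, key=len)]


def prime(hints):
    """Walk the hints until one address returns the live root NS set."""
    dead = []
    for name, addr in hints.items():
        server = SERVERS.get(addr)
        if server is not None and server["zone"] == ".":
            return dict(server["ns"]), dead   # hints are discarded from here on
        dead.append(name)
    raise RuntimeError("no hinted root server answered")


def resolve(qname, servers):
    """Follow referrals downward, sending the same full qname at every level."""
    path = []
    for _ in range(10):                       # referral depth limit
        for name, addr in servers.items():
            try:
                kind, data = query(addr, qname)
            except TimeoutError:
                continue                      # try the next server in the set
            path.append(name)
            break
        else:
            raise RuntimeError("no server in the set answered")
        if kind == "answer":
            return data, path
        servers = data
    raise RuntimeError("too many referrals")


STALE_HINTS = {"j.root-servers.net": OLD_J, "a.root-servers.net": "198.41.0.4",
               "k.root-servers.net": "193.0.14.129"}

if __name__ == "__main__":
    roots, dead = prime(STALE_HINTS)
    print("stale hints:", dead, "-> J is now", roots["j.root-servers.net"])
    print(resolve(QNAME, roots))
```

The model treats the retired address as unreachable, which is the worst case; comment 57 notes a server will keep running on the old address for a while.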

  72. That's quite simple by BrunoC · · Score: 3, Interesting

    Just a few points here:

    - I don't think there's a conspiracy here. J is moving and that's it. ICANN does not have to go "stop the presses! J ROOT SERVER is moving". They just have to release the new hints file. There's no need to panic, as someone posted before.

    - The 13 root servers were attacked, A (hosted by Verisign at undisclosed location ) survived the attack and J didn't. Why not move J to a safer place?

    - Improving the security of the root servers is a *good* thing, not a bad one. The root servers network is a sensitive one, and everything done there must be done very carefully, especially after the DDoS.

    - Go get some sleep, the root servers around the world will grant you the right to translate IP addresses :)

  73. Re:This only affects OS maintainers, not DNS admin by Anonymous Coward · · Score: 0

    True, the next rev of code that dns software makers roll out will probably have updated hints files, but it is a bad thing to have lame delegations in your config... Especially lame root name server delegations.. I've already changed all mine. :-)

  74. Wrong dot by kasperd · · Score: 5, Funny

    So they say they are the dot in dot com, but they should really say they are the dot in dot com dot, because they are really the dot after com not the dot before com. However this last dot is often forgotten, it really means the name is absolute rather than relative. This is very much like the leading slash in paths to files.

    Hmm, now I'm writing on slashdot about leading slashes and trailing dots, what a coincidence.

    --

    Do you care about the security of your wireless mouse?
    1. Re:Wrong dot by jez9999 · · Score: 1

      Whaddyaknow?! It works.

    2. Re:Wrong dot by Strog · · Score: 1

      I considered putting an extra period in my comment so the one after com could be the correct dot. It may be often forgotten but it was on my mind when I posted.

  75. Curious... by LondonLawyer · · Score: 1

    Don't know anything about how these things work but 'secret' changes to infrastructures hit my paranoia nerve. What is now at the old address? Presumably until they are updated, there will be a lot of machines trying to access the list there? If the move has been made for security reasons, would there be anything to gain by this (for instance, putting a substitute system at that address - seeing as everyone is still pointed at it)?

  76. The Nerdy Way by AftanGustur · · Score: 2


    dig . soa > /var/named/named.ca

    And restart your nameserver.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  77. No reverse by Anonymous Coward · · Score: 0

    Hi there

    192.58.128.30 doesn't have a reverse lookup. This makes j.root-servers.net the only root server which doesn't.

    Regards,
    Rob

  78. Re:Goals of the company by MikeBabcock · · Score: 2

    There's a fairly terse intro to how DNS actually works at http://cr.yp.to/djbdns/intro-dns.html.

    The documentation uses examples in tinydns data format, as it is the software the author has written to handle DNS queries.

    --
    - Michael T. Babcock (Yes, I blog)
  79. Re:See, it's like this... by Anonymous Coward · · Score: 0

    Self flagellation will send you blind....

  80. Last Post! by alpg · · Score: 1

    Winnuke in one line? No problem:
    perl -MIO::Socket -e 'IO::Socket::INET->new(PeerAddr=>"bad.dude.com:139 ")->send("bye",MSG_OOB)'

    And formatted so it's a little easier to read:

    #!/usr/bin/perl
    use IO::Socket;
    IO::Socket::INET
    ->new(PeerAddr=>"bad.dude.com:139")
    ->send("bye", MSG_OOB);

    -- Randal Schwartz

    - this post brought to you by the Automated Last Post Generator...