Slashdot Mirror


Root Zone Changed

An anonymous reader writes "The day before yesterday the root zone was silently changed for the first time in 5 years. The change was to J.ROOT-SERVERS.NET that is now managed by Verisign. The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced. An interesting sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

39 of 298 comments

  1. It was announced on NANOG..... by dannyp · · Score: 5, Informative

    ....the day before. See the message. Granted not much warning, but it wasn't silent.

    1. Re:It was announced on NANOG..... by l1_wulf · · Score: 5, Informative
      As it has been pointed out further down (for those of us that sort by score), this is truly a non-event and makes no significant impact on the typical /. reader. I will not take credit for the following information, but will quote someone that I think summed up the situation enough to hopefully keep the average Joe from /.ing any of the links posted in the article above. ccandreva posted
      This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running. Also, the announcement says that the server will respond on both IP addresses "for the foreseeable future".
      Essentially, unless you know specifically that you are directly affected by this change, and can explain in detail why exactly you need this information right now, there is no need to /. any of the links above. If you run a Linux box and keep your builds rather current, then I can assure you that there is no need to update. Think about it, the last change was 5 years ago, there should not be a major rush to update for the majority of us.
  2. Re:Why should we care? by LinuxOnHal · · Score: 3, Informative

    Without getting extremely technical with it, this mostly affects your ISP. If your ISP does not update their root zone files, when you attempt to resolve a website, your ISP has one less server for it to resolve the root server for and CC top level domains, as well as .com, .org, .net, etc.

    --
    Trying is the First Step to Failing --Homer Simpson
  3. Re:Why should we care? by nelsonal · · Score: 5, Informative

    The root servers are the master list of domain names for the Internet. The computers still use IP addresses to talk, but us Humans prefer remembering slashdot.org to 66.35.250.150. In meatspace terms, I think this is along the lines of a construction company changing the composition of their concrete for use on the Highway system, you might not notice the change as a user, but it could be a bad decision.
    All I want to know is if Sun is back to being the . in .com? :)

    --
    Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
  4. Re:protocols? by Anonymous Coward · · Score: 3, Informative

    IANA made the decision and they are the appropriate authority to do such things.

  5. This doesn't matter. Really. by toastyman · · Score: 5, Informative
    To quote Sean Donelan's post on NANOG:

    Since it's been 5 years since the hints/cache boot file has changed,
    it may be useful to remind people an immediate change to your
    local configuration files is not required. You don't need to
    slashdot internic.net tomorrow morning trying to download the file.

    As long as 1 listed IP address responds with the current list of root
    servers, the server doesn't even need to be a root server itself, your
    name server should figure out who are the current roots. In the 1980's
    and 1990's when the hints/cache file changed regularly, some people went
    years without updating it. Or only updated it when they upgraded their
    name server code.

    Don't Panic.


    To sum up: You don't need to change anything. As long as one of the 13 servers in your hints/cache file responds, your name server will download the updated list on startup. You only have to worry if you've put off updating it so long that all 13 servers have changed IP's. Pretty unlikely, since that would be a hints file that's more than 10 years old at least. (You're not running Linux, anyway...)

    And no, this isn't verisign-causing-instability-as-usual. They're actually trying to help it. Before this change, both a.root-servers.net and j.root-servers.net were in the same /24 and in the same BGP announcement. They're moving things around a bit (presumably) to increase reliability and redundancy.
  6. Anyone that cares... by pirodude · · Score: 5, Informative

    Anyone that cares and needs to know about it was properly notified. There was a post to NANOG 3 days ago about it:

    *****PLEASE NOTE*****
    This is an important Informational Message to the internet community:

    November 5, 2002, the IP address for J.root-servers.net will
    change in the authoritative NS set for "dot". The change will
    be reflected in zone serial # 2002110501.

    The new set of servers authoritative for "dot" will be:
    A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4
    H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53
    C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12
    G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4
    F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241
    B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107
    J.ROOT-SERVERS.NET. 5w6d16h IN A 192.58.128.30
    K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129
    L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12
    M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33
    I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17
    E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10
    D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90

    This WILL require a change to your root hints file. The new
    file will be available via anonymous ftp from
    rs.internic.net:/domain/named.root as well as
    ftp.internic.net:/domain/named.root starting 11/5/02 1700UTC (12pm
    EST/9am PST).

    Both the new and old j.root-servers.net IP space will provide
    answers in parallel for the foreseeable future.

    _________________________________________

    John Crain
    Manager of Technical Operations
    ICANN/IANA

    crain@icann.org
    1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7

    1. Re:Anyone that cares... by Tony+Hoyle · · Score: 4, Informative

      Oops (don't try that at home kids...)

      # dig @a.root-servers.net . ns >/etc/bind/db.root

  7. Re:Why should we care? by a+(+h+3+r+0+n · · Score: 5, Informative
    The root zones are where all top-level DNS queries start. Think of the internet domain system as one giant honkin' tree. The root servers at the top manage domain information for the top level zones, and they pass off queries down the tree until the query hits an authoritative DNS server for the domain in question.

    This affects administrators of DNS servers, because in the DNS config is a list of the IP addresses where these root servers can be found.

    Why should you care? You probably don't. It doesn't affect you directly. That is, unless all the root servers mysteriously die one day. That would make surfing for your pr0n a thing of near impossibility. :)

  8. stupid tagline by GigsVT · · Score: 5, Informative

    "Causing instability as usual"?

    You only need one root server, there are 12 others. In fact, it is safe to just wait until the next time you upgrade BIND or your operating system... running an out of date file won't hurt anything.

    There was no reason to announce anything here. This is really a non-event.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  9. Re:Thanks Micheal, you're gonna /. by br0ck · · Score: 4, Informative

    Oddly, the reply to the NANOG post about the change encourages people to hold off on downloading the hints file to prevent Slashdotting internic.net. The reply claims that the update is not at all critical.

  10. Getting root.hints by image · · Score: 5, Informative

    > The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root.

    For those running bind, you may want to try this instead:

    dig @e.root-servers.net . ns > root.hints

    It will generate the root list automatically, ready for you to drop into /var/named/ (or wherever you installed it).
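
A defensive variant of the `dig ... > file` approach in this comment and in the "Oops" reply above, as an added example that is not part of the original posts or of BIND: the candidate file is parsed and checked for a complete A through M set before it replaces the live hints file. The function names are hypothetical, and the sample data is constructed from the addresses quoted in the announcement in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): vet a candidate root hints file
# before it replaces the one the name server boots from.

# Print "NAME ADDRESS" for each root-server A record. Accepts both the
# named.root layout (NAME TTL A ADDR) and dig output (NAME TTL IN A ADDR).
root_a_records() {
    awk '
        /^[ \t]*;/ { next }
        toupper($1) ~ /^[A-M]\.ROOT-SERVERS\.NET\.$/ {
            for (i = 2; i < NF; i++)
                if ($i == "A") { print toupper($1), $(i + 1); break }
        }' "$1"
}

# Succeed only for a complete set: 13 distinct names, valid IPv4 each.
validate_hints() {
    root_a_records "$1" | awk '
        {
            n = split($2, o, ".")
            if (n != 4) bad = 1
            for (k = 1; k <= n; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) bad = 1
            seen[$1] = 1
        }
        END {
            for (s in seen) count++
            exit (bad || count != 13)
        }'
}

# List servers whose address differs between two hints files.
changed_addresses() {
    { root_a_records "$1" | sed 's/^/old /'
      root_a_records "$2" | sed 's/^/new /'; } |
    awk '$1 == "old" { old[$2] = $3 }
         $1 == "new" && ($2 in old) && old[$2] != $3 {
             print $2, old[$2], "->", $3 }'
}

# Replace LIVE ($2) with CANDIDATE ($1) only after validation, via a
# rename, so an empty or partial download never truncates the live file.
install_hints() {
    validate_hints "$1" || { echo "rejected: $1" >&2; return 1; }
    cp "$1" "$2.new" && mv "$2.new" "$2"
}

# Constructed samples: new.hints carries the addresses from the quoted
# announcement, old.hints differs only in J, and empty.hints stands in
# for a query that returned nothing.
make_samples() {
    cat > "$1/new.hints" <<'EOF'
; constructed sample, dig-style layout
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 3600000 IN A 128.9.0.107
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
EOF
    sed 's/192\.58\.128\.30/198.41.0.10/' "$1/new.hints" > "$1/old.hints"
    : > "$1/empty.hints"
}

# Demo on the constructed samples: shows which entry a stale file misses.
d=$(mktemp -d); make_samples "$d"; changed_addresses "$d/old.hints" "$d/new.hints"; rm -rf "$d"
```

In real use the candidate would be the saved output of the `dig` query or the downloaded named.root, written to a scratch path first and then passed to `install_hints` together with the live path.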

  11. Re:protocols? Yeah - RFCs by Anonymous Coward · · Score: 1, Informative

    It's all in the RFCs. Might want to spend less time doing Chicken Little and a bit more time on research/learning.

  12. Not that big a deal by ccandreva · · Score: 5, Informative

    This post is leaving out some details that were brought up on the NANOG mailing list.

    This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running.

    Also, the announcement says that the server will respond on both IP addresses "for the foreseeable future".

    This isn't a question of flipping a switch and everyone having to update their servers at once. A big public announcement would probably just have confused most users for no good reason.

  13. Re:Why should we care? by KieranElby · · Score: 5, Informative

    > Maybe someone could explain to us newbies how this affects the operation of the Internet.

    Ok.

    Here's the usual (much simplified) explanation for how DNS (that is, mapping hostnames to IP addresses) works:

    Let's assume we want to connect to www.slashdot.org. We need to know its IP address in order to do this.

    What we do is:

    1) Ask one of the 13 root servers which server handles .org domains.

    2) Ask that server which server handles the slashdot.org domain.

    3) Ask that server which server handles the www.slashdot.org zone.

    However, this begs the question:

    "Where do the root servers get their info. from?"

    Well, as of yesterday they're getting it from 192.58.128.30.

    To some extent, 192.58.128.30 is now the most important address on the internet since it is the highest authority for the rather important business of looking up addresses.

  14. Re:Come get some karma... by fawadhalim · · Score: 3, Informative

    The root zone corresponds to the '.' at the very end of the domain names. The root name servers have records for .com,.org, and the national (.uk,.dk etc.) etc. DNS servers. If you ping cr.yp.to (DJB's domain), for example, and your DNS server has never seen a .to domain before, it'll query one of the root name servers for a name server authoritative for .to.

  15. The Change is not reflected at WHOIS by Anonymous Coward · · Score: 2, Informative

    [OS/390]$ whois root-servers.net
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: ROOT-SERVERS.NET
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com
    Name Server: A.ROOT-SERVERS.NET
    Name Server: F.ROOT-SERVERS.NET
    Name Server: J.ROOT-SERVERS.NET
    Name Server: K.ROOT-SERVERS.NET
    Updated Date: 23-aug-2002

    >>> Last update of whois database: Thu, 7 Nov 2002 05:05:26 EST <<<
    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    [whois.networksolutions.com]

    Registrant:
    VERISIGN GLOBAL REGISTRY SERVICES (ROOT-SERVERS-DOM)
    21345 Ridgetop Circle
    Dulles, VA 20166
    US

    Domain Name: ROOT-SERVERS.NET

    Administrative Contact:
    Internet Assigned Numbers Authority (IANA) iana@IANA.ORG
    4676 Admiralty Way, Suite 330
    Marina del Rey, CA 90292
    US
    310-823-9358
    Fax- 310-823-8649
    Technical Contact:
    VeriSign Global Registry Services (REGISTRY) nocnoc@VERISIGN.COM
    21345 Ridgetop Circle
    Dulles, VA 20166
    US
    703-948-7064
    Fax-703-421-6703

    Record expires on 05-Jul-2005.
    Record created on 04-Jul-1995.
    Database last updated on 7-Nov-2002 15:25:52 EST.

    Domain servers in listed order:

    A.ROOT-SERVERS.NET 198.41.0.4
    F.ROOT-SERVERS.NET 192.5.5.241
    J.ROOT-SERVERS.NET 198.41.0.10
    K.ROOT-SERVERS.NET 193.0.14.129

  16. newspaper had it by jeavis · · Score: 3, Informative

    A short blurb on this appeared in my local paper today (they don't have it online, sorry). The gist of it is Verisign physically relocated the server to another building on their campus. The stated intent was (1) to move it to an undisclosed location in the interest of physical security, and (2) to get it off a network segment that another root server (a.root-servers.net) was already on.

  17. j.root-servers.net did not change hands. by winnetou · · Score: 4, Informative

    j.root-servers.net was 198.41.0.10 in 198.41.0.0/22, owned by VeriSign Global Registry Services.
    j.root-servers.net is 192.58.128.30 now, in 192.58.128.0/24, owned by VeriSign Global Registry Services.
    Having both a and j in the same netblock was not a good idea (remember what happened to Microsoft when they had all nameservers in the same netblock?).
    See ARIN and ARIN again.

  18. Re:Come get some karma... by Daniel_Staal · · Score: 3, Informative

    Simple: You know there is a nameserver for slashdot.org, right? You find that nameserver by asking the org nameserver where it is. And how do you find the org nameserver? You ask the root nameservers. The root zone is the base zone of the Internet (just like / is the base of the file system in Unix).

    --
    'Sensible' is a curse word.
  19. Re:Why should we care? by Anonymous Coward · · Score: 1, Informative

    No, it doesn't "beg the question." It inspires the question, it raises or prompts the question, but it does not beg the question. HTH.

  20. Re:DDOS by winnetou · · Score: 2, Informative
    > Does this have to do with the DDOS attacks that happened a couple weeks ago?

    Possibly, a and j.root-servers.net are now in different netblocks, making a DDoS a bit more difficult.

    > Why else would they not make an announcement?

    Because nameservers use the "hints" zone as a hints zone, i.e. they will fetch the authoritative nameservers using the IP addresses in the "hints" zone to find an answering nameserver.
    Since j.root-servers.net will continue to answer at the old address, no one will notice the change.

  21. Bind Root Zone Migration HOWTO by nsushkin · · Score: 2, Informative

    [root@localhost named]# perl -pi.orig -e "s'198.41.0.10'192.58.128.30'" /var/named/named.ca

    [root@localhost named]# diff /var/named/named.ca /var/named/named.ca.orig
    67c67
    < J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
    ---
    > J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10

  22. Re:Why should we care? by Anonymous Coward · · Score: 5, Informative

    Not exactly. The question is actually "how do we find the root servers to ask them who handles .org" aka, "how do we find out who handles '.'".

    The answer is to keep a list of the 13 root servers' IPs on disk, in a file called (appropriately enough) "root.hints".

    J is *one* of the root servers, and it has changed its IP. Therefore at some point people should update their root.hints files to reflect this change.

    There's no hurry, because the other 12 haven't moved, and over time the update will tend to happen without any special help as you upgrade your DNS install, etc.

  23. It doesn't matter anyways... by GLX · · Score: 4, Informative

    When the change was announced, they noted specifically that the current J.ROOT-SERVERS.NET will stay in existence with its current IP (just no direct DNS entry) and the new one has been moved to a different IP block for DoS protection... The current one will exist for awhile to come.

    This isn't really news...

    --
    Sig (appended to the end of comments you post, 120 chars)
  24. Re:a quick theory by bugpit · · Score: 3, Informative

    See the CNET article, Key Internet server moved for security, tho Verisign claims that the timing was coincidental.

    --
    We have found the enemy and he is us. - Pogo
  25. Re:Too many moves, too many critical paths by valdis · · Score: 4, Informative

    Quite correct - there's only a little bit of procedurally/technically fiddly about it.

    Your average root nameserver gets hit for about 100M queries per day (or on the order of 1,500 per second). See http://www.caida.org/~kkeys/dns/ for details. A root nameserver is expected to get pounded on by *mostly* invalid queries (see http://www.nanog.org/mtg-0210/wessels.html). The Wessels data was *normal production* workload, not during a DDoS.

    All the usual considerations regarding BGP multihoming and hardware redundancy apply. There's reasons why the servers are Sun E10K or large IBM boxes or similar big iron, and why people who have just a T-1 from Barney's ISP, Bait, and Tackle Shop need not apply.

    Of course, there's nothing in the above that can't be solved by applying clue and dollars. However...

    Ever priced a E10K? And noticed that most of the root nameservers are basically donated by their hosts? That's where the politically fiddly comes in - the number of places that are clued enough to run a root DNS, network connected well enough to be worth it, and willing to donate the resources to do it, is a lot smaller than you might expect...

  26. For DjbDNS users by chrysalis · · Score: 4, Informative

    You must put this in your /etc/dnscache/root/servers/@ file :

    128.63.2.53
    128.8.10.90
    128.9.0.107
    192.112.36.4
    192.203.230.10
    192.33.4.12
    192.36.148.17
    192.5.5.241
    192.58.128.30
    193.0.14.129
    198.32.64.12
    198.41.0.4
    202.12.27.33

    --
    {{.sig}}
  27. Re:Hoax! by Anonymous Coward · · Score: 1, Informative

    Idiot. Just because it starts with 192 doesn't mean it's natted.

  28. Re:Why should we care? by Strog · · Score: 5, Informative

    A.ROOT-SERVERS.NET is considered the ultimate authority in DNS. It is also called "dot" and used to be a healthy Sun box. So they really were the "dot" in .com in a sense and that's what made it so funny. That box was replaced with an IBM box and now IBM could say they are the "dot" in .com.

    Link here

  29. O'Reilly DNS and Bind book by Skjellifetti · · Score: 3, Informative

    How is this [named.root/db.cache] kept up to date? As the network administrator [of your local network], that's your responsibility. Some old versions of BIND did update this file periodically. That feature was disabled, though; apparently it didn't work as well as the authors had hoped. Sometimes the db.cache file is mailed to the bind-users or namedroppers list mailing list. If you are on one of those lists, you are likely to hear about changes. (pg 68)

    Bottom line: If you run a nameserver it is your responsibility to keep it up to date. That includes knowing how changes are announced. BIND has also had several well known security problems. If you are running a version < 8.2.5 you should upgrade that as well.

  30. Re:Why should we care? by br0ck · · Score: 5, Informative

    I think your suspicion has been confirmed by this recent New Scientist article. It says one of the Verisign root servers was actually moved to a new location so that two servers wouldn't be relying on the same infrastructure. It does not mention the IP change, but it seems to make sense.

  31. This only affects OS maintainers, not DNS admins by Anonymous Coward · · Score: 3, Informative

    I'm surprised that only one poster has even noticed that Slashdotters are barking up the wrong tree, but even (s)he didn't quite make the connection.



    For the most part, root.hints files are maintained by OS/Distribution maintainers, not DNS admins. The hints file is only used to bootstrap a DNS server which will (well, should) retrieve an authoritative copy of the root zone shortly after startup and then rely on that instead. As long as just one of the 13 root server IP addresses listed in a DNS server's root.hints file is correct, the server will successfully retrieve the updated root zone. At the rate at which changes are made to the root zone (or at least, to its delegated servers), it is likely that this condition will hold true for the next 10-20 years.



    So, as long as DNS server admins perform an OS upgrade sometime between now and the year 2012, they need not touch their server configuration at all; the change will be handled automatically.

  32. Almost but not quite... by AndroidCat · · Score: 5, Informative
    In the same way that requests go down the tree to find the server, requests go up the tree to the root servers. (Up the tree to the roots, hmm!)

    If your immediate DNS handled a request for slashdot.org two seconds previously, it should still be cached -- no need to bother a root server over that. Any request would have to go up several levels before a root server would be bothered with it. (Otherwise they'd be continually /.'ed :^)

    The root servers could all disappear without a lot of disruption, but only for a short time until the cache entries started timing out.

    My backup plan is to toss the entire name space into my local hosts file. I've already got DoubleClick in there for testing. :^)

    --
    One line blog. I hear that they're called Twitters now.
  33. DNS Server Moved by Steve0987 · · Score: 3, Informative

    As the article in Computer World (http://computerworld.com/newsletter/0%2C4902%2C75711%2C0.html?nlid=AM) explains, the move of the DNS server was done for both physical separation and to move it onto a different LAN segment.

  34. Re:Serial number? by rherbert · · Score: 2, Informative

    The previous serial number was 1997082200, updated on August 22, 1997.

  35. Re:Serial number? by Jugalator · · Score: 3, Informative

    > > The new zone serial number is 2002110501.
    > What was the old serial number?


    1997082200

    --
    Beware: In C++, your friends can see your privates!
  36. Re:DON'T /. THE NAMED.ROOT FILES!!!! by ryanvm · · Score: 3, Informative

    Please don't /. the named.root files.

    Oh get serious.

    1) Slashdot is not that big. I think the Internet's root servers just might be able to handle a bigger load than you think.

    2) There are 12 (?) other root servers out there to get your root hints from. If any sysadmins out there give up on downloading the root hints because one freakin' server doesn't respond - well, they've got bigger problems.

  37. info on why the servers were moved by xcellz · · Score: 2, Informative

    http://www.cnn.com/2002/TECH/internet/11/07/internet.attacks.ap/index.html