Slashdot Mirror

← Back to Stories (view on slashdot.org)

Root Zone Changed

Posted by ryuzaki0 on from the verisign-causing-instability-as-usual dept.

An anonymous reader writes "The day before yesterday the root zone was silently changed for the first time in 5 years. The change was to J.ROOT-SERVERS.NET that is now managed by Verisign. The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced. An interesing sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

35 of 298 comments (clear)

  1. Why should we care? by Disoriented · · Score: 4, Interesting

    Maybe someone could explain to us newbies how this affects the operation of the Internet.

    1. Re:Why should we care? by nelsonal · · Score: 5, Informative

      The root servers are the master list of domain names for the Internet. The computers still use IP addresses to talk, but us Humans prefer remembering slashdot.org to 66.35.250.150. In meatspace terms, I think this is along the lines of a construction company changing the composition of their concrete for use on the Highway system, you might not notice the change as a user, but it could be a bad decision.
      All I want to know is if Sun is back to being the . in .com? :)

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
    2. Re:Why should we care? by a+(+h+3+r+0+n · · Score: 5, Informative
      The root zones are where are all top-level DNS queries start. Think of the internet domain system as one giant honkin' tree. The root servers at the top manage domain information for the top level zones, and they pass off queries down the tree until the query hits an authoritative DNS server for the domain in question.

      This affects administrators of DNS servers, because in the DNS config is a list of the IP addresses where these root servers can be found.

      Why should you care? You probably don't. It doesn't affect you directly. That is, unless all the root servers mysteriously die one day. That would make surfing for your pr0n a thing of near impossibility. :)

    3. Re:Why should we care? by KieranElby · · Score: 5, Informative

      > Maybe someone could explain to us newbies how this affects the operation of the Internet.

      Ok.

      Here's the usual (much simplified) explanation for how DNS (that is, maping hostnames to IP addresses) works:

      Let's assume we want to connect to www.slashdot.org. We need to know it's IP address in order to do this.

      What we do is:

      1) Ask one of the 13 root servers which server handles .org domains.

      2) Ask that server which server handles the slashdot.org domain.

      3)Ask that server which server handles the www.slashdot.org zone.

      However, this begs the question:

      "Where do the root servers get their info. from?"

      Well, as of yesterday they're getting it from 192.58.128.30.

      To some extent, 192.58.128.30 is now the most important address on the internet since it is the highest authority for the rather important business of looking up addresses.

    4. Re:Why should we care? by Anonymous Coward · · Score: 5, Informative

      Not exactly. The question is actually "how do we find the root servers to ask them who handles .org" aka, "how do we find out who handles '.'".

      The answer is to keep a list of the 13 root servers' IPs on disk, in a file called (appropriately enough) "root.hints".

      J is *one* of the root servers, and it has changed its IP. Therefore at some point people should update their root.hints files to reflect this change.

      There's no hurry, because the other 12 haven't moved, and over time the update will tend to happen without any special help as you upgrade your DNS install, etc.

    5. Re:Why should we care? by Shagg · · Score: 4, Insightful

      Think of it like this:

      If you are looking for the phone number for a company you've never called before, you want to look in the Yellow Pages to find it. Now if your wife has moved the Yellow Pages to a different room in the house, you need to know where she put it. However, in this case it's more like there are 13 copies of the Yellow Pages in your home, and she's only moved one of them... so it's not too big of a deal. It's also not something you need to know unless you run a DNS server.

      --
      Unix is user friendly, it's just selective about who its friends are.
    6. Re:Why should we care? by SacredNaCl · · Score: 5, Insightful

      I wonder if this has anything to do with the recent denial of service attacks against the root servers?

      Just speculating that maybe the attackers used a worm/trojan that was preset to attack them at the previous IP on certain dates? Similar to some things we have seen in the past...

      --
      Freedom is merely privilege extended unless enjoyed by one and all.
    7. Re:Why should we care? by Strog · · Score: 5, Informative

      A.ROOT-SERVERS.NET is considered the ultimate authority in DNS. It is also called "dot" and used to be a healthy Sun box. So they really were the "dot" in .com in a sense and that's what made it so funny. That box was replaced with an IBM box and now IBM could say they are the "dot" in .com.

      Link here

    8. Re:Why should we care? by br0ck · · Score: 5, Informative

      I think your suspicion has been confirmed by a this recent New Scientist article. It says one of the Versign root servers was actually moved to a new location so that two servers wouldn't be relying on the same infrastructure. It does not mention the IP change, but it seems to make sense.

  2. Thanks Micheal, you're gonna /. by Hairy_Potter · · Score: 5, Funny

    the internet. Don't every one go J.ROOT-NET.NET now.

    1. Re:Thanks Micheal, you're gonna /. by br0ck · · Score: 4, Informative

      Oddly, the reply to the NANOG post about the change encourages people to hold off on downloding the hints file to prevent Slashdotting internic.net since. The reply claims that the update is not at all critical.

  3. bah. by grub · · Score: 5, Funny


    Whenever I go near a "root zone" I end up getting pepper sprayed and charged with sexual assault.

    --
    Trolling is a art,
  4. It was announced on NANOG..... by dannyp · · Score: 5, Informative

    ....the day before. See the message. Granted not much warning, but it wasn't silent.

    1. Re:It was announced on NANOG..... by l1_wulf · · Score: 5, Informative
      As it has been pointed out further down (for those of us that sort by score), this is truly a non-event and makes no significant impact on the typical /. reader. I will not take credit for the following information, but will quote someone that I think summed up the situation enough to hopefully keep the average Joe from /.ing any of the links posted in the article above. ccandreva posted
      This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running. Also, the announcement says that the server will respond on both IP addresses "for the forseeable future".
      Essentially, unless you know specifically that you are directly affected by this change, and can explain in detail why exactly you need this information right now, there is no need to /. any of the links above. If you run a linux box and keep your builds rather current, then I can assure you that there is no need to update. Think about it, the last change was 5 years ago, there should not be a major rush to update for the majority of us.
  5. Verisign? Does that mean by myowntrueself · · Score: 5, Funny

    that we are going to need Microsoft passport to make changes to DNS now?

    --
    In the free world the media isn't government run; the government is media run.
    1. Re:Verisign? Does that mean by TheCeltic · · Score: 5, Funny

      Not unless at least one of the Root servers changes from being UNIX based... Come now.. can you imagine the size of the windows cluster needed to offer a stable Root server? It would fill a warehouse!

      --
      =-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
  6. a quick theory by cr@ckwhore · · Score: 5, Insightful

    Following the recent DOS attacks against the root servers, it wouldn't surprise me if this move is only a small part of a bigger story. I'm willing to bet that modifications are being made to the networking and security of the root servers that will better prepare the entire root system for future attacks. The move of J. is probably just the tip of the clandestine "ice berg".

    --
    Skiers and Riders -- http://www.snowjournal.com
  7. This doesn't matter. Really. by toastyman · · Score: 5, Informative
    To quote Sean Donelan's post on NANOG:

    Since its been 5 years since the hints/cache boot file has changed,
    it may be useful to remind people an immediate change to your
    local configuration files is not required. You don't need to
    slashdot internic.net tomorrow morning trying to download the file.

    As long as 1 listed IP address responds with the current list of root
    servers, the server doesn't even need to be a root server itself, your
    name server should figure out who are the current roots. In the 1980's
    and 1990's when the hints/cache file changed regularly, some people when
    years without updating it. Or only updated it when they upgraded their
    name server code.

    Don't Panic.


    To sum up: You don't need to change anything. As long as one of the 13 servers in your hints/cache file responds, your name server will download the updated list on startup. You only have to worry if you've put off updating it so long that all 13 servers have changed IP's. Pretty unlikely, since that would be a hints file that's more than 10 years old at least. (You're not running Linux, anyway...)

    And no, this isn't verisign-causing-instability-as-usual. They're actually trying to help it. Before this change, both a.root-servers.net and j.root-servers.net were in the same /24 and in the same BGP annoucement. They're moving things around a bit(presumably) to increase reliability and redundancy.
  8. Anyone that cares... by pirodude · · Score: 5, Informative

    Anyone that cares and needs to know about it was properly notified. There was a post to NANOG 3 days ago about it:

    *****PLEASE NOTE*****
    This is an important Informational Message to the internet community:

    November 5, 2002, the IP address for J.root-servers.net will
    change in the authoritative NS set for "dot". The change will
    be reflected in zone serial # 2002110501.

    The new set of servers authoritative for "dot" will be:
    A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4
    H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53
    C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12
    G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4
    F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241
    B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107
    J.ROOT-SERVERS.NET. 5w6d16h IN A 192.58.128.30
    K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129
    L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12
    M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33
    I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17
    E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10
    D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90

    This WILL require a change to your root hints file. The new
    file will be available via anonymous ftp from
    rs.internic.net:/domain/named.root as well as
    ftp.internic.net:/doamin/named.root starting 11/5/02 1700UTC (12pm
    EST/9am PST).

    Both the new and old j.root-servers.net IP space will provide
    answers in parallel for the foreseeable future.

    _________________________________________

    John Crain
    Manager of Technical Operations
    ICANN/IANA

    crain@icann.org
    1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7

    1. Re:Anyone that cares... by Tony+Hoyle · · Score: 4, Informative

      Oops (don't try that at home kids...)

      # dig @a.root-servers.net . ns >/etc/bind/db.root

  9. Don't panic - and there is no conspiricy by karl.auerbach · · Score: 5, Interesting

    This move is "a good thing".

    The J server shared a broadcast domain (i.e. it was on the same Ethernet) as the A root server. That's was clearly sub-optimal.

    So this move is good in that it creates a small bit of physical separation and a bit larger amount of net-topological separation between the J and A root servers.

    I hear that the old server will continue in operation for an indefinite period - so there is no need to rush out and update your "hints" file for your DNS resolvers - you can do it at your leasure and you probably won't notice even if you forget to do it.

    (Even if the old server is turned off - as long as a bogus server doesn't replace it, when DNS resolvers that are using the old hints file come up and look for a root zone definition, they will simply bypass the non-responsive absent server and try the other hints.)

    But there is another issue - A change in the "hints" is always a nuisance. And since we are incurring this nuisance, I wonder why we did not use this as an opportunity to redress the imbalance of root server placement - there are few root servers in Europe and Asia, and rather than simply moving the J server from one side of Herndon, Virginia to another, why wasn't it moved to Europe of Asia?

    1. Re:Don't panic - and there is no conspiricy by sam_handelman · · Score: 5, Funny

      If there's no conspiracy, why are we all crouching around a table in a smoke filled room going over printed transcripts of your VoIP conversations for the past week, huh, smart guy?

      Just because we at Verisign have no sinister motives in moving a god damned computer does NOT mean that we're not involved in any conspiracies!

      As another example, our co-conspirators at the NSA just closed a loophole that let members of their alien autopsy division take extra paid sickdays even if they've never been exposed to any alien tissue (and thus, to the space virus). This was a totally inoccuous cost cutting measure, and not part of their conspiracy to conceal the existence the aliens. Does this mean the conspiracy doesn't exist? Absolutely not!

      --
      The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  10. stupid tagline by GigsVT · · Score: 5, Informative

    "Causing instability as usual"?

    You only need one root server, there are 12 others. In fact, it safe to just wait until the next time you upgrade BIND or your operating system... running an out of date file won't hurt anything.

    There was no reason to announce anything here. This is really a non-event.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  11. umm... by Triv · · Score: 5, Funny

    An anonymous reader writes

    Ok. I got that. Next.

    "The day before yesterday the root zone was silently changed for the first time in 5 years.

    That's english at least. Something changed. Hopefully the rest will tell me what.

    The change was to J.ROOT-SERVERS.NET that is now managed by Verisign.

    Verisign's evil, right?

    The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced.

    Conspiracies are bad, right?

    An interesing sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

    [Brain explodes]

    (Isn't it amazing when you read something written in your own language and don't understand a word of what's being said?) ;)

    Triv

  12. Getting root.hints by image · · Score: 5, Informative

    > The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root.

    For those running bind, you may want to try this instead:

    dig @e.root-servers.net . ns > root.hints

    It will generate the root list automatically, ready for you to drop into /var/named/ (or wherever you installed it).

  13. Not that big a deal by ccandreva · · Score: 5, Informative

    This post is leaving out some details that were brought up on the NANOG mailing list.

    This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running.

    Also, the announcement says that the server will respond on both IP addresses "for the forseeable future".

    This isn't a question of flipping a switch and everyone having to update their servers at once. A big public announcement would probably just have confused most users for no good reason.

  14. Try Flowers netx time by RatBastard · · Score: 4, Funny

    I hear flowers and or chocolates will reduce the number of macings a geek will suffer in his lifetime.

    You could also ask before you go rooting around the garden.

    --
    Boobies never hurt anyone. - Sherry Glaser.
  15. j.root-servers.net did not change hands. by winnetou · · Score: 4, Informative

    j.root-servers.net was 198.41.0.10 in 198.41.0.0/22, owned by VeriSign Global Registry Services.
    j.root-servers.net is 192.58.128.30 now, in 192.58.128.0/24, owned by VeriSign Global Registry Services.
    Having both a and j in the same netblock was not a good idea (remember what happened to Microsoft when they had all nameservers in the same netblock?).
    See ARIN and ARIN again.

  16. It doesn't matter anyways... by GLX · · Score: 4, Informative

    When the change was announced, they noted specifically that the current J.ROOT-SERVERS.NET will stay in existance with it's current IP (just no direct DNS entry) and the new one has been moved to a different IP block for DoS protection... The current one will exist for awhile to come.

    This isn't really news...

    --
    Sig (appended to the end of comments you post, 120 chars)
  17. Re:Imagine the excitement this news will cause... by Nintendork · · Score: 4, Funny
    Same here. Although my main IP address is 127.0.0.1

    I dare you all to hack me!

  18. Instability? WTF? by alexjohns · · Score: 4, Insightful
    "verisign-causing-instability-as-usual dept."
    Michael Sims, you're a fucking idiot. You know nothing about the way the internet works. In no way, shape, or form does this cause any instability whatsoever. It improves stability, however slightly.

    You might want to stick to articles about politics or censorship or something. Technical issues don't appear to be your forté.

  19. Re:Too many moves, too many critical paths by valdis · · Score: 4, Informative

    Quite correct - there's only a little bit of procedurally/technically fiddly about it.

    Your average root nameserver gets hit for about 100M queries per day (or on the order of 1,500 per second). See http://www.caida.org/~kkeys/dns/ for details. A root nameserver is expected to get pounded on by *mostly* invalid queries (see http://www.nanog.org/mtg-0210/wessels.html). The Wessels data was *normal production* workload, not during a DDoS.

    All the usual considerations regarding BGP multihoming and hardware redundancy apply. There's reasons why the servers are Sun E10K or large IBM boxes or similar big iron, and why people who have just a T-1 from Barney's ISP, Bait, and Tackle Shop need not apply.

    Of course, there's nothing in the above that can't be solved by applying clue and dollars. However...

    Ever priced a E10K? And noticed that most of the root nameservers are basically donated by their hosts? That's where the politically fiddly comes in - the number of places that are clued enough to run a root DNS, network connected well enough to be worth it, and willing to donate the resources to do it, is a lot smaller than you might expect...

  20. For DjbDNS users by chrysalis · · Score: 4, Informative

    You must put this in your /etc/dnscache/root/servers/@ file :

    128.63.2.53
    128.8.10.90
    128.9.0.107
    192.112.3 6.4
    192.203.230.10
    192.33.4.12
    192.36.148.17
    1 92.5.5.241
    192.58.128.30
    193.0.14.129
    198.32.64 .12
    198.41.0.4
    202.12.27.33

    --
    {{.sig}}
  21. Almost but not quite... by AndroidCat · · Score: 5, Informative
    In the same way that requests go down the tree to find the server, requests go up the tree to the root servers. (Up the tree to the roots, hmm!)

    If your immediate DNS handled a request for slashdot.org two seconds previously, it should still be cached -- no need to bother a root server over that. Any request would have go up several levels before a root server would be bothered with it. (Otherwise they'd be continually /.'ed :^)

    The root servers could all disappear without a lot of disruption, but only for a short time until the cache entries started timing out.

    My backup plan is to toss the entire name space into my local hosts file. I've already got DoubleClick in there for testing. :^)

    --
    One line blog. I hear that they're called Twitters now.
  22. Wrong dot by kasperd · · Score: 5, Funny

    So they say they are the dot in dot com, but they should really say they are the dot in dot com dot, because they are really the dot after com not the dot before com. However this last dot is often forgotten, it really means the name is absolute rather than relative. This is very much like the leading slash in paths to files.

    Hmm, now I'm writing on slashdot about leading slashes and trailing dots, what a coincidence.

    --

    Do you care about the security of your wireless mouse?