Slashdot Mirror


Verisign Plans DNS Changes

NetWizard writes "According to a recent NANOG post and an InfoWorld story, 'Verisign will change the serial number format and "minimum" value in the .com and .net zones' SOA records on or shortly after 9 February 2004'. They seemed to have learned their lesson, from the post: 'There should be no end-user impact resulting from these changes (though it's conceivable that some people have processes that rely on the semantics of the .com/.net serial number.) But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.)'"

161 comments

  1. Stop Changing DNS by Blackknight · · Score: 3, Insightful

    God damn it ICANN, you need to take away Verisign's authority over DNS. Every time they change something it's a major pain in the ass for anybody that works in an ISP, web hosting, etc.

    STOP FUCKING CHANGING THINGS!

    1. Re:Stop Changing DNS by johnburton · · Score: 1

      I don't see anything wrong with this particular change. Even if they'd not announced it it wouldn't have broken anything that should have been using it.

      --
      Sig is taking a break!
    2. Re:Stop Changing DNS by Anonymous Coward · · Score: 5, Insightful

      How the hell will this be a pain in the ass? Any software that relies on .com's serial number remaining static is broken and needs to be fixed. Complain to the software developers, as Verisign is not at fault this time.

    3. Re:Stop Changing DNS by CarrionBird · · Score: 3, Insightful

      Maybe, but everything is working now, and there's no reason to change it other than breaking these "broken" programs.

      --
      Free Mac Mini Yeah, it's
    4. Re:Stop Changing DNS by TubeSteak · · Score: 5, Informative
      Yes, but software engineers have a knack for taking shortcuts where you least expect them. Kinda like MS and their broken implementation of standards. Even if you do code your html/etc properly, that doesn't guarantee it'll come out right. So the point being, just because you weren't supposed to, doesn't mean you didn't.

      The above isn't meant as an excuse, just an explanation as to why this will undoubtedly break someone's something. Then you get back to the old 'change is good' but not if it causes trouble, then 'change is bad'[tm]. At some point we're going to have to make big changes to the infrastructure and things will break regardless of compatibility. We might as well get used to it (though as always, having a decent explanation wouldn't be a bad thing[tm])

      --
      [Fuck Beta]
      o0t!
    5. Re:Stop Changing DNS by AndroidCat · · Score: 0
      No worries--give the authority to the United Nations like the UN was whining about last year.

      Then you won't see any change.

      --
      One line blog. I hear that they're called Twitters now.
    6. Re:Stop Changing DNS by Anonymous Coward · · Score: 2, Insightful

      Change is good. You don't even want to imagine how the internet would look today if things were still run the way they were 10 years ago. The users are changing, so the net will have to follow.

    7. Re:Stop Changing DNS by jrumney · · Score: 4, Insightful

      Reading between the lines, it looks to me like Verisign want to start providing real time DNS updates, in which case there is a reason to change it. Currently they update the database twice a day, which is well within the limits of the current serial number scheme. But with real time updates, they could easily get to 100 updates in a day.

    8. Re:Stop Changing DNS by Anonymous Coward · · Score: 0
      So the point being, just because you weren't supposed to, doesn't mean you didn't


      A triple negative. Go TubeSteak!
    9. Re:Stop Changing DNS by CarrionBird · · Score: 1

      If that's the case, then it's a good thing. What gets me is when people change things solely to break others' nonstandard code.

      --
      Free Mac Mini Yeah, it's
    10. Re:Stop Changing DNS by Anonymous Coward · · Score: 2, Informative

      Part of an older meaning for hacker was someone who fixes things that aren't broken. Verisign has hackers working on this one. We don't use YYYYMMDDHHSS for serials, we use an increasing serial maintained by a script that does not contain an overloaded date meaning. If you want the serial to be the number of seconds since beginning of an epoch, then change the RFC through normal means, not by some corporate edict. Hackers they are, in the old sense.

    11. Re:Stop Changing DNS by Anonymous Coward · · Score: 0

      Ah, but they're only changing their own use of the field. They're free to do so in zones they maintain as long as it's an RFC compliant change. They're also free to change the minimum with an RFC compliant change. How much will load change on .com and .org nameservers?

    12. Re:Stop Changing DNS by Anonymous Coward · · Score: 0

      yes, but wasn't it grammatically correct?

    13. Re:Stop Changing DNS by Loconut1389 · · Score: 1

      scary thought!

    14. Re:Stop Changing DNS by Blkdeath · · Score: 2, Insightful
      Reading between the lines, it looks to me like Verisign want to start providing real time DNS updates, in which case there is a reason to change it. Currently they update the database twice a day, which is well within the limits of the current serial number scheme. But with real time updates, they could easily get to 100 updates in a day.

      I've always had a problem with change for the sake of change. The current system, in their semantic "the SOA value must represent the date" methodology, already allows them 100 updates per day. Why do they think they require more??!

      With their new timeout values (900 seconds), 86400 seconds being in a day, they only have a reasonable set of 96 update cycles anyways, otherwise they'd be changing the zone so frequently every other update would be missed by half the world.

      Ok, so the new format permits them 86400 changes in a day. My question is this; why are they, a "responsible" domain authority, making so many changes, and furthermore what is the utility of each change?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    15. Re:Stop Changing DNS by You're+All+Wrong · · Score: 1

      You say :
      "with real time updates, they could easily get to 100 updates in a day."

      They say :
      "The current serial number format is YYYYMMDDNN"

      Why 4 insightful? Surely you're being funny?

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    16. Re:Stop Changing DNS by Anonymous Coward · · Score: 0

      The above isn't meant as an excuse, just an explanation as to why this will undoubtedly break someone's something.

      Well, then, it sounds like "someone's" fault, not Verisign's, eh?

    17. Re:Stop Changing DNS by Smack · · Score: 1

      If you can get to 100, then NN is not sufficient (unless it's hex digits).

  2. Trying to regain trust? by netsharc · · Score: 2, Interesting

    But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.

    The last sentence sounds like they want to emphasize that they're announcing this so early so that no one panics when all of a sudden something changes, I guess it's good that they're trying to rebuild trust.

    --
    What time is it/will be over there? Check with my iPhone app!
    1. Re:Trying to regain trust? by RobertTaylor · · Score: 0, Flamebait

      SOA records on or shortly after 9 February 2004'

      Yup, 30 days notice. Probably the minimum notice period allowed! Hardly 'early' :)

    2. Re:Trying to regain trust? by gnu-generation-one · · Score: 1

      Do we have to repost everything from NANOG on slashdot? The conclusion was that nobody outside verisign itself would be affected. It doesn't even break RFCs.

  3. SEMANTICS. by Mod+Me+God · · Score: 0

    Inverted commas were used where speech marks should have been. Speech marks were used where inverted commas should have been. One bracket was opened, but two were closed. Punctuation (fall stops) were inside the bracket when they should be outside.

    ARGHHHHHHHHHHHHHHHH!

    --

    FreeNET user? Comfortable with the adverse selection?
    1. Re:SEMANTICS. by operagost · · Score: 1
      Thanks for the info. Now, tell me what the hell speech marks, inverted commas, and fall stops are!

      Do you mean quotation marks (") and apostrophes (')? I haven't a clue what you mean by fall stops.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  4. "There should be no end-user impact" by Fortunato_NC · · Score: 3, Interesting

    And then they go and cite an example where there WOULD be an end user impact.

    Although unlikely, there is a potential for collateral damage here. Is there anyone at Verisign willing to post the logic behind making the changes in the first place? I can't see where there would be a business case when someone would jump up and say "We could make a billion dollars, but only if we change the way we determine DNS serial numbers for the .COM and .ORG domain. I guess we're screwed, guys!" Then the brave tech raises his hand and says "You know, with my Dell laptop and wireless LAN, I can change the way the serial number is incremented from anywhere."

    I've been watching too many Dell commercials lately...

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
    1. Re:"There should be no end-user impact" by resiak · · Score: 5, Informative

      I'm not someone at Verisign, but I am willing to suggest possible logic in this change.

      The previous format, YYYYMMDDNN (where NN is an arbitrary sequence number), conforms to no standard but its own. The UNIX timestamp format is recognised by any date/time manipulation tool worth using, as well as being a standard (de facto or otherwise, I don't know). While switching format now is a PITA for those who have already written tools that work with it, it will make future development fractionally easier, as well as allowing more accuracy than could practically be used.

      Then again, they could just leave things alone.

    2. Re:"There should be no end-user impact" by gavcam · · Score: 2, Informative
      Is there anyone at Verisign willing to post the logic behind making the changes in the first place?

      RTFA...

      The .com and .net zones will still be generated twice per day, but this serial number format change is in preparation for potentially more frequent updates to these zones.

    3. Re:"There should be no end-user impact" by Tayto · · Score: 2, Insightful

      To be honest, this makes reasonable sense to me. I can see the case for Verisign wanting to make new registrations available immediately, rather than at the next 12-hourly update.

      Eventually, the zone data could be updated every time the contents of .COM or .ORG changed, with no real impact on the end user (because of DNS caching). The zone data could even be generated dynamically, directly from a database, with the serial set to the last time the database was updated. I know, historically, this isn't the way DNS servers have worked, but why not run a DNS server directly from a database? This would pave the way for that possibility for Verisign.

      With the exception of this one-time hit on people who want to pretend to be slaves of .COM/.ORG, there should be minimal other effect, and does make it possible for faster (or let us say 'almost immediate') addition/removal of domains to occur.

    4. Re:"There should be no end-user impact" by AndroidCat · · Score: 1
      One question I have, that wasn't answered in the FA: What format(s) are the other TLDs using for their DNS records?

      If the format is different across various TLDs, anyone programming for just the .com/.net format was foolish. (Too lazy to haul out the Cricket book and check.)

      --
      One line blog. I hear that they're called Twitters now.
    5. Re:"There should be no end-user impact" by tzanger · · Score: 1

      I was under the impression that the *only* thing that the serial number stood for was a numeric sequence that the nameservers checked against to see if it had an older version of the record.

      I know of several people who use straight numeric serial numbers (i.e. '1', '2', '3') and haven't had any issues since they still increment it when they make changes on the master and the slaves all see the serial # is different and update.

    6. Re:"There should be no end-user impact" by sumbry · · Score: 1

      The zone data could even be generated dynamically, directly from a database, with the serial set to the last time the database was updated.

      Check out PowerDNS. Basically it's an authoritative only nameserver that gets its results directly from a database (MySQL, Postgres, Oracle). Wanna update info for a zone, it's as simple as issuing an SQL UPDATE statement and voilà, your changes are live.

    7. Re:"There should be no end-user impact" by Anonymous Coward · · Score: 0

      WTF don't they just move to YYYYMMDDhhmmss then? That'd hopefully make it a lot less hasslesome, and if they ever found the need to allow even more changes, they can always tack milliseconds on the end or something.

      -- vranash

    8. Re:"There should be no end-user impact" by vendull · · Score: 1
      The previous format, YYYYMMDDNN (where NN is an arbitrary sequence number), conforms to no standard but its own.

      Actually, the YYYYMMDDNN syntax is recommended by RFC 1912, section 2.2. I don't have a problem with Verisign making this change, but RFC 1912 does suggest using this syntax.

      2.2 SOA records

      ...The recommended syntax is YYYYMMDDnn (YYYY=year, MM=month, DD=day, nn=revision number). This won't overflow until the year 4294.

    9. Re:"There should be no end-user impact" by Dahan · · Score: 1
      WTF don't they just move to YYYYMMDDhhmmss then?

      Because that won't fit in a 32-bit integer. The serial number field is just that--a number. However, it's a 32-bit number, so it can't be greater than 4294967295. Other than that, who cares what format it's in, as long as it increases whenever the zone is changed?

    10. Re:"There should be no end-user impact" by mysticalreaper · · Score: 1

      Why they are doing this: Verisign used to do 2 updates per day, once every 12 hours. That means if you made any change that required new info in the .com zone, you were always waiting a long time before the changes actually happened. Verisign wanted to improve this, so they have developed a new system that they're going to roll out on Feb 9. The only visible effect of this change from the outside world is that the serial number format will change. So, in order to prevent paranoids from flipping out, they let people know before they made this change.

      It's important to note that this WILL NOT affect the DNS system at all. This serial number is in an arbitrary format for any domain. Just because many administrators use the YYYYMMDDNN format in no way means that this is the only correct way to do it. The format only matters to the slave name servers, all of which are run by Verisign. And as for 'user impact', it's the same impact as if you were using a script to monitor a website, and then the website changed. You can't really blame the website for screwing up your script.

      And Verisign should not be pre-hated. A technical action requires analysis on a technical level, and if you're level headed and have understanding of the situation, you will see that this change is harmless, and will actually IMPROVE the performance of the .com and .net domains. Falling into the trap of hating a company outright is zealotry. You need to look at this on a technical level, and make your decision.

    11. Re:"There should be no end-user impact" by mvl · · Score: 1

      as long as it increases whenever the zone is changed?

      Of course, it won't increase on the day this change is made. 1076370400 < 2004020900

    12. Re:"There should be no end-user impact" by Anonymous Coward · · Score: 0

      This makes me think of our bank, who's converting to a "new-and-improved" check-clearing system that can't handle check numbers with more than four digits. Therefore, all their long-time checking customers (like us--we've been with them for 25 years and have written hundreds of thousands of checks--egads!) will get new checks starting at 1001 the next time they run out.

  5. Serial number format by albalbo · · Score: 4, Informative

    No-one cares what format the serial number is in, except those who have written software that relies on the current format (in disobedience of the RFCs...)

    A serial number is just a 32-bit number, and is used to see if a domain has been updated. The specs. do not say anywhere that it should be in a specific format.

    --
    "Elmo knows where you live!" - The Simpsons
    1. Re:Serial number format by Trillan · · Score: 3, Insightful

      This looks like a good change to me. I can't imagine there would be an outcry over this if Verisign hadn't previously implemented the SiteFinder dung.

    2. Re:Serial number format by Anonymous Coward · · Score: 0

      True, but the number should be unique (among all of the zone's serial numbers) and should increase when you update the zone.

    3. Re:Serial number format by martok · · Score: 1

      The only thing I can see breaking is the assumption that a serial number on a zone should be incremented on a zone update. This change from a number like 2004011000 to a time_t value like 1073773102 will result in a one-time serial decrement. Though this is allowed if I remember my RFC correctly, the procedure is kludgy and involves setting the serial near the end of the 32 bit boundary and then bringing it back down again.

    4. Re:Serial number format by oobar · · Score: 1

      It's even less important than that. The only time the serial number is really used is when you are doing an IXFR from a secondary or mirroring DNS server, so that it can sync up to the master server by retrieving the updated zone data. Well guess what, Verisign runs the master and all the slave servers. This only affects Verisign machines, nothing else. I'm sure it's conceivable that someone at some point in time wrote some app that uses the serial number of the com and net zones (such as a company that checks for newly registered domains) but unless those scripts were very poorly written this should have no effect. Each zone update will still have a unique serial number that's incremented each time it's updated. There's of course a single discontinuity when they switch formats, but it's a one-time thing. And, the new method allows for more than 100 updates per day (a limitation of the YYYYMMDDNN format), so it could eventually mean domain info propagating much faster.

      In short, this is a non-issue. There was some hoopla in NANOG because some readers misunderstood the implications. But in actuality, this won't break anything and it's quite an overreaction to compare this to SiteFinder -- which was despicable and deserved to die.

  6. More transparent decisions and pre-announcements by WebTurtle · · Score: 5, Interesting

    This announcement is important in that Verisign finally seems to recognize that they are part of a larger community, that those DNS records are not just some corporate asset sitting in a couple of computers in the corner.

    Changes affect administrators around the globe. As part of a community, they have a responsibility to make their decisions transparent to the community, and to announce changes well-enough in advance that those who are affected have time to prepare.

    This is not just a Verisign issue. The need for major Internet organizations to recognize the larger public as important stakeholders within the community is important. Awareness of the larger community should be followed by communication and actions that reflect that awareness, thus signalling a willingness to truly be a part of that community.

    Verisign seems to be exhibiting a newfound awareness of community that ICANN seems to have abandoned.

    I hope Verisign continues to be a good member of the community. Perhaps others can follow their lead.

    --
    ------- "One of the joys of travel is visiting new towns and meeting new people." -- G. KHAN
  7. Why do Verisign have this level of access anyway? by nighty5 · · Score: 5, Interesting

    The internet infrastructure should be managed and run by the community, and not driven by commercial proliferation of services offered to enhance a company's offerings. This change seems dubious at best, considering Verisign's previous efforts of domain sitting, which would break applications. Let's ensure we keep them in their place.

  8. Hey... by Neophytus · · Score: 5, Insightful
    1. Re:Hey... by Neophytus · · Score: 2, Informative

      No, it isn't offtopic if you had RTFA. The new format will be the UTC time at the moment of zone generation encoded as the number of seconds since the UNIX epoch. (00:00:00 GMT, 1 January 1970.)

    2. Re:Hey... by kasperd · · Score: 3, Informative

      2038 is a valid concern. But if DNS servers compare serial numbers according to RFC 1982 it is not going to be a problem.

      --

      Do you care about the security of your wireless mouse?
    3. Re:Hey... by Anonymous Coward · · Score: 0

      The sequence number is unsigned, so they would have a Y2106 problem, not a Y2038 problem.

      Plus another poster mentioned the RFC for wrap-around comparison. So they'll only have problems if they have data > 60 years old that hasn't expired.

    4. Re:Hey... by nutznboltz · · Score: 1

      Yes wrap-around serial numbers will be no problem but the usefulness of a supposedly-date encoded serial number when it wraps will be questionable.

  9. Aaww just great by Rosco+P.+Coltrane · · Score: 4, Funny

    Verisign will change the serial number format and "minimum" value in the .com and .net zones

    Right, so when I fall on an unresolved address, I can't even return it under warranty because the serial number has changed, and even if they did reimburse me, they changed the value. That's just flipping great...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Aaww just great by Reziac · · Score: 1

      Well then, file off the old serial number and etch a new one!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  10. Warn us? by Anonymous Coward · · Score: 0

    What would you need to warn us for? It is perfectly acceptable to add a wildcard with no warning - which resulted in many more problems than changing the serial number. You don't need to get any permission or review, just go ahead. If people don't like it, the most you'll get is a gentle hand-slap.

    --
    Pat Robertson says that God told him that Bush will win by a landslide.

  11. Don't Be Silly. by \\ · · Score: 1

    The end of the world is already scheduled for 12/21/2012.

  12. Re:Why do Verisign have this level of access anywa by Anonymous Coward · · Score: 1, Interesting

    That is why the UN should have it.

  13. Re:Why do Verisign have this level of access anywa by Rosco+P.+Coltrane · · Score: 0, Troll

    The internet infrastructure should be managed and run by the community

    Yes I'm sure that would work.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  14. they can't handle it by __aaitqo8496 · · Score: 1

    They're changing stuff? They can't even keep my DNS and contact information correct. I can't wait till this "little" change is done so they have one more thing to fcuk up.

  15. Transparency? by heironymouscoward · · Score: 1

    A man goes to a bakers, asks how much the bagels are. Baker replies "twelve for a dollar". Man replies, "at the bakers across the street, they're fourteen per dollar". Baker replies, "Yes, but they're sold out, no?" "Yes", answers the man. "Well," says the baker, "when my bagels are sold out, they're sixteen for a dollar!"

    Moral: Verisign can hardly do anything wrong with this serial number change, so it's hardly proof of goodwill. When they stop messing with other, more delicate things, they will get some credit.

    --
    Ceci n'est pas une signature
    1. Re:Transparency? by Anonymous Coward · · Score: 0

      i can't possibly imagine how that quote has anything to do with what you said following it. you win a cookie!

    2. Re:Transparency? by Anonymous Coward · · Score: 0

      1) Unrelated joke/anecdote
      2) Moral that doesn't make any sense
      3) Karma!

  16. give parent a +5 by Anonymous Coward · · Score: 0

    this really is funny as balls

  17. Is it just me? by armando_wall · · Score: 5, Interesting

    From Infoworld: But the company did allow that "processes that rely on the semantics of the .com/.net serial number" could be affected.

    For example, companies that have created scripts to monitor domain change on .com and .net will almost certainly need to make changes to account for the serial number change..."The damage won't be catastrophic, but some DNS servers could stop receiving updates,"

    And they are planning to do this next Feb 9? Isn't that like too little time for organizations to update their systems?

    I don't trust Verisign... the fact that they control such an important database accessed by millions of people around the world really frightens me. They screwed it once, they can do it again.

    They should have that power removed from them. It should be on another organization (i.e. a non-profit one) that better serves internet community.

    1. Re:Is it just me? by Anonymous Coward · · Score: 0
      Isn't that like too little time for organizations to update their systems?

      Who needs to update their systems? If it turns out that something wrongly relies on this, there's 30 days to say, "WAIT!"

  18. Re:Why do Verisign have this level of access anywa by mongbot · · Score: 2, Interesting

    History, I suppose.

    The internet infrastructure should be managed and run by the community, and not driven by commercial proliferation of services offered to enhance a company's offerings.

    That was what the recent UN conference was about I suppose. But everyone wanted to dismiss that as being useless.

  19. I see a problem by jcochran · · Score: 4, Informative

    They will be changing their serial number from about 2004020900 to something about 1075680000 which according to the DNS system will be an older serial number because the difference is only 928340900 which is much less than half the range of a 32 bit number. They can make the change that they are planning if they make two changes with at least their cache interval amount of time between the changes. See RFC-1034.

    1. Re:I see a problem by 91degrees · · Score: 3, Funny

      Oh, don't worry. Everything will just sort itself out on the 3rd July 2033.

    2. Re:I see a problem by ripLizard · · Score: 1

      2004020900 > 1075680000 from inspection, no need for maths. But less need not mean older, provided the semantics of the serial change are understood by all slaves. Verisign runs the slaves too, so it shouldn't be a major problem.

      If managed properly it should go smoothly. I'll be bottling up my angst for their less sane proposals.

    3. Re:I see a problem by graf0z · · Score: 4, Informative
      There is no problem.

      Serial numbers only affect master-slave communication (and self-written scripts violating RFCs), but all masters and slaves for .com & .net belong to VS. See Paul Vixie's reply to the same question on NANOG.

      /graf0z.
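
The serial comparison argued over in this thread (comment 19, and the "one-time serial decrement" procedure mentioned under comment 5), worked through as an added example that is not part of any post and not Verisign's code. It implements RFC 1982 serial arithmetic for the 32-bit SOA serial; the function names are hypothetical and the serial values are the ones quoted in the comments.

```python
"""RFC 1982 serial number arithmetic for 32-bit DNS SOA serials (added example)."""
from typing import List

SERIAL_MOD = 1 << 32             # the SOA serial is an unsigned 32-bit field
HALF_RANGE = 1 << 31             # comparison is only defined below this distance
MAX_INCREMENT = HALF_RANGE - 1   # largest jump a secondary still sees as "newer"


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982.

    A distance of exactly 2**31 is undefined by the RFC; it is treated here
    as "not newer", so a secondary would keep the copy it already holds.
    """
    distance = (a - b) % SERIAL_MOD
    return 0 < distance < HALF_RANGE


def secondary_would_transfer(primary_serial: int, held_serial: int) -> bool:
    """A secondary refreshes the zone only if the primary's serial is newer."""
    return serial_gt(primary_serial, held_serial)


def plan_serial_change(current: int, target: int) -> List[int]:
    """Serials to publish, in order, so every secondary follows to `target`.

    If `target` already compares as newer, one step is enough. Otherwise the
    serial is pushed forward by MAX_INCREMENT until `target` becomes newer.
    Every secondary must have transferred each intermediate serial before
    the next one is published.
    """
    current %= SERIAL_MOD
    target %= SERIAL_MOD
    if current == target:
        return []
    steps: List[int] = []
    while not serial_gt(target, current):
        current = (current + MAX_INCREMENT) % SERIAL_MOD
        steps.append(current)
        if len(steps) > 2:       # two intermediate steps always suffice
            raise RuntimeError("unexpected serial distance")
    steps.append(target)
    return steps


if __name__ == "__main__":
    old_format = 2004020900      # YYYYMMDDNN serial quoted in the thread
    new_format = 1076370400      # epoch-seconds serial quoted in the thread

    # A secondary still holding the old-format serial sees the new one as older.
    print("transfer without intermediate step:",
          secondary_would_transfer(new_format, old_format))

    # The two-change procedure described in comment 19.
    print("publish in order:", plan_serial_change(old_format, new_format))

    # Wrap-around at the top of the 32-bit range is still an increase.
    print("0 newer than 4294967295:", serial_gt(0, 4294967295))
```
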

  20. Hmm... TTL900... by Yaa+101 · · Score: 2, Insightful

    With a TTL of 15 mins you have to generate a new zone 96 times a day to keep the zone visible during a whole day. I wonder if they want to speed up propagation time of new domain with this?

    1. Re:Hmm... TTL900... by espo812 · · Score: 1
      speed up propagation time of new domain with this
      And the propagation time of erroneous records as well.
      --

      espo
    2. Re:Hmm... TTL900... by KevinM · · Score: 4, Informative

      You clearly don't understand how DNS works. This change in no way requires a new zone 96 times a day. The TTL field is used by clients accessing the zone to understand when they need to stop caching the retrieved data. Verisign could have a TTL of 15 minutes and never change the serial number, and nothing would break.

  21. Y2038 bug? by AndroidCat · · Score: 1, Interesting

    Doesn't the UNIX 'seconds since 1/1/1970' break in 2038 or so? I could be wrong. It's hard to remember all the various time/date glitch dates.

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:Y2038 bug? by Anonymous Coward · · Score: 1, Informative

      Thirty-two (32; I'm supposed to always write out numbers at the beginning of sentences according to an English style guide -- I'm trying to make Slashdot educational or something, heh) bit signed "seconds since 1/1/1970" break in 2038, yes. Sixty-four (64) bit signed "seconds since 1/1/1970" have a really really long time before they break. By 2038 we (define we to whatever you want) will have had ample time to switch to 64 bit values and/or platforms (if POSIX doesn't interfere, it can be done on native 32 bit platforms as well).

    2. Re:Y2038 bug? by Anonymous Coward · · Score: 0

      Also, I'm pretty sure that this DNS number is just used to create deltas (bignumber - smallnumber = difference). In which case, it'll still work even if they loop around to 0 with unsigned numbers. I haven't read this RFC because I'm lazy, so check it yourself if you want to be positive about this.

    3. Re:Y2038 bug? by dknj · · Score: 1

      You are forgetting they run the slave servers as well.

      -dk

    4. Re:Y2038 bug? by Anonymous Coward · · Score: 0

      You can't use slave anymore. It is .. Cat - Owner relationship.

    5. Re:Y2038 bug? by glitch23 · · Score: 1

      GMT 03:14:07, Tuesday, January 19, 2038. I know I'll be staying up to watch all the lights go out. I'll be about 60 then. I'll be up by 3am anyway.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  22. Re:Why do Verisign have this level of access anywa by Pendersempai · · Score: 2, Insightful

    The boxes have to sit on someone's desk. "The community," disorganized and disparate as it is, is remarkably poor at doing anything. You'd have to invent some sort of hierarchy. Maybe have a General Manager of the Internet, and he could have a board of directors under him or something. They would be elected by the nation's population at large, and they'd have the final say on internet issues.

    But it'd be silly to give EVERYONE an equal vote in their elections, as the great majority of people have no clue how the internet works, and the campaigns for these positions would be totally unable to focus on real issues. They'd have to dumb it down and sugar-coat it so that sixpack joe can digest what they're saying, and at that level of simplicity, who could tell a good candidate from a bad?

    Okay, so let's find some way of making sure only highly competent people can vote. We can't give a test, since we'd need someone to create and administer it, and the potential for corruption is too high. The only thing I can think of is selling the votes: that way, every vote is going to represent an informed citizen. After all, who would buy a vote if they don't understand the technology?

    So at the point where we've got a CEO, a Board of Managers, and an equity market, we may as well package the whole thing as a corporation and name it VeriSign.

  23. Re:Why do Verisign have this level of access anywa by Anonymous Coward · · Score: 0

    The means of production should belong to the working-class!

  24. not anymore.. by Anonymous Coward · · Score: 0

    we want to let the Internet community know about the changes in advance.

    There's no Internet community anymore, only a bunch of spammers and lots of frustrated people...

  25. ISO 8601 specifies YYYYMMDD by mec · · Score: 5, Informative

    I got your international standard right here.

    YYYY-MM-DD and YYYYMMDD are both standards-compliant.

    Seriously, if you've never heard of this standard, read up. Whenever I need to stick a date or a time on something in text form, I just do it the ISO 8601 way.

    1. Re:ISO 8601 specifies YYYYMMDD by jrumney · · Score: 2, Insightful

      Where in ISO-8601 does the NN fit in? It doesn't.

    2. Re:ISO 8601 specifies YYYYMMDD by AndroidCat · · Score: 2, Interesting
      And if you want resolution smaller than a day? The NN tacked on to the end is kind of kludgy.

      The real question is why is Verisign prepping to increase the update cycle, and is this a good thing?

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:ISO 8601 specifies YYYYMMDD by Anders1 · · Score: 3, Informative

      I'm all for ISO 8601, but it does not apply in this case. The serial number is not a textual representation of a date, it is a 32-bit unsigned integer in a DNS record that must be increased whenever the record is updated. A "YYYYMMDD" format, aside from resulting in a basically useless integer, would only change once per day. The UNIX timestamp format really does make the most sense here.

    4. Re:ISO 8601 specifies YYYYMMDD by Anonymous Coward · · Score: 2, Informative

      That standard is completely irrelevant. It specifies how to represent an unambiguous timestamp.

      DNS serial numbers are opaque tokens. There's nothing in the DNS specs. that requires them to be timestamps. All they have to do is increment by an arbitrary amount when the relevant records are updated.

      Quite frankly, I'm amazed anybody has bothered writing tools that pretend they are anything but opaque. It's like assuming certain values for an etag HTTP header or something.

    5. Re:ISO 8601 specifies YYYYMMDD by Lars+T. · · Score: 2, Insightful
      Too bad the serial number is a 32 bit unsigned integer, not a string. For heaven's sake, this YYYYMMDDNN thing only makes sense if you look at that value in decimal representation.

      Anyway, the serial number is just a revision number intended for the DNS "system" (I'm being a little vague here) to know when a SOA record has changed. There are no end-user serviceable parts inside. No human but the people directly handling the configuration of that record needs to know about it - including how it is formed, if it is following specifications. Period.

      Sure, if you have built your company based on that tool that tells people when a .com domain SOA record was last changed, you are fucked - for about that minute it takes to change the conversion from int->decimal string->date to UNIX timestamp->date.

      Maybe all those complaining are using Windows, and they fear that it may actually take them a day to Google for a routine that does that, and they lose the competitive edge to those UNIX weenies? Sounds like what MS had to say about the Apple/HP iTunes/iPod deal.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    6. Re:ISO 8601 specifies YYYYMMDD by Tony+Hoyle · · Score: 2, Interesting

      It'd better bl$$dy well not be a 32bit integer otherwise DNS is screwed in 2038...

      Luckily I know it isn't. Unfortunately I suspect the verisign way will break stuff unless they're careful eg.

      Today is:

      2004011001 in DNS time
      1073760813 in Unix time

      DNS time > Unix time... a lot of DNS systems (bind does this for example) will take the record with the largest number - there's scope for masses of confusion here.

    7. Re:ISO 8601 specifies YYYYMMDD by You're+All+Wrong · · Score: 2, Funny

      That's called a counter. You know -- integers starting from zero.
      I don't know if there's an international standard for counters,
      but there's certainly a /de facto/ standard for them.

      Lesson 2, "concatenation", to follow in my next post.

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    8. Re:ISO 8601 specifies YYYYMMDD by xA40D · · Score: 1

      DNS time > Unix time... a lot of DNS systems (bind does this for example) will take the record with the largest number

      But surely this applies only to the secondaries that transfer via AXFR? Most people deny general AXFRs and add explicit IPs of those who can, so they should know EXACTLY who needs to refresh the zones manually.

      A couple of years ago I switched two standard DNS clusters onto a third unix epoch based DNS with no problems.

      --
      Do you mind, your karma has just run over my dogma.
    9. Re:ISO 8601 specifies YYYYMMDD by Dwonis · · Score: 1
      It'd better bl$$dy well not be a 32bit integer otherwise DNS is screwed in 2038...

      The DNS spec specifically states that the value is to be compared using MOD 2**32 arithmetic. Besides, the serial number is only supposed to be used for DNS slaves to sync from the master, so it doesn't really matter.

  26. Why I don't read the tech press by swb · · Score: 2, Interesting
    "Also, companies that have incorrectly formatted their DNS servers to get information directly from the DNS root servers maintained by VeriSign will stop receiving updates on Feb. 9, leaving those servers and the Internet users who rely on them out of step with the rest of the Internet, he said."
    I so seldom read even the tech press because of this kind of statement. What does it mean? AFAIK the root servers just have NS records pointing to the 2nd level domains, but querying the root servers is how you find them and this is essentially how DNS is *supposed* to work. There was no further context in the story to indicate what they're talking about.

    Are there other queryable DNS servers maintained just by verisign for .com and .net for distribution to the usual root servers? Or have I been running DNS wrong all along?
    1. Re:Why I don't read the tech press by espo812 · · Score: 1
      Or have I been running DNS wrong all along?
      Unless "you" are an ISP (and probably a major one), then yes you have. DNS is a hierarchical system, and you should be querying against the nearest level to you. Unless you are a major ISP, the root servers aren't the nearest ones - your ISP's DNS servers are. It's like totally p2p man.
      --

      espo
    2. Re:Why I don't read the tech press by swb · · Score: 1

      Umm, I'm not asking the roots for recursive queries (ie, requesting an A record for www.google.com). I ask *my* DNS server for that, it gets the NS for google.com from the root servers, and then it asks ns.google.com for the A record for www.google.com, and then returns it to me. The roots just provide references to the NS records for .com and .net 2nd level domains, which, as I said previously is how it's supposed to work.

      Querying my ISP's DNS would accomplish the same thing in the same way, except they may have cached responses for some common domains, eliminating one or two trips to the root servers. But, since my local DNS caches as well, at most it's eliminating literally a handful of queries every couple of days, so I'm not crushing the root servers with my queries.

    3. Re:Why I don't read the tech press by Just+Some+Guy · · Score: 4, Informative
      Were you serious or joking? I hope you were joking. You were, right?

      Because if you weren't, you would be saying that if your ISP has 10,000 customers, and they all ran their own caching nameservers, and all of them decide to resolve "www.google.com", then the root nameservers wouldn't really be hit with 10,000 times as many queries as if all of your little servers were properly configured.

      There are two reasons to query the root nameservers directly:

      1. Your ISP's nameservers are broken.
      2. Testing.

      That's it. Hitting them directly for routine queries is wasteful, inconsiderate, and expensive. If you weren't joking: fix your configuration. Now.

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:Why I don't read the tech press by Anonymous Coward · · Score: 0

      I suspect they may be referring to people whose
      DNS server is set up like a slave to the root
      or gtld servers. When set up this way a zone
      transfer is done only if the serial number
      indicates that the master zone is newer than
      what the slave currently has. I doubt they are
      planning to prevent connections from other
      authorized IP addresses for nonrecursive queries.

    5. Re:Why I don't read the tech press by swb · · Score: 1

      So who decides who gets to query the roots for NS queries? My ISP is kind of small, only a few thousand customers -- should they be configuring THEIR name servers to forward to nameservers at their upstreams? Since their upstreams are major Tier 1 providers like UUNet, Qwest and Sprint, presumably my ISP's nameservers are the cause of untold THOUSANDS of unnecessary queries against the root nameservers that could easily be satisfied by the caches at UUNet, Qwest and Sprint.

      I don't plan on changing my config, thanks. I don't have reason to believe my ISP's DNS is more reliable or more secure against poisoning than my server is, nor do I particularly buy into the idea this is wasteful or expensive; the root servers are THERE to provide NS records for finishing queries.

    6. Re:Why I don't read the tech press by Just+Some+Guy · · Score: 2, Informative
      So who decides who gets to query the roots for NS queries? My ISP is kind of small, only a few thousand customers -- should they be configuring THEIR name servers to forward to nameservers at their upstreams?

      In a word: yes.

      Since their upstreams are major Tier 1 providers like UUNet, Qwest and Sprint, presumably my ISP's nameservers are the cause of untold THOUSANDS of unnecessary queries against the root nameservers that could easily be satisfied by the caches at UUNet, Qwest and Sprint.

      If your ISP is well-managed, then they query their upstreams and not the root nameservers.

      I don't plan on changing my config, thanks. I don't have reason to believe my ISP's DNS is more reliable or more secure against poisoning than my server is,

      Don't thank me for your wasted resources. I have one reason to think that your ISP runs a better DNS service than you do: we don't know that they have mis-configured servers.

      nor do I particularly buy into the idea this is wasteful or expensive; the root servers are THERE to provide NS records for finishing queries.

      Wrong again. They are there to provide NS records to the highest tier of the DNS caching hierarchy, not every little personal system on the Internet.

      --
      Dewey, what part of this looks like authorities should be involved?
    7. Re:Why I don't read the tech press by swb · · Score: 1

      Can you show me a map of the DNS caching hierarchy? I didn't realize there was one.

      Can you tell me why if this is so damaging to the 'net why Verisign or the root server operators don't block NS queries to the root servers?

    8. Re:Why I don't read the tech press by jroysdon · · Score: 1

      Except if your ISP is PacBell/SBC. Their DNS servers are constantly having problems. I've always maintained my own DNS server on my ADSL account and I query it and two DNS servers I maintain at my office instead of PacBell's DNS servers.

    9. Re:Why I don't read the tech press by jroysdon · · Score: 3, Informative

      If your ISP is well-managed, then they query their upstreams and not the root nameservers.

      That's simply not true. Customers should use their ISP's DNS server, but I don't believe ISPs should ever be forwarding queries upstream. That's just asking for problems. ISPs buy wholesale bandwidth, not services like mail forwarding or DNS forwarding (not that one couldn't do it, but it is asking for an extra level of troubleshooting and delay).

      Once a lookup to the .NET NS is cached from the root servers, it is cached the same for a Tier 1 ISP or a Tier 2, and it doesn't have to be done again. The root nameservers are able to handle the .NET, .COM, .US, etc. lookups just fine. Even the next-level .NET, .COM, .US nameservers are multi-homed and anycast globally and able to handle a huge load. There is no reason to risk problems with an upstream ISP vs. going right to the source for an NS record lookup. Once the NS info is cached for a TLD like msn.com, it's the msn.com NS servers (and the hundreds of thousands (?) of other TLD NS servers) that can each handle their own load just fine.

      It's all meant to scale without having needless delay or problems introduced by forwarding queries to a DNS server you cannot control.

      Perhaps you can point to an RFC that says Tier2/3 ISPs should forward DNS queries to upstream providers? Nope, thought not, not even a best practice.

    10. Re:Why I don't read the tech press by xA40D · · Score: 1

      Hitting them directly for routine queries is wasteful, inconsiderate, and expensive.

      But could you not also say that running your own cache at the end of a leased line is better than everyone in your network querying your ISP to resolve every request?

      I'd say it's caching and reasonable TTLs that contribute most to reducing the load on the DNS. But I've met DNS administrators who didn't have a clue about TTLs, setting them to "300" to make sure data that had not changed in years would always be "fresh". I've even seen implementations on DNS from an SQL DB that didn't even support the changing of the TTL.

      Of course, ideally, you'd set your cache to forward first.

      --
      Do you mind, your karma has just run over my dogma.
    11. Re:Why I don't read the tech press by Just+Some+Guy · · Score: 1
      But could you not also say that running your own cache at the end of a leased line is better than everyone in your network querying your ISP to resolve every request?

      Absolutely correct. In BIND, you configure your ISP's DNS in the "forwarders" option and point all of the machines on your LAN to your local server. It answers any requests it can, forwards everything else to your ISP, and then tries to resolve any requests that your ISP can't manage (if their server's down, for example). The key difference is that in this setup, your local caching DNS attempts to resolve queries by asking your ISP before trying by itself. It's the best of both worlds, really.

      You're probably right about the TTLs, too. I almost always keep mine at 86400 unless I'm preparing to move a lot of hosts, in which case I'll back down to 3600 or so until the move is over, then bounce back up to 86400. The vast majority of my hosts keep the same address for years at a time, so it'd be pretty silly to tell clients to ask me every 5 minutes if I'm still at the same place.

      --
      Dewey, what part of this looks like authorities should be involved?
    12. Re:Why I don't read the tech press by Anonymous Coward · · Score: 0

      Then you must think that the djb's dnscache program is evil? (Note that this doesn't mean I'm using it)

      But consider a company that has its own AS, but isn't an ISP, and uses ISPs for transport only. Do you think that such a company should configure its DNS server to query the DNS servers of the ISPs?

      Our company doesn't. And I don't think we should. Having our own AS means that we don't want to rely on ISPs for anything other than transport. We aren't huge, and we aren't an ISP, but I still think we have a right to be in charge of the reliability of our own networks and services.

  27. Re:Why do Verisign have this level of access anywa by flosofl · · Score: 1

    I can understand what you're trying to say.
    But...
    Not so long ago in the US only male land-owners could vote, because it was felt only they had a vested interest in governance. This seems like a similar thing.

    I'm not sure a Republic of the Internet would really work. You'd create even more of a chasm between the technocrat and everyone else. I think people would be resentful of exclusion.

    Also, I have always been very wary of trying to "centralize" the Internet. Yes, I know ICANN is sort of.. something.. but the Internet is still more of a rule by consensus for the most part. I create a technology, and as more and more people start to use it, it slowly becomes a standard. I can envision a day (in your Board of Directors scenario) when I can implement nothing that falls outside of an Accepted Practices (unless I submit to a lengthy "approval process"). This is where I would see it going.

    I am not saying what is in place is perfect. Hell, I hate the fact that an entity that finds itself in a powerful position (such as VeriSign) can make changes by fiat. But, on the whole, it seems better than any alternative I have heard to date.

    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
  28. Like the metric system... by Spoing · · Score: 1

    I'd love to use that, though in the US people can't seem to grasp the concept...as easy as it actually is.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    1. Re:Like the metric system... by FireBreathingDog · · Score: 1
      Metrics? For representing date information? Are you out of your fucking mind?

      Yes, we Americans have "our own" date and time system that isn't metric. (Same with the rest of the world, by the way, except for those idiots at Swatch who just want to sell more cheesy plastic watches.) So I guess we're a bunch of assholes who are too damn stupid to figure out metrics, right??

      Am I the only one here on Slashdot who's fed up with the knee-jerk America bashing???

    2. Re:Like the metric system... by Anonymous Coward · · Score: 0

      Shut up.

    3. Re:Like the metric system... by Spoing · · Score: 1
      1. Metrics? For representing date information? Are you out of your fucking mind?
      Oh, sorry, I meant "Like the metric system".

      ...erm...HEY! That's the title of my post! Would you look at that!

      ...and, HEY! I'm an American of the U-S-A variety too! Wow! Amazing!

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    4. Re:Like the metric system... by FireBreathingDog · · Score: 1
      Oh, sorry, I meant "Like the metric system".

      If you take "metric system" to mean a system of measurement that's derived from base-10, then a system is either metric or not. It can't be "like metric". It either is or it isn't...

      ...and, HEY! I'm an American of the U-S-A variety too! Wow! Amazing!

      First, so what? There are plenty of Americans who engage in America-bashing. And second, you said with respect to metrics "in the US people can't seem to grasp the concept", in effect saying, "those dumb Americans don't understand metrics"

      That's like saying, "I'm Jewish, so I can say that all Jews are money-grubbers."

      Anyway your point makes no sense: Isn't one of the arguments in favor of metrics that it is easier to understand? So you're also saying "those dumb Americans don't understand metrics, they understand a system that's more complicated...those stupid Yankees!"

    5. Re:Like the metric system... by Spoing · · Score: 1

      Good troll!

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    6. Re:Like the metric system... by SEE · · Score: 1

      Here's the thing that I love:

      Both the U.S. and ISO standards, when truncated to just month and day, are identical. 12/11 or 12-11 is December 11th, whether you use the American or the international standard.

      So any confusion of what day of the year a two-separated-numbers date means is entirely the fault of European stubbornness in refusing to adopt the international standard.

  29. Get a grip man by rs79 · · Score: 2, Insightful

    The time/datestamp should have always been this way; more to the point do you know of any other TLD that at least attempts to be this communicative? They don't do this because ICANN, or anybody, makes them.

    How bout .NAME ("oops, we were rooted") or .PRO ("Hi ICANN, I know we said we wouldn't sell SLD name but we're dying here, and we ask a second time can we sell SLD name pleeeeeeeease?") or .biz ("home of more spam since 2000! Yeah baby!!") or any of the cctlds that have (cough) lame servers.

    Bitch at NSI all you want, they're still the model of a well, if not best run TLD.

    And spare me the crap about sitefinder, 22 other tlds did this long before NSI did, .WS did it 3 years ago.

    It's reasonable to whine when they do a bad thing (like agree to ICANN oversight, you folks have no idea how close they were to the, um "alternative") but for things that have little or no effect you're reacting to the corporate name not the actual change.

    So, put NSI under greater ICANN control? NOT. Frankly we'd be better off if they put ICANN under NSI control.

    Hey, is this one of those things you can't say because it's heresy?

    "Duh. Double duh." - Weemba

    --
    Need Mercedes parts ?
  30. Re:Why do Verisign have this level of access anywa by TheSpoom · · Score: 1

    Yes, but your argument is fundamentally flawed in that VeriSign is a corporation not created to monitor and improve the internet, VeriSign is, like most corporations, created to generate profit for itself and improve its value for its shareholders.

    Remember, they were the ones who wanted to "commercialize" the root DNS servers and take them "out of the hands of the academics".

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  31. Why is always the question by rabtech · · Score: 3, Informative

    It appears that they are gearing up to start providing far more than two updates per day. This could mean that sometime in the future you could register a new domain name and have it up and running within 15-30 minutes.

    Seems like a positive change to me.

    --
    Natural != (nontoxic || beneficial)
    1. Re:Why is always the question by MCZapf · · Score: 4, Interesting

      Who on earth needs a domain name working so quickly? Spammers, perhaps. Squatters. Anyone else?

    2. Re:Why is always the question by balthan · · Score: 1

      Who on earth needs a domain name?

    3. Re:Why is always the question by evilviper · · Score: 1
      Who on earth needs a domain name working so quickly?

      As always, you don't see people that need it because nobody can do it yet.

      Perhaps it will become common to go to a registrar, and buy a domain on the spot for a single-day event, or something similar.

      Perhaps people that are switching site ownership don't want to wait a week for anyone to get to the new site.

      Or even more likely, perhaps companies want this as some sort of load-balancing/failover mechanism... It's not instant, but 15 minutes of excess load/downtime is a lot better than several days.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  32. Evolve or die by rs79 · · Score: 1

    Yes, it'll break a 32 bit counter which will wrap around in 2038.

    If you're still using a 32 bit computer in 2038 you may as well right now, begin walking around with your thumb and finger making the shape of an L on your forehead.

    --
    Need Mercedes parts ?
    1. Re:Evolve or die by pe1chl · · Score: 2, Informative

      It does not matter how many bits your computer has, it matters if the DNS protocol is still in use by then.

      If it is, it will break because of this change. The older timestamp format had a much longer lifetime.

      Of course there will be major problems in 2038, probably much worse than in 2000. This small issue will not contribute too much.

    2. Re:Evolve or die by La+Gris · · Score: 1

      We are still using 8 bits computers in many devices. Btw a date format is independent of the cpu data and address bus bits size.

      I am pretty sure we will still widely use 32 bits computers in many devices in 2038. Many devices will have IPv6 address, hostname and timestamps.

      --
      Léa Gris
    3. Re:Evolve or die by iantri · · Score: 1
      Said the programmers back in the 70's..
      "If you're still using these computers in 2000 you may as well right now, begin walking around with your thumb and finger making the shape of an L on your forehead."
      Guess what happened?
    4. Re:Evolve or die by fishbowl · · Score: 1

      >[Year 2000]
      >Guess what happened?

      Nothing?

      --
      -fb Everything not expressly forbidden is now mandatory.
  33. Re:Why do Verisign have this level of access anywa by /dev/trash · · Score: 1

    Great! I vote for a TTL of 444ms.

  34. My serial number format lasts longer by Skapare · · Score: 4, Interesting

    My serial number format lasts longer than Verisign's, and I still get more than 100 updates a day out of it. In fact it will last until 07:06:36 Tuesday 2 October 2096 while staying in just 9 digits (which it has been since 15:06:40 Saturday 4 September 1982). After that it goes to 10 digits, but still remains a positive signed 32 bit integer until 12:56:28 Wednesday 16 March 2242, and if unsigned 32 bit integer works everywhere else, it will go all the way to 01:53:00 Wednesday 30 May 2514.

    Instead of being the count of number of seconds, as Verisign plans to use, mine is 1/4 of that value. Basically, I take the system time() value and divide by 4. By treating that value as an unsigned quantity, I won't have the Y2038 bug, either. That logic will work until 06:28:15 Sunday 7 February 2106 (past the 9 digit limit). And I can do 21600 updates a day (one every 4 seconds).

    dig linuxhomepage.com. soa

    --
    now we need to go OSS in diesel cars
    1. Re:My serial number format lasts longer by Just+Some+Guy · · Score: 1

      I haven't checked your math, but it seems right. However, why are you doing that instead of, say, setting your algorithm to "serial += 1"? Then you'd be constrained to making 2^32 updates before wrapping around, not 2^36 seconds (not that yours is such a small limit :) ).

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:My serial number format lasts longer by Skapare · · Score: 1

      That could be done. But rather than have to process it like that and either store or parse the serial value to be updated, the way I do it to take the master file (not a normal zone format) I use to generate each zone, get its last modification date from the filesystem, and produce the serial number from that. This way, I can still derive the date and time, to a 4 second resolution, from the serial number, and back track it to the archived master files if there are any issues to figure out. It's basically simpler with more benefits.

      --
      now we need to go OSS in diesel cars
    3. Re:My serial number format lasts longer by Just+Some+Guy · · Score: 1

      Two words: CVS, Subversion. I used the former for configuration management in the past, and I'm now experimenting with the latter. It has all of the advantages of what you describe, except that someone else has already troubleshot (troubleshooted?) it, and it does a lot more for free. You might find either of those useful for your setup.

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:My serial number format lasts longer by Skapare · · Score: 1

      I considered CVS, but in the end I wanted to have a whole archive with a sliding window expiration. CVS could have done that but the setup was more complex than I have now. For a much larger setup, maybe CVS would be better, but I'd probably end up doing it in MySQL instead (for more flexibility in managing the data). As for troubleshooting, I generally don't encounter that as a problem.

      --
      now we need to go OSS in diesel cars
    5. Re:My serial number format lasts longer by mvl · · Score: 1

      My serial number format lasts longer than Verisign's

      Verisign's scheme will last indefinitely. First, the serial number is an unsigned value, so in seconds since the epoch, it will last until 2106.

      More importantly, these are serial numbers, not integers. So when they wrap around, they still increase. 1000 > 4294967040
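Added example, not part of any comment in this thread: the "MOD 2**32" comparison and the wrap-around claim that 1000 > 4294967040 are both RFC 1982 serial number arithmetic, sketched here in Python and run on the serial values quoted above. The function names are illustrative; `renumber_path` goes one step beyond the thread and shows how a zone can reach a numerically lower serial by stepping at most 2^31 - 1 at a time, the largest addition RFC 1982 defines.

```python
"""RFC 1982 serial number arithmetic for the 32-bit SOA serial field.

Function names are illustrative, not taken from any DNS implementation.
"""

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS            # 4294967296, serials live in [0, MOD)
HALF = 1 << (SERIAL_BITS - 1)     # 2147483648
MAX_INCREMENT = HALF - 1          # largest addend RFC 1982 defines


def serial_add(serial, n):
    """Add n to a serial, wrapping modulo 2**32."""
    if not 0 <= n <= MAX_INCREMENT:
        raise ValueError("increment outside the range RFC 1982 defines")
    return (serial + n) % MOD


def serial_compare(a, b):
    """Return -1 if a < b, 1 if a > b, 0 if equal, None if undefined.

    'a < b' means b is reachable from a by adding fewer than 2**31.
    Two serials exactly 2**31 apart have no defined order.
    """
    if a == b:
        return 0
    forward = (b - a) % MOD       # distance from a to b going upward
    if forward == HALF:
        return None
    return -1 if forward < HALF else 1


def secondary_would_transfer(held, offered):
    """A secondary refreshes only when the primary's serial is greater."""
    return serial_compare(held, offered) == -1


def renumber_path(current, target):
    """Serials to publish, in order, so secondaries follow to target.

    Each serial in the list must reach every secondary before the next
    one is published; every step is a legal RFC 1982 increase.
    """
    path = []
    remaining = (target - current) % MOD
    while remaining > 0:
        step = min(remaining, MAX_INCREMENT)
        current = serial_add(current, step)
        path.append(current)
        remaining -= step
    return path


if __name__ == "__main__":
    # Values quoted in the comments above.
    date_style = 2004011001       # YYYYMMDDNN
    epoch_style = 1073760813      # seconds since the UNIX epoch

    print("wrap 4294967040 -> 1000 is an increase:",
          secondary_would_transfer(4294967040, 1000))
    print("secondary holding", date_style, "accepts", epoch_style, ":",
          secondary_would_transfer(date_style, epoch_style))
    print("publish in order:", renumber_path(date_style, epoch_style))
```

Comparing the two formats as plain integers and comparing them as serials give the same answer for these two values only because they are less than 2^31 apart; near the wrap point the two comparisons disagree, which is the case the 1000 versus 4294967040 pair exercises.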

    6. Re:My serial number format lasts longer by RLaager · · Score: 1

      rdiff-backup (http://rdiff-backup.stanford.edu) might be worth a look. You could backup your configuration files using rdiff-backup after each change. That would provide the archive. To do sliding window expiration (which I interpret as only saving the last X days of revisions) with the --remove-older-than flag.

    7. Re:My serial number format lasts longer by Skapare · · Score: 1

      In this particular case, I do need to have my files visible as whole files. That was the big reason I didn't go with CVS. For what I needed to have it do, it wasn't that big a deal to implement it. I have done other projects by using some package to do it, and it usually ends up being more work than if I had just done it myself. The setup I have right now took about 1 hour to implement and has been virtually zero maintenance (5 minutes to add IPv6, another 5 minutes to add SPF).

      --
      now we need to go OSS in diesel cars
  35. Third reason by Skapare · · Score: 2, Informative

    Third reason:

    3. Your caching nameservers just flushed cache or restarted, and thus they have no idea where any of the top level domains are, and have to ask the root servers (provided in the hints file) where they are. Also, this will happen again in 2 days when those NS records, and their corresponding A records, expire from the cache.
    --
    now we need to go OSS in diesel cars
  36. Re:Why do Verisign have this level of access anywa by azuretek · · Score: 1

    If all sysadmins want something they can make it happen. Remember when the internet filtered out that nasty verisign "helpful search" yea, ISPs can fix the net and make big changes if they want to.

    In reality Verisign isn't in control of "too much" if it came down to it we could all just start up our own registry database (mirrored from the existing) and make a transparent change in how computers resolve domains (OS developers would conform to the new standard). But right now I think they're doing fine and this issue shouldn't affect anyone anyway.

  37. Re:Evolve or die - Let's do both! by Anonymous Coward · · Score: 0

    Why should we use four digits for YearNumber? You don't think anybody is still going to be using this in the year 2000? Dream on Jenkins!

  38. DNS protocol uses 32 bits for serial by Skapare · · Score: 1

    The DNS protocol uses 32 bits for serial number. So what you should be saying is that we should be upgrading the DNS protocol before 2038, with enough lead time so all the network operators will have time to make the switch. That means we need to expand the DNS protocol to more than 32 bits (40 bits should actually be enough) by around 2008.

    --
    now we need to go OSS in diesel cars
  39. Re:Why do Verisign have this level of access anywa by larry+bagina · · Score: 1

    The UN is a government of governments, beholden only to themselves. THAT is why the UN shouldn't have it.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  40. Let me do it by Skapare · · Score: 1

    Let me do it. I'm not making any profit. I can run the root servers on my little Linux box. I'll just leave the phone dialed up all day long.

    --
    now we need to go OSS in diesel cars
  41. Re:Why do Verisign have this level of access anywa by Anonymous Coward · · Score: 1, Insightful

    It's amazing how well your comment translates to the current situation in America when you change just a few words here and there:

    The laws have to sit on someone's desk. "The community," disorganized and disparate as it is, is remarkably poor at doing anything. You'd have to invent some sort of hierarchy. Maybe have a President, and he could have a Congress beside him or something. They would be elected by the nation's population at large, and they'd have the final say on law making issues.

    But it'd be silly to give EVERYONE an equal vote in their elections, as the great majority of people have no clue how the government works, and the campaigns for these positions would be totally unable to focus on real issues. They'd have to dumb it down and sugar-coat it so that sixpack joe can digest what they're saying, and at that level of simplicity, who could tell a good candidate from a bad?

    Okay, so let's find some way of making sure only highly competent people can vote. We can't give a test, since we'd need someone to create and administer it, and the potential for corruption is too high. The only thing I can think of is selling the votes: that way, every vote is going to represent an informed citizen. After all, who would buy a vote if they don't understand the government systems?

  42. [Sigh] by Phong · · Score: 1

    Wouldn't you know it? I just implemented a vim macro that lets me easily update the yyyymmddNN value in my zone files (after years of manual tweaking), and now this. Typical. Just typical.

    --
    ..wayne..
  43. Re:Aaww just great (actually no) by Crypto+Gnome · · Score: 1

    If you receive an unresolved address, you never got a serial number in the first place.

    Even more so, when you request a name resolution for an address, they don't even (ever) give you a serial for it, just a TTL. (aka, no receipt required, we trust you, no refund, store exchange only within X seconds)

    --
    Visit CryptoGnome in his home.
  44. If it ain't broke, don't fix it. by Anonymous Coward · · Score: 0


    Things have been working fine for years. Why the hell change this kind of thing now if it's not broke?

    Their argument about "more frequent updates" is bogus -- when was the last time anyone had a problem because DNS updates weren't frequent enough?

    Everybody knows that you need to have an overlap period where both the old IP and the new IP are operational during a switchover. More frequent updating won't change that basic fact, so why bother?

    But more importantly, Verisign has proven beyond any doubt that they don't have a fucking clue what they're doing when they try to "improve" the Internet. There isn't a single competent Internet engineer in the entire world (not paid by Verisign) who thinks that NXDOMAIN hijacking is the architecturally correct way to provide a better user experience for 404 errors. Seriously, I challenge you to find even one competent engineer not paid by Verisign who would agree with Verisign on this issue after being presented all the arguments on both sides.

    Verisign just can't be trusted to make changes like this. The evidence is plain and simple. ICANN needs to issue a directive to Verisign prohibiting any and all structural changes until their contract expires.

  45. Re:Why do Verisign have this level of access anywa by Reziac · · Score: 1

    The fact that this got modded down to -1 is a good example of why Rosco is correct. "The community" isn't *necessarily* any more competent, nor any more interested in upholding standards that conflict with *its ideas* of Right and Proper, than anyone else -- as these examples (all pointing at stuff that some consider "part of The Community") illustrate.

    The fact that Verisign abuses its position of power is not in itself an indication that someone else would do a better job. Someone else might, or might not. While I agree that Verisign should be stripped of its power, we should consider very carefully before handing that power to anyone else -- including "The Community". And just exactly to whom, or which part, of "The Community" do you propose to give that power? And who is going to finance it?

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  46. Nitpicking (was Re:Stop Changing DNS) by Anonymous Coward · · Score: 0

    100 updates means "YYYYMMDD00" to "YYYYMMDD99"
    so it is sufficient.

    Of course, the new scheme allows more than 100 updates
    and I don't think changing the format is a bad idea though.
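
Added example, not part of any comment in this thread: the yyyymmddNN serial convention mentioned in comments 42 and 46, with the 100-per-day limit made explicit and the serial comparison a secondary uses for a 32-bit SOA serial (RFC 1982 serial arithmetic). The function names are hypothetical and the sample serials are constructed.

```python
# Added example (not from the thread): date-based SOA serials in a 32-bit field.
from datetime import date

SERIAL_MOD = 2 ** 32  # the SOA SERIAL field is an unsigned 32-bit integer


def next_serial(current: int, today: date) -> int:
    """Return the next YYYYMMDDNN serial after `current` for a change made `today`."""
    base = int(today.strftime("%Y%m%d")) * 100   # YYYYMMDD00
    if current < base:
        return base                               # first change of the day
    if current >= base + 100:
        raise ValueError("current serial is dated after today; fix it by hand")
    if current == base + 99:
        raise ValueError("all 100 serials for today are used (NN = 00..99)")
    return current + 1


def serial_newer(a: int, b: int) -> bool:
    """True if serial `a` is newer than `b` under RFC 1982 serial arithmetic."""
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < 2 ** 31


def fits_in_field(serial: int) -> bool:
    """True if the serial can be stored in the 32-bit SOA SERIAL field."""
    return 0 <= serial < SERIAL_MOD
```

Because the comparison is modular, a serial that has wrapped past 2**32 still counts as newer than the value just before the wrap; a serial that moves backwards (for example after a format change to a smaller number) does not, so secondaries will not transfer the zone until the serial is newer again by this rule.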

  47. Re: "fall" stops by Anonymous Coward · · Score: 0

    A "full stop" is a limey term for "period" (i.e., ".").
    And yes, he/she misspelled it.

  48. P.S. by Anonymous Coward · · Score: 0

    Writing "bracket" instead of "parenthesis" is also an indication of his/her dentally-deficient status.

  49. Re:Why do Verisign have this level of access anywa by evilviper · · Score: 1
    The internet infrastructure should be managed and run by the community,

    Sounds like a good idea to me. Why do you start going around, and telling the "community" that they need to start buying Verisign stock... Pretty soon, the "community" will own and manage Verisign.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant