Verisign Plans DNS Changes

NetWizard writes "According to a recent NANOG post and an InfoWorld story, 'Verisign will change the serial number format and "minimum" value in the .com and .net zones' SOA records on or shortly after 9 February 2004'. They seemed to have learned their lesson, from the post: 'There should be no end-user impact resulting from these changes (though it's conceivable that some people have processes that rely on the semantics of the .com/.net serial number.) But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.)'"

Trying to regain trust?

[netsharc]

But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.

The last sentence sounds like they want to emphasize that they're announcing this so early so the no one panics when all of a sudden something changes, I guess it's good that they're trying to rebuild trust.

"There should be no end-user impact"

[Fortunato_NC]

And then they go and cite an example where there WOULD be an end user impact.

Although unlikeley, there is a potential for collateral damage here. Is there anyone at Verisign willing to post the logic behind making the changes in the fist place? I can't see where there would be a business case when someone would jump up and say "We could make a billion dollars, but only if we change the way we determine DNS serial numbers for the .COM and .ORG domain. I guess we're screwed, guys!" Then the brave tech raises his hand and says "You know, with my Dell laptop and wireless LAN, I can change the way the serial number is incremented from anywhere."

I've been watching too many Dell commercials lately...

More transparent decisions and pre-announcements

[WebTurtle]

This announcement is important in that Verisign finally seems to recognize that they are part of a larger community, that those DNS records are not just some corporate asset sitting in a couple of computers in the corner.

Changes affect administrators around the globe. As part of a community, they have a responsibility to make their decisions transparent to the community, and to announce changes well-enough in advance that those who are affected have time to prepare.

This is not just a Verisign issue. The need for major Internet organizations to recognize the larger public as important stakeholders within the community is important. Awareness of the larger community should be followed by communication and actions that reflect that awareness, thus signalling a willingness to truly be a part of that community.

Verisign seems to be exhibiting a newfound awareness of community that ICANN seems to have abandoned.

I hope Verisign continues to be a good memeber of the community. Perhaps others can follow their lead.

Why do Verisign have this level of access anyway?

[nighty5]

The internet infrastructure should be managed and run by the community, and not driven by commerical proliferation of services offered to enhance a companies offerings. This change seems dubious at best, considering Verisigns previous efforts of domain sitting, which, would break applications lets ensure we keep them in their place.

Re:Why do Verisign have this level of access anywa

That is why the UN should have it.

Is it just me?

[armando_wall]

From Infoworld: But the company did allow that "processes that rely on the semantics of the .com/.net serial number" could be affected.

For example, companies that have created scripts to monitor domain change on .com and .net will almost certainly need to make changes to account for the serial number change..."The damage won't be catastrophic, but some DNS servers could stop receiving updates,"

And they are planning to do this next Feb 9? Isn't that like too little time for organizations to update their systems?

I don't trust Verisign... the fact that they control such an important database accesed by millions of people around the world really frightens me. They screwed it once, they can do it again.

They should have that power removed from them. It should be on another organization (i.e. a non-profit one) that better serves internet community.

Re:Why do Verisign have this level of access anywa

[mongbot]

History, I suppose.

The internet infrastructure should be managed and run by the community, and not driven by commerical proliferation of services offered to enhance a companies offerings.

That was what the recent UN conference was about I suppose. But everyone wanted to dismiss that as being useless.

Y2038 bug?

[AndroidCat]

Doesn't the UNIX 'seconds since 1/1/1970' break in 2038 or so? I could be wrong. It's hard to remember all the various time/date glitch dates.

Re:ISO 8601 specifies YYYYMMDD

[AndroidCat]

And if you want resolution smaller than a day? The NN tacked on to the end is kind of kludgy.

The real question is why is Verisign prepping to increase the update cycle, and is this a good thing?

Why I don't read the tech press

[swb]

"Also, companies that have incorrectly formatted their DNS servers to get information directly from the DNS root servers maintained by VeriSign will stop receiving updates on Feb. 9, leaving those servers and the Internet users who rely on them out of step with the rest of the Internet, he said."

I so seldom read even the tech press because of this kind of statement. What does it mean? AFAIK the root servers just have NS records pointing to the 2nd level domains, but querying the root servers is how you find them and this is essentially how DNS is *supposed* to work. There was no further context in the story to indicate what they're talking about.

Are there other queryable DNS servers maintained just by verisign for .com and .net for distribution to the usual root servers? Or have I been running DNS wrong all along?

My serial number format lasts longer

[Skapare]

My serial number format lasts longer than Verisign's, and I still get more than 100 updates a day out of it. In fact it will last until 07:06:36 Tuesday 2 October 2096 while staying in just 9 digits (which it has been since 15:06:40 Saturday 4 September 1982). After that it goes to 10 digits, but still remains a positive signed 32 bit integer until 12:56:28 Wednesday 16 March 2242, and if unsigned 32 bit integer works everywhere else, it will go all the way to 01:53:00 Wednesday 30 May 2514.

Instead of being the count of number of seconds, as Verisign plans to use, mine is 1/4 of that value. Basically, I take the system time() value and divide by 4. By treating that value as an unsigned quantity, I won't have the Y2038 bug, either. That logic will work until 06:28:15 Sunday 7 February 2106 (past the 9 digit limit). And I can do 21600 updates a day (one every 4 seconds).

dig linuxhomepage.com. soa

Re:ISO 8601 specifies YYYYMMDD

[Tony+Hoyle]

It'd better bl$$dy well not be a 32bit integer otherwise DNS is screwed in 2038...

Luckily I know it isn't. Unfortunately I suspect the verisign way will break stuff unless they're careful eg.

Today is:

2004011001 in DNS time
1073760813 in Unix time

DNS time > Unix time... a lot of DNS systems (bind does this for example) will take the record with the largest number - there's scope for masses of confusion here.

Re:Why is always the question

[MCZapf]

Who on earth needs a domain name working so quickly? Spammers, perhaps. Squatters. Anyone else?