Slashdot Mirror


Verisign Plans DNS Changes

NetWizard writes "According to a recent NANOG post and an InfoWorld story, 'Verisign will change the serial number format and "minimum" value in the .com and .net zones' SOA records on or shortly after 9 February 2004'. They seem to have learned their lesson, from the post: 'There should be no end-user impact resulting from these changes (though it's conceivable that some people have processes that rely on the semantics of the .com/.net serial number.) But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.'"

47 of 161 comments

  1. Stop Changing DNS by Blackknight · · Score: 3, Insightful

    God damn it ICANN, you need to take away Verisign's authority over DNS. Every time they change something it's a major pain in the ass for anybody that works in an ISP, web hosting, etc.

    STOP FUCKING CHANGING THINGS!

    1. Re:Stop Changing DNS by Anonymous Coward · · Score: 5, Insightful

      How the hell will this be a pain in the ass? Any software that relies on .com's serial number remaining static is broken and needs to be fixed. Complain to the software developers, as Verisign is not at fault this time.

    2. Re:Stop Changing DNS by CarrionBird · · Score: 3, Insightful

      Maybe, but everything is working now, and there's no reason to change it other than breaking these "broken" programs.

    3. Re:Stop Changing DNS by TubeSteak · · Score: 5, Informative
      Yes, but software engineers have a knack for taking shortcuts where you least expect them. Kinda like MS and their broken implementation of standards. Even if you do code your html/etc properly, that doesn't guarantee it'll come out right. So the point being, just because you weren't supposed to, doesn't mean you didn't.

      The above isn't meant as an excuse, just an explanation as to why this will undoubtedly break someone's something. Then you get back to the old 'change is good' but not if it causes trouble, then 'change is bad'[tm]. At some point we're going to have to make big changes to the infrastructure and things will break regardless of compatibility. We might as well get used to it (though as always, having a decent explanation wouldn't be a bad thing[tm]).

      --
      [Fuck Beta]
      o0t!
    4. Re:Stop Changing DNS by Anonymous Coward · · Score: 2, Insightful

      Change is good. You don't even want to imagine how the internet would look today if things were still run the way they were 10 years ago. The users are changing, so the net will have to follow.

    5. Re:Stop Changing DNS by jrumney · · Score: 4, Insightful

      Reading between the lines, it looks to me like Verisign want to start providing real time DNS updates, in which case there is a reason to change it. Currently they update the database twice a day, which is well within the limits of the current serial number scheme. But with real time updates, they could easily get to 100 updates in a day.

    6. Re:Stop Changing DNS by Anonymous Coward · · Score: 2, Informative

      Part of an older meaning for hacker was someone who fixes things that aren't broken. Verisign has hackers working on this one. We don't use YYYYMMDDHHSS for serials, we use an increasing serial maintained by a script that does not contain an overloaded date meaning. If you want the serial to be the number of seconds since beginning of an epoch, then change the RFC through normal means, not by some corporate edict. Hackers they are, in the old sense.

    7. Re:Stop Changing DNS by Blkdeath · · Score: 2, Insightful
      Reading between the lines, it looks to me like Verisign want to start providing real time DNS updates, in which case there is a reason to change it. Currently they update the database twice a day, which is well within the limits of the current serial number scheme. But with real time updates, they could easily get to 100 updates in a day.

      I've always had a problem with change for the sake of change. The current system, in their semantic "the SOA value must represent the date" methodology, already allows them 100 updates per day. Why do they think they require more??!

      With their new timeout values (900 seconds), 86400 seconds being in a day, they only have a reasonable set of 96 update cycles anyways, otherwise they'd be changing the zone so frequently every other update would be missed by half the world.

      Ok, so the new format permits them 86400 changes in a day. My question is this; why are they, a "responsible" domain authority, making so many changes, and furthermore what is the utility of each change?

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  2. Trying to regain trust? by netsharc · · Score: 2, Interesting

    But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.

    The last sentence sounds like they want to emphasize that they're announcing this so early so the no one panics when all of a sudden something changes, I guess it's good that they're trying to rebuild trust.

    --
    What time is it/will be over there? Check with my iPhone app!
  3. "There should be no end-user impact" by Fortunato_NC · · Score: 3, Interesting

    And then they go and cite an example where there WOULD be an end user impact.

    Although unlikely, there is a potential for collateral damage here. Is there anyone at Verisign willing to post the logic behind making the changes in the first place? I can't see where there would be a business case when someone would jump up and say "We could make a billion dollars, but only if we change the way we determine DNS serial numbers for the .COM and .ORG domain. I guess we're screwed, guys!" Then the brave tech raises his hand and says "You know, with my Dell laptop and wireless LAN, I can change the way the serial number is incremented from anywhere."

    I've been watching too many Dell commercials lately...

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
    1. Re:"There should be no end-user impact" by resiak · · Score: 5, Informative

      I'm not someone at Verisign, but I am willing to suggest possible logic in this change.

      The previous format, YYYYMMDDNN (where NN is an arbitrary sequence number), conforms to no standard but its own. The UNIX timestamp format is recognised by any date/time manipulation tool worth using, as well as being a standard (de facto or otherwise, I don't know). While switching format now is a PITA for those who have already written tools that work with it, it will make future development fractionally easier, as well as allowing more accuracy than could practically be used.

      Then again, they could just leave things alone.

    2. Re:"There should be no end-user impact" by gavcam · · Score: 2, Informative
      Is there anyone at Verisign willing to post the logic behind making the changes in the fist place?

      RTFA...

      The .com and .net zones will still be generated twice per day, but this serial number format change is in preparation for potentially more frequent updates to these zones.

    3. Re:"There should be no end-user impact" by Tayto · · Score: 2, Insightful

      To be honest, this makes reasonable sense to me. I can see the case for Verisign wanting to make new registrations available immediately, rather than at the next 12-hourly update.

      Eventually, the zone data could be updated every time the contents of .COM or .ORG changed, with no real impact on the end user (because of DNS caching). The zone data could even be generated dynamically, directly from a database, with the serial set to the last time the database was updated. I know, historically, this isn't the way DNS servers have worked, but why not run a DNS server directly from a database? This would pave the way for that possibility for Verisign.

      With the exception of this one-time hit on people who want to pretend to be slaves of .COM/.ORG, there should be minimal other effect, and does make it possible for faster (or let us say 'almost immediate') addition/removal of domains to occur.

  4. Serial number format by albalbo · · Score: 4, Informative

    No-one cares what format the serial number is in, except those who have written software that relies on the current format (in disobedience of the RFCs...)

    A serial number is just a 32-bit number, and is used to see if a domain has been updated. The specs. do not say anywhere that it should be in a specific format.

    --
    "Elmo knows where you live!" - The Simpsons
    1. Re:Serial number format by Trillan · · Score: 3, Insightful

      This looks like a good change to me. I can't imagine there would be an outcry over this if Verisign hadn't previously implemented the SiteFinder dung.

  5. More transparent decisions and pre-announcements by WebTurtle · · Score: 5, Interesting

    This announcement is important in that Verisign finally seems to recognize that they are part of a larger community, that those DNS records are not just some corporate asset sitting in a couple of computers in the corner.

    Changes affect administrators around the globe. As part of a community, they have a responsibility to make their decisions transparent to the community, and to announce changes well-enough in advance that those who are affected have time to prepare.

    This is not just a Verisign issue. The need for major Internet organizations to recognize the larger public as important stakeholders within the community is important. Awareness of the larger community should be followed by communication and actions that reflect that awareness, thus signalling a willingness to truly be a part of that community.

    Verisign seems to be exhibiting a newfound awareness of community that ICANN seems to have abandoned.

    I hope Verisign continues to be a good member of the community. Perhaps others can follow their lead.

    --
    ------- "One of the joys of travel is visiting new towns and meeting new people." -- G. KHAN
  6. Why do Verisign have this level of access anyway? by nighty5 · · Score: 5, Interesting

    The internet infrastructure should be managed and run by the community, and not driven by commercial proliferation of services offered to enhance a company's offerings. This change seems dubious at best, considering Verisign's previous efforts of domain sitting, which would break applications; let's ensure we keep them in their place.

  7. Hey... by Neophytus · · Score: 5, Insightful
    1. Re:Hey... by Neophytus · · Score: 2, Informative

      No, it isn't offtopic if you had RTFA. The new format will be the UTC time at the moment of zone generation encoded as the number of seconds since the UNIX epoch. (00:00:00 GMT, 1 January 1970.)

    2. Re:Hey... by kasperd · · Score: 3, Informative

      2038 is a valid concern. But if DNS servers compare serial numbers according to RFC 1982 it is not going to be a problem.

      --

      Do you care about the security of your wireless mouse?
  8. Aaww just great by Rosco+P.+Coltrane · · Score: 4, Funny

    Verisign will change the serial number format and "minimum" value in the .com and .net zones

    Right, so when I fall on an unresolved address, I can't even return it under warranty because the serial number has changed, and even if they did reimburse me, they changed the value. That's just flipping great...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  9. Is it just me? by armando_wall · · Score: 5, Interesting

    From Infoworld: But the company did allow that "processes that rely on the semantics of the .com/.net serial number" could be affected.

    For example, companies that have created scripts to monitor domain change on .com and .net will almost certainly need to make changes to account for the serial number change..."The damage won't be catastrophic, but some DNS servers could stop receiving updates,"

    And they are planning to do this next Feb 9? Isn't that like too little time for organizations to update their systems?

    I don't trust Verisign... the fact that they control such an important database accessed by millions of people around the world really frightens me. They screwed it once, they can do it again.

    They should have that power removed from them. It should be on another organization (i.e. a non-profit one) that better serves internet community.

  10. Re:Why do Verisign have this level of access anyway? by mongbot · · Score: 2, Interesting

    History, I suppose.

    The internet infrastructure should be managed and run by the community, and not driven by commercial proliferation of services offered to enhance a company's offerings.

    That was what the recent UN conference was about I suppose. But everyone wanted to dismiss that as being useless.

  11. I see a problem by jcochran · · Score: 4, Informative

    They will be changing their serial number from about 2004020900 to something about 1075680000 which according to the DNS system will be an older serial number because the difference is only 928340900 which is much less than half the range of a 32 bit number. They can make the change that they are planning if they make two changes with at least their cache interval amount of time between the changes. See RFC-1034.

    1. Re:I see a problem by 91degrees · · Score: 3, Funny

      Oh, don't worry. Everything will just sort itself out on the 3rd July 2033.

    2. Re:I see a problem by graf0z · · Score: 4, Informative
      There is no problem.

      Serial numbers only affect master-slave communication (and self-written scripts violating RFCs), but all masters and slaves for .com & .net belong to VS. See Paul Vixie's reply to the same question on NANOG.

      /graf0z.

  12. Hmm... TTL900... by Yaa+101 · · Score: 2, Insightful

    With a TTL of 15 mins you have to generate a new zone 96 times a day to keep the zone visible during a whole day. I wonder if they want to speed up propagation time of new domains with this?

    1. Re:Hmm... TTL900... by KevinM · · Score: 4, Informative

      You clearly don't understand how DNS works. This change in no way requires a new zone 96 times a day. The TTL field is used by clients accessing the zone to understand when they need to stop caching the retrieved data. Verisign could have a TTL of 15 minutes and never change the serial number, and nothing would break.

  13. Re:Why do Verisign have this level of access anyway? by Pendersempai · · Score: 2, Insightful

    The boxes have to sit on someone's desk. "The community," disorganized and disparate as it is, is remarkably poor at doing anything. You'd have to invent some sort of hierarchy. Maybe have a General Manager of the Internet, and he could have a board of directors under him or something. They would be elected by the nation's population at large, and they'd have the final say on internet issues.

    But it'd be silly to give EVERYONE an equal vote in their elections, as the great majority of people have no clue how the internet works, and the campaigns for these positions would be totally unable to focus on real issues. They'd have to dumb it down and sugar-coat it so that sixpack joe can digest what they're saying, and at that level of simplicity, who could tell a good candidate from a bad?

    Okay, so let's find some way of making sure only highly competent people can vote. We can't give a test, since we'd need someone to create and administer it, and the potential for corruption is too high. The only thing I can think of is selling the votes: that way, every vote is going to represent an informed citizen. After all, who would buy a vote if they don't understand the technology?

    So at the point where we've got a CEO, a Board of Managers, and an equity market, we may as well package the whole thing as a corporation and name it VeriSign.

  14. ISO 8601 specifies YYYYMMDD by mec · · Score: 5, Informative

    I got your international standard right here.

    YYYY-MM-DD and YYYYMMDD are both standards-compliant.

    Seriously, if you've never heard of this standard, read up. Whenever I need to stick a date or a time on something in text form, I just do it the ISO 8601 way.

    1. Re:ISO 8601 specifies YYYYMMDD by jrumney · · Score: 2, Insightful

      Where in ISO-8601 does the NN fit in? It doesn't.

    2. Re:ISO 8601 specifies YYYYMMDD by AndroidCat · · Score: 2, Interesting
      And if you want resolution smaller than a day? The NN tacked on to the end is kind of kludgy.

      The real question is why is Verisign prepping to increase the update cycle, and is this a good thing?

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:ISO 8601 specifies YYYYMMDD by Anders1 · · Score: 3, Informative

      I'm all for ISO 8601, but it does not apply in this case. The serial number is not a textual representation of a date, it is a 32-bit unsigned integer in a DNS record that must be increased whenever the record is updated. A "YYYYMMDD" format, aside from resulting in a basically useless integer, would only change once per day. The UNIX timestamp format really does make the most sense here.

    4. Re:ISO 8601 specifies YYYYMMDD by Anonymous Coward · · Score: 2, Informative

      That standard is completely irrelevant. It specifies how to represent an unambiguous timestamp.

      DNS serial numbers are opaque tokens. There's nothing in the DNS specs. that requires them to be timestamps. All they have to do is increment by an arbitrary amount when the relevant records are updated.

      Quite frankly, I'm amazed anybody has bothered writing tools that pretend they are anything but opaque. It's like assuming certain values for an etag HTTP header or something.

    5. Re:ISO 8601 specifies YYYYMMDD by Lars+T. · · Score: 2, Insightful
      Too bad the serial number is a 32 bit unsigned integer, not a string. For heaven's sake, this YYYYMMDDNN thing only makes sense if you look at that value in decimal representation.

      Anyway, the serial number is just a revision number intended for the DNS "system" (I'm being a little vague here) to know when a SOA record has changed. There are no end-user serviceable parts inside. No human but the people directly handling the configuration of that record needs to know about it - including how it is formed, if it is following specifications. Period.

      Sure, if you have built your company based on that tool that tells people when a .com domain SOA record was last changed, you are fucked - for about that minute it takes to change the conversion from int->decimal string->date to UNIX timestamp->date.

      Maybe all those complaining are using Windows, and they fear that it may actually take them a day to Google for a routine that does that, and they lose the competitive edge to those UNIX weenies? Sounds like what MS had to say about the Apple/HP iTunes/iPod deal.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    6. Re:ISO 8601 specifies YYYYMMDD by Tony+Hoyle · · Score: 2, Interesting

      It'd better bl$$dy well not be a 32bit integer otherwise DNS is screwed in 2038...

      Luckily I know it isn't. Unfortunately I suspect the verisign way will break stuff unless they're careful, e.g.

      Today is:

      2004011001 in DNS time
      1073760813 in Unix time

      DNS time > Unix time... a lot of DNS systems (bind does this for example) will take the record with the largest number - there's scope for masses of confusion here.
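      The ordering concern raised above by jcochran ("I see a problem") and Tony Hoyle is a question of RFC 1982 serial arithmetic, so here is an added worked example; it is not code from the NANOG post, from Verisign or from any commenter. It uses the two serials the thread quotes (2004020900 as the YYYYMMDDNN value for 9 February 2004, and the commenters' rough Unix-time figure 1075680000), shows that a direct switch compares as "older", and carries out the two-step migration jcochran describes, with an intermediate serial that is this example's own choice. It also checks the 2033-07-03 date from the reply. Caveat from graf0z's comment, which the code reflects: only a secondary doing zone transfers ever compares serials; resolvers cache on TTL and never look at the SOA serial, so this matters only where one server slaves .com/.net from another.

```python
"""RFC 1982 serial-number arithmetic, applied to the .com/.net SOA change.

Added example for this thread; not code from the NANOG post, Verisign or
any commenter. OLD_SERIAL and NEW_SERIAL are the values quoted in the
comments. The intermediate serial used for the two-step migration is this
example's choice (the usual operator recipe of adding 2^31 - 1).
"""
import datetime

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials live in [0, 2^32)
HALF = 1 << (SERIAL_BITS - 1)   # 2^31: largest distance that still orders

OLD_SERIAL = 2004020900         # YYYYMMDDNN for 9 Feb 2004, as quoted
NEW_SERIAL = 1075680000         # commenters' rough Unix time for that date
CHANGE_DAY = datetime.date(2004, 2, 9)


def serial_add(s, n):
    """RFC 1982 section 3.1: s + n modulo 2^32; n must be below 2^31."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be in [0, 2^31)")
    return (s + n) % MOD


def serial_lt(s1, s2):
    """RFC 1982 section 3.2: True if s1 is older than s2, False if newer or
    equal, None if they differ by exactly 2^31 (comparison undefined)."""
    if s1 == s2:
        return False
    diff = (s2 - s1) % MOD
    if diff == HALF:
        return None
    return diff < HALF


def secondary_transfers(current, offered):
    """A secondary (slave) fetches the zone only when the primary's serial
    compares strictly greater than the one it already holds."""
    return serial_lt(current, offered) is True


def yyyymmddnn(day, nn=0):
    """Old .com/.net convention: date as decimal digits plus a 2-digit counter."""
    return int(day.strftime("%Y%m%d")) * 100 + nn


def unix_serial(day):
    """New convention: seconds since the Unix epoch at 00:00 UTC on `day`."""
    moment = datetime.datetime(day.year, day.month, day.day,
                               tzinfo=datetime.timezone.utc)
    return int(moment.timestamp())


def unix_serial_reaches(serial):
    """UTC date on which a Unix-time serial first equals `serial`."""
    return datetime.datetime.fromtimestamp(
        serial, tz=datetime.timezone.utc).date()


def migration_plan(old, new):
    """Serials a secondary must see, in order, to move from old to new.

    If new already compares greater, publish it directly. Otherwise publish
    old + (2^31 - 1), wait until every secondary has transferred it (at
    least one SOA refresh interval), then publish new, which now compares
    greater than the intermediate value.
    """
    if secondary_transfers(old, new):
        return [old, new]
    step = serial_add(old, HALF - 1)
    if not (secondary_transfers(old, step) and secondary_transfers(step, new)):
        raise RuntimeError("no single intermediate serial bridges old -> new")
    return [old, step, new]


if __name__ == "__main__":
    print("direct switch transfers:", secondary_transfers(OLD_SERIAL, NEW_SERIAL))
    print("plan:", migration_plan(OLD_SERIAL, NEW_SERIAL))
    print("Unix time catches up with", OLD_SERIAL, "on",
          unix_serial_reaches(OLD_SERIAL))
```

      Run stand-alone it reports that a direct switch would not be transferred, prints the three-step plan, and confirms that the Unix clock only reaches 2004020900 in July 2033. Note that `serial_lt` treats the 2^32 wrap as ordinary arithmetic, which is why an unsigned Unix-time serial has no 2038 problem on a server that follows RFC 1982.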

    7. Re:ISO 8601 specifies YYYYMMDD by You're+All+Wrong · · Score: 2, Funny

      That's called a counter. You know -- integers starting from zero.
      I don't know if there's an international standard for counters,
      but there's certainly a /de facto/ standard for them.

      Lesson 2, "concatenation", to follow in my next post.

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
  15. Why I don't read the tech press by swb · · Score: 2, Interesting
    "Also, companies that have incorrectly formatted their DNS servers to get information directly from the DNS root servers maintained by VeriSign will stop receiving updates on Feb. 9, leaving those servers and the Internet users who rely on them out of step with the rest of the Internet, he said."
    I so seldom read even the tech press because of this kind of statement. What does it mean? AFAIK the root servers just have NS records pointing to the 2nd level domains, but querying the root servers is how you find them and this is essentially how DNS is *supposed* to work. There was no further context in the story to indicate what they're talking about.

    Are there other queryable DNS servers maintained just by verisign for .com and .net for distribution to the usual root servers? Or have I been running DNS wrong all along?
    1. Re:Why I don't read the tech press by Just+Some+Guy · · Score: 4, Informative
      Were you serious or joking? I hope you were joking. You were, right?

      Because if you weren't, you would be saying that if your ISP has 10,000 customers, and they all ran their own caching nameservers, and all of them decide to resolve "www.google.com", then the root nameservers wouldn't really be hit with 10,000 times as many queries as if all of your little servers were properly configured.

      There are two reasons to query the root nameservers directly:

      1. Your ISP's nameservers are broken.
      2. Testing.

      That's it. Hitting them directly for routine queries is wasteful, inconsiderate, and expensive. If you weren't joking: fix your configuration. Now.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:Why I don't read the tech press by Just+Some+Guy · · Score: 2, Informative
      So who decides who gets to query the roots for NS queries? My ISP is kind of small, only a few thousand customers -- should they be configuring THEIR name servers to forward to nameservers at their upstreams?

      In a word: yes.

      Since their upstreams are major Tier 1 providers like UUNet, Qwest and Sprint, presumably my ISP's nameservers are the cause of untold THOUSANDS of unnecessary queries against the root nameservers that could easily be satisfied by the caches at UUNet, Qwest and Sprint.

      If your ISP is well-managed, then they query their upstreams and not the root nameservers.

      I don't plan on changing my config, thanks. I don't have reason to believe my ISPs DNS is more reliable or more secure against poisoning than my server is,

      Don't thank me for your wasted resources. I have one reason to think that your ISP runs a better DNS service than you do: we don't know that they have mis-configured servers.

      nor do I particularly buy into the idea this is wasteful or expensive; the root servers are THERE to provide NS records for finishing queries.

      Wrong again. They are there to provide NS records to the highest tier of the DNS caching hierarchy, not every little personal system on the Internet.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:Why I don't read the tech press by jroysdon · · Score: 3, Informative

      If your ISP is well-managed, then they query their upstreams and not the root nameservers.

      That's simply not true. Customers should use their ISP's DNS server, but I don't believe ISPs should ever be forwarding queries upstream. That's just asking for problems. ISPs buy wholesale bandwidth, not services like mail forwarding or DNS forwarding (not that one couldn't do it, but it is asking for an extra level of troubleshooting and delay).

      Once a lookup to the .NET NS is cached from the root servers, it is cached the same for a Tier 1 ISP or a Tier 2, and it doesn't have to be done again. The root nameservers are able to handle the .NET, .COM, .US, etc. lookups just fine. Even the next-level .NET, .COM, .US nameservers are multi-homed and anycast globally and able to handle a huge load. There is no reason to risk problems with an upstream ISP vs. going right to the source for an NS record lookup. Once the NS info is cached for a TLD like msn.com, it's the msn.com NS servers (and the hundreds of thousands (?) of other TLD NS servers) that can each handle their own load just fine.

      It's all meant to scale without having needless delay or problems introduced by forwarding queries to a DNS server you cannot control.

      Perhaps you can point to an RFC that says Tier 2/3 ISPs should forward DNS queries to upstream providers? Nope, thought not, not even a best practice.

  16. Get a grip man by rs79 · · Score: 2, Insightful

    The time/datestamp should have always been this way; more to the point do you know of any other TLD that at least attempts to be this communicative? They don't do this because ICANN, or anybody, makes them.

    How bout .NAME ("oops, we were rooted") or .PRO ("Hi ICANN, I know we said we wouldn't sell SLD name but we're dying here, and we ask a second time can we sell SLD name pleeeeeeeease?") or .biz ("home of more spam since 2000! Yeah baby!!") or any of the cctlds that have (cough) lame servers.

    Bitch at NSI all you want, they're still the model of a well-run, if not the best-run, TLD.

    And spare me the crap about sitefinder, 22 other tlds did this long before NSI did, .WS did it 3 years ago.

    It's reasonable to whine when they do a bad thing (like agree to ICANN oversight, you folks have no idea how close they were to the, um "alternative") but for things that have little or no effect you're reacting to the corporate name not the actual change.

    So, put NSI under greater ICANN control? NOT. Frankly we'd be better off if they put ICANN under NSI control.

    Hey, is this one of those things you can't say because it's heresy?

    "Duh. Double duh." - Weemba

    --
    Need Mercedes parts ?
  17. Why is always the question by rabtech · · Score: 3, Informative

    It appears that they are gearing up to start providing far more than two updates per day. This could mean that sometime in the future you could register a new domain name and have it up and running within 15-30 minutes.

    Seems like a positive change to me.

    --
    Natural != (nontoxic || beneficial)
    1. Re:Why is always the question by MCZapf · · Score: 4, Interesting

      Who on earth needs a domain name working so quickly? Spammers, perhaps. Squatters. Anyone else?

  18. Re:Evolve or die by pe1chl · · Score: 2, Informative

    It does not matter how many bits your computer has, it matters if the DNS protocol is still in use by then.

    If it is, it will break because of this change. The older timestamp format had a much longer lifetime.

    Of course there will be major problems in 2038, probably much worse than in 2000. This small issue will not contribute too much.

  19. My serial number format lasts longer by Skapare · · Score: 4, Interesting

    My serial number format lasts longer than Verisign's, and I still get more than 100 updates a day out of it. In fact it will last until 07:06:36 Tuesday 2 October 2096 while staying in just 9 digits (which it has been since 15:06:40 Saturday 4 September 1982). After that it goes to 10 digits, but still remains a positive signed 32 bit integer until 12:56:28 Wednesday 16 March 2242, and if unsigned 32 bit integer works everywhere else, it will go all the way to 01:53:00 Wednesday 30 May 2514.

    Instead of being the count of number of seconds, as Verisign plans to use, mine is 1/4 of that value. Basically, I take the system time() value and divide by 4. By treating that value as an unsigned quantity, I won't have the Y2038 bug, either. That logic will work until 06:28:15 Sunday 7 February 2106 (past the 9 digit limit). And I can do 21600 updates a day (one every 4 seconds).

    dig linuxhomepage.com. soa

    --
    now we need to go OSS in diesel cars
  20. Third reason by Skapare · · Score: 2, Informative

    Third reason:

    3. Your caching nameservers just flushed cache or restarted, and thus they have no idea where any of the top level domains are, and have to ask the root servers (provided in the hints file) where they are. Also, this will happen again in 2 days when those NS records, and their corresponding A records, expire from the cache.
    --
    now we need to go OSS in diesel cars