Advisory — D-root is changing its IPv4 address on the 3rd of January.

>> I realise that keeping the old IP functional for some time is important
>> for all the static configurations. But does it matter if a dynamic list
>> is updated "real time" without much advance warning ?
>
> 3 weeks is not a lot of "advance warning".

3 weeks is plenty for a service that in 6 months you may see degraded to 12/13 capacity if you haven't properly maintained it AND it is used for recursive service. (trusting a referral from a root or sub-root delegation to the root is crazy!).

3 weeks is not a lot of time to inform every recursive service
operator in the world that there is a change coming. Remember
nameservers will start logging warning messages as of January 3rd.

There is a big difference between 'This is just fallout from D
changing its address' to 'What does this message mean and do I have
to worry?'

Nameservers will NOT log messages starting Jan 3rd. The old IP address
will continue to work for 6 months after that.

Tempest in a tea pot.

Besides all this is moot since the simulation which runs our universe
ends this friday (the 21st is the end of the world, remember ? :)

So you edit your root.hints file today, and schedule a rndc refresh
before June 3rd when convenient.

3 weeks is not a lot of time to inform every recursive service
operator in the world that there is a change coming.

Given the impact of the change, I figure 3 weeks is plenty.

Remember nameservers will start logging warning messages as of January 3rd.

And if they do, recursive service operators who haven't seen the message will (if they care) update their root hints. This seems to be exactly the right thing. I fail to see the concern here.

There is a big difference between 'This is just fallout from D
changing its address' to 'What does this message mean and do I have
to worry?'

Are BIND's warning messages so opaque that someone who is looking at name server log messages can't figure out that the warning is talking about a root server IP address being changed?

The handwringing over this issue is a bit over the top.

Regards,
-drc

What about the people that are running BIND 4 on an old Solaris 2.6 box, and
the log file filled up at 2gb back in 2006? Also they forgot the root
password, and no one has a boot disk.

Won't somebody think of the boxen?

Let us all have a moment of silence to remember all those poor unmanaged
servers out there......Thank you now nuke them all and start over :)

It's a question of what's procedurally sensible. Sensible things would
include longer notice of the impending change to the root zone, more
widespread notice of what's happening and generally not poking around with
really important bits of the Internet at times which are well known for
having configuration freezes and/or when many people are going to be on
holidays. There are many bits of the internet where changes will only
affect small areas, but this change will affect everyone even if they
people don't realise it (and yes, it probably won't affect them visibly
because of root cache repriming).

Other sensible things might include:

- liaising with operating system vendors and recurser servers code authors
and providing them with extra advance notice so that they can roll these
changes into their code in a structured way. Software update release
cycles often take many months to roll out, particularly for non OSS code.

- perhaps some targeted localisation of the d.root-servers.org notice so
that more than 15% of the world population can read it (english == 5%
native speakers, 10% second language)?

Lots of people are aware that resolver dns servers will automatically
reprime their root cache without manual intervention. However, not
everyone will realise it and a random punter who looks at this notice and
doesn't understand root cache mechanics may well think that they need to
start updating their DNS configuration files on Jan 3. It's not clear from
the change notification that you don't necessarily need to do this.

This change wasn't planned over a coffee last thursday morning. It's
obviously been on the cards for several years, so asking for more carefully
structured notice in a procedurally sensible sort of way isn't an
unreasonable thing to expect as part of the migration plan.

Nick

widespread notice of what's happening and generally not poking around with
really important bits of the Internet at times which are well known for
having configuration freezes and/or when many people are going to be on
holidays.

You have 6.75 months to implement this before the current IP address no
longer works. Use idle time during holidays to plan when you will do
this change if your configs are frozen during holidays.

I did react with a sense of urgency when I first read the message, but
once you re-read it, you realise the timing and advance notice are
plenty sufficient.

Software update release
cycles often take many months to roll out, particularly for non OSS code.

Those on support can get a patch from their vendor or simple
instructions on how to edit their root.hints file to change an IP
address in it (or use dig to get the new one).

This change wasn't planned over a coffee last thursday morning. It's
obviously been on the cards for several years,

But probably can't make an announcement until everything has been approved.

Also, if you announce something that will happen 1 year from now, more
people will just postpone the change and forget about it.

Nick,

The handwringing over this issue is a bit over the top.

It's a question of what's procedurally sensible. Sensible things would
include longer notice of the impending change to the root zone,

Given reality and the way root priming works, 3 weeks notice and 6 months of continued service seems sensible to me.

more widespread notice of what's happening

I gather recursive server implementations provide a warning message telling folks that the IP address has changed. That seems like a more useful notification methodology than sending email to a few (or even many) mailing lists.

and generally not poking around with
really important bits of the Internet at times which are well known for
having configuration freezes and/or when many people are going to be on
holidays.

It simply doesn't matter if folks refuse to make a change during the holidays. The worst case scenario is they'll get a warning message in their recursive server log files. Presumably, the folks who look at those log files will be able to understand what it means. They have 6 months after the change occurs to update their root hints. Even if they don't, this particular change will only affect people 1/13th of the time their name servers reprime and will do so in a way that is wildly unlikely to even be noticed.

This change wasn't planned over a coffee last thursday morning. It's
obviously been on the cards for several years, so asking for more carefully
structured notice in a procedurally sensible sort of way isn't an
unreasonable thing to expect as part of the migration plan.

You seem to be a bit confused about roles and prerogatives here.

The UMD folks are making a change to _their_ infrastructure. They have sent out a notice in advance of that change to folks who might be interested. They were under absolutely no obligation to do so. There is no contractual or service level agreement between UMD and _anyone_ that requires them to do _anything_ with regards to root service. The fact that they gave 3 weeks notice that they were changing the IP addresses of their server shows they are nice folks. Neither you nor anyone else that uses "D" has any right to dictate how UMD operates their infrastructure, how much notice to give when making changes to that infrastructure, who gets notified, etc.

Welcome to the wonderful wacky world of volunteer root service!

With that said, I would argue it should be the responsibility of the maintainers of the root hints to notify software vendors, recursive operators, etc. of a change since the maintainer of the root hints file has vetted/implemented the change. It is also more likely that the world has at least heard of the maintainers of the root hints than some random person posting unsigned messages from a University (no offense Jason :-)).

Regards,
-drc
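
An added example, not part of the thread and not code from BIND or any root operator: one way to check whether a root hints file has gone stale is to compare its A/AAAA records with those from a priming response (for instance, saved `dig` output). The sample records below are constructed and use documentation addresses, not real root server addresses; the function names are hypothetical.

```python
"""Compare a local root hints file with a priming response (zone-file text)."""
import ipaddress

# Constructed sample data: documentation addresses, not real root addresses.
HINTS = """\
; local root hints (constructed sample)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     198.51.100.90
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::d
"""
PRIMING = """\
a.root-servers.net. 518400 IN A 192.0.2.1
a.root-servers.net. 518400 IN AAAA 2001:db8::1
d.root-servers.net. 518400 IN A 203.0.113.13
d.root-servers.net. 518400 IN AAAA 2001:db8::d
"""

def parse_addresses(text):
    """Return {(owner, rrtype): {addresses}} for A/AAAA records, skipping comments."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        for rrtype in ("A", "AAAA"):
            # The type is the second-to-last field whether or not TTL/class appear.
            if len(fields) >= 3 and fields[-2].upper() == rrtype:
                owner = fields[0].lower().rstrip(".")
                addr = str(ipaddress.ip_address(fields[-1]))  # validates, normalises
                records.setdefault((owner, rrtype), set()).add(addr)
    return records

def stale_hints(hints_text, priming_text):
    """List (owner, rrtype, hinted, current) where hints and priming data differ."""
    hints, live = parse_addresses(hints_text), parse_addresses(priming_text)
    diffs = []
    for key in sorted(hints.keys() | live.keys()):
        old, new = hints.get(key, set()), live.get(key, set())
        if old != new:
            diffs.append((*key, sorted(old), sorted(new)))
    return diffs

if __name__ == "__main__":
    for owner, rrtype, old, new in stale_hints(HINTS, PRIMING):
        print(f"{owner} {rrtype}: hints {old} -> priming response {new}")
```
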

> The handwringing over this issue is a bit over the top.

It's a question of what's procedurally sensible. Sensible things would
include longer notice of the impending change to the root zone, more
widespread notice of what's happening and generally not poking around with
really important bits of the Internet at times which are well known for
having configuration freezes and/or when many people are going to be on
holidays. There are many bits of the internet where changes will only
affect small areas, but this change will affect everyone even if they
people don't realise it (and yes, it probably won't affect them visibly
because of root cache repriming).

  how much notice would you like?

Other sensible things might include:

- liaising with operating system vendors and recurser servers code authors
and providing them with extra advance notice so that they can roll these
changes into their code in a structured way. Software update release
cycles often take many months to roll out, particularly for non OSS code.

  it's not clear this has not been done. nor is it clear
  that it would be needed, given the bootstrap methods that have
  been current for more than a decade.

- perhaps some targeted localisation of the d.root-servers.org notice so
that more than 15% of the world population can read it (english == 5%
native speakers, 10% second language)?

  it's not clear this has not been done.
  where would you localise this notice and what methods would you use?

Lots of people are aware that resolver dns servers will automatically
reprime their root cache without manual intervention. However, not
everyone will realise it and a random punter who looks at this notice and
doesn't understand root cache mechanics may well think that they need to
start updating their DNS configuration files on Jan 3. It's not clear from
the change notification that you don't necessarily need to do this.

  true - there is an expectation that the reader has a basic
  understanding of the DNS. My grandmother would be confused, but
  would clearly understand from the notice that there were many months
  before the existing system would change. Perhaps the notice should
  suggest talking with your service provider if you don't understand
  or have questions.

This change wasn't planned over a coffee last thursday morning. It's
obviously been on the cards for several years, so asking for more carefully
structured notice in a procedurally sensible sort of way isn't an
unreasonable thing to expect as part of the migration plan.

  are these all the points that concern you? are there others?
  let's get them all on the table.

The UMD folks are making a change to _their_ infrastructure.

as is their prerogative. It's just that they happen to operate a
particular chunk of Internet infrastructure which is pretty important in
the scale of things.

They have
sent out a notice in advance of that change to folks who might be
interested. They were under absolutely no obligation to do so. There is
no contractual or service level agreement between UMD and _anyone_ that
requires them to do _anything_ with regards to root service.

yep, absolutely.

The fact
that they gave 3 weeks notice that they were changing the IP addresses
of their server shows they are nice folks. Neither you nor anyone else
that uses "D" has any right to dictate how UMD operates their
infrastructure, how much notice to give when making changes to that
infrastructure, who gets notified, etc.

No-one's dictating: I'm just asking them politely to take some suggestions
into consideration - suggestions which no-one has so far pointed out as
being unreasonable, and which I would tend to view as being procedurally
sensible and good things to do. That's all.

Nick

Nick Hilliard wrote:

The UMD folks are making a change to _their_ infrastructure.

A site who hosts a Global Internet critical infrastructure is not bound to
the same procedures as a regular site. It takes a certain amount of trust
to have one of the Internet's core devices hosted at your site.

While it is sometimes required to perform changes, it is no wonder that
the community is involved and worried, since the D root server is a global
infrastructure device, regardless of where it is located, and it is expected
from UMD to behave accordingly (not that they are not, but just in the grand
scheme of things).

I am pretty sure that UMD doesn't think that the D root is akin to their web server,
as you would suggest in your mail (their infrastructure, their server, their procedure,
not owe anything to anyone, etc etc...)

It is critical to all of us, and we can and should lend our advice or even request
(and sometimes require) a level of assurance that we (that is the operators on the Internet
which is being served by D, since D is no local UMD service) will not end up hurt.

It is their decision to make ultimately, but they can and should hear us, and if there
is actually a grain of wisdom in what is being said, to consider it and amend plans.

While there is no "specific and contractual" SLA in place, that does not mean that
a root server operator is free to do whatever they please with critical global infrastructure,
and I am very sure that this attitude is not prevalent with any Root operator out there.

best,

-- Ariel

I believe you are assuming that the department which runs the root
server at UMD has a choice in the matter.

Consider a campus-wide IPv4 address space reorganisation to make better
use of their available space. It would make sense to do this during
summer when students are away. Having to stop using that IP by June
would fit that scenario.

The scarcity of IPv4 will result in more and more streamlining of
network address spaces within organisations.

While I have seen this announcement because I subscribed to nanog, I
wouldn't be surprised to see that news spread via many other means.

And how much more warning would one really need ?

It isn't as if they were to announce that the end of the world will be
this coming friday. (that one was announced centuries ago and isn't
getting much press :)

This is a simple change, the internet will not stop running. It may take
an extra second to reboot the bind servers that haven't gotten updates.

Actually, I have an excellent memory also. The one thing I do NOT remember is this much Sturm und Drang over any of the past changes. I believe that the first few changes were actually painful (they were for me), but really, everything has gone along just fine and dandy until now.

I gently point out the following resource (which I'm sure nearly everyone here already knew about):

http://www.zakon.org/robert/internet/timeline/

DNS first reared its head in 1984. For the very longest time I even kept my copy of hints updated by hand, leaving notes as to the old IP, so that I'd notice if anything from my end was trying to reach an old IP (the amount of stupidity hard coded in was just as bad then as now).

I downloaded one of the last hosts.txt files, in 1992, out of sentiment. It still makes me nostalgic to look at it.

Is it just me? I do not remember L or previous entries garnering this much attention, and it seems there was actually a bit less time between announcement of the change, and my ::face::palm:: when I saw log entries, and realized I was lazy. I have no idea when the IP was turned off, since it wouldn't have *mattered* to me. I do remember quite a bit of discussion here and there when the first ones were changing, but it was local discussion, when my world was a bit more narrow and focused.

I did actually look (although not very hard) for an actual history of the original hosts, and the migrations from legacy IPs and legacy names into the less colorful format of *.root-servers.net that we know and love today.

For those of you still worried, I promise it will all be okay. I promise.

... or 21/22 capacity, if you have IPv6. :) And the v6 address of D is not changing.

FWIW I agree with the "tempest in a teapot" assessment. I think UMD has given more than adequate notice, and I'm looking at this from not only my perspective as former IANA-dude, but also as someone who formerly would have been the person to update this in FreeBSD. From a real, operational perspective, this is simply not that big a deal. In fact, it's hardly a deal at all.

Doug

Actually, I have an excellent memory also. The one thing I do NOT
remember is this much Sturm und Drang over any of the past changes.

increase in number of people who can't resist telling others what they
should do

randy

and ones who don't read posts before responding.