nanog mailing list archives

Re: The SWAMP


From: Eric Ziegast <ziegast () zee im gte com>
Date: Mon, 09 Sep 1996 16:47:51 -0700

How about allocating some "good sounding" IP addresses for them,
(like 1.0.0.x/32) and hard-wiring them into resolver code?  Would
save quite a lot of configuration headaches for newbies.

Hardwiring anything like this into a system like DNS sounds like a really
bad idea if only for the simple reason that DNS is not just used on the
Internet, but also within private networks.  Having hardwired IP numbers
in this case would cause headaches of unimaginable proportions.

It's DNS servers, not resolvers, that need to update their lists
of Internet root servers.  The problem (IMHO) is that few sites know
or care that they have to maintain the root server list periodically to
stay in sync with the rest of the Internet.  One way to attack the
problem (not solve it) is to require nameserver vendors (IIS, Apple,
BIND, etc.) to provide the capability for periodic root server list
updates.

In Unix (BIND), it's quite easy:

    In cron:

        # pick a random time once a week
        31 10 * * 4 /usr/sbin/update-root
        # some other time during the week
        23 20 * * 6 /usr/sbin/named.restart

    The shell script (off the top of my head):

        #!/bin/sh
        # Weekly root-hints refresh: fetch named.root, diff it against the
        # installed root.cache and mail hostmaster about any change.
        tmp=$(mktemp /tmp/rs.XXXXXX) || exit 1   # unpredictable name, not /tmp/rs$$
        trap "rm -f $tmp" 1 2 3 14 15
        cd /etc/namedb || exit 1
        rm -f named.root            # don't mistake a stale copy for a fresh download
        ncftp -a -d 600 -g 5 ftp.root-servers.net:/named.root
        if [ ! -r named.root ]; then
                Mail -s "Could not get root nameserver list" hostmaster </dev/null
                exit 1
        fi
        diff root.cache named.root > $tmp
        if [ -s $tmp ]; then
                mv named.root root.cache
                Mail -s "Root server update" hostmaster < $tmp
        else
                rm -f named.root    # unchanged; nothing to install
        fi
        rm -f $tmp

Perhaps something similar could be done in a C program on
any NT or Mac internet DNS server.  If there's no "cron"
functionality, have the nameserver periodically check once
every N seconds (where N ~= one week + random seconds)
against a configured named resource for the list of root
servers.  For example, on the Internet, it might be
"ftp://ftp.root-servers.net/named.root".  For a local administrator
it might be "file:config/named.root".

An RFC describing this mechanism would be yet another checkoff
mark that nameserver vendors would want to comply with.  To
promote compliance, nameserver vendors that comply would get
listed on the "Good Netkeeping Seal of Approval List" at
http://www.root-servers.net (where other neat new RFC features
like dynamic updating or secure AXFR are also listed).


The best part about these updates is that your root server list
is always updated from a named resource that can change its IP
address whenever it needs to rather than forcing some IP addresses
to be static.


People who don't update eventually lose.  Internet service providers
can detect losers (occasionally sniffing for domain/udp traffic to
outdated servers) and mail them to let them know they should look at
http://www.root-servers.net for more info about updating servers.
Administrators of old root nameservers can do this as well (if ISPs
are uncomfortable sniffing traffic).

.... just fantasizing.
--
Eric Ziegast
- - - - - - - - - - - - - - - - -
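The vendor-neutral periodic check the message sketches (a fetch on a jittered weekly interval, then a comparison of the root server list), as an added example that is not the poster's code: it parses BIND-style root hints and reports which servers were added, removed or re-addressed, instead of emitting a raw text diff. The hint data, the function names and the RFC 5737 addresses are constructed for illustration.

```python
"""Root-hints update check in the vendor-neutral form the post sketches:
compare installed hints with a freshly fetched copy and report per-server
address changes.  Added example, not the poster's code; the hint data is
constructed from RFC 5737 documentation addresses, not real root servers."""
import random
OLD_HINTS = """\
; constructed sample standing in for the installed root.cache
.                    3600000  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  A   192.0.2.4
.                    3600000  NS  B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000  A   192.0.2.10
"""
NEW_HINTS = """\
; constructed sample standing in for a freshly fetched named.root
.                    3600000  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000  A   192.0.2.4
.                    3600000  NS  B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000  A   198.51.100.10
.                    3600000  NS  C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000  A   203.0.113.12
"""

def parse_hints(text):
    """Map each root NS name to the set of addresses the hints give for it.
    Records are '<owner> <ttl> <type> <rdata>'; ';' starts a comment."""
    names, addrs = set(), {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 4:
            continue            # blank, comment-only or malformed line
        owner, rtype, rdata = fields[0].lower(), fields[2].upper(), fields[3].lower()
        if owner == "." and rtype == "NS":
            names.add(rdata)
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    return {n: addrs.get(n, set()) for n in names}   # NS without glue -> empty set

def hints_diff(old_text, new_text):
    """Return servers added, removed, and those whose address set changed."""
    old, new = parse_hints(old_text), parse_hints(new_text)
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]},
    }

def next_check_seconds(base=7 * 86400, jitter=86400):
    """About a week plus random seconds, so a fleet does not all fetch at once."""
    return base + random.randrange(jitter)
```

Feed the installed hints and the freshly fetched file into hints_diff and mail the result only when one of the three sets is non-empty.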