nanog mailing list archives

Re: New addresses for b.root-servers.net


From: Crist Clark <cjc+nanog () pumpky net>
Date: Sat, 17 Jun 2023 18:05:40 -0700

IP addresses cannot and should not be trusted. It's not like you can really
trust that your packets going to B _today_ are going to and from the real B
(or Bs).

If the security of DNS relies on no one intercepting or spoofing responses
to some of your queries to a root server, it's been game over for a long
time.


On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo <nanog () as397444 net> wrote:

On 6/17/23 7:12 AM, Tom Beecher wrote:
Bill-

    Don't say, "We'll keep it up for as long as we feel like it, but at
    least a year." That's crap.


30% of the root servers have been renumbered in the last 25 years.

h: 2015
d: 2013
l: 2007
j: 2002

For these 4 cases, only a 6 month transition time was provided, and the
internet as we know it did not fall over in a flaming pile. (One could
argue it was ALREADY a flaming pile, but that's a different discussion.)

There's a huge difference between "no one noticed any issues because
recursive resolvers will seamlessly fall back to other root servers if
there's an outage" and "there aren't issues".

For non-DNSSEC-verifying resolvers (sheesh, but they still exist), if the
IPs are eventually released and someone stands up a DNS server on them you
could cause real harm.

Does this need to be over-engineered to prevent that? No, though doing a
few tricks to help the poor folks on unmaintained recursive resolvers isn't
bad either.

But lack of visible issues doesn't mean that users aren't put at risk.
That said, I have no idea if the old number resources were released or no
longer announced in the DFZ after the previous renumbers, which would
really be the point at which concern is warranted, not simply no longer
responding.

Matt
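The practical check behind Matt's "unmaintained recursive resolvers" point is whether a resolver's root hints still carry a retired root-server address. The following is an added example, not code from the thread or from any root-server operator: it parses a BIND-style root hints file (the named.root format) and reports glue that differs from an operator-maintained expected set. All addresses in it are constructed placeholders from the RFC 5737 / RFC 3849 documentation ranges, not real root-server addresses, and the expected set is assumed to come from a trusted out-of-band copy. Note that a hints check only catches stale configuration; it does nothing about spoofed responses, which is Crist's separate point about DNSSEC.

```python
"""Flag stale root-server glue in a BIND-style root hints file.

Added example for this thread. Addresses below are CONSTRUCTED
(RFC 5737 / RFC 3849 documentation ranges), not real root-server IPs.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample hints file in named.root layout. The B entries are
# deliberately out of date relative to EXPECTED below.
SAMPLE_HINTS = """\
; <<>> constructed root hints for illustration <<>>
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::2
"""

# Constructed "current" addresses an operator would keep from a trusted,
# out-of-band source (assumed; not real root-server addresses).
EXPECTED = {
    "a.root-servers.net.": {"192.0.2.1", "2001:db8::1"},
    "b.root-servers.net.": {"198.51.100.2", "2001:db8:1::2"},
}

# owner  ttl  [IN]  type  rdata   (whitespace-separated, one record per line)
_RR = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(A|AAAA|NS)\s+(\S+)\s*$", re.I)


def parse_hints(text: str) -> dict[str, set[str]]:
    """Return {owner (lowercased): set of A/AAAA rdata} from hints text.

    NS records are accepted but not collected; comments (';') are stripped.
    Raises ValueError on any line that is not a recognised record.
    """
    glue: dict[str, set[str]] = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        m = _RR.match(line)
        if not m:
            raise ValueError(f"unparsed hints line: {raw!r}")
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if rtype in ("A", "AAAA"):
            glue[owner].add(rdata.lower())
    return dict(glue)


def find_stale(hints: dict[str, set[str]],
               expected: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """Compare parsed glue with the expected set.

    Returns {server: {"stale": addrs in hints but not expected,
                      "missing": addrs expected but not in hints}}
    containing only servers whose glue differs.
    """
    report: dict[str, dict[str, set[str]]] = {}
    for server, want in expected.items():
        want_l = {a.lower() for a in want}
        have = hints.get(server.lower(), set())
        stale, missing = have - want_l, want_l - have
        if stale or missing:
            report[server] = {"stale": stale, "missing": missing}
    return report


if __name__ == "__main__":
    for server, diff in find_stale(parse_hints(SAMPLE_HINTS), EXPECTED).items():
        print(f"{server}: stale={sorted(diff['stale'])} "
              f"missing={sorted(diff['missing'])}")
```

Run against a resolver's actual hints file in place of SAMPLE_HINTS; an entry in `stale` is an address the resolver will keep priming from even after the real root server has moved, which is exactly the window Matt describes if that address is ever released to someone else.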
