Faster Updates for DNS Root Servers Arrive

Tee Emm writes "VeriSign's DNS Rapid Update notice period (as announced on NANOG mailing list) expires today. Beginning September 9, 2004 the SOA records of the .com and .net zones will be updated every 5 minutes instead of twice a day. The format of the serial number is also changing from the current YYYYMMDDNN to a new one that depicts the UTC time." We first mentioned this back in July, but it's finally launching now.

Re:hmm, but is this really a good thing?

[Mordac the Preventer]

This is *theoretically* a good thing, but it means that applications cannot cache DNS as effectively for nonexistant domains. this may end up causing a *lot* heavier load on the root DNS servers.

No, it's the TTL that determines how long a record can be cached for. Updating the zone more frequently just means that the information will be available sooner. It will not increase the load on the root nameservers.

Re:dynamic dns

[numbski]

It's already there [wieers.com].

The catch of course is that you have to be running bind locally to make it work. Which is fine if you're a unix-head and know how to work dns, but for the average joe, it's far from simple. I have a perl script that checks my Linksys firewall's IP every half hour, and if it's changed, updates the dns file, then runs nsupdate.

Re:For all registrars, or just some?

[numbski]

Looks to me like it requires a conformity to the new serial number spec (which, if I might say BLOWS...I run an ISP and I appreciate being able to look at a DB file and know when the last time I changed it was by simply looking at the serial...ugh), otherwise it will just sort of 'happen'. So long as your dns server is authoritative for a domain and your root-hints file is correct.

Anyone have further input?

Re:hmm, but is this really a good thing?

[LiquidCoooled]

If I remember rightly, the new system does not change the TTL, it is still down to the domain administrator to pre plan domain moves.

On the day before you move, your TTL can be dropped to this 5 minutes so your address can be changes with minimal disruption. After the move, once your stable, your TTL can be increased once again, and network congestion is minimalised.

Of course, I could be talking out of my arse, one of you lot will put me right if this is the case.

Re:Emergency use

[Anonymous Coward]

you can already do this, the root servers basically just know the address of a nameserver designated to a domain.

this just helps if you want to switch nameservers within 5 mins

on top of that if you have a standby box bring it online with the old ip

Re:Emergency use

[autocracy]

Wrong way about it. Your DNS records in the [.com .net .org .whatever] domain only point to your NS records. You should have multiple name servers up anyway (peering agreements for DNS are usually pretty easy to get). It is your A records that point to the web server, and the update for that takes place upon your own servers.

Re:Emergency use

[Eggplant62]

I think you mean that this would be more handy for sites who lose a DNS server. Note that if the machine in an NS record for a domain goes dead, the domain can be left unresolvable until the root servers update. Now with every five second updates on the root servers, change the NS records and yer back up and running.

Happened to me with my vanity domain when afraid.org was cut off for about 8 hours due to abuse issues. His upstream provider cut him off due to spammers hosting DNS there and he had to take steps to get back online. Meanwhile, my domain was unresolvable. I ended up putting up secondaries to prevent this from happening again.

Re:Emergency use

[LostCluster]

What's the point in that?

The record in a DNS root server never is meant to identify your web server, it's meant to indentify your primary and secondary DNS server, and it's those servers that work for you (or at least the ISP you work with) to identify your web server.

So, if you want fallover if your main web server goes down, you just need to update your local DNS record, not the one at the root servers. It's when your DNS servers explode that the five-minute updates would be helpful.

In case of slashdot effect...

[bruceg]

Upcoming change to SOA values in .com and .net zones

* From: Matt Larson
* Date: Wed Jan 07 17:49:43 2004

VeriSign Naming and Directory Services will change the serial number
format and "minimum" value in the .com and .net zones' SOA records on
or shortly after 9 February 2004.

The current serial number format is YYYYMMDDNN. (The zones are
generated twice per day, so NN is usually either 00 or 01.) The new
format will be the UTC time at the moment of zone generation encoded
as the number of seconds since the UNIX epoch. (00:00:00 GMT, 1
January 1970.) For example, a zone published on 9 February 2004 might
have serial number "1076370400". The .com and .net zones will still
be generated twice per day, but this serial number format change is in
preparation for potentially more frequent updates to these zones.

This Perl invocation converts a new-format serial number into a
meaningful date:

$ perl -e 'print scalar localtime 1076370400'

At the same time, we will also change the "minimum" value in the .com
and .net SOA records from its current value of 86400 seconds (one day)
to 900 seconds (15 minutes). This change brings this value in line
with the widely implemented negative caching semantics defined in
Section 4 of RFC 2308.

There should be no end-user impact resulting from these changes
(though it's conceivable that some people have processes that rely on
the semantics of the .com/.net serial number.) But because these
zones are widely used and closely watched, we want to let the Internet
community know about the changes in advance.

Matt
--
Matt Larson
VeriSign Naming and Directory Servic

Re:hmm, but is this really a good thing?

[Entrope]

Your claim of "144x as much traffic" exhibits an ignorance of how DNS caching works -- not that I should be surprised by the ignorance of anything I read on Slashdot. Specifically, caching is controllable independently of zone revision. It is easy to instruct clients to cache negative replies for a longer time than that revision of the zone is current. The only way to increase the frequency of lame requests is to reduce the TTL or SOA MINIMUM values.

On top of that, maximum-frequency error responses are only a problem when you have enough headstrong or automated users to see requests for the SAME misspelled domain name just past the SOA MINIMUM (or TTL, if appropriate) time. It is not a problem for valid name requests, since they have separate TTLs. While that frequency of lame requests is indeed a valid assumption with infinite load, in practice, only the largest ISPs will see anything that approximates that traffic.

Your comment that domains are not supposed to change every minute is correct for some domains; but the particular domains in question (TLDs) do change every minute as new domains are registered or expire. (Other things, like DHCP-driven dynamic DNS, can also legitimately cause frequent zone updates.)

Re:dynamic dns

[two-tail]

Services provided by the likes of DynDNS are not affected by this. The changes mentioned in this article affect top-level servers, which maintain lists of registered domains and their name servers. Providing an actual IP address is provided in the next level down. For example, here is the complete path that you would go through to get an IP address for www.slashdot.org:

1: a.root-servers.net (refers request to tld2.ultradns.net)
2: tld2.ultradns.net (refers request to ns1.osdn.com)
3: ns1.osdn.com (returns 66.35.250.150)

Adding and deleting domains causes changes at #1 and #2. Changing the name servers assigned to a domain also happens at #1 and #2. Changes to an IP address (like the IP address for www.slashdot.org), which is what DynDNS and the like covers, would take place at #3.

One last note: If you have a domain already in place, and you want to change its nameservers over to DynDNS (possibly to take advantage of their dynamic update service), then #1 and #2 would get involved (since you're changing a nameserver). Under the system being phased out, that would have given you a day-long delay.

Re:increase of (mostly useless) traffic exptected?

[Tenareth]

Just because they are refreshing the roots every 5 minutes doesn't mean they dropped the TTL to 5 minutes. Since most DNS servers do not cache bad domains, this just means that new domains become available faster, and propogate within 10 minutes or so.

Re:Emergency use

[ostiguy]

This isn't that. You are talking about regular DNS A record changes on your dns server. You could have done what you sought a year ago, or 10. This is about what DNS servers are responsible for your domain, among other domain level changes (responsibility, etc) - if Chicago burns to the ground, Schlotsky's House of Bacon, having lost their headquarters with its server room, could then outsource its DNS, enter records, and make a root change to indicate that schlotskyshouseofbacon.com's dns servers have changed within 5 minutes (ideally).

ostiguy

Re:Why?

[mr_z_beeblebrox]

Is there any real need for this? Realistically it is going to have very little impact on the average user.

This will affect DNS customers not consumers. DNS is a purchased service (not a product) Businesses are its customers, users are its' consumers. Verisign wants to make a positive impact on its' customers to turn more revenue.

Root servers?

[bartjan]

These faster updates are not for the root servers, but for the .com/.net gTLD servers.

Re:Fifteen minutes?

[frozen_crow]

no, it does not. it just means that if a resolver receives a "no such name" response from one of the com or net nameservers, that "no such name" response will only be cached for 15 minutes instead of a day.

Re:hmm, but is this really a good thing?

[sw155kn1f3]

It's simple:

# dig a alksasdasdqweqwehqwe.com

com. 10793 IN SOA a.gtld-servers.net.
nstld.verisign-grs.com.
1094 735719 --- serial
1800 --- refresh
900 --- retry
604800 --- expiry
900 --- minimum aka "default" for this domain.. it's the time for NXDOMAIN responses too

Re:hmm, but is this really a good thing?

[SirCyn]

Let me clarify a few misconceptions.

1. The "minimum time" set to 15 minutes means the servers will not check for an update on a record until it is at least 15 minutes old.

2. The 5 minute transfers. This is how often the root servers check with each other. This has nothing to do with any other server. Not the registars, not your ISP's DNS server; only the root servers.

3a. The serial change from yyyymmddnn to Unix epoch time makes perfect senese. And no, it does not suffer the 32-bit problem. Serial numbers can be much more than 32 bits. Heck the yyyymmddnn takes 8 bits per character now, so 80 bits just for that. Dare I guess how far into the future an 80-bit Unix time would go (if it was stored that way)?

3b. If this serial change screws up your DNS Cache server simply flush the cache, problem solved. If you have some application (as suggested in the memo) that relies on the serial you need to update your software, now.

4. Whoever suggested this as a backup plan for having only one server run your whole opperation: You are dumb. Now go away or I shall taunt you a second time.

5. The TTL for a standard DNS entry is not going to change. So if your ISP's DNS server caches an entry it will (probably) keep it the same amount of time as it did before. (I say probably because most DNS severs can update records before their TTL expires).

Would the people who do not know how DNS works please stop posting your misinformation and speculations. Thanky you!

Re:hmm, but is this really a good thing?

[Kishar]

3a. The serial change from yyyymmddnn to Unix epoch time makes perfect senese. And no, it does not suffer the 32-bit problem. Serial numbers can be much more than 32 bits. Heck the yyyymmddnn takes 8 bits per character now, so 80 bits just for that. Dare I guess how far into the future an 80-bit Unix time would go (if it was stored that way)?

You're correct on all counts except this one.

From RFC1035:

SERIAL The unsigned 32 bit version number of the original copy of the zone. Zone transfers preserve this value. This value wraps and should be compared using sequence space arithmetic.

The YYYYMMDDxx way can't be used past 2148, the UTC way can't be used past 2038. (neither way breaks it, because the serial number wraps to 0)

Re:Root Servers...

[jabley]

This has nothing to do with the root servers [root-servers.org]. The slashdot article is inaccurate.

Verisign are publishing delegations in the DNS from their registry for the COM and NET domains much more frequently than they were before. The TTL on records in the COM and NET zones is not changed.

The affected nameservers are a.gtld-servers.net through m.gtld-servers.net. These are not root servers. They are authority servers for the COM and NET zones.

Verisign also runs two root servers (a.root-servers.net and j.root-servers.net). There has been no announced change in the way A and J are being run.

Re:Fifteen minutes?

[bfree]

Ooops, it's not quite as described above! The root servers aren't being updated any quicker, it's just the .com and .net servers. It doesn't impact on the above though as the root servers just hand out the ip addresses of the authoritative servers for the top level domains, so for a non existant domain name the root servers will behave just the same as an existing domain name in the same tld.

Re:2038 fun

[amorsen]

I have no idea where people got the idea that the serial number is a text field. It is a simple 32 bit integer. However, it is supposed to be compared using "sequence space arithmetic". This has been defined in RFC 1982 [sunsite.dk]. Basically it means that overflows are fine, as long as no secondary nameserver keeps really old revisions around. So if you make a secondary for the .com zone now, unplug it for 40 years, and plug it in again, it may fail to get the latest zone.

Re:hmm, but is this really a good thing?

[Feyr]

you're correct. this is .com and .net

as a side note. for everyone that doesn't pay attention to dns and have been spouting random crap (eg, not you). .org has been doing the exact same time since ultradns bought the rights to host it. in short, no it won't cause much problems

also, verisign pointed out the TTL will stay to 24 (or 48?) hours, so this really only affects NEW domains, unless you set your zone ttl to much lower in the first place (your zone has a higher trust than verisign's, so the ttl from that zone gets cached instead of theirs)

Re:dynamic dns

[tigress]

Actually, adding, deleting and changing domains causes changes at #2 and #3. The root-servers are never affected unless there is a change in the TLD delegations. Changing a Second level domain requires changes in the TLD nameservers (#2) and the nameservers responsible for the SLD (#3). Changes within the domain only affects #3. Unless, of course, the change is on an authorative nameserver, in which case #2 is also affected. This article describes how the changes in #2 will take effect faster.