Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Root Zone Changed 298

An anonymous reader writes "The day before yesterday the root zone was silently changed for the first time in 5 years. The change was to J.ROOT-SERVERS.NET that is now managed by Verisign. The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced. An interesing sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."
This discussion has been archived. No new comments can be posted.

Root Zone Changed

Comments Filter:
  • Why should we care? (Score:4, Interesting)

    by Disoriented ( 202908 ) on Thursday November 07, 2002 @04:02PM (#4619041)
    Maybe someone could explain to us newbies how this affects the operation of the Internet.
    • Without getting extremely technical with it, this mostly affects your ISP. If your ISP does not update their root zone files, when you attempt to resolve a website, your ISP has one less server for it to resolve the root server for and CC top level domains, as well as .com, .org, .net, etc.
    • by nelsonal ( 549144 ) on Thursday November 07, 2002 @04:07PM (#4619093) Journal
      The root servers are the master list of domain names for the Internet. The computers still use IP addresses to talk, but us Humans prefer remembering slashdot.org to 66.35.250.150. In meatspace terms, I think this is along the lines of a construction company changing the composition of their concrete for use on the Highway system, you might not notice the change as a user, but it could be a bad decision.
      All I want to know is if Sun is back to being the . in .com? :)
      • You forgot to mention domain name servers and the ip's to find out what their IP's are. All the root servers know about slashdot are what its ip's are and what the ip's of the dns servers are along with the fact that the name is slashdot.org.

        All the root servers are gigantic signs with posts pointing general directions to find out more specific information.
      • All I want to know is if Sun is back to being the . in .com

        I think Sun's marketing department finally realised that's not a good thing to be :)

        • by Strog ( 129969 ) on Thursday November 07, 2002 @05:52PM (#4620110) Homepage Journal
          A.ROOT-SERVERS.NET is considered the ultimate authority in DNS. It is also called "dot" and used to be a healthy Sun box. So they really were the "dot" in .com in a sense and that's what made it so funny. That box was replaced with an IBM box and now IBM could say they are the "dot" in .com.

          Link here [ibm.com]
          • Wrong dot (Score:5, Funny)

            by kasperd ( 592156 ) on Friday November 08, 2002 @03:55AM (#4623758) Homepage Journal
            So they say they are the dot in dot com, but they should really say they are the dot in dot com dot, because they are really the dot after com not the dot before com. However this last dot is often forgotten, it really means the name is absolute rather than relative. This is very much like the leading slash in paths to files.

            Hmm, now I'm writing on slashdot about leading slashes and trailing dots, what a coincidence.
      • by SacredNaCl ( 545593 ) on Thursday November 07, 2002 @05:52PM (#4620108) Journal
        I wonder if this has anything to do with the recent denial of service attacks against the root servers?

        Just speculating that maybe the attackers used a worm/trojan that was preset to attack them at the previous IP on certain dates? Similar to some things we have seen in the past...

        • by br0ck ( 237309 ) on Thursday November 07, 2002 @06:12PM (#4620388)
          I think your suspicion has been confirmed by a this recent New Scientist article [newscientist.com]. It says one of the Versign root servers was actually moved to a new location so that two servers wouldn't be relying on the same infrastructure. It does not mention the IP change, but it seems to make sense.
    • by a ( h 3 r 0 n ( 584379 ) on Thursday November 07, 2002 @04:12PM (#4619142)
      The root zones are where are all top-level DNS queries start. Think of the internet domain system as one giant honkin' tree. The root servers at the top manage domain information for the top level zones, and they pass off queries down the tree until the query hits an authoritative DNS server for the domain in question.

      This affects administrators of DNS servers, because in the DNS config is a list of the IP addresses where these root servers can be found.

      Why should you care? You probably don't. It doesn't affect you directly. That is, unless all the root servers mysteriously die one day. That would make surfing for your pr0n a thing of near impossibility. :)

    • by KieranElby ( 315360 ) <kieran@dunelm.org.uk> on Thursday November 07, 2002 @04:21PM (#4619244) Homepage
      > Maybe someone could explain to us newbies how this affects the operation of the Internet.

      Ok.

      Here's the usual (much simplified) explanation for how DNS (that is, maping hostnames to IP addresses) works:

      Let's assume we want to connect to www.slashdot.org. We need to know it's IP address in order to do this.

      What we do is:

      1) Ask one of the 13 root servers which server handles .org domains.

      2) Ask that server which server handles the slashdot.org domain.

      3)Ask that server which server handles the www.slashdot.org zone.

      However, this begs the question:

      "Where do the root servers get their info. from?"

      Well, as of yesterday they're getting it from 192.58.128.30.

      To some extent, 192.58.128.30 is now the most important address on the internet since it is the highest authority for the rather important business of looking up addresses.
      • by Anonymous Coward on Thursday November 07, 2002 @04:53PM (#4619500)
        Not exactly. The question is actually "how do we find the root servers to ask them who handles .org" aka, "how do we find out who handles '.'".

        The answer is to keep a list of the 13 root servers' IPs on disk, in a file called (appropriately enough) "root.hints".

        J is *one* of the root servers, and it has changed its IP. Therefore at some point people should update their root.hints files to reflect this change.

        There's no hurry, because the other 12 haven't moved, and over time the update will tend to happen without any special help as you upgrade your DNS install, etc.
      • Competly wrong.
        Here is how it actually works.

        Your computer contacts your ISPs DNS server asking where www.slashdot.org is. That computer if it knows the answer (which it often does as it keeps stores request for a few hours) Tells you the answer, if it doesn't or it only knows the partial answer (it might know the DNS server for slashdot.org in which it would go straight there and ask where www.slashdot.org is. Anyways your ISPs DNs server will assuming it didn't know the answer and immediently tell you, do one of two things, depending upon how its programmed, very small isps or most company intranet DNS servers, will ask its ISPs DNS server. Or assuming its a normal ISP with randomly pick one of X number of servers. (by my list, (not updated sence 1997) 14 different servers A.ROOT-SERVERS.NET to M.ROOT-SERVERS.NET) Of course the IP address of these servers are more important than the names. This server tells me that slashdot.org's domain name records are stored at ns1.osdn.com (and ns2 and ns3 as backups) and gives these ip addresses of ns1.osdn.org and the backups, then tells my local dns to keep this info on hand for just short of 2 days. My DNs server then asks ns1.osdn.org just where I can find www.slashdot.org, this server will answer me.
      • by AndroidCat ( 229562 ) on Thursday November 07, 2002 @06:18PM (#4620478) Homepage
        In the same way that requests go down the tree to find the server, requests go up the tree to the root servers. (Up the tree to the roots, hmm!)

        If your immediate DNS handled a request for slashdot.org two seconds previously, it should still be cached -- no need to bother a root server over that. Any request would have go up several levels before a root server would be bothered with it. (Otherwise they'd be continually /.'ed :^)

        The root servers could all disappear without a lot of disruption, but only for a short time until the cache entries started timing out.

        My backup plan is to toss the entire name space into my local hosts file. I've already got DoubleClick in there for testing. :^)

    • by Shagg ( 99693 ) on Thursday November 07, 2002 @05:22PM (#4619780)
      Think of it like this:

      If you are looking for the phone number for a company you've never called before, you want to look in the Yellow Pages to find it. Now if your wife has moved the Yellow Pages to a different room in the house, you need to know where she put it. However, in this case it's more like there are 13 copies of the Yellow Pages in your home, and she's only moved one of them... so it's not too big of a deal. It's also not something you need to know unless you run a DNS server.
      • Now if your wife has moved the Yellow Pages to a different room in the house, you need to know where she put it. However, in this case it's more like there are 13 copies of the Yellow Pages in your home, and she's only moved one of them... so it's not too big of a deal.

        I don't give a damn about the Yellow Pages, I just wish she'd stop leaving the frigg'n cordless phone burried in a pile of freshly folded laundry.

        -
  • by Hairy_Potter ( 219096 ) on Thursday November 07, 2002 @04:03PM (#4619049) Homepage
    the internet. Don't every one go J.ROOT-NET.NET now.
    • by Anonymous Coward

      that DDOS attacks are covered under the U.S.A.
      "Patriot" Act.

      Very truly yours,

      J. Ashcroft

      _)*&^%$$

      Be Patriotic: Smoke Amerikan Grown Marijuana
    • by br0ck ( 237309 ) on Thursday November 07, 2002 @04:17PM (#4619197)
      Oddly, the reply [cctec.com] to the NANOG post [cctec.com] about the change encourages people to hold off on downloding the hints file to prevent Slashdotting internic.net since. The reply claims that the update is not at all critical.
      • Its not at all critical and there is a reason its called a "hint" file.

        When you start up bind, it will loads the hints file. when you do a dns query where it has to go to the root, it grabs one out of the hints and does a lookup while timimg how long that server took. Its then continues through the list using the one with the lowest time and it increments a running average so that it will retry all the roots over time. At some point during this process it will find out the serail number of the root zone isn't quite what it expected and then will ask the a root server for the list of root servers. If your bind has been running for weeks, months or years, it already has the new data. Its just the startup data that has one wrong entry -- if you've been running a recent zone file, I've seen servers that runing hint files that are close to a decade old.

        If you don't want to /. the ftp server,
        $ dig @a.ROOT-SERVERS.NET. . ns > root.hints

        This would only be an urgent issue if they address of one of the root servers was assigned to a different group.
  • bah. (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Thursday November 07, 2002 @04:03PM (#4619051) Homepage Journal

    Whenever I go near a "root zone" I end up getting pepper sprayed and charged with sexual assault.

  • by dannyp ( 62358 ) on Thursday November 07, 2002 @04:06PM (#4619081)
    ....the day before. See the message [cctec.com]. Granted not much warning, but it wasn't silent.
    • " ....the day before. See the message [cctec.com]. Granted not much warning, but it wasn't silent."

      I see the message but the PGP key fingerprint does not match his key on the server for some reason. (Not that the meassage isn't accurate.)

      crain@icann.]org
      fingerprint: 1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7

    • by l1_wulf ( 602905 ) <<l1wulf> <at> <gmail.com>> on Thursday November 07, 2002 @04:49PM (#4619475) Homepage Journal
      As it has been pointed out further down (for those of us that sort by score), this is truly a non-event and makes no significant impact on the typical /. reader. I will not take credit for the following information, but will quote someone that I think summed up the situation enough to hopefully keep the average Joe from /.ing any of the links posted in the article above. ccandreva posted
      This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running. Also, the announcement says that the server will respond on both IP addresses "for the forseeable future".
      Essentially, unless you know specifically that you are directly affected by this change, and can explain in detail why exactly you need this information right now, there is no need to /. any of the links above. If you run a linux box and keep your builds rather current, then I can assure you that there is no need to update. Think about it, the last change was 5 years ago, there should not be a major rush to update for the majority of us.
  • by myowntrueself ( 607117 ) on Thursday November 07, 2002 @04:06PM (#4619086)
    that we are going to need Microsoft passport to make changes to DNS now?
  • protocols? (Score:2, Flamebait)

    by ftide ( 454731 )
    are there written protocols & procedures for this activity agreed upon by the community?

    where's the oversight? who made the decision that changed the root zone? A *.int (intl. exchange) entity should mandate or govern root zone oversight, not some U$ corporate shill.
    • Re:protocols? (Score:3, Informative)

      by Anonymous Coward
      IANA made the decision and they are the appropriate authority to do such things.
      • by pyros ( 61399 )
        IANA made the

        Did anyone else read that and ask "You are not a what? And who made the decision? Finish your damn sentence!"
  • a quick theory (Score:5, Insightful)

    by cr@ckwhore ( 165454 ) on Thursday November 07, 2002 @04:11PM (#4619130) Homepage
    Following the recent DOS attacks against the root servers, it wouldn't surprise me if this move is only a small part of a bigger story. I'm willing to bet that modifications are being made to the networking and security of the root servers that will better prepare the entire root system for future attacks. The move of J. is probably just the tip of the clandestine "ice berg".

    • Re:a quick theory (Score:3, Informative)

      by bugpit ( 588944 )
      See the CNET article, Key Internet server moved for security [com.com], tho Verisign claims that the timing was coincidental.
    • RFC 2010 has the guidelines on what is needed for a root nameserver operations. Those guidelines had not been followed as closely as they should have. My feeling is that even as a result of the recent DOS attacks that they are trying to bring everything to ATLEAST rfc2010 standards and then maybe improve some more... esp. since that RFC was written in 1996, WAY before any of the "new" DOS attacks {like the ones that got Yahoo....) were so easy to do...

      http://www.ietf.org/rfc/rfc2010.txt?number=2010
    • Following the recent DOS attacks against the root servers

      You mean like posting the IP on slashdot for all previously unknowing script kiddies to see? :)
  • by toastyman ( 23954 ) <toasty@dragondata.com> on Thursday November 07, 2002 @04:12PM (#4619137) Homepage
    To quote Sean Donelan's post on NANOG:

    Since its been 5 years since the hints/cache boot file has changed,

    it may be useful to remind people an immediate change to your
    local configuration files is not required. You don't need to
    slashdot internic.net tomorrow morning trying to download the file.

    As long as 1 listed IP address responds with the current list of root
    servers, the server doesn't even need to be a root server itself, your
    name server should figure out who are the current roots. In the 1980's
    and 1990's when the hints/cache file changed regularly, some people when
    years without updating it. Or only updated it when they upgraded their
    name server code.

    Don't Panic.


    To sum up: You don't need to change anything. As long as one of the 13 servers in your hints/cache file responds, your name server will download the updated list on startup. You only have to worry if you've put off updating it so long that all 13 servers have changed IP's. Pretty unlikely, since that would be a hints file that's more than 10 years old at least. (You're not running Linux, anyway...)

    And no, this isn't verisign-causing-instability-as-usual. They're actually trying to help it. Before this change, both a.root-servers.net and j.root-servers.net were in the same /24 and in the same BGP annoucement. They're moving things around a bit(presumably) to increase reliability and redundancy.
  • Anyone that cares... (Score:5, Informative)

    by pirodude ( 54707 ) on Thursday November 07, 2002 @04:12PM (#4619139) Homepage
    Anyone that cares and needs to know about it was properly notified. There was a post to NANOG 3 days ago about it:

    *****PLEASE NOTE*****
    This is an important Informational Message to the internet community:

    November 5, 2002, the IP address for J.root-servers.net will
    change in the authoritative NS set for "dot". The change will
    be reflected in zone serial # 2002110501.

    The new set of servers authoritative for "dot" will be:
    A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4
    H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53
    C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12
    G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4
    F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241
    B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107
    J.ROOT-SERVERS.NET. 5w6d16h IN A 192.58.128.30
    K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129
    L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12
    M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33
    I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17
    E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10
    D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90

    This WILL require a change to your root hints file. The new
    file will be available via anonymous ftp from
    rs.internic.net:/domain/named.root as well as
    ftp.internic.net:/doamin/named.root starting 11/5/02 1700UTC (12pm
    EST/9am PST).

    Both the new and old j.root-servers.net IP space will provide
    answers in parallel for the foreseeable future.

    _________________________________________

    John Crain
    Manager of Technical Operations
    ICANN/IANA

    crain@icann.org
    1AF4 F638 4B2D 3EF2 F9BA 99E4 8D85 69A7
  • by karl.auerbach ( 157250 ) on Thursday November 07, 2002 @04:12PM (#4619153) Homepage
    This move is "a good thing".

    The J server shared a broadcast domain (i.e. it was on the same Ethernet) as the A root server. That's was clearly sub-optimal.

    So this move is good in that it creates a small bit of physical separation and a bit larger amount of net-topological separation between the J and A root servers.

    I hear that the old server will continue in operation for an indefinite period - so there is no need to rush out and update your "hints" file for your DNS resolvers - you can do it at your leasure and you probably won't notice even if you forget to do it.

    (Even if the old server is turned off - as long as a bogus server doesn't replace it, when DNS resolvers that are using the old hints file come up and look for a root zone definition, they will simply bypass the non-responsive absent server and try the other hints.)

    But there is another issue - A change in the "hints" is always a nuisance. And since we are incurring this nuisance, I wonder why we did not use this as an opportunity to redress the imbalance of root server placement - there are few root servers in Europe and Asia, and rather than simply moving the J server from one side of Herndon, Virginia to another, why wasn't it moved to Europe of Asia?
    • "I wonder why we did not use this as an opportunity to redress the imbalance of root server placement"

      I'm guessing (and yes, guessing) that it was just to be conservative. There's probably a lot less to do, far fewer people to involve to move a machine across town, that to implement a geographically distributed bunch of servers. Setting up a DNS server and plugging it in might be easy, but coordinating different teams, new locations, procedures, languages for administration etc. isn't trivial.

      In fact it's probably a little fiddly procedurally, and a lot fiddly politically. Probably one of those things that gets mired for years.

      • by valdis ( 160799 ) on Thursday November 07, 2002 @05:22PM (#4619783)
        Quite correct - there's only a little bit of procedurally/technically fiddly about it.

        Your average root nameserver gets hit for about 100M queries per day (or on the order of 1,500 per second). See http://www.caida.org/~kkeys/dns/ for details. A root nameserver is expected to get pounded on by *mostly* invalid queries (see http://www.nanog.org/mtg-0210/wessels.html). The Wessels data was *normal production* workload, not during a DDoS.

        All the usual considerations regarding BGP multihoming and hardware redundancy apply. There's reasons why the servers are Sun E10K or large IBM boxes or similar big iron, and why people who have just a T-1 from Barney's ISP, Bait, and Tackle Shop need not apply.

        Of course, there's nothing in the above that can't be solved by applying clue and dollars. However...

        Ever priced a E10K? And noticed that most of the root nameservers are basically donated by their hosts? That's where the politically fiddly comes in - the number of places that are clued enough to run a root DNS, network connected well enough to be worth it, and willing to donate the resources to do it, is a lot smaller than you might expect...
    • If there's no conspiracy, why are we all crouching around a table in a smoke filled room going over printed transcripts of your VoIP conversations for the past week, huh, smart guy?

      Just because we at Verisign have no sinister motives in moving a god damned computer does NOT mean that we're not involved in any conspiracies!

      As another example, our co-conspirators at the NSA just closed a loophole that let members of their alien autopsy division take extra paid sickdays even if they've never been exposed to any alien tissue (and thus, to the space virus). This was a totally inoccuous cost cutting measure, and not part of their conspiracy to conceal the existence the aliens. Does this mean the conspiracy doesn't exist? Absolutely not!
  • stupid tagline (Score:5, Informative)

    by GigsVT ( 208848 ) on Thursday November 07, 2002 @04:15PM (#4619174) Journal
    "Causing instability as usual"?

    You only need one root server, there are 12 others. In fact, it safe to just wait until the next time you upgrade BIND or your operating system... running an out of date file won't hurt anything.

    There was no reason to announce anything here. This is really a non-event.
  • umm... (Score:5, Funny)

    by Triv ( 181010 ) on Thursday November 07, 2002 @04:18PM (#4619213) Journal
    An anonymous reader writes

    Ok. I got that. Next.

    "The day before yesterday the root zone was silently changed for the first time in 5 years.

    That's english at least. Something changed. Hopefully the rest will tell me what.

    The change was to J.ROOT-SERVERS.NET that is now managed by Verisign.

    Verisign's evil, right?

    The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced.

    Conspiracies are bad, right?

    An interesing sidenote is this thread on the IETF discussion list." the_proton writes "The server j.root-servers.net has changed IP address to 192.58.128.30. The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root. The new zone serial number is 2002110501."

    [Brain explodes]

    (Isn't it amazing when you read something written in your own language and don't understand a word of what's being said?) ;)

    Triv
    • >> Isn't it amazing when you read something written in your own language and don't understand a word of what's being said?

      This should have come with a warning similar to the ones on a lot of linux kernel options: If you don't have any idea what this is talking about, then it doesn't affect you.
      This is only important to those of us who run our own DNS servers; the root servers are basically the "upstream" source from which all other DNS servers get their information.
    • The biased opinions are required material to get your submission posted by Michael.
  • Getting root.hints (Score:5, Informative)

    by image ( 13487 ) on Thursday November 07, 2002 @04:19PM (#4619224) Homepage
    > The new root zone hints can be grabbed from ftp://rs.internic.net/domain/named.root or ftp://ftp.internic.net/domain/named.root.

    For those running bind, you may want to try this instead:

    dig @e.root-servers.net . ns > root.hints

    It will generate the root list automatically, ready for you to drop into /var/named/ (or wherever you installed it).
    • [root@localhost named]# perl -pi.orig -e "s'198.41.0.10'192.58.128.30'" /var/named/named.ca

      [root@localhost named]# diff /var/named/named.ca /var/named/named.ca.orig
      67c67
      < J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
      ---
      > J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
    • For those running bind, you may want to try this instead:

      dig @e.root-servers.net . ns > root.hints


      Or, even simpler:

      dig @a.root-servers.net > root.hints

      (pick any letter from a-m to use in place of a; they should all work, even j)
    • For those running bind, you may want to try this instead:

      Yeah, because "wget ftp://ftp.internic.net/domain/named.root ; cp named.root /var/named/named.ca" is WAY more complicated.

      Belloc
  • Not that big a deal (Score:5, Informative)

    by ccandreva ( 409807 ) <chris@westnet.com> on Thursday November 07, 2002 @04:20PM (#4619234) Homepage
    This post is leaving out some details that were brought up on the NANOG mailing list.

    This is not a change that needs to be done immediately. For one thing, there are 13 (A - M) root servers. As long as your name server can contact one of them, it will download the latest list at start-up, so your root file can be fairly out of date, and still be fine when running.

    Also, the announcement says that the server will respond on both IP addresses "for the forseeable future".

    This isn't a question of flipping a switch and everyone having to update their servers at once. A big public announcement would probably just have confused most users for no good reason.
  • by Kj0n ( 245572 ) on Thursday November 07, 2002 @04:21PM (#4619250)
    Since when I look up the SOA record for the root domain, it gives a serial number of 2002110700 instead of 2002220501.
  • by PacketMaster ( 65250 ) on Thursday November 07, 2002 @04:23PM (#4619264) Homepage
    Please don't /. the named.root files Don't click on it just because you're curious to see what they look like. People need to legitimately access those files to update their DNS servers and flooding the FTP with meaningless requests is highly counterproductive.

    Also, Slashdot editors, why even let those links get posted? Every person with a browser is clicking on those to see what they look like and making them inaccessable to people who need them. People who need to see them or access them know where they're at already and people who are that curious should exercise a little personal initiative and go find out where to get them. It's irresponsible on the part of /. to let this happen. Slashdotting a news site is one thing, but Slashdotting internic is a very different can.
    • by Anonymous Coward
      I don't know, I clicked on the link 100 times and it worked ok for me.
    • Nobody needs to legitimately access those files to update their DNS servers. Everything will continue to work fine even if nobody could access those files. Even if you NEEDED to update your root hints file (which you don't), you can always lookup the NS records on another root server and output it to your hints file.

      Nice troll though, it went totally unnoticed until now.
    • I wasn't going to click the link, but you make it sound soooooo naughty... ;)
    • Why shouldn't somebody look if they are curious? I often hear about problems resulting from people not knowing enough about computers and the internet, perhaps looking at these root files is a good thing -- certainly some people will just be confused, but others might actually be even more curious and try to figure out what they mean.

      Any extra bit of knowledge anybody has about the internet probably helps everybody in the long run.

      And in any case, since nobody needs this root file immediately, and since the /. effect disappears in a few days, there shouldn't be any concern. At very least, consider this a fair test of the system, we wouldn't want our root name servers running on anything not-up-to-the-job, would we?
    • People need to legitimately access those files to update their DNS servers and flooding the FTP with meaningless requests is highly counterproductive.

      No they don't. People need to type:
      dig @a.root-servers.net > root.hints
      and they'll get exactly the same thing. Much faster and easier, and you can't tell me we're going to slashdot a root nameserver by sending it a bunch of DNS queries like this - that's what root nameservers handle all day.
    • Please don't /. the named.root files.

      Oh get serious.

      1) Slashdot is not that big. I think the Internet's root servers just might be able to handle a bigger load than you think.

      2) There are 12 (?) other root servers out there to get your root hints from. If any sysadmins out there give up on downloading the root hints because one freakin' server doesn't respond - well, they've got bigger problems.
  • by Anonymous Coward
    [OS/390]$ whois root-servers.net
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain names in the .com, .net, and .org domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: ROOT-SERVERS.NET
    Registrar: NETWORK SOLUTIONS, INC.
    Whois Server: whois.networksolutions.com
    Referral URL: http://www.networksolutions.com
    Name Server: A.ROOT-SERVERS.NET
    Name Server: F.ROOT-SERVERS.NET
    Name Server: J.ROOT-SERVERS.NET
    Name Server: K.ROOT-SERVERS.NET
    Updated Date: 23-aug-2002

    >>> Last update of whois database: Thu, 7 Nov 2002 05:05:26 EST <<<
    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    [whois.networksolutions.com]
    The Data in the VeriSign Registrar WHOIS database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information about
    or related to a domain name registration record. VeriSign does not guarantee
    its accuracy. Additionally, the data may not reflect updates to billing contact
    information. By submitting a WHOIS query, you agree to use this Data only
    for lawful purposes and that under no circumstances will you use this Data to:
    (1) allow, enable, or otherwise support the transmission of mass unsolicited,
    commercial advertising or solicitations via e-mail, telephone, or facsimile; or
    (2) enable high volume, automated, electronic processes that apply to VeriSign
    (or its computer systems). The compilation, repackaging, dissemination or
    other use of this Data is expressly prohibited without the prior written
    consent of VeriSign. VeriSign reserves the right to terminate your access to
    the VeriSign Registrar WHOIS database in its sole discretion, including
    without limitation, for excessive querying of the WHOIS database or for failure
    to otherwise abide by this policy. VeriSign reserves the right to modify these
    terms at any time. By submitting this query, you agree to abide by this policy.

    Registrant:
    VERISIGN GLOBAL REGISTRY SERVICES (ROOT-SERVERS-DOM)
    21345 Ridgetop Circle
    Dulles, VA 20166
    US

    Domain Name: ROOT-SERVERS.NET

    Administrative Contact:
    Internet Assigned Numbers Authority (IANA) iana@IANA.ORG
    4676 Admiralty Way, Suite 330
    Marina del Rey, CA 90292
    US
    310-823-9358
    Fax- 310-823-8649
    Technical Contact:
    VeriSign Global Registry Services (REGISTRY) nocnoc@VERISIGN.COM
    21345 Ridgetop Circle
    Dulles, VA 20166
    US
    703-948-7064
    Fax-703-421-6703

    Record expires on 05-Jul-2005.
    Record created on 04-Jul-1995.
    Database last updated on 7-Nov-2002 15:25:52 EST.

    Domain servers in listed order:

    A.ROOT-SERVERS.NET 198.41.0.4
    F.ROOT-SERVERS.NET 192.5.5.241
    J.ROOT-SERVERS.NET 198.41.0.10
    K.ROOT-SERVERS.NET 193.0.14.129
  • newspaper had it (Score:3, Informative)

    by jeavis ( 198354 ) on Thursday November 07, 2002 @04:32PM (#4619342)
    A short blurb on this appeared in my local paper today (they don't have it online, sorry). The gist of it is Verisign physically relocated the server to another building on their campus. The stated intent was (1) to move it to an undisclosed location in the interest of physical security, and (2) to get it off a network segment that another root server (a.root-servers.net) was already on.
  • DDOS (Score:3, Interesting)

    by dirvish ( 574948 ) <<moc.swendnuof> <ta> <hsivrid>> on Thursday November 07, 2002 @04:33PM (#4619351) Homepage Journal
    Does this have to do with the DDOS attacks that happened a couple weeks ago? Why else would they not make an announcement? OTOH, the perpetrators of the attacks wouldn't be fooled for long by a name change.
    • Re:DDOS (Score:2, Informative)

      by winnetou ( 19042 )
      Does this have to do with the DDOS attacks that happened a couple weeks ago?
      Possibly, a and j.root-servers.net are now in different netblocks, making a DDoS a bit more difficult.

      Why else would they not make an announcement?
      Because nameservers use the "hints" zone as a hints zone, i.e. they will fetch the authoritative nameservers using the IP addresses in the "hints" zone to find an answering nameserver.
      Since j.root-servers.net will continue to answer at the old address, no one will notice the change.

      • > Since j.root-servers.net will continue to answer at
        > the old address, no one will notice the change.

        Wouldn't that mean you could STILL DDoS both A and J at the same time?
  • The server j.root-servers.net has changed IP address to 192.58.128.30.

    Wow, that's pretty close to my home network address!
  • by winnetou ( 19042 ) <erik@warbase.selwerd.nl> on Thursday November 07, 2002 @04:37PM (#4619382) Homepage
    j.root-servers.net was 198.41.0.10 in 198.41.0.0/22, owned by VeriSign Global Registry Services.
    j.root-servers.net is 192.58.128.30 now, in 192.58.128.0/24, owned by VeriSign Global Registry Services.
    Having both a and j in the same netblock was not a good idea (remember what happened to Microsoft when they had all nameservers in the same netblock?).
    See ARIN [arin.net] and ARIN again [arin.net].
  • Whoa. (Score:3, Funny)

    by StupidKatz ( 467476 ) on Thursday November 07, 2002 @04:51PM (#4619486)
    $ ftp rs.internic.net
    Connected to rs.internic.net (198.41.0.6).
    in.ftpd: error in loading shared libraries: libdl.so.2: cannot open shared object file: Error 23
    ftp>

    Slashdotted an FTP server. On some sort of *nix. Ouch.
  • by GLX ( 514482 ) on Thursday November 07, 2002 @04:54PM (#4619504) Homepage
    When the change was announced, they noted specifically that the current J.ROOT-SERVERS.NET will stay in existance with it's current IP (just no direct DNS entry) and the new one has been moved to a different IP block for DoS protection... The current one will exist for awhile to come.

    This isn't really news...
  • Instability? WTF? (Score:4, Insightful)

    by alexjohns ( 53323 ) <{almuric} {at} {gmail.com}> on Thursday November 07, 2002 @05:12PM (#4619686) Journal
    "verisign-causing-instability-as-usual dept."
    Michael Sims, you're a fucking idiot. You know nothing about the way the internet works. In no way, shape, or form does this cause any instability whatsoever. It improves stability, however slightly.

    You might want to stick to articles about politics or censorship or something. Technical issues don't appear to be your forté.

    • Wow. Score: 5. For calling someone an idiot. Perhaps there's too many mod points floating around. :)

      Has anyone noticed that Michael likes to post snide insider-like comments in articles he posts? The problem is that they're sometimes wrong. It's like he's the outsider kid trying to get into the in-clique, but he keeps screwing it up.

      Wonder how long it will be before he discovers this threads and super-mods me down to -1?

  • For DjbDNS users (Score:4, Informative)

    by chrysalis ( 50680 ) on Thursday November 07, 2002 @05:23PM (#4619791) Homepage
    You must put this in your /etc/dnscache/root/servers/@ file :

    128.63.2.53
    128.8.10.90
    128.9.0.107
    192.112.3 6.4
    192.203.230.10
    192.33.4.12
    192.36.148.17
    1 92.5.5.241
    192.58.128.30
    193.0.14.129
    198.32.64 .12
    198.41.0.4
    202.12.27.33

  • If your DNS admin has some savvy, this link [dev.null] should work for you.
    If not, visit
    OpenNIC [unrated.net] and then ask your DNS admin to support OpenNIC and erode ICANN's dictatorial regime.
  • by Skjellifetti ( 561341 ) on Thursday November 07, 2002 @06:00PM (#4620245) Journal
    How is this [named.root/db.cache] kept up to date? As the network administrator [of your local network], that's your responsibility. Some old versions of BIND did update this file periodically. That feature was disabled, though; apparently it didn't work as well as the authors had hoped. Sometimes the db.cache file is mailed to the bind-users [isc.org] or namedroppers [vlsm.org] list mailing list. If you are on one of those lists, you are likely to hear about changes. (pg 68)

    Bottom line: If you run a nameserver it is your responsibility to keep it up to date. That includes knowing how changes are announced. BIND [isc.org] has also had several well known security problems. If you are running a version < 8.2.5 you should upgrade that as well.
  • by MavEtJu ( 241979 ) <.gro.ujtevam. .ta. .todhsals.> on Thursday November 07, 2002 @06:10PM (#4620363) Homepage
    The usual sites don't breathe a word about this change however as one would expect for such a change to be properly announced.

    The impact of this change is close to zero. The announcement is only necessary for people who distribute name-server software. Why?

    - Only the hints-file needs to be changed. The hints file bootstraps the DNS software on where it can find the .-zone. After that has been found, this data is not needed anymore.

    - There are still 12 other perfectly reachable servers in the hints-file. They give you all the information needed.

    - On the old IP address, a server will keep running for a while.

    - Unless you're working for an ISP, you don't need this information. The majority of the internet (windows users) don't have to change anything, they just run use their ISPs nameservers. The majority of the minority of the internet also use the nameservers of the ISP. Only a relative small group run their own servers.

    So dear anonymous writer, don't be afraid, the internet is not going to break because of this. No reason for panic, all is fine.
  • by Anonymous Coward on Thursday November 07, 2002 @06:15PM (#4620437)

    I'm surprised that only one poster has even noticed that Slashdotters are barking up the wrong tree, but even (s)he didn't quite make the connection.



    For the most part, root.hints files are maintained by OS/Distribution maintainers, not DNS admins. The hints file is only used to bootstrap a DNS server which will (well, should) retrieve an authoritative copy of the root zone shortly after startup and then rely on that instead. As long as just one of the 13 root server IP addresses listed in a DNS server's root.hints file is correct, the server will successfully retrieve the updated root zone. At the rate at which changes are made to the root zone (or at least, to its delegated servers), it is likely that this condition will hold true for the next 10-20 years.



    So, as long as DNS server admins perform an OS upgrade sometime between now and the year 2012, they need not touch their server configuration at all; the change will be handled automatically.

  • DNS Server Moved (Score:3, Informative)

    by Steve0987 ( 604559 ) on Thursday November 07, 2002 @06:20PM (#4620510)
    As the href="http://computerworld.com/newsletter/0%2C4902 %2C75711%2C0.html?nlid=AM"article in Computer World explains, the move of the DNS server was done for both physical seperation and to move it onto a different LAN segment.
  • That's quite simple (Score:3, Interesting)

    by BrunoC ( 540199 ) <brunoc@gmai l . com> on Friday November 08, 2002 @12:37AM (#4623068)
    Just a few points here: - I don't think there's a conspiracy here. J is moving and that's it. ICANN does not have to go "stop the presses! J ROOT SERVER is moving". They just have to release the new hints file. There's no need to panic, as someone posted before. - The 13 root servers were attacked, A (hosted by Verisign at undisclosed location [securityfocus.com] ) survived the attack and J didn't. Why not move J to a safer place? - Improving the security of the root servers is a *good* thing, not a bad one. The root servers network is a sensitive one, and everything done there must be done very carefully, especially after the DDoS. - Go get some sleep, the root servers around the world will grant you the right to translate IP addresses :)

I never cheated an honest man, only rascals. They wanted something for nothing. I gave them nothing for something. -- Joseph "Yellow Kid" Weil

Working...