Verisign Plans DNS Changes 161
NetWizard writes "According to a recent NANOG post and an InfoWorld story, 'Verisign will change the serial number format and "minimum" value in the .com and .net zones' SOA records on or shortly after 9 February 2004'. They seemed to have learned their lesson, from the post: 'There should be no end-user impact resulting from these changes (though it's conceivable that some people have processes that rely on the semantics of the .com/.net serial number.) But because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.)'"
Stop Changing DNS (Score:3, Insightful)
STOP FUCKING CHANGING THINGS!
Re:Stop Changing DNS (Score:2)
Re:Stop Changing DNS (Score:5, Insightful)
Re:Stop Changing DNS (Score:4, Insightful)
Re:Stop Changing DNS (Score:5, Insightful)
Re:Stop Changing DNS (Score:1)
Re:Stop Changing DNS (Score:3, Insightful)
I've always had a problem with change for the sake of change. The current system allows them, in their semantic "the SOA value must represent the date" methodology alr
Re:Stop Changing DNS (Score:5, Informative)
The above isn't meant as an excuse, just an explanation as to why this will undoubtly break someone's something. Then you get back to the old 'change is good' but not if it causes trouble, then 'change is bad'[tm]. At some point we're going to have to make big changes to the infrastructure and things will break regardless of compatability. we might as well get used to it (though as always, having a decent explanation wouldn't be a bad thing[tm])
Re:Stop Changing DNS (Score:2, Insightful)
Re:Stop Changing DNS (Score:2, Informative)
Get a grip man (Score:3, Insightful)
How bout
Bitch at NSI
Trying to regain trust? (Score:3, Interesting)
The last sentence sounds like they want to emphasize that they're announcing this so early so the no one panics when all of a sudden something changes, I guess it's good that they're trying to rebuild trust.
Re:Trying to regain trust? (Score:1, Flamebait)
Yup, 30 days notice. Probably the minimum notice period allowed! Hardly 'early'
Re:Trying to regain trust? (Score:1)
"There should be no end-user impact" (Score:4, Interesting)
Although unlikeley, there is a potential for collateral damage here. Is there anyone at Verisign willing to post the logic behind making the changes in the fist place? I can't see where there would be a business case when someone would jump up and say "We could make a billion dollars, but only if we change the way we determine DNS serial numbers for the
I've been watching too many Dell commercials lately...
Re:"There should be no end-user impact" (Score:5, Informative)
The previous format, YYYYMMDDNN (where NN is an arbitrary sequence number), conforms to no standard but its own. The UNIX timestamp format is recognised by any date/time manipulation tool worth using, as well as being a standard (de facto or otherwise, I don't know). While switching format now is a PITA for those who have already written tools that work with it, it will make future development fractionally easier, as well as allowing more accuracy than could practically be used.
Then again, they could just leave things alone.
ISO 8601 specifies YYYYMMDD (Score:5, Informative)
YYYY-MM-DD and YYYYMMDD are both standards-compliant.
Seriously, if you've never heard of this standard, read up. Whenever I need to stick a date or a time on something in text form, I just do it the ISO 8601 way.
Re:ISO 8601 specifies YYYYMMDD (Score:3, Insightful)
Re:ISO 8601 specifies YYYYMMDD (Score:2, Funny)
I don't know if there's an international standard for counters,
but there's certainly a
Lesson 2, "concatenation", to follow in my next post.
YAW.
Re:ISO 8601 specifies YYYYMMDD (Score:2, Interesting)
The real question is why is Verisign prepping to increase the update cycle, and is this a good thing?
Re:ISO 8601 specifies YYYYMMDD (Score:3, Informative)
Re:ISO 8601 specifies YYYYMMDD (Score:3, Interesting)
Luckily I know it isn't. Unfortunately I suspect the verisign way will break stuff unless they're careful eg.
Today is:
2004011001 in DNS time
1073760813 in Unix time
DNS time > Unix time... a lot of DNS systems (bind does this for example) will take the record with the largest number - there's scope for masses of confusion here.
Re:ISO 8601 specifies YYYYMMDD (Score:2)
But surely this applies only to the secondaries that transfer via AXFR? Most people deny general AXFRs and add explicit IPs of those who can, so they should know EXACTLY who needs to refresh the zones manually.
A couple of years ago I switched two standard DNS clusters onto a third unix epoch based DNS with no problems.
Re:ISO 8601 specifies YYYYMMDD (Score:2)
The DNS spec specifically states that the value is to be compared using MOD 2**32 arithmetic. Besides, the serial number is only supposed to be used for DNS slaves to sync from the master, so it doesn't really matter.
Like the metric system... (Score:2)
Re:Like the metric system... (Score:2)
Yes, we Americans have "our own" date and time system that isn't metric. (Same with the rest of the world, by the way, except for those idiots at Swatch [computeruser.com] who just want to sell more cheesy plastic watches.) So I guess we're a bunch of assholes who are too damn stupid to figure out metrics, right??
Am I the only one here on Slashdot who's fed up with the knee-jerk America bashing???
Re:Like the metric system... (Score:2)
- Metrics? For representing date information? Are you out of your fucking mind?
Oh, sorry, I ment "Like the metric system"....erm...HEY! That's the title of my post! Would you look at that!
...and, HEY! I'm an Amercian of the U-S-A veriety too! Wow! Amazing!
Re:Like the metric system... (Score:2)
If you take "metric system" to mean a system of measurement that's derived from base-10, then a system is either metric or not. It can't be "like metric". It either is or it isn't...
First, so what? There are plenty of Americans who engage in America-bashing. And second, you said with respect to metrics "in the US people can't seem to grasp the concept", in effect saying, "those dumb American
Re:Like the metric system... (Score:2)
Re:Like the metric system... (Score:2)
Both the U.S. and ISO standards, when truncated to just month and day, are identical. 12/11 or 12-11 is December 11th, whether you use the American or the international standard.
So any confusion of what day of the year a two-separated-numbers date means is entirely the fault of European stubbornness in refusing to adopt the international standard.
Re:ISO 8601 specifies YYYYMMDD (Score:2, Informative)
That standard is completely irrelevant. It specifies how to represent an unambiguous timestamp.
DNS serial numbers are opaque tokens. There's nothing in the DNS specs. that requires them to be timestamps. All they have to do is increment by an arbitrary amount when the relevant records are updated.
Quite frankly, I'm amazed anybody has bothered writing tools that pretend they are anything but opaque. It's like assuming certain values for an etag HTTP header or something.
Re:ISO 8601 specifies YYYYMMDD (Score:3, Insightful)
Anyway, the serial number is just a revision number intended for the DNS "system" (I'm being a little vague here) to know when a SOA record has changed. There are no end-user servicable parts inside. No human but the people directly handling the coonfiguration of that record needs to know about it - including how it is formed, if
Re:"There should be no end-user impact" (Score:1)
I was under the impression that the *only* thing that the serial number stood for was a numeric sequence that the nameservers checked against to see if it had an older version of the record.
I know of several people who use straight numeric serial numbers (i.e. '1', '2', '3') and haven't had any issues since they still increment it when they make changes on the master and the slaves all see the serial # is different and update.
Re:"There should be no end-user impact" (Score:2)
Because that won't fit in a 32-bit integer. The serial number field is just that--a number. However, it's a 32-bit number, so it can't be greater than 4294967295. Other than that, who cares what format it's in, as long as it increases whenever the zone is changed?
Re:"There should be no end-user impact" (Score:2, Informative)
RTFA...
The .com and .net zones will still
be generated twice per day, but this serial number format change is in
preparation for potentially more frequent updates to these zones.
Re:"There should be no end-user impact" (Score:2, Insightful)
Eventually, the zone data could be updated every time the contents of
Re:"There should be no end-user impact" (Score:1)
Check out Power DNS [powerdns.com]. Basically it's an authorative only nameserver that gets its results directly from a database (mySQL, Postgres, Oracle). Wanna update info for a zone, it's as simple as issuing an SQL UPDATE statement and viola, your changes are live.
Re:"There should be no end-user impact" (Score:1)
If the format is different across various TLDs, anyone programming for just the .com/.net format was foolish. (Too lazy to haul out the Cricket book and check.)
Re:"There should be no end-user impact" (Score:2)
Serial number format (Score:5, Informative)
A serial number is just a 32-bit number, and is used to see if a domain has been updated. The specs. do not say anywhere that it should be in a specific format.
Re:Serial number format (Score:4, Insightful)
This looks like a good change to me. I can't imagine there would be an outcry over this if Verisign hadn't previously implemented the SiteFinder dung.
Re:Serial number format (Score:2)
More transparent decisions and pre-announcements (Score:5, Interesting)
Changes affect administrators around the globe. As part of a community, they have a responsibility to make their decisions transparent to the community, and to announce changes well-enough in advance that those who are affected have time to prepare.
This is not just a Verisign issue. The need for major Internet organizations to recognize the larger public as important stakeholders within the community is important. Awareness of the larger community should be followed by communication and actions that reflect that awareness, thus signalling a willingness to truly be a part of that community.
Verisign seems to be exhibiting a newfound awareness of community that ICANN seems to have abandoned.
I hope Verisign continues to be a good memeber of the community. Perhaps others can follow their lead.
Transparency? (Score:2)
Moral: Verisign can hardly do anything wrong with this serial number change, so it's hardly proof of goodwill. When they stop messing with other, more delicate things, they will get
Why do Verisign have this level of access anyway? (Score:5, Interesting)
Re:Why do Verisign have this level of access anywa (Score:1, Interesting)
Re:Why do Verisign have this level of access anywa (Score:1)
Re:Why do Verisign have this level of access anywa (Score:2, Interesting)
The internet infrastructure should be managed and run by the community, and not driven by commerical proliferation of services offered to enhance a companies offerings.
That was what the recent UN conference was about I suppose. But everyone wanted to dismiss that as being useless.
Re:Why do Verisign have this level of access anywa (Score:3, Insightful)
But it's be silly to give EVERYONE an equal vote in their elections, as the great majority of people have no clue ho
Re:Why do Verisign have this level of access anywa (Score:1)
But...
Not so long ago in the US only male land-owners could vote, because it was felt only they had a vested interest governance. This seems like a similar thing.
I'm not sure an Republic of the Internet would really work. You'd create even more of a chasm between the technocrat and everyone else. I think people would be resentful of exclusion.
Also, I have always been very wary of trying to "centralize" the Internet. Yes, I know ICANN is sort of.. something..
Re:Why do Verisign have this level of access anywa (Score:2)
Remember, they were the ones who wanted to "commercialize" the root DNS servers and take them "out of the hands of the academics".
Re:Why do Verisign have this level of access anywa (Score:2)
Re:Why do Verisign have this level of access anywa (Score:1)
In reality Verisign isn't in control of "too much" if it came down to it we could all just start up our own registry database (mirrored from the existing) and make a transperent change in how computers resolve domains (OS developers would conform to the new standard). But right now I think they're doing fine and
Re:Why do Verisign have this level of access anywa (Score:2)
Sounds like a good idea to me. Why do you start going around, and telling the "community" that they need to start buying verisign stock... Pretty soon, the "community" will own and manage verisign.
Re:Why do Verisign have this level of access anywa (Score:2)
The fact that Verisign abuses its position of power is not in itself an indication that someone else would do a better job. Someone else might, or might not
Hey... (Score:5, Insightful)
Don't Be Silly. (Score:2)
Re:Hey... (Score:3, Informative)
Re:Hey... (Score:3, Informative)
Re:Hey... (Score:2)
Aaww just great (Score:5, Funny)
Right, so when I fall on an unresolved address, I can't even return it under warranty because the serial number has changed, and even if they did reimburse me, they changed the value. That's just flipping great...
Re:Aaww just great (actually no) (Score:2)
Even more so, when you request a name resolution for an address, they don't even (ever) give you a serial for it, just a TTL. (aka, no receipt required, we trust you, no refund,store exchange only within X seconds)
Re:Aaww just great (Score:2)
they can't handle it (Score:1)
Is it just me? (Score:5, Interesting)
From Infoworld: But the company did allow that "processes that rely on the semantics of the .com/.net serial number" could be affected.
For example, companies that have created scripts to monitor domain change on .com and .net will almost certainly need to make changes to account for the serial number change..."The damage won't be catastrophic, but some DNS servers could stop receiving updates,"
And they are planning to do this next Feb 9? Isn't that like too little time for organizations to update their systems?
I don't trust Verisign... the fact that they control such an important database accesed by millions of people around the world really frightens me. They screwed it once, they can do it again.
They should have that power removed from them. It should be on another organization (i.e. a non-profit one) that better serves internet community.
I see a problem (Score:4, Informative)
Re:I see a problem (Score:3, Funny)
Re:I see a problem (Score:1)
If managed properly it should go smoothly. I'll be bottling up my angst for their less sane proposals.
Re:I see a problem (Score:5, Informative)
Serial numbers only affect master-slave communication (and selfwritten scripts violating rfcs), but all masters and slaves for .com & .net belong to VS. See Paul Vixies reply [merit.edu] to the same question on NANUG.
Hmm... TTL900... (Score:2, Insightful)
Re:Hmm... TTL900... (Score:2)
Re:Hmm... TTL900... (Score:4, Informative)
Y2038 bug? (Score:2, Interesting)
Re:Y2038 bug? (Score:1, Informative)
Evo;ve or die (Score:2)
If you're still using a 32 bit computer in 2038 you may as well right now, begin walking around with your thumb and finger making the shape of an L on your forehead.
Re:Evo;ve or die (Score:3, Informative)
If it is, it will break because of this change. The older timestamp format had a much longer lifetime.
Of course there will be major problems in 2038, probably much worse than in 2000. This small issue will not contribute too much.
Re:Evo;ve or die (Score:1)
I am pretty sure we will still widely use 32 bits computers in many devices in 2038. Many devices will have IPv6 address, hostname and timestamps.
DNS protocol uses 32 bits for serial (Score:1)
The DNS protocol uses 32 bits for serial number. So what you should be saying is that we should be upgrading the DNS protocol before 2038, with enough lead time so all the network operators will have time to make the switch. That means we need to expand the DNS protocol to more than 32 bits (40 bits should actually be enough) by around 2008.
Re:Evo;ve or die (Score:2)
Re:Evo;ve or die (Score:2)
>Guess what happened?
Nothing?
Re:Y2038 bug? (Score:2)
-dk
Why I don't read the tech press (Score:3, Interesting)
Are there other queryable DNS servers maintained just by verisign for
Re:Why I don't read the tech press (Score:2)
Re:Why I don't read the tech press (Score:2)
Querying my ISPs DNS would accomplish the same thing in the same way, except they m
Re:Why I don't read the tech press (Score:5, Informative)
Because if you weren't, you would be saying that if your ISP has 10,000 customers, and they all ran their own caching nameservers, and all of them decide to resolve "www.google.com", then the root nameservers wouldn't really be hit with 10,000 times as many queries as if all of your little servers were properly configured.
There are two reasons to query the root nameservers directly:
That's it. Hitting them directly for routine queries is wasteful, inconsiderate, and expensive. If you weren't joking: fix your configuration. Now.
Third reason (Score:2, Informative)
Third reason:
Re:Why I don't read the tech press (Score:2)
I don't plan on changing my config
Re:Why I don't read the tech press (Score:3, Informative)
In a word: yes.
Since their upstreams are major Tier 1 providers like UUNet, Qwest and Sprint, presumably my ISPs nameservers are the cause of untold THOUSANDS of unncessary queries against the root nameservers that could easily be satisfied by the caches at UUNet, Qwest and Sprint.
If your ISP is w
Re:Why I don't read the tech press (Score:2)
Can you tell me why if this is so damaging to the 'net why Verisign or the root server operators don't block NS queries to the root servers?
Re:Why I don't read the tech press (Score:4, Informative)
That's simply not true. Customers should use their ISP's DNS server, but I don't believe ISP's should ever be forwarding queries upstream. That's just asking for problems. ISP's buy wholesale bandwidth, not services like mail forwarding or DNS forwarding (not that one couldn't do it, but it is asking for an extra level of troubleshooting and delay).
Once a lookup to the
It's all meant to scale without having needless delay or problems introduced by forwarding queries to a DNS server you cannot control.
Perhaps you can point to an RFC that says Teir2/3 ISPs should forwad DNS queries to upstream providers? Nope, thought not, not even a best practice.
Re:Why I don't read the tech press (Score:2)
Re:Why I don't read the tech press (Score:2)
But could you not also say that running your own cache at the end of a leased line is better than everyone in your network querying your ISP to resolve every request?
I'd say it's cacheing and reasonable TTLs that contribute most to reducing the load on the DNS. But I've met DNS administrators who didn't have a clue about TTLs, setting them to "300" to make sure data that had not changed in years would always be "fresh".
Re:Why I don't read the tech press (Score:2)
Absolutely correct. In BIND, you configure your ISP's DNS in the "forwarders" option and point all of the machines on your LAN to your local server. It answers any requests it can, forwards everything else to your ISP, and then tries to resolve any requests that your ISP can't manage (if there server's down, for example). The key differenc
Why is always the question (Score:4, Informative)
Seems like a positive change to me.
Re:Why is always the question (Score:4, Interesting)
Re:Why is always the question (Score:2)
As always, you don't see people that need it because nobody can do it yet.
Perhaps it will become common to go to a registrar, and buy a domain on the spot for a single-day event, or something similar.
Perhaps people that are switching site ownership don't want to wait a week for anyone to get to the new site.
Or even more likely, perhaps companies want this as some sort of load-balancing/failover mechanism... It's not instant, but 15 minutes of excess l
My serial number format lasts longer (Score:5, Interesting)
My serial number format lasts longer than Verisign's, and I still get more than 100 updates a day out of it. In fact it will last until 07:06:36 Tuesday 2 October 2096 while staying in just 9 digits (which it has been since 15:06:40 Saturday 4 September 1982). After that it goes to 10 digits, but still remains a positive signed 32 bit integer until 12:56:28 Wednesday 16 March 2242, and if unsigned 32 bit integer works everywhere else, it will go all the way to 01:53:00 Wednesday 30 May 2514.
Instead of being the count of number of seconds, as Verisign plans to use, mine is 1/4 of that value. Basically, I take the system time() value and divide by 4. By treating that value as an unsigned quantity, I won't have the Y2038 bug, either. That logic will work until 06:28:15 Sunday 7 February 2106 (past the 9 digit limit). And I can do 21600 updates a day (one every 4 seconds).
dig linuxhomepage.com. soa
Re:My serial number format lasts longer (Score:2)
Re:My serial number format lasts longer (Score:1)
That could be done. But rather than have to process it like that and either store or parse the serial value to be updated, the way I do it to take the master file (not a normal zone format) I use to generate each zone, get its last modification date from the filesystem, and produce the serial number from that. This way, I can still derive the date and time, to a 4 second resolution, from the serial number, and back track it to the archived master files if there are any issues to figure out. It's basicall
Re:My serial number format lasts longer (Score:2)