[dns-operations] root? we don't need no stinkin' root!

Florian Weimer fw at deneb.enyo.de
Thu Nov 28 08:32:28 UTC 2019


* Ondřej Surý:

>> Raw change rates do not tell us if zones keep at least some of
>> their servers at constant addresses over really, really long
>> periods of time.
>
> .bank
> - deleted NS {ac1|ac2}.nstld.com. and added NS {a|b|c}.nic.bank. on November 20
> and
> - deleted NS {ac3|ac4}.nstld.com. and added NS {d|e|f}.nic.bank. on November 23
>
> Does that answer your question?

{a,b,c,d,e,f}.nic.bank and ac{1..4}.nstld.com seem to have
non-overlapping addresses.

I think this means that a simple update protocol (such as that
currently used for tzdata, or the root key and initial set of DNS
server addresses) will not be very reliable (at least until these
practices change).

I'm not sure if a different update protocol would be much of an
improvement over using the current with NSEC synthesis enabled.  (It
would be nice if resolver software allowed configuring that for the
root separately.)



