ICANN blog » root

L.root-servers.net goes IPv6

John L. Crain — Mon, 15 Dec 2008 20:20:53 +0000

Last week IANA processed a request to add AAAA records for one of the thirteen DNS root-servers.

L.root-servers.net, operated by ICANN, became the seventh of the root servers to have it’s IPv6 address records (AAAA) added into the DNS root-zone. The addition of IPv6 service is part of ICANN’s ongoing commitment to act as a leader in enabling IPv6 services throughout the DNS.

The new IPv6 address is 2001:500:3::42

To access this service DNS operators should update their hints files. In fact checking that you have the latest hints file on a regular basis is always good operational practice.

The latest hints files are available at the following URLs:

ftp://rs.internic.net/domain/named.root
ftp://ftp.internic.net/domain/named.root

The root servers currently answering on IPv6 are:

A.ROOT-SERVERS.NET 2001:503:ba3e::2:30
F.ROOT-SERVERS.NET 2001:500:2f::f
H.ROOT-SERVERS.NET 2001:500:1::803f:235
J.ROOT-SERVERS.NET 2001:503:c27::2:30
K.ROOT-SERVERS.NET 2001:7fd::1
L.ROOT-SERVERS.NET 2001:500:3::42
M.ROOT-SERVERS.NET 2001:dc3::35

Ghosts of Root Servers Past

David Conrad — Tue, 20 May 2008 03:48:10 +0000

As noticed by some in the Internet network operations community, at the beginning of May an odd event occurred as ICANN ended DNS service on the IP address formerly associated with L.ROOT-SERVERS.NET (”L-root”). Specifically, as ICANN turned off the DNS service at the address formerly used by the L-root, 198.32.64.12 (and the routing announcement by ICANN for 198.32.64.0/24), DNS root queries sent to that address instead of the new L-root address (199.7.83.42) continued to be answered.

At ICANN and for those who were aware of the situation this raised some eyebrows. Immediately after we turned off the old DNS server and noticed queries for the old address kept getting answers, we began looking into the issue by checking the DNS responses, reviewing routing system logs (including asking folks at Renesys and others for assistance), doing traceroutes from various points in the Internet, etc. Our investigation determined that the answers being provided by the machines now answering for the old L-root address were correct, returning proper referrals and answers including returning the correct address (199.7.83.42) for L-root, and as such, no immediate damage was being done. However, those answers should not have been returned period.

Why did the old L-root address keep answering?

As is well known, there are 13 root server IP addresses (and many DNS servers behind those addresses), referenced by a single letter (A through M) in the domain ROOT-SERVERS.NET. ICANN has operated L-root since 1997 or so. As part of an ongoing effort to improve L-root service, and after an extensive community consultation process, ICANN obtained a “critical infrastructure” block of addresses from ARIN and renumbered L-root out of a block that was originally intended for use at exchange points into the new block. Back in October 2007, ICANN announced this renumbering and continued to provide root name service on the old address for L-root while turning up a much beefier service on the new address. As part of the announced renumbering process, ICANN continued to answer DNS queries on the old address for 6 months, at which time root DNS service on 198.32.64.12 would cease.

On May 2, the 6 month clock expired, and we turned off root DNS service at the old address as planned. To our surprise, however, the registrant for the Exchange Point block, Bill Manning of “EP.NET, LLC.” (who under some relationship with the University of Southern California, Information Sciences Institute helps operate B.ROOT-SERVERS.NET) had entered into an agreement with a DNS hosting provider, CommunityDNS, to continue answering DNS root queries for the old L-root address.

As the folks at Renesys note, Bill Manning, as the current registrant for the superblock out of which for historical reasons the old L-root address was numbered, has the ability to re-provision the 198.32.64.0/24 address space as part of the Exchange Point block of address space. However, the continued availability of DNS root service on a “decommissioned” root server address violates the “Principle of Least Surprise”, at least for those who take a keen interest in the DNS infrastructure such as ICANN. Historically, when a root server has been renumbered, the root server operator maintains a DNS server at the old address for some period of time and then turns off service, with the address not being put back into use. The fact that queries to the old L-root address continued to be answered and ICANN, the operator of the L-root server, was unaware of agreements to continue service by a third party raises some significant areas of concern, not least of which is what should be done with IP addresses formerly used by root servers and who has the authority to make those sorts of decisions.

What did ICANN do?

After some discussion with the relevant parties, the DNS root service being provided at the old L-root address was discontinued. While undoubtedly a number of DNS queries were (and are) still being sent to the old L-root IP address, it is important to remember that the nature of the queries. When a typical DNS resolver first starts up, it uses information called the “root hints” as a list of known IP addresses for root servers. The DNS resolver will then ask one of those IP addresses (typically chosen at random) for an updated list, and then use that updated list from then on. This initial query is known as a “priming query” and only a fraction (1/13th to be precise) of priming queries from resolvers that had not updated their root hints file would have been affected — any queries following that priming query would not be affected since the answer to the priming query returns the correct root server address list.

ICANN has also been monitoring the results returned by these IP addresses through the entire time it was advertised, and believes it was always providing accurate root responses throughout its existence. ICANN continues to work with the root server operator community to improve monitoring and analysis of the root server system, aiming to ensure the continued security and stability of this critical component of the Internet.

So what does this mean for the Internet?

This incident highlights firstly how robust the DNS system is, that it continued to work flawlessly despite this issue. Given the existence of 13 root server IP addresses, only 1/13th of DNS resolvers that have not updated their root hints would have sent a priming query to the IP address formerly associated with the L-root server. However this incident also highlights how important it is for system administrators and DNS software developers to update their root hints as it becomes necessary. Thankfully, this usually only happens once every few years, and IANA sends announcements to the network operator communities when this information is updated.

ICANN, though its Root Server System Advisory Committee (RSSAC), is bringing some of the questions and issues raised by this incident to the root server community, who undoubtedly will want to consider this incident carefully.

A Root with a view…

John L. Crain — Mon, 26 Nov 2007 22:34:58 +0000

Running a DNS server that serves the root gives an interesting view into the world of the DNS.With the ongoing improvements to the ICANN operated L-ROOT we’ve been fortunate enough to be able to make use of the “DNS Statistics Collector” tool.

http://dns.measurement-factory.com/tools/dsc/

“DSC” allows us to generate different views of the DNS queries we have been seeing at the L-ROOT systems. Both to the current IP address (199.7.83.42) and to the old address (198.32.64.12).

The above graph shows the commonly queried Top Level Domains for a single day and the type of queries being asked. These are queries seen across l.root-servers.net. The TLDs change from day to day but some are persistent.No surprises in there really although some of the TLDs being queried should raise a few eyebrows.Seeing mainly addresses record queries (A and AAAA) for .com or .net, or a lot of requests for reverse delegation informations (PTR) in .arpa are logical things to see.However, “.local” is constantly in the top five of queries which is likely an indication of misconfiguration somewhere. Regular appearances are also made by “.localhost”, “.belkin”, “.home”, “.invalid”, “.localdomain” and “.domain”.I leave it to the reader to decide why this is and at whom to point fingers…

Clearly one thing is certain, a large portion of the queries we are seeing are for non existing domains and hence get answered with “NXDOMAIN” (See above).Oh and one last snippet of information. I know that sometimes people do not allow DNS queries over TCP. This is actually not a good idea. According to the RFCs it is OK to query over TCP and in the case of a large enough answer (over 512 bytes) then TCP is typically the way to get that. So although the number of TCP queries is small compared to those using UDP, they can be valid queries.

Special thanks have to go to the folks who produced DSC . If only for making my life easier.If people want to see more data or would like to hear more about what we are doing in L-ROOT operations then speak up and I will do my best to inform. After all we run this for the community.Also see http://l.root-servers.org for information on L-ROOT operations

There are not 13 root servers

Kim Davies — Thu, 15 Nov 2007 12:31:23 +0000

I am at the UN Internet Governance Forum, being held this week in Rio de Janeiro, Brazil. A recurring theme you can hear here is one that has vexed the technical community many times before — “Why are there 13 root servers?” This question is usually followed by questions like “Why are most of the root servers in the US?”

So let’s dispel these myths.

There are not 13 root servers.

What there are is there are many hundreds of root servers at over 130 physical locations in many different countries. There are twelve organisations responsible for the overall coordination of the management of these servers.

So where does the 13 number come from?

There is a technical design limitation that means thirteen is a practical maximum to the number of named authorities in the delegation data for the root zone. These named authorities are listed alphabetically, from a.root-servers.net through m.root-servers.net. Each has associated with it an IP address (and shortly some will have more than one as IPv6 is further rolled out).

But when we think of servers, we probably think of physical machines that sit on a desk, or perhaps lined up in racks in a specialised computing facility. By any measure, there are not 13 servers as there is not a correlation between the number of named authorities, and the number of servers.

The majority of named authorities are spread across multiple cities, often multiple countries. The “I” root, for example, is located in 25 different countries. But ignoring the physical diversity, even those authorities that are just in one physical location — the reality is they are comprised of networks of multiple servers that handle the millions of DNS queries the root servers receive every hour.

Another thing you may hear is that some of these root servers are just copies, whilst others are the “real” name servers. The reality is that every single root server is a copy, and none of them are more special than the others. In fact, the true master server from which the copies are made is not one of the public root servers.

So next time you hear there are 13 root servers, or that they are mostly in the US, just remember this map, courtesy of Patrik Fältström: