
This is a question about DNS root nameservers.

In order to resolve DNS queries, to obtain nameservers for the first stage of the process, the root nameservers must be consulted.

There are 13 and the IP addresses of these servers can be viewed at http://www.internic.net/zones/named.root

My understanding is that when a new device connects to the internet, it (probably) uses the nameservers provided by the ISP. (I don't actually know how the IP addresses of these devices are obtained. Presumably some software in the router/hardware provided by the ISP?)

The ISP then knows the IP addresses of the root nameservers.

The question is what happens if those IP addresses change? Is this possible?

Taking a look at http://www.internic.net/zones/named.root the IP addresses seem to be somewhat arbitrary.

Presumably they are static and decided by ICANN. Can the IP addresses of the root nameservers change? If so, what happens?

Patrick Mevzek
user3728501

3 Answers


Yes, it can change, and it happened in the past, see for example https://h.root-servers.org/renumber.html

H-Root will change its addresses on 1 December 2015

This is advance notice that there is a scheduled change to the IP addresses for one of the authorities listed for the DNS root zone and the .ARPA TLD. The change is to H.ROOT-SERVERS.NET, which is administered by the U.S. Army Research Laboratory.

The new IPv4 address for this authority is 198.97.190.53.

The new IPv6 address for the authority is 2001:500:1::53.

It happened in fact multiple times "recently":

  • d root nameserver changed its IP address in January 2013
  • h root nameserver did in December 2015
  • j in 2002
  • l in 2007

Besides that, IPv6 addresses were also added in the past.

(to have the full picture: at least one renumbering event in the past did create some stir, as the owner of the now deprecated IP address block continued to listen for queries coming and hence collected data).

More generally, you might want to look at https://www.icann.org/en/system/files/files/rssac-023-04nov16-en.pdf, which gives full details of the history of the root nameservers, with changes in number, names, and IP addresses.

It is not a problem because:

  • changes are few and seldom, with long cool down periods
  • there are 13 nameservers (at a logical level, far more physically), so a lot of redundancy; even if one disappears or has its IP address changed, the other ones are sufficiently provisioned to take the extra traffic (the DNS is load balancing at its core, not fail over, so "on average", each nameserver works at the same time and receives roughly the same amount of traffic)
  • even if users continue to use the old, normally decommissioned address, they won't get a reply anymore, hence the software will automatically switch to another IP address (another root server). This is a standard DNS resiliency mechanism and since recursive nameservers typically store statistics on whether a server responds or not, they slowly converge to the "fastest" one, hence discarding any old IP address not working anymore
  • software is released with a "hint" file that provides this data, and hence, except for things never updated, they will get the new information.
  • but note also that good software has intrinsic software updates, which is called priming for DNS: even if the software is deployed with a list of root nameservers, its first task, called "priming", is to contact one such root nameserver and obtain the current list (names + IPs) of root nameservers, hence replacing the local hard coded list by a new current dynamic one. See RFC 8109 for a full description of that priming.

As for:

My understanding is that when a new device connects to the internet, it (probably) uses the nameservers provided by the ISP. (I don't actually know how the IP addresses of these devices are obtained. Presumably some software in the router/hardware provided by the ISP?)

The configuration is either hard coded or the settings are obtained at boot using DHCP.

But note that this becomes less and less true, as it is overridden. With DoH (DNS over HTTPS), or DoT to a lesser extent, this now opens the way for each application (ex: a browser) to decide which recursive nameserver to query, irrespective of what the OS is configured with. And indeed browsers started that trend quite heavily.

And for:

Taking a look at http://www.internic.net/zones/named.root the IP addresses seem to be somewhat arbitrary.

You need to remember/know that the DNS system is 40 years old. It evolved. Companies/Organizations were tasked at the beginning to be benevolent root nameserver operators, and each used its IP blocks. If it were created from scratch today I am sure that some blocks would be reserved for it, as it was done for related operations (see RFC 7434 and 7435 for examples).

But besides that, no IP address is special. Each works the same way, or can be made to work the same way (root nameservers are using anycast).

Patrick Mevzek
  • Interesting response. I suppose a follow up question would be - if all the root nameservers changed IP simultaneously, the internet would presumably break and there would be no way to recover from this, other than by buying a new copy of some software or config file on a CD or memory stick from a shop. Indeed that may be impossible because it would require companies to coordinate stocking such things, and how are they going to do that without internet? – user3728501 Jan 19 '21 at 17:34
  • The people who run root nameservers know this well and they never change all simultaneously. – raj Jan 19 '21 at 18:36
  • "if all the root nameservers changed IP simultaneously" But why? One of the original design decisions of Jon Postel was exactly to choose independent organizations so that the whole system can not be captured, as some are military, some are corporations, some are non profit, some are US based and some aren't. So they each do their own business (there is some coordination now through ICANN), why would they coordinate to change some core thing just at the same moment? – Patrick Mevzek Jan 19 '21 at 18:40
  • "the internet would presumably break" also not true, or not immediately at least, see my comment on the other answer. The DNS is full of caches. Root nameservers are "occasionally" hit by DDOS, yet it almost doesn't change anything for you as end user, because all TLD authoritative nameservers are cached by recursives, hence the root is seldom used (yet it gets A LOT of crap as queries due to bad software or huge requests by design such as Chrome's test of domain hijacks through random names) – Patrick Mevzek Jan 19 '21 at 18:42
  • There are various discussions or proposals to run the root "everywhere" (which is possible nowadays because it is signed). See for example RFC 3258, RFC 7706, or RFC 8767 about caches and stale data. And most recently RFC 8806 – Patrick Mevzek Jan 19 '21 at 18:47

They can be changed, and they have changed several times over the years, albeit rarely.

The key is that when they have been changed, they have not all been changed at the same time. So if one is changed, DNS resolvers are still able to reach the remaining servers until their operators are able to update their root hints file.

joeqwerty

Quotation from the IANA page on root servers:

Operators who manage a DNS recursive resolver typically need to configure a “root hints file”. This file contains the names and IP addresses of the root servers, so the software can bootstrap the DNS resolution process. For many pieces of software, this list comes built into the software.

(my emphasis)

Therefore, if root servers' IP addresses changed, software everywhere in the world would have to change, too. To me, this is enough evidence to conclude that these addresses will never change. EDIT: The comments below and the best answer show that this statement is not correct, and that root nameservers' addresses do change occasionally.

EDIT: The first IP address is hardwired into RFC1400. From the RFC:

After the transition, the host.txt file will be available only from nic.ddn.mil and hosts.txt will include ONLY MILNET HOSTS. On April 1, 1993, a new root DNS server will be placed in service. It will be available at ns.internic.net ( 198.41.0.4 ).

This indicates that this address will not change as long as this RFC is in effect, but in theory, addresses of other root servers could change. I guess that DNS software should be designed so that it updates the root hints file from ns.internic.net.

berndbausch
  • Interesting. If I were designing DNS today I would probably define a block of addresses (maybe 1024) which were reserved for ROOT DNS use. It looks like IANA did that with just a single address in 1993. – user3728501 Jan 19 '21 at 14:08
  • 2
    "To me, this is enough evidence to conclude that these addresses will never change." This is untrue. – Patrick Mevzek Jan 19 '21 at 15:24
  • @user3728501 RIRs/ICANN do reserve blocks for specific root/TLD operations, see RFC 7534 and 7535 – Patrick Mevzek Jan 19 '21 at 15:35
  • 2
    Also RFC1400 is Informational only and hence does not have the stamp of typical "STANDARD" at IETF side. It is completely outdated and not related in any way with how the DNS works today. – Patrick Mevzek Jan 19 '21 at 15:37
  • 2
    "I guess that DNS software should be designed so that it updates the root hints file from ns.internic.net." It is doing something far better than that. See explanations on "priming" in my answer or elsewhere. – Patrick Mevzek Jan 19 '21 at 15:38
  • As any other software, DNS software is regularly updated. As the root hint file is one of the files included in the software package being installed, if it changes, then developers of the particular software will include the changed file in the next software update. When you install the update, you'll get the updated list of root nameservers. It's similar as with the time zones; when time zones (or DST rules) anywhere in the world change, the `tzdata` (or equivalent) package in your OS is updated accordingly. – raj Jan 19 '21 at 16:01
  • @raj How can that possibly work though? If the DNS root servers change, how does one download any software updates? For example, if I want to download the debian ISO, I cannot, because I cannot find the `debian.org` website. Even my package manager (probably) does not use IP addresses but DNS resolvable names? – user3728501 Jan 19 '21 at 17:30
  • Did you read the other answer? There are 13 root nameservers. They never change all at once. Usually one or two of them changes. Then, if these are not responding, DNS software asks other ones, that are still available. As long as DNS software knows the IP address of at least one root nameserver, the DNS will work. – raj Jan 19 '21 at 18:34
  • @user3728501 And they are caches too. Your recursive nameserver already has in its cache the authoritative nameservers for `com`,`net`, `org` and various other "major" TLDs, because they are "hot" resources they will always stay in cache. Which means: even if all the root nameservers disappear right now (and it happens sometimes they are hit by DDOS), for probably more than 24 hours you won't see a difference at all, everything will work exactly as before (except if you are using a small or cold recursive and you suddenly need to resolve a name in a TLD never used recently) – Patrick Mevzek Jan 19 '21 at 18:39
  • @raj Yes, my question is what happens in this case? If ROOT server A changes, then how does any software update know this? Nameserver A will not respond to packets, but then what does it do? Go and check other nameservers? What if for some reason A and B are down, or if all 13 change address at once? In practice obviously DNS is designed so that this doesn't happen, but if it did, presumably it would break? Is there some kind of democratic decision made in the case that some of the servers are up and others are producing different results for example? – user3728501 Jan 20 '21 at 20:42
  • I think you are creating some total disaster scenarios. I see no point in that. One can always imagine total disaster, but if there's total disaster, then nothing will work - it's a simple answer. The whole Internet is and always was based on cooperation. The people who run root nameservers know that the functioning of the whole DNS depends on them, so it's highly unlikely that they will do such unreasonable things like changing all 13 addresses at once. – raj Jan 20 '21 at 21:18
  • @user3728501 The DNS does not work like you think. All nameservers are queried all the time (`a`. is not different from others, at least from the query point of view), they all get, statistically on average, the same amount of traffic. If one does not reply, the software (recursive nameserver) querying it will wait a little and then switch to another. This is covered in my answer, see the third bullet point. As for content, the root is signed, hence can be in fact published "everywhere" and its content integrity be validated (as long as you have the root key) – Patrick Mevzek Jan 21 '21 at 15:01
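The priming step described in the first answer (RFC 8109) and the "root hints file" quoted in this answer fit together: a resolver ships with a static hints list, then asks one of those servers for the current root NS set and replaces the list. The script below is an added example, not code from any answer here or from any resolver project; it parses a named.root-style hints file and diffs it against the records a priming response would carry, so an operator can tell which shipped addresses have gone stale. All records are constructed inline: only 198.41.0.4, 198.97.190.53 and 2001:500:1::53 are taken from this page, and 192.0.2.53 (an RFC 5737 documentation address) stands in for a decommissioned address rather than being H-Root's real former one.

```python
import ipaddress

# Constructed sample in the named.root layout: owner, TTL, type, rdata.
# Only 198.41.0.4, 198.97.190.53 and 2001:500:1::53 appear on the page;
# 192.0.2.53 is an RFC 5737 documentation address standing in for a
# decommissioned address, not H-Root's real former address.
SAMPLE_HINTS = """\
; constructed root hints, deliberately out of date for H
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     192.0.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
"""

# Constructed stand-in for the NS RRset plus glue that a priming query
# (RFC 8109: "./NS" sent to a root server) returns; same textual layout.
SAMPLE_PRIMING_RESPONSE = """\
.                        518400       NS    A.ROOT-SERVERS.NET.
.                        518400       NS    H.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      518400       A     198.41.0.4
H.ROOT-SERVERS.NET.      518400       A     198.97.190.53
H.ROOT-SERVERS.NET.      518400       AAAA  2001:500:1::53
"""


def parse_root_records(text):
    """Parse hints-style records into ({server: {addresses}}, {server names}).

    Names are lower-cased and addresses normalised via ipaddress so that
    textual differences (case, IPv6 zero compression) do not produce
    false "changed" reports. Malformed lines raise ValueError.
    """
    addrs = {}
    ns_names = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected record line: {raw!r}")
        owner, _ttl, rtype, rdata = fields
        owner = owner.lower()
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS record not at the root: {raw!r}")
            ns_names.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            if (rtype == "A") != (ip.version == 4):
                raise ValueError(f"type/address mismatch: {raw!r}")
            addrs.setdefault(owner, set()).add(str(ip))
        else:
            raise ValueError(f"unexpected record type: {raw!r}")
    return addrs, ns_names


def compare_hints(hints_text, priming_text):
    """Diff a hints file against a priming response.

    Returns a dict with per-server 'stale' (only in hints), 'missing'
    (only in the priming data) and 'current' (in both) address lists,
    plus 'ns_removed'/'ns_added' for servers present in only one NS set.
    """
    h_addrs, h_ns = parse_root_records(hints_text)
    p_addrs, p_ns = parse_root_records(priming_text)
    report = {
        "stale": {}, "missing": {}, "current": {},
        "ns_removed": sorted(h_ns - p_ns),
        "ns_added": sorted(p_ns - h_ns),
    }
    for name in sorted(h_addrs.keys() | p_addrs.keys()):
        old, new = h_addrs.get(name, set()), p_addrs.get(name, set())
        if old - new:
            report["stale"][name] = sorted(old - new)
        if new - old:
            report["missing"][name] = sorted(new - old)
        if old & new:
            report["current"][name] = sorted(old & new)
    return report


def hints_need_update(report):
    """True when the shipped hints would send queries to a stale address."""
    return bool(report["stale"] or report["ns_removed"])


if __name__ == "__main__":
    rep = compare_hints(SAMPLE_HINTS, SAMPLE_PRIMING_RESPONSE)
    for server, ips in rep["stale"].items():
        print(f"stale in hints: {server} -> {', '.join(ips)}")
    for server, ips in rep["missing"].items():
        print(f"learned from priming: {server} -> {', '.join(ips)}")
    print("update needed:", hints_need_update(rep))
```

Run against the constructed data it reports H's 192.0.2.53 as stale and 198.97.190.53 as learned from priming, while A and H's IPv6 address are unchanged. Because the priming response is parsed with the same function, the same diff can be pointed at a real resolver's hints file and the textual output of a priming query; the comparison deliberately ignores TTLs, since the hints TTL is a placeholder and only names and addresses matter for reaching a root server.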