Can the IP address of a root nameserver change?

domain-name-system

This is a question about DNS root nameservers.

In order to resolve DNS queries, to obtain nameservers for the first stage of the process, the root nameservers must be consulted.

There are 13 and the IP addresses of these servers can be viewed at http://www.internic.net/zones/named.root

My understanding is that when a new device connects to the internet, it (probably) uses the nameservers provided by the ISP. (I don't actually know how the IP addresses of these devices are obtained. Presumably some software in the router/hardware provided by the ISP?)

The ISP then knows the IP addresses of the root nameservers.

The question is what happens if those IP addresses change? Is this possible?

Taking a look at http://www.internic.net/zones/named.root the IP addresses seem to be somewhat arbitrary.

Presumably they are static and decided by ICANN. Can the IP addresses of the root nameservers change? If so, what happens?


Solution 1:

Yes, it can change, and it happened in the past, see for example https://h.root-servers.org/renumber.html

H-Root will change its addresses on 1 December 2015

This is advance notice that there is a scheduled change to the IP addresses for one of the authorities listed for the DNS root zone and the .ARPA TLD. The change is to H.ROOT-SERVERS.NET, which is administered by the U.S. Army Research Laboratory.

The new IPv4 address for this authority is 198.97.190.53.

The new IPv6 address for the authority is 2001:500:1::53.

It happened in fact multiple times "recently":

  • d root nameserver changed its IP address in January 2013
  • h root nameserver did in December 2015
  • j in 2002
  • l in 2007

Besides that, IPv6 addresses were also added in the past.

(to have the full picture: at least one renumbering event in the past did create some stir, as the owner of the now deprecated IP address block continued to listen for queries coming and hence collected data).

More generally, you might want to look at https://www.icann.org/en/system/files/files/rssac-023-04nov16-en.pdf that gives a full details of history on root nameservers, with changes in both number, names, and IP addresses.

It is not a problem because:

  • changes are few and seldom, with long cool down periods
  • there are 13 nameservers (at a logical level, far more physically), so a lot of redundancy, even if one disappears or have its IP address change, the other ones are sufficiently provisioned to take the extra traffic (the DNS is load balancing at its core, not fail over, so "on average", each nameserver works at the same time and receive a rougly same amount of traffic)
  • even if users continue to use the old, normally decommissioned address, they won't get a reply anymore, hence the software will automatically switch to another IP address (another root server). This is a standard DNS resiliency mechanism and since recursive nameservers typically store statistics on how a server respond or not, they slowly converge to the "fastest" one, hence discarding any old IP address not working anymore
  • software is released with a "hint" file that provides this data, and hence, except for things never updated, they will get the new information.
  • but note also that good software has intrinsic software updates, which is called priming for DNS: even if the software is deployed with a list of root nameservers, its first task, called "priming", is to contact one such root nameserver and obtain the current list (names + IPs) of root nameservers, hence replacing the local hard coded list by a new current dynamic one. See RFC 8109 for a full description of that priming.

As for:

My understanding is that when a new device connects to the internet, it (probably) uses the nameservers provided by the ISP. (I don't actually know how the IP addresses of these devices are obtained. Presumably some software in the router/hardware provided by the ISP?)

The configuration is either hard coded or the settings are obtained at boot using DHCP.

But note that this becomes less and less true, as it is overriden. With DoH (DNS over HTTPS), or DoT but in a lesser fashion, this opens now the way for each application (ex: a browser) to decide which recursive nameserver to query, irrespective to what the OS is configured with. And indeed browsers started that trend quite heavily.

And for:

Taking a look at http://www.internic.net/zones/named.root the ip addresses seem to be somewhat arbitary.

You need to remember/know that the DNS system is 40 years old. It evolved. Companies/Organizations were tasked at the beginning to be benevolent root nameserver operators, and each used its IP blocks. If it were created from scratch today I am sure that some blocks would be reserved for it, as it was done for related operations (see RFC 7434 and 7435 for examples).

But besides that, no IP address is special. Each works the same way, or can be made to work the same way (root nameservers are using anycast).

Solution 2:

They can be changed, and they have changed several times over the years, albeit rarely.

The key is that when they have been changed, they have not all been changed at the same time. So if one is changed, DNS resolvers are still able to reach the remaining servers until their operators are able to update their root hints file.

Solution 3:

Quotation from the IANA page on root servers:

Operators who manage a DNS recursive resolver typically need to configure a “root hints file”. This file contains the names and IP addresses of the root servers, so the software can bootstrap the DNS resolution process. For many pieces of software, this list comes built into the software.

(my emphasis)

Therefore, if root servers' IP addresses changed, software everywhere in the world would have to change, too. To me, this is enough evidence to conclude that these addresses will never change. EDIT: The comments below and the best answer show that this statement is not correct, and that root nameservers' addresses do change occasionally.

EDIT: The first IP address is hardwired into RFC1400. From the RFC:

After the transition, the host.txt file will be available only from nic.ddn.mil and hosts.txt will include ONLY MILNET HOSTS. On April
1, 1993, a new root DNS server will be placed in service. It will be available at ns.internic.net ( 198.41.0.4 ).

This indicates that this address will not change as long as this RFC is in effect, but in theory, addresses of other root servers could change. I guess that DNS software should be designed so that it updates the root hints file from ns.internic.net.

Related

Error 2003 (HY000) when i try to connect amazon rds server from ec2 server
Best Practices for Azure AD-joined PCs and Global Admin accounts
Nginx -- disable aggressive caching for Wordpress admin areas
Dell R630 supported PCIe to NVMe (m.2) adapter and drive?
Bulk Phone number change - DSQUERY
Which is my SQL server name for connecting to the online database by SSMS?
Segmenting IPv6 networks using dnsmasq?
Mirror Linux Systems Running Game Servers And Payment Managing servers
How to stop apt-get using /tmp for install scripts
New virtual host on apache returns the default vhost, other times returns the normal content
docker-compose static ip does not work
checking and reading cookies with nginx