IP addresses cannot and should not be trusted. It’s not like you can really trust your packets going to B _today_ are going to and from the real B (or Bs).
If the security of DNS relies on no one intercepting or spoofing responses of some of your queries to a root server, it’s been game over for a long time.

On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo <na...@as397444.net> wrote:
>
> On 6/17/23 7:12 AM, Tom Beecher wrote:
> > Bill-
> >
> > Don't say, "We'll keep it up for as long as we feel like it, but at least a year." That's crap.
> >
> > 30% of the root servers have been renumbered in the last 25 years.
> >
> > h: 2015
> > d: 2013
> > l: 2007
> > j: 2002
> >
> > For these 4 cases, only a 6 month transition time was provided, and the internet as we know it did not fall over in a flaming pile. (One could argue it was ALREADY a flaming pile, but that's a different discussion.)
>
> There’s a huge difference between “no one noticed any issues because recursive resolvers will seamlessly fall back to other root servers if there’s an outage” and “there aren’t issues”.
>
> For non-DNSSEC-verifying resolvers (sheesh, but they still exist), if the IPs are eventually released and someone stands up a DNS server on them you could cause real harm.
>
> Does this need to be over-engineered to prevent that? No, though doing a few tricks to help the poor folks on unmaintained recursive resolvers isn’t bad either.
>
> But lack of visible issues doesn’t mean that users aren’t put at risk. That said, I have no idea if the old number resources were released or no longer announced in the DFZ after the previous renumbers, which would really be the point at which concern is warranted, not simply no longer responding.
>
> Matt
>
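The risk Matt describes above is a stale root hints file on an unmaintained, non-validating resolver: it keeps sending priming queries to an address the root operator gave up. A cheap operational check is to diff the resolver's hints against the current root-server addresses. The script below is an added example, not code from the thread or from any root operator; the hints file and the "current" address table are constructed with RFC 5737 / RFC 3849 documentation ranges purely to exercise the check (a real run would load the resolver's named.root and the published IANA root hints instead).

```python
"""Flag stale or missing root-server addresses in a BIND-style root hints file.

Added example for the renumbering thread; all addresses below are constructed
documentation-range values, not real root-server addresses.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed "current" table: owner name -> addresses believed current.
# In practice this comes from the published IANA root hints, not a literal.
CURRENT_ROOTS: Dict[str, Set[str]] = {
    "A.ROOT-SERVERS.NET.": {"192.0.2.4", "2001:db8::a"},
    "B.ROOT-SERVERS.NET.": {"192.0.2.201", "2001:db8::b"},  # pretend B was renumbered
    "C.ROOT-SERVERS.NET.": {"192.0.2.12", "2001:db8::c"},
}

# Constructed hints file: B still carries its old, pre-renumber IPv4 address.
SAMPLE_HINTS = """\
; constructed root hints for the example (not a real named.root)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::a
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     198.51.100.9
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::b
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::c
"""

# owner  TTL  [IN]  TYPE  RDATA  (the layout used by BIND's named.root)
HINT_RE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(AAAA|A|NS)\s+(\S+)", re.IGNORECASE)


def parse_hints(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rrtype, rdata) triples; comments and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = HINT_RE.match(line)
        if m:
            owner, rrtype, rdata = m.groups()
            records.append((owner.upper(), rrtype.upper(), rdata.lower()))
    return records


def stale_hints(text: str, current: Dict[str, Set[str]] = CURRENT_ROOTS) -> List[Tuple[str, str, str, str]]:
    """Address records in the hints that no longer belong to that root server.

    These are exactly the addresses a non-validating resolver would keep
    priming from, and that an attacker could answer if the prefix is released.
    """
    stale = []
    for owner, rrtype, rdata in parse_hints(text):
        if rrtype not in ("A", "AAAA"):
            continue
        known = current.get(owner)
        if known is None:
            stale.append((owner, rrtype, rdata, "unknown server"))
        elif rdata not in {a.lower() for a in known}:
            stale.append((owner, rrtype, rdata, "address not current"))
    return stale


def missing_hints(text: str, current: Dict[str, Set[str]] = CURRENT_ROOTS) -> List[Tuple[str, str]]:
    """Current root-server addresses the hints file does not list at all."""
    present = {(o, r) for o, t, r in parse_hints(text) if t in ("A", "AAAA")}
    return sorted(
        (owner, addr)
        for owner, addrs in current.items()
        for addr in addrs
        if (owner, addr.lower()) not in present
    )


if __name__ == "__main__":
    for owner, rrtype, rdata, why in stale_hints(SAMPLE_HINTS):
        print(f"STALE   {owner} {rrtype} {rdata}: {why}")
    for owner, addr in missing_hints(SAMPLE_HINTS):
        print(f"MISSING {owner} {addr}")
```

The stale list is the one that matters for the attack Matt sketches: a resolver that still primes from a released address will happily accept whatever answers there, unless it validates DNSSEC. The missing list is the usual fallout of the same neglect and is cheap to report in the same pass.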