On Thu, Jun 1, 2023 at 3:22 PM Wes Hardaker <wjhns61@hardakers.net> wrote:
> 1. There is some definite disagreement in opinions we've heard at this point, where we've heard from the other extreme opinion where they actually wish we wouldn't support the old addresses beyond the TTL at the time of the changeover (i.e., a bit longer than 48 hours).
Why? Are they fans of breaking the Internet? There is no TTL on the root hints file and software update cycles are generally a lot longer than 48 hours. Yes, I know resolvers are supposed to discard the hints once they have the authoritative NS and A records, but you'd just be begging for unintended consequences.
> 2. I'll note that we are still serving DNS requests at the addresses that we switched away from in 2017 [1][2]. At that time we actually only promised 6 months and we've doubled that time length with our latest announced change. But we do need a date after which we can turn off service to an address block if some reason demands it.
> Certainly we would appreciate other opinions about what the right length of a change-over time would be, especially from the operational communities that will be most impacted by this change.
A server generation is about 3 years before it's obsolete and is generally replaced. I suggest making the old address operable for two generations (6 years) and black-holed for another generation (3 more years). Perhaps make it a false responder in the last of those 9 years so that anybody who is truly that far behind on their software updates gets enough of a spanking to stop sending you packets. You'll have problems repurposing the address and its subnet until folks stop sending you DNS query packets, even if you don't respond to them.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/