DNS root zone

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

The root zone is overseen by the Internet Corporation for Assigned Names and Numbers (ICANN), which delegates its management to a subsidiary acting as the Internet Assigned Numbers Authority (IANA). [1] Distribution services are provided by Verisign. Before October 1, 2016, ICANN performed this management responsibility under the oversight of the National Telecommunications and Information Administration (NTIA), an agency of the United States Department of Commerce. [2] Oversight responsibility has since transitioned to the global stakeholder community represented within ICANN's governance structures.

A combination of limits in the DNS definition and in certain protocols, namely the practical size of unfragmented User Datagram Protocol (UDP) packets, [2] resulted in a practical maximum of 13 root name server addresses that can be accommodated in a DNS name query response. However, the root zone is served by several hundred servers at over 130 locations in many countries. [3] [4]

Initialization of DNS service

The DNS root zone is served by thirteen root server clusters which are authoritative for queries to the top-level domains of the Internet. [5] [6] Thus, every name resolution either starts with a query to a root server or uses information that was once obtained from a root server.

The root server clusters have the official names a.root-servers.net to m.root-servers.net. [6] To resolve these names into addresses, a DNS resolver must first find an authoritative server for the net zone. To break this circular dependency, the address of at least one root server must be known in advance for bootstrapping access to the DNS. For this purpose, operating systems, DNS servers and resolver software packages typically include a file listing the addresses of all DNS root servers. Even if the IP addresses of some root servers change, only one working address is needed to retrieve the current list of all root name servers. This address file is called named.cache in the BIND name server reference implementation. The current official version is distributed by ICANN's InterNIC. [7]

With the address of a single functioning root server, all other DNS information may be discovered recursively, and information about any domain name may be found.
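The bootstrap described above, as an added example that is not part of the original article: a parser for a hints file in the named.cache format, a priming step that uses any one reachable hint to fetch the current root server list, and an iterative resolver that follows referrals from the root down to an answer. The hints file, the authoritative data and every address (RFC 5737 documentation range) are constructed for this example; `simulated_query` stands in for a real UDP query so the code runs offline. The hints deliberately carry a stale address for b.root-servers.net to show that a single correct entry suffices.

```python
"""Bootstrapping DNS resolution from a root hints file (offline simulation)."""

# Constructed hints file in the named.cache format. Addresses come from the
# RFC 5737 documentation range and are NOT the real root server addresses.
# B's address is deliberately stale to show that one correct entry suffices.
SAMPLE_HINTS = """\
;   constructed sample root hints (not the InterNIC named.cache)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.99
"""

# Constructed authoritative data for a handful of simulated servers, keyed by
# address: (zone apex, records). Each server knows its own zone plus the NS
# and glue records for the delegations it makes.
ROOT_DATA = {
    ".": {"NS": ["a.root-servers.net.", "b.root-servers.net."]},
    "a.root-servers.net.": {"A": ["192.0.2.1"]},
    "b.root-servers.net.": {"A": ["192.0.2.2"]},
    "com.": {"NS": ["ns.tld.example."]},        # delegation of com (constructed)
    "ns.tld.example.": {"A": ["192.0.2.10"]},   # glue for that delegation
}
AUTHORITATIVE = {
    "192.0.2.1": (".", ROOT_DATA),
    "192.0.2.2": (".", ROOT_DATA),
    "192.0.2.10": ("com.", {
        "example.com.": {"NS": ["ns1.example.com."]},
        "ns1.example.com.": {"A": ["192.0.2.20"]},
    }),
    "192.0.2.20": ("example.com.", {
        "www.example.com.": {"A": ["192.0.2.80"]},
    }),
}


def parse_hints(text):
    """Return {server name: [addresses]} from hints text (NS lines plus A/AAAA glue)."""
    servers = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, rtype, rdata = line.split()
        if owner == "." and rtype == "NS":
            servers.setdefault(rdata.lower(), [])
        elif rtype in ("A", "AAAA"):
            servers.setdefault(owner.lower(), []).append(rdata)
    return servers


def simulated_query(server_addr, qname, qtype):
    """Stand-in for a UDP query: answer from the server's data or refer downward."""
    if server_addr not in AUTHORITATIVE:
        return ("unreachable",)
    apex, data = AUTHORITATIVE[server_addr]
    if qname in data and qtype in data[qname]:
        return ("answer", data[qname][qtype])
    labels = qname.split(".")
    for i in range(1, len(labels)):               # closest enclosing delegation first
        zone = ".".join(labels[i:]) or "."
        if zone != apex and zone in data and "NS" in data[zone]:
            ns_names = data[zone]["NS"]
            glue = {n: data.get(n, {}).get("A", []) for n in ns_names}
            return ("referral", ns_names, glue)
    return ("nxdomain",)


def prime(hints):
    """Use any one reachable hint to fetch the current root server list and addresses."""
    for _name, addrs in hints.items():
        for addr in addrs:
            reply = simulated_query(addr, ".", "NS")
            if reply[0] != "answer":
                continue                              # stale hint, try the next one
            current = {}
            for ns in reply[1]:
                a = simulated_query(addr, ns, "A")
                current[ns] = a[1] if a[0] == "answer" else []
            return current
    raise RuntimeError("no root server reachable from hints")


def resolve(qname, root_servers, max_referrals=8):
    """Iterative resolution: follow referrals from the root down to the answer."""
    candidates = [a for addrs in root_servers.values() for a in addrs]
    trace = []
    for _ in range(max_referrals):
        reply = simulated_query(candidates[0], qname, "A")
        trace.append((candidates[0], reply[0]))
        if reply[0] == "answer":
            return reply[1], trace
        if reply[0] != "referral":
            raise RuntimeError(f"{qname}: {reply[0]} at {candidates[0]}")
        candidates = [a for addrs in reply[2].values() for a in addrs]
        if not candidates:
            raise RuntimeError("referral without usable glue")
    raise RuntimeError("too many referrals")


if __name__ == "__main__":
    roots = prime(parse_hints(SAMPLE_HINTS))
    print(roots)        # b.root-servers.net. now carries its current address, not the stale hint
    print(resolve("www.example.com.", roots))
```

The trace returned by `resolve` shows the three hops a practitioner expects from a cold cache: root, TLD server, zone server. A real resolver would additionally cache each referral so that later queries skip the root entirely, which is why root traffic is dominated by cache misses and junk queries rather than by ordinary name lookups.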

Redundancy and diversity

The root DNS servers are essential to the function of the Internet, as most Internet services, such as the World Wide Web and electronic mail, are based on domain names. The root servers are therefore potential points of failure for the entire Internet, and for this reason multiple root servers are distributed worldwide. [8] The DNS packet size of 512 octets limited a DNS response to thirteen addresses until protocol extensions (see Extension Mechanisms for DNS) lifted this restriction. [9] While it is possible to fit more entries into a packet of this size when using label compression, thirteen was chosen as a reliable limit. Since the introduction of IPv6, the successor Internet Protocol to IPv4, previous practices are being modified and the extra space in responses is filled with IPv6 addresses of the name servers.
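To make the 512-octet arithmetic concrete, here is an added example (not code from the article) that builds the wire-format priming response to a `. IN NS` query, with one A glue record per server, and measures it with and without RFC 1035 label compression. The server names follow the real a.root-servers.net to m.root-servers.net pattern; the addresses are constructed from the RFC 5737 documentation range. It goes slightly beyond the text by computing how many servers would fit under either encoding.

```python
import struct

MAX_PLAIN_UDP = 512   # classic DNS-over-UDP payload limit without EDNS
TYPE_A, TYPE_NS = 1, 2


class MessageBuilder:
    """Minimal DNS wire-format writer with optional RFC 1035 label compression."""

    def __init__(self, compress=True):
        self.buf = bytearray()
        self.compress = compress
        self.offsets = {}     # name suffix -> offset of its first full occurrence

    def write_name(self, name):
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if self.compress and suffix in self.offsets:
                # 2-byte pointer (top two bits set) to the earlier occurrence
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) <= 0x3FFF:               # pointers address only 14 bits
                self.offsets.setdefault(suffix, len(self.buf))
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"                            # root label terminates the name

    def write_rr(self, owner, rtype, ttl, write_rdata):
        self.write_name(owner)
        self.buf += struct.pack("!HHIH", rtype, 1, ttl, 0)  # class IN; RDLENGTH patched below
        rdlen_at, start = len(self.buf) - 2, len(self.buf)
        write_rdata(self)
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - start)


def priming_response(count=13, compress=True, ttl=518400):
    """Answer to '. IN NS' listing `count` root servers plus one A glue record each.
    Addresses are constructed (192.0.2.x), not the real root server addresses."""
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(count)]
    m = MessageBuilder(compress)
    # header: ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    m.buf += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, count, 0, count)
    m.write_name(".")
    m.buf += struct.pack("!HH", TYPE_NS, 1)            # question section: . IN NS
    for n in names:                                     # answer section: NS records
        m.write_rr(".", TYPE_NS, ttl, lambda b, n=n: b.write_name(n))
    for i, n in enumerate(names):                       # additional section: A glue
        m.write_rr(n, TYPE_A, ttl, lambda b, i=i: b.buf.extend(bytes([192, 0, 2, i + 1])))
    return bytes(m.buf)


def max_servers_in_plain_udp(compress=True):
    """Largest server count whose priming response still fits in 512 octets."""
    count = 0
    while len(priming_response(count + 1, compress)) <= MAX_PLAIN_UDP:
        count += 1
    return count


if __name__ == "__main__":
    for compress in (True, False):
        size = len(priming_response(13, compress))
        print(f"compression={compress}: 13 servers -> {size} octets, "
              f"max that fit in {MAX_PLAIN_UDP}: {max_servers_in_plain_udp(compress)}")
```

With compression the 13-server response is 436 octets, leaving room for only a couple more A records, which is why thirteen was a comfortable rather than a maximal choice; without compression the same data would need 862 octets and only seven servers would fit. Adding an AAAA record per server (28 bytes each, 16 of them RDATA) is exactly the growth that pushed the priming response past 512 octets and made EDNS support on resolvers necessary.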

The root name servers are hosted in multiple secure sites with high-bandwidth access to accommodate the traffic load. At first, all of these installations were located in the United States; however, the distribution has shifted and this is no longer the case. [10] Usually each DNS server installation at a given site is a cluster of computers with load-balancing routers. [9] A comprehensive list of servers, their locations and properties is available at https://root-servers.org/. As of 24 June 2023, there were 1708 root servers worldwide. [11]

The modern trend is to use anycast addressing and routing to provide resilience and load balancing across a wide geographic area. For example, the j.root-servers.net server, maintained by Verisign, is represented by 104 (as of January 2016) individual server systems located around the world, which can be queried using anycast addressing. [12]

Management

The content of the Internet root zone file is coordinated by a subsidiary of ICANN which performs the Internet Assigned Numbers Authority (IANA) functions. Verisign generates and distributes the zone file to the various root server operators.

In 1997, when the Internet was transferred from U.S. government control to private hands, NTIA took on stewardship of the root zone. A 1998 Commerce Department document stated the agency was "committed to a transition that will allow the private sector to take leadership for DNS management" by the year 2000; however, no steps to make the transition happen were taken. In March 2014, NTIA announced it would transition its stewardship to a "global stakeholder community". [5]

According to Assistant Secretary of Commerce for Communications and Information, Lawrence E. Strickling, March 2014 was the right time to start a transition of the role to the global Internet community. The move came after pressure in the fallout of revelations that the United States and its allies had engaged in surveillance. The chairman of the board of ICANN denied the two were connected, however, and said the transition process had been ongoing for a long time. ICANN president Fadi Chehadé called the move historic and said that ICANN would move toward multi-stakeholder control. Various prominent figures in Internet history, not affiliated with ICANN, also applauded the move. [5]

NTIA's announcement did not immediately affect how ICANN performs its role. [5] [13] On March 11, 2016, NTIA announced that it had received a proposed plan to transition its stewardship role over the root zone, and would review it in the next 90 days. [14]

The proposal was adopted, and ICANN's renewed contract to perform the IANA function lapsed on September 30, 2016, resulting in the transition of oversight responsibility to the global stakeholder community represented within ICANN's governance structures. As a component of the transition plan, [15] ICANN created a new subsidiary called Public Technical Identifiers (PTI) to perform the IANA functions, which include managing the DNS root zone.

Signing of the root zone

Since July 2010, the root zone has been signed with DNSSEC, [16] providing a single trust anchor for the Domain Name System that can in turn be used as a trust anchor for other public key infrastructure (PKI). The root zone DNSKEY record set is re-signed periodically with the root zone key signing key (KSK) in a verifiable manner, in front of witnesses, at a key signing ceremony. [17] [18] The KSK-2017 key, with key ID (key tag) 20326, is valid as of 2020.
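The "key ID" above is the DNSSEC key tag, and a validating resolver pins the root KSK by comparing the DNSKEY it receives against a DS-style trust anchor (key tag, algorithm, digest type and digest). The following added example, not code from the article or from any resolver, implements that comparison from the RFC 4034 definitions: canonical owner-name encoding, the Appendix B key tag, the DS digest over owner name plus DNSKEY RDATA, and the anchor match. The sample DNSKEY is 64 arbitrary bytes standing in for an ECDSA P-256 public key (algorithm 13); it is not the real root KSK, so its key tag is not 20326, and the anchor dictionary's field names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (flags 257 = KSK, protocol 3, algorithm 13). The 64
# "public key" bytes are a placeholder, NOT the real root KSK material.
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name):
    """Canonical (lower-cased) wire form of a name; the root '.' is one zero octet."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def is_ksk(rdata):
    """Zone Key bit (0x0100) and SEP bit (0x0001) both set, i.e. flags 257."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return flags & 0x0101 == 0x0101


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the 'key ID' (20326 for the real KSK-2017)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest over owner name (wire form) || DNSKEY RDATA; type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def make_anchor(owner, rdata, digest_type=2):
    """Build a DS-style trust anchor for a DNSKEY (field names are this example's own)."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def matches_trust_anchor(owner, rdata, anchor):
    """True only if key tag, algorithm and digest of the received DNSKEY all match."""
    return (is_ksk(rdata)
            and key_tag(rdata) == anchor["key_tag"]
            and rdata[3] == anchor["algorithm"]
            and anchor["digest_type"] in (1, 2)
            and ds_digest(owner, rdata, anchor["digest_type"]) == anchor["digest"])


if __name__ == "__main__":
    rd = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    anchor = make_anchor(".", rd)
    print("key tag:", key_tag(rd), "anchor matches:", matches_trust_anchor(".", rd, anchor))
    tampered = rd[:-1] + bytes([rd[-1] ^ 1])       # flip one bit of the key
    print("tampered key matches:", matches_trust_anchor(".", tampered, anchor))
```

The digest comparison is the part that actually pins the key; the key tag is only a 16-bit hint for selecting among several DNSKEY records and must never be treated as authentication on its own. In operation the anchor values come from the IANA-published trust anchor file, not from a DNS response, which is what makes the root KSK an out-of-band root of trust rather than just another signed record.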

References

  1. "Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends". October 1, 2016. Retrieved December 25, 2017.
  2. Jerry Brito (March 5, 2011). "ICANN vs. the World". Time.
  3. "There are not 13 root servers". www.icann.org. Retrieved January 18, 2018.
  4. "DNS root servers in the world « stupid.domain.name". stupid.domain.name. Archived from the original on February 11, 2021. Retrieved January 18, 2018.
  5. Farivar, Cyrus (March 14, 2014). "In sudden announcement, US to give up control of DNS root zone". Ars Technica. Retrieved March 15, 2014.
  6. "Root Servers". IANA. Retrieved January 17, 2020.
  7. "named.cache". InterNIC. November 17, 2015. Retrieved November 17, 2015.
  8. "SANS Institute InfoSec Reading Room". SANS. Retrieved March 17, 2014.
  9. Bradley Mitchell (November 19, 2008). "Why There Are Only 13 DNS Root Name Servers". About.com. Archived from the original on March 18, 2014. Retrieved March 17, 2014.
  10. "DNS Root Servers: The most critical infrastructure on the internet". Slash Root. November 15, 2013.
  11. "Root Servers Technical Operations Assn". Archived from the original on June 24, 2023. Retrieved June 29, 2023.
  12. "Root Server Technical Operations Assn".
  13. "An Update on the IANA Transition". National Telecommunications and Information Administration. August 17, 2015. Retrieved November 17, 2015.
  14. Strickling, Lawrence. "Reviewing the IANA Transition Proposal". National Telecommunications and Information Administration. United States Department of Congress. Retrieved May 26, 2016.
  15. "Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community" (PDF). March 2016.
  16. "Root DNSSEC: Information about DNSSEC for the Root Zone". Internet Corporation For Assigned Names and Numbers. Retrieved March 19, 2014.
  17. "First KSK Ceremony". Internet Corporation For Assigned Names and Numbers. April 18, 2010. Archived from the original on April 14, 2015. Retrieved October 19, 2014.
  18. "Root KSK Ceremonies". Internet Assigned Numbers Authority. November 12, 2015. Retrieved November 17, 2015.