DNS root zone
Encyclopedia
A DNS root zone is the top-level DNS zone in a Domain Name System (DNS) hierarchy. Most commonly it refers to the root zone of the largest global DNS, deployed for the Internet. Ultimate authority over the DNS root zone rests with the US Department of Commerce NTIA. The zone's content is managed and processed by the Internet Assigned Numbers Authority (IANA) functions operator, and the zone file itself is physically maintained by a third party under contract with the NTIA, known as the root zone maintainer. The current IANA functions operator is ICANN. The current root zone maintainer is Verisign, Inc.
A combination of limits in the DNS and the protocols beneath it, namely the practical size of an unfragmented User Datagram Protocol (UDP) packet, restricts the number of root server addresses that can be carried in a single DNS query response. This limit fixed the number of named root server installations at (currently) 13 clusters, serving the needs of the entire public Internet worldwide.
Initialization of DNS service
There are thirteen root server clusters that are authoritative for queries to the global DNS root zone. The root servers hold the lists of names and addresses of the authoritative servers for all of the top-level domains. Every name lookup must either start with a query to a root server or use information (a cached delegation) that was once obtained from a root server.
The root servers have the official names a.root-servers.net to m.root-servers.net. However, to look up the IP address of a root server from these names, a DNS resolver must first be able to look up a root server to find the address of an authoritative server for the .net DNS zone. Clearly this creates a circular dependency, so the address of at least one root server must be known by a host in order to bootstrap access to the DNS. This is usually done by shipping the addresses of all known DNS root servers as a file with the computer operating system: the IP addresses of some root servers will change over the years, but only one correct address is needed for the resolver to obtain the current list of name servers. The file, called named.cache (also distributed as named.root) in the BIND nameserver reference implementation, holds hints rather than authoritative data: on startup the resolver sends a priming query for the NS records of the root to one of the hinted addresses and replaces the shipped list with the answer it receives. A current version of the file is officially distributed by ICANN's InterNIC.
Once the address of a single functioning root server is known, all other DNS information can be discovered recursively, and the address of any domain name may be found.
Redundancy and diversity
The root DNS servers are essential to the function of the Internet, as most Internet services, such as the World-Wide Web and electronic mail, are based on domain names. The DNS servers are potential points of failure for the entire Internet. For this reason, there are multiple root servers worldwide. The number has been limited to 13 in DNS responses because DNS was limited to 512-byte UDP packets until protocol extensions (EDNS) were designed to lift this restriction. While it is possible to fit more entries into a packet of this size when using "label compression", 13 was chosen as a reliable limit. Since the advent of IPv6, the next generation IP address structure, previous practices are being modified: root servers now also publish IPv6 (AAAA) addresses, and the extra space available in EDNS-sized responses is used for that IPv6 glue.
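The bootstrap step described under "Initialization of DNS service" (shipped hints, then a priming query) and the 512-byte arithmetic behind the 13-server limit above can be checked concretely. The following Python is an added example, not code from this article or from any root-server operator: it parses a hints file in the named.root layout, assembles the wire-format answer a root server gives to the priming query with and without RFC 1035 name compression, and reports the sizes. The a..m names are the real root-server names, but the embedded hints text is a constructed sample and its addresses are documentation placeholders, not the live root-server addresses.

```python
# Added example (not from the article or any root-server operator): parse a
# BIND-style root hints file, then assemble the wire-format answer a root
# server gives to a resolver's priming query (". IN NS") and compare its
# size with the 512-byte UDP payload limit of RFC 1035 that capped the
# root NS set at 13. Name compression follows RFC 1035 section 4.1.4.
import socket
import struct

UDP_LIMIT = 512  # maximum DNS/UDP payload without EDNS

# Constructed hints text in the named.cache / named.root layout. The names
# are the real a..m root-server names; the addresses are documentation
# placeholders (198.51.100.0/24, 2001:db8::/32), NOT the live addresses.
SAMPLE_HINTS = "; constructed sample, not the InterNIC file\n" + "".join(
    f".\t3600000\tNS\t{c}.root-servers.net.\n"
    f"{c}.root-servers.net.\t3600000\tA\t198.51.100.{i + 1}\n"
    f"{c}.root-servers.net.\t3600000\tAAAA\t2001:db8::{i + 1}\n"
    for i, c in enumerate("abcdefghijklm")
)


def parse_hints(text):
    """Return (ns_names, glue). Lines are 'owner TTL [class] type rdata';
    ';' starts a comment. glue maps name -> {"A": [...], "AAAA": [...]}."""
    ns, glue = [], {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 4:
            continue
        owner = fields[0].lower().rstrip(".")
        rtype, rdata = fields[-2].upper(), fields[-1]
        if rtype == "NS" and owner == "":
            ns.append(rdata.lower().rstrip("."))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, {"A": [], "AAAA": []})[rtype].append(rdata)
    return ns, glue


def encode_name(name, offset, table, compress):
    """Wire-encode `name` as it will appear at message offset `offset`.
    With compression, the first suffix already recorded in `table` is
    replaced by a 2-byte pointer (0xC000 | earlier offset)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if compress and suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if compress and offset + len(out) < 0x4000:  # pointers are 14-bit
            table.setdefault(suffix, offset + len(out))
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # empty root label ends the name


def build_priming_response(ns, glue, compress=True, include_aaaa=False):
    """Answer to '. IN NS': header, question, the NS RRset in the answer
    section, A (and optionally AAAA) glue in the additional section."""
    table = {}
    extra = [(n, 1, socket.AF_INET, a) for n in ns for a in glue[n]["A"]]
    if include_aaaa:
        extra += [(n, 28, socket.AF_INET6, a) for n in ns for a in glue[n]["AAAA"]]
    # Header: ID, flags QR|AA, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(ns), 0, len(extra))
    msg += encode_name(".", len(msg), table, compress) + struct.pack("!HH", 2, 1)
    for target in ns:
        owner = encode_name(".", len(msg), table, compress)
        # NS RDATA is itself a name; it starts 10 bytes after the owner
        # (TYPE, CLASS, TTL, RDLENGTH), so compression offsets account for that.
        rdata = encode_name(target, len(msg) + len(owner) + 10, table, compress)
        msg += owner + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    for name, rtype, family, addr in extra:
        owner = encode_name(name, len(msg), table, compress)
        rdata = socket.inet_pton(family, addr)
        msg += owner + struct.pack("!HHIH", rtype, 1, 518400, len(rdata)) + rdata
    return msg


def priming_sizes(hints=SAMPLE_HINTS):
    """Byte sizes of the priming response under each encoding choice."""
    ns, glue = parse_hints(hints)
    return {
        "uncompressed_a": len(build_priming_response(ns, glue, compress=False)),
        "compressed_a": len(build_priming_response(ns, glue)),
        "compressed_a_aaaa": len(build_priming_response(ns, glue, include_aaaa=True)),
    }


if __name__ == "__main__":
    for label, size in priming_sizes().items():
        verdict = "fits" if size <= UDP_LIMIT else "needs EDNS or TCP"
        print(f"{label:18s} {size:4d} bytes  {verdict} (limit {UDP_LIMIT})")
```

With 13 servers the compressed response carrying NS records and IPv4 glue is 436 bytes and fits under 512; the same content uncompressed is 862 bytes, and adding AAAA glue to the compressed form gives 800 bytes, so a resolver that wants the IPv6 glue must advertise a larger EDNS buffer or fall back to TCP. Compression only pays off because all thirteen names share the root-servers.net suffix; a resolver decoding such a response must bounds-check every pointer offset, since a pointer that points forward or at itself is a classic parser loop.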
The root name servers are hosted in multiple secure sites with high-bandwidth access to accommodate the traffic load. Initially all of these installations were located in the United States. However, the distribution has shifted and this is no longer the case. Usually each DNS server installation at a given site is physically a cluster of machines behind load-balancing routers. A comprehensive list of servers, their locations, and properties is available at http://root-servers.org. As of May 2011 there were 242 root server instances worldwide.
The modern trend is to use anycast addressing and routing to provide resilience and load balancing across a wide geographic area. For example, the j.root-servers.net root server, maintained by VeriSign, is represented by 41 individual server systems located around the world, all of which are reachable through the same anycast address.
Management
The IANA functions operator is responsible for receiving requests from the various TLD operators to edit root zone file data, and for approving and submitting them. Under the current arrangement, after approving a change request from a registry, IANA sends the request to the NTIA for approval; if approved, it is then sent to the root zone maintainer for physical implementation in the root zone file. While the NTIA has over the years ceded the administrative and policy-making aspects of the Internet DNS to ICANN, such as setting policy, approving new TLDs, certifying registrars, and awarding registry contracts for existing TLDs, the technical management functions continue to be held by the US Government and executed through the IANA functions contract. Although ICANN is also the IANA functions operator, the US Government could in principle select a different organization upon expiration of the current contract, and many people feel that it would be very difficult for ICANN to manage the Internet's DNS without the IANA contract. While there has been much international pressure for the US Government to transfer the IANA functions completely to ICANN, as it did the general administration of the Domain Name System, the US Government has maintained that it will keep its historic role in overseeing the IANA functions and has no plans to transfer this authority to ICANN. A major reason the NTIA has given for continuing the contract format is that it considers it best to keep the administrative aspects and political bureaucracy of managing the DNS separate from the technical management; as part of the contract, ICANN has to keep the staff in charge of the IANA functions completely separate from those involved in the policy-making side of the organization. ICANN even does this physically: it is currently headquartered in two office suites, one for ICANN itself and the other for the IANA-related staff.
Many of the same critics of the US Government's role wish to remove VeriSign's role as the direct root zone maintainer and allow IANA to maintain it directly, as some believe that the US Government has kept VeriSign in this role to solidify US control over the root zone. The establishment of DNSSEC in the root zone again brought these issues to the table, and both ICANN and VeriSign put forward competing proposals for the installation of DNSSEC in the root zone. In DNSSEC the Key Signing Key (KSK) signs the zone's DNSKEY record set and is the trust anchor configured into validating resolvers, while the Zone Signing Key (ZSK) signs the zone's data; control of either key is therefore control over what validating resolvers accept as the authentic root zone. ICANN (as the IANA operator) wished to generate both the KSK and the ZSK, and through its proposal it also wished to take control of the actual editing of the root zone and alter the current editing process. Under its plan it would both edit and sign the zone after NTIA approval. VeriSign's role would have been reduced to simply receiving the signed zone file and distributing it to the 13 servers through its existing distribution system. VeriSign's proposal argued for keeping the current editing arrangement in place, i.e. ICANN submitting, NTIA approving, and VeriSign editing. VeriSign proposed that it should generate the ZSK and that the KSK should be generated in a key ceremony of the root server operators, with a quorum of the operators present for key generation to take place. The NTIA ultimately released a final plan that closely resembled VeriSign's proposal but, as a compromise, gave ICANN control over the KSK while giving VeriSign control over the ZSK.
External links
- root-servers.org
- CircleID.com, on DNS Root Servers
- CAIDA.org, paper on root server location problem
- CircleID.com, More root server instances outside the U.S. than inside