DNS root zone: Difference between revisions

From Wikipedia, the free encyclopedia
{{Short description|Top-level DNS zone}}
{{Use American English|date=January 2019}}
{{Use mdy dates|date=August 2022}}
The '''DNS root zone''' is the top-level [[DNS zone]] in the hierarchical namespace of the [[Domain Name System]] (DNS) of the [[Internet]].


Since October 1, 2016, the root zone has been overseen by the [[ICANN|Internet Corporation for Assigned Names and Numbers]] (ICANN), which delegates its management to a subsidiary, Public Technical Identifiers (PTI), that performs the [[Internet Assigned Numbers Authority]] (IANA) functions.<ref>{{cite news|url=https://www.icann.org/news/announcement-2016-10-01-en |title=Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends |date=October 1, 2016 |access-date=December 25, 2017}}</ref> Distribution services are provided by [[Verisign]], which generates the zone file and distributes it to the root server operators. Before the transition, ICANN performed the same role under oversight of the [[National Telecommunications and Information Administration]] (NTIA), an agency of the United States [[Department of Commerce]];<ref name=":0">{{cite news|url=https://techland.time.com/2011/03/05/icann-vs-the-world/ |title=ICANN vs. the World |date=March 5, 2011 |author=Jerry Brito |magazine=[[Time (magazine)|Time]]}}</ref> oversight responsibility then passed to the [[Internet governance|global stakeholder community]] represented within ICANN's governance structures.


A combination of limits in the DNS definition and in certain protocols, namely the 512-octet ceiling that the original DNS specification placed on messages carried in unfragmented [[User Datagram Protocol]] (UDP) packets, resulted in a practical maximum of 13 [[root name server]] addresses that can be accommodated in a DNS name query response. However, the root zone is actually served by many hundreds of server instances behind those 13 addresses, at well over 130 locations in many countries.<ref>{{Cite web|url=https://www.icann.org/news/blog/there-are-not-13-root-servers|title=There are not 13 root servers|website=www.icann.org|language=en|access-date=January 18, 2018}}</ref><ref>{{Cite web|url=https://stupid.domain.name/node/407|title=DNS root servers in the world « stupid.domain.name|website=stupid.domain.name|language=en-US|access-date=January 18, 2018|archive-date=February 11, 2021|archive-url=https://web.archive.org/web/20210211045935/https://stupid.domain.name/node/407|url-status=dead}}</ref>


==Initialization of DNS service==
The DNS root zone is served by thirteen root server clusters, which are authoritative for the root zone and thus for the delegations (NS records and glue addresses) that point to the name servers of every [[top-level domain]] of the Internet.<ref name=Ars /><ref name=RS>{{cite web|title=Root Servers|url=https://www.iana.org/domains/root/servers|access-date=January 17, 2020|publisher=IANA}}</ref> Thus, every name resolution either starts with a query to a root server or uses information that was once obtained from a root server and cached.


The root server clusters have the official names ''a.root-servers.net'' to ''m.root-servers.net''.<ref name=RS /> To resolve these names into addresses, a DNS resolver must first find an authoritative server for the ''net'' zone. To avoid this [[circular dependency]], the address of at least one root server must be known for [[Bootstrapping (computing)|bootstrapping]] access to the DNS. For this purpose, operating systems, DNS servers and resolver software packages typically include a file with the addresses of all the root servers, the ''root hints''. A resolver uses these addresses only to send an initial ''priming query'' for the root NS record set; the answer, which comes from the root zone itself, then replaces the hints. Even if the IP addresses of some root servers change, a single still-valid address in the file is enough to retrieve the current list of all root name servers. This address file is called ''named.cache'' in the [[BIND]] name server reference implementation. The current official version is distributed by [[ICANN]]'s [[InterNIC]].<ref>{{cite web|url=https://www.internic.net/zones/named.cache|title=named.cache|publisher=InterNIC|date=November 17, 2015|access-date=November 17, 2015}}</ref>


With the address of a single functioning root server, all other DNS information may be discovered recursively, and information about any domain name may be found. The hints file itself carries no authentication; a validating resolver derives its trust in what it then learns from the DNSSEC trust anchor for the root zone (see below), not from the hints.
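As an added example (not BIND's or InterNIC's code), the following Python parses a root hints file in the layout of ''named.cache'', audits it for entries that cannot be used to bootstrap, and diffs a local copy against a fresher one. The sample file is constructed for the example and uses documentation address ranges rather than the real root server addresses.

```python
"""Parse and audit a BIND-style root hints file (InterNIC's named.cache layout).
Added example, not BIND's or InterNIC's code; the sample file is constructed and uses
documentation addresses (RFC 5737 / RFC 3849), not the real root server addresses."""
import ipaddress
from collections import defaultdict


def parse_root_hints(text):
    """Return (root_ns, glue): names listed as NS for '.', and per name its A/AAAA addresses.
    Lines look like `owner TTL [IN] type rdata`; ';' starts a comment."""
    root_ns = set()
    glue = defaultdict(lambda: {"A": set(), "AAAA": set()})
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 4 and fields[2].upper() == "IN":
            del fields[2]                                  # optional class column
        if len(fields) != 4:
            raise ValueError(f"malformed hints line: {raw!r}")
        owner, _ttl, rtype, rdata = fields[0].lower(), fields[1], fields[2].upper(), fields[3]
        if owner == "." and rtype == "NS":
            root_ns.add(rdata.lower())
        elif rtype == "A":
            glue[owner]["A"].add(str(ipaddress.IPv4Address(rdata)))   # also validates syntax
        elif rtype == "AAAA":
            glue[owner]["AAAA"].add(str(ipaddress.IPv6Address(rdata)))
        else:
            raise ValueError(f"unexpected record in hints file: {raw!r}")
    return root_ns, dict(glue)


def flatten(hints):
    """Set of (name, type, address) triples, convenient for set arithmetic."""
    _, glue = hints
    return {(n, t, a) for n, rr in glue.items() for t, addrs in rr.items() for a in addrs}


def audit_hints(root_ns, glue):
    """Problems an operator should fix before trusting the file for bootstrapping."""
    problems = []
    for name in sorted(root_ns):
        addrs = glue.get(name, {"A": set(), "AAAA": set()})
        if not addrs["A"] and not addrs["AAAA"]:
            problems.append(f"{name}: listed as root NS but has no address; cannot be used to prime")
        elif not addrs["AAAA"]:
            problems.append(f"{name}: no AAAA record; unusable from an IPv6-only resolver")
    for name in sorted(set(glue) - root_ns):
        problems.append(f"{name}: has glue but is not listed as a root NS; unexpected entry")
    return problems


def diff_hints(local, current):
    """Addresses that differ between a local copy and a freshly downloaded file."""
    return {"removed": flatten(local) - flatten(current), "added": flatten(current) - flatten(local)}


def still_valid(local, current):
    """Local entries that are still correct. A resolver needs only one of these to complete a
    priming query and learn the whole current root NS set, which is why stale files keep working."""
    return flatten(local) & flatten(current)


OLD_HINTS = """\
;   constructed sample in the layout of InterNIC's named.cache, not the real file
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8:a::30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8:b::201
"""
NEW_HINTS = OLD_HINTS.replace("192.0.2.201", "198.51.100.2")   # B's IPv4 address renumbered


if __name__ == "__main__":
    local, current = parse_root_hints(OLD_HINTS), parse_root_hints(NEW_HINTS)
    print("problems:", audit_hints(*local) or "none")
    print("changed:", diff_hints(local, current))
    print("still usable for priming:", len(still_valid(local, current)), "of", len(flatten(local)))
```

Pointing the script at a real downloaded ''named.cache'' and the copy shipped with a resolver package shows which entries have drifted; as long as ''still_valid'' is non-empty the resolver can still prime, but the audit flags names that would silently fail.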


==Redundancy and diversity==
The root DNS servers are essential to the function of the Internet, as most Internet services, such as the [[World Wide Web]] and email, are based on domain names. The root servers are therefore potential points of failure for the entire Internet, and for this reason many root server instances are distributed worldwide.<ref name=SANS>{{cite web|title=SANS Institute InfoSec Reading Room|publisher=SANS|url=http://www.sans.org/reading-room/whitepapers/dns/secure-root-dns-servers-991|access-date=March 17, 2014}}</ref> The 512-octet limit that the original DNS specification placed on messages carried over UDP capped a priming response at thirteen name server names with their IPv4 glue addresses, until protocol extensions ([[Extension Mechanisms for DNS|EDNS]]) let resolvers advertise larger receive buffers.<ref name=about>{{cite web|title=Why There Are Only 13 DNS Root Name Servers|author=Bradley Mitchell|date=November 19, 2008|publisher=[[About.com]]|url=http://compnetworking.about.com/b/2008/11/19/why-there-are-only-13-dns-root-name-servers.htm|access-date=March 17, 2014|archive-date=March 18, 2014|archive-url=https://web.archive.org/web/20140318020048/http://compnetworking.about.com/b/2008/11/19/why-there-are-only-13-dns-root-name-servers.htm|url-status=dead}}</ref> While it is possible to fit more entries into a packet of this size when using label compression, thirteen was chosen as a conservative limit that leaves headroom. Since the introduction of [[IPv6]], the successor [[Internet Protocol]] to [[IPv4]], each root server also has an IPv6 address, and the AAAA glue for all thirteen no longer fits in a 512-octet response; resolvers are therefore expected to use EDNS when priming, and a root server may omit some glue records when they do not fit.
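The arithmetic behind the thirteen-server limit mentioned in the introduction and in the paragraph above, as an added worked example (not code from the article or from any root server operator): it builds the wire-format response to a root priming query, with and without RFC 1035 label compression, and measures it against the 512-octet UDP limit. The server names follow the ''a.root-servers.net'' pattern; the glue addresses are documentation prefixes chosen for the example.

```python
"""Size of a root priming response (answer to '. IN NS') in DNS wire format,
with and without RFC 1035 label compression. Added example with constructed
glue addresses; it builds real wire-format messages but sends nothing."""
import ipaddress
import struct

UDP_LIMIT = 512          # RFC 1035 s4.2.1: maximum DNS message over UDP without EDNS
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
TTL = 518400             # TTL of the root NS RRset and its glue in the root zone


def encode_name(name, offset, table, compress=True):
    """Wire-encode a domain name that will sit at message offset `offset`.
    `table` maps already-emitted name suffixes to their offsets so that a later
    occurrence can be replaced by a 2-byte pointer (RFC 1035 s4.1.4)."""
    labels = [] if name == "." else name.lower().rstrip(".").split(".")
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = tuple(labels[i:])
        if compress and suffix in table:
            out += struct.pack("!H", 0xC000 | table[suffix])
            return bytes(out)                      # a pointer terminates the name
        if compress and offset + len(out) < 0x4000:
            table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out + b"\x00")


def priming_response(n_servers, compress=True, ipv6_glue=False):
    """Response to a priming query: n NS RRs at the apex plus one A (and optionally one
    AAAA) glue RR per server in the additional section. Returns the message bytes."""
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(n_servers)]
    table = {}
    arcount = n_servers * (2 if ipv6_glue else 1)
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers, 0, arcount))
    msg += encode_name(".", len(msg), table, compress) + struct.pack("!HH", TYPE_NS, 1)
    for name in names:                                   # answer section: . NS <name>
        msg += encode_name(".", len(msg), table, compress)
        rdata = encode_name(name, len(msg) + 10, table, compress)   # 10 = type+class+ttl+rdlen
        msg += struct.pack("!HHIH", TYPE_NS, 1, TTL, len(rdata)) + rdata
    for i, name in enumerate(names):                     # additional section: IPv4 glue
        msg += encode_name(name, len(msg), table, compress)
        msg += struct.pack("!HHIH", TYPE_A, 1, TTL, 4) + ipaddress.IPv4Address(f"192.0.2.{i + 1}").packed
    if ipv6_glue:
        for i, name in enumerate(names):                 # additional section: IPv6 glue
            msg += encode_name(name, len(msg), table, compress)
            msg += struct.pack("!HHIH", TYPE_AAAA, 1, TTL, 16) + ipaddress.IPv6Address(f"2001:db8::{i + 1}").packed
    return bytes(msg)


def max_servers_in_udp(compress=True, ipv6_glue=False, limit=UDP_LIMIT):
    """Largest n for which the whole priming response still fits in `limit` octets."""
    n = 0
    while len(priming_response(n + 1, compress, ipv6_glue)) <= limit:
        n += 1
    return n


def edns_opt_rr(udp_payload=4096):
    """OPT pseudo-RR (RFC 6891) a resolver appends to its query to advertise a larger buffer:
    empty owner name, type OPT, the class field carries the buffer size, no RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)


if __name__ == "__main__":
    for n in (13, 15, 16):
        print(n, "servers, compressed:", len(priming_response(n)), "octets")
    print("13 servers, uncompressed:", len(priming_response(13, compress=False)))
    print("13 servers with AAAA glue:", len(priming_response(13, ipv6_glue=True)))
    print("fit in 512 without EDNS: v4-only", max_servers_in_udp(), "| with AAAA", max_servers_in_udp(ipv6_glue=True))
```

Thirteen servers with compressed names come to 436 octets and fifteen would still fit, whereas without compression only seven do; adding AAAA glue for thirteen servers pushes the response to 800 octets, which is why a modern resolver attaches an OPT record advertising a larger buffer to its priming query.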


The [[root name server]]s are hosted in multiple secure sites with high-bandwidth access to accommodate the traffic load. At first, all of these installations were located in the United States; however, the distribution has shifted and this is no longer the case.<ref>{{cite web|title=DNS Root Servers: The most critical infrastructure on the internet|date=November 15, 2013|publisher=Slash Root|url=http://www.slashroot.in/dns-root-servers-most-critical-infrastructure-internet}}</ref> Usually each DNS server installation at a given site is a cluster of computers with load-balancing routers.<ref name=about /> A comprehensive list of servers, their locations, and properties is available at https://root-servers.org/. {{as of|2023|6|24}}, there were 1708 root server instances worldwide.<ref>{{cite web|title=Root Servers Technical Operations Assn|url=http://root-servers.org/|access-date=June 29, 2023|archive-url=https://web.archive.org/web/20230624010603/https://root-servers.org/|archive-date=June 24, 2023|url-status=dead}}</ref>


The modern trend is to use [[anycast]] addressing and routing to provide resilience and load balancing across a wide geographic area. For example, the ''j.root-servers.net'' server, maintained by [[Verisign]], is represented by 104 ({{as of|2016|1|lc=on}}) individual server systems located around the world, which can be queried using anycast addressing.<ref>{{cite web|title=Root Server Technical Operations Assn|url=https://root-servers.org/}}</ref>
==Management==
The content of the Internet root zone file is coordinated by a subsidiary of ICANN which performs the [[Internet Assigned Numbers Authority]] (IANA) functions. [[Verisign]] generates and distributes the zone file to the various root server operators.


When the Internet was transferred from U.S. government control to private hands in 1997, NTIA took on stewardship of the root zone. A 1998 Commerce Department document stated the agency was "committed to a transition that will allow the private sector to take leadership for DNS management" by the year 2000; however, no steps to make the transition happen were taken. In March 2014, NTIA announced it would transition its stewardship to a "global stakeholder community".<ref name=Ars />


According to Assistant Secretary of Commerce for Communications and Information, Lawrence E. Strickling, March 2014 was the right time to start a transition of the role to the global Internet community. The move came after pressure in the fallout of [[Global surveillance disclosures (2013–present)|revelations]] that the United States and its allies had engaged in surveillance. The chairman of the board of ICANN denied the two were connected, however, and said the transition process had been ongoing for a long time. ICANN president Fadi Chehadé called the move historic and said that ICANN would move toward multi-stakeholder control. Various prominent figures in Internet history not affiliated with ICANN also applauded the move.<ref name=Ars />


NTIA's announcement did not immediately affect how ICANN performs its role.<ref name=Ars>{{cite news|url=https://arstechnica.com/tech-policy/2014/03/in-sudden-announcement-us-to-give-up-control-of-dns-root-zone/|title=In sudden announcement, US to give up control of DNS root zone|last=Farivar|first=Cyrus|website=[[Ars Technica]] |date=March 14, 2014|access-date=March 15, 2014}}</ref><ref>{{cite web|url=https://www.ntia.doc.gov/blog/2015/update-iana-transition|title=An Update on the IANA Transition|publisher=National Telecommunications and Information Administration|date=August 17, 2015|access-date=November 17, 2015}}</ref> On March 11, 2016, NTIA announced that it had received a proposed plan to transition its stewardship role over the root zone, and would review it in the next 90 days.<ref>{{cite web|last1=Strickling|first1=Lawrence|title=Reviewing the IANA Transition Proposal|url=https://www.ntia.doc.gov/blog/2016/reviewing-iana-transition-proposal|website=National Telecommunications and Information Administration|publisher=United States Department of Commerce|access-date=May 26, 2016}}</ref>


The proposal was adopted, and ICANN's renewed contract to perform the IANA function lapsed on September 30, 2016, resulting in the transition of oversight responsibility to the global stakeholder community represented within ICANN's governance structures. As a component of the transition plan,<ref>{{cite web|url=https://www.icann.org/en/system/files/files/iana-stewardship-transition-proposal-10mar16-en.pdf|title=Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community|date=March 2016}}</ref> it created a new subsidiary called Public Technical Identifiers (PTI) to perform the IANA functions which include managing the DNS root zone.


==Integrity protection of the root zone==
===Signing of the root zone===
Since July 2010, the root zone has been signed with [[DNSSEC]],<ref>{{cite web|url=http://www.root-dnssec.org/|title=Root DNSSEC: Information about DNSSEC for the Root Zone|publisher=Internet Corporation For Assigned Names and Numbers|access-date=March 19, 2014}}</ref> providing a single [[trust anchor]] for the Domain Name System that can in turn be used to provide a trust anchor for other [[public key infrastructure]] (PKI). The root zone DNSKEY record set is re-signed periodically with the root zone [[Domain_Name_System_Security_Extensions#Key_management|key signing key]] (KSK) in a verifiable manner in front of witnesses in a [[Key ceremony|key signing ceremony]];<ref>{{cite web|url=https://www.icann.org/news/announcement-2-2010-06-07-en |title=First KSK Ceremony |publisher=Internet Corporation For Assigned Names and Numbers |date=April 18, 2010 |access-date=October 19, 2014 |url-status=dead |archive-url=https://web.archive.org/web/20150414231507/https://www.icann.org/news/announcement-2-2010-06-07-en |archive-date=April 14, 2015 }}</ref><ref>{{cite web|url=https://www.iana.org/dnssec/ceremonies|title=Root KSK Ceremonies|publisher=Internet Assigned Numbers Authority|date=November 12, 2015|access-date=November 17, 2015}}</ref> the remaining records of the zone are signed with a zone signing key (ZSK), which the KSK-signed DNSKEY record set in turn vouches for. The KSK introduced in 2017 (KSK-2017, key tag 20326) is the trust anchor valid as of 2020.
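How a validating resolver checks the root DNSKEY it receives against its configured trust anchor, as an added example (not ICANN's, IANA's or any resolver's code): the key tag algorithm of RFC 4034 Appendix B and the SHA-256 DS digest of RFC 4509, applied to a constructed placeholder DNSKEY. The anchor dictionary mirrors the fields of IANA's root-anchors.xml (KeyTag, Algorithm, DigestType, Digest); applied to the real root KSK's DNSKEY RDATA, ''key_tag()'' yields the 20326 mentioned above.

```python
"""Root trust anchor mechanics: DNSKEY key tag (RFC 4034 Appendix B) and the DS
digest (RFC 4509, SHA-256) that a validating resolver compares against its configured
anchor. Added example; the DNSKEY below is a constructed placeholder, not the real root KSK."""
import hashlib
import hmac
import struct


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form; the root's owner name is a single zero octet."""
    if name == ".":
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.lower().rstrip(".").split(".")) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key. Flags 257 = ZONE|SEP, i.e. a KSK."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag for every algorithm except RSA/MD5 (algorithm 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over the canonical owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def matches_trust_anchor(owner, rdata, anchor):
    """anchor: dict shaped like an entry of IANA's root-anchors.xml
    (KeyTag, Algorithm, DigestType, Digest as hex). True only if every field matches."""
    if anchor["DigestType"] != 2:
        return False                        # only SHA-256 DS anchors are handled here
    algorithm = rdata[3]
    return (key_tag(rdata) == anchor["KeyTag"]
            and algorithm == anchor["Algorithm"]
            and hmac.compare_digest(ds_digest(owner, rdata), bytes.fromhex(anchor["Digest"])))


def anchor_for(owner, rdata):
    """What the publisher derives from the KSK and what resolvers ship as their trust anchor."""
    return {"KeyTag": key_tag(rdata), "Algorithm": rdata[3], "DigestType": 2,
            "Digest": ds_digest(owner, rdata).hex()}


# Constructed placeholder KSK: flags 257 (ZONE+SEP), protocol 3, algorithm 8 (RSASHA256)
# and a dummy 4-octet "public key". Real keys are 2048-bit RSA; the arithmetic is identical.
PLACEHOLDER_KSK = dnskey_rdata(257, 3, 8, bytes(4))


if __name__ == "__main__":
    anchor = anchor_for(".", PLACEHOLDER_KSK)
    print("key tag:", anchor["KeyTag"], "DS:", anchor["Digest"])
    print("genuine key matches anchor:", matches_trust_anchor(".", PLACEHOLDER_KSK, anchor))
    rogue = dnskey_rdata(257, 3, 8, b"\x00\x00\x00\x01")
    print("rogue key matches anchor:", matches_trust_anchor(".", rogue, anchor))
```

The key tag is only a 16-bit hint for locating the right DNSKEY; the DS digest comparison is what actually binds the resolver's anchor to the key, so a rollover such as the 2017 KSK change means shipping a new DS-form anchor to every validating resolver.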

===ZONEMD record===
While the root zone is signed with DNSSEC, not every record in the zone file is covered by a signature: the NS records that delegate each top-level domain and the glue address records that accompany them are non-authoritative data in the root zone and are therefore not signed. To address this weakness, a new DNS resource record, ZONEMD, carrying a message digest over the entire zone was introduced in [https://www.rfc-editor.org/rfc/rfc8976 RFC 8976]. ZONEMD does not replace DNSSEC: the ZONEMD record itself is signed, so DNSSEC authenticates the digest and the digest in turn covers the unsigned records. ZONEMD and DNSSEC must be used together to ensure the full protection of the DNS root zone file.<ref>{{cite web |last1=Wessels |first1=Duane |title=Adding ZONEMD Protections to the Root Zone |url=https://blog.verisign.com/security/root-zone-zonemd/ |website=Verisign Blog |date=April 18, 2023}}</ref><ref>{{cite web |author1=D. Wessels |author2=P. Barber |author3=M. Weinberg |author4=W. Kumari |author5=W. Hardaker |title=RFC 8976 Message Digest for DNS Zones |url=https://www.rfc-editor.org/rfc/rfc8976 |access-date=10 March 2024 |date=February 2021}}</ref>

The ZONEMD deployment for the DNS root zone was completed on December 6, 2023.<ref>{{cite web |last1=Wessels |first1=Duane |title=[dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone |url=https://lists.dns-oarc.net/pipermail/dns-operations/2023-December/022388.html |access-date=10 March 2024 |date=2023-12-06}}</ref>
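The ZONEMD computation as an added worked example (not Verisign's or ICANN's tooling): the SIMPLE scheme with SHA-384 from RFC 8976 over a constructed toy zone shaped like the root, with documentation addresses as glue. It covers only the record types the toy zone uses (SOA, NS, A, AAAA, ZONEMD); the real root zone also carries DS, DNSKEY, RRSIG, NSEC and TXT records that need their own canonical RDATA encodings, and a signed zone additionally excludes the RRSIG over the apex ZONEMD from the digest. The tampering check shows the property described above: changing a glue address, which no RRSIG covers, still invalidates the digest.

```python
"""RFC 8976 ZONEMD, scheme SIMPLE (1) with SHA-384 (1), over a constructed toy zone.
Added example, not Verisign's or ICANN's tooling; handles only the record types the
toy zone uses and ignores RRSIGs (a signed zone also excludes the RRSIG over ZONEMD)."""
import hashlib
import hmac
import ipaddress
import struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
SCHEME_SIMPLE, HASH_SHA384 = 1, 1


def wire_name(name):
    """Canonical wire form of a name: lowercase labels, uncompressed (RFC 4034 s6.2)."""
    if name == ".":
        return b"\x00"
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_key(name):
    """Sort key giving RFC 4034 s6.1 canonical name order (labels compared right to left)."""
    labels = [] if name == "." else name.lower().rstrip(".").split(".")
    return tuple(l.encode("ascii") for l in reversed(labels))


def rdata_wire(rtype, rdata):
    """Canonical RDATA for the types in the toy zone (names inside RDATA are lowercased)."""
    if rtype == "A":
        return ipaddress.IPv4Address(rdata).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(rdata).packed
    if rtype == "NS":
        return wire_name(rdata)
    if rtype == "SOA":
        mname, rname, *nums = rdata.split()
        return wire_name(mname) + wire_name(rname) + struct.pack("!5I", *map(int, nums))
    if rtype == "ZONEMD":
        serial, scheme, halg, digest = rdata.split()
        return struct.pack("!IBB", int(serial), int(scheme), int(halg)) + bytes.fromhex(digest)
    raise ValueError("unsupported type " + rtype)


def zone_digest(apex, records):
    """SHA-384 over every RR (glue and delegations included) in canonical form and order,
    excluding the apex ZONEMD RRset itself. `records` are (owner, ttl, type, rdata) tuples."""
    rrs = {}
    for owner, ttl, rtype, rdata in records:
        if rtype == "ZONEMD" and owner.lower() == apex.lower():
            continue
        rd = rdata_wire(rtype, rdata)
        key = (canonical_key(owner), TYPES[rtype], rd)      # owner, then type, then RDATA
        rrs[key] = wire_name(owner) + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rd)) + rd
    h = hashlib.sha384()
    for key in sorted(rrs):                                   # the dict also drops exact duplicates
        h.update(rrs[key])
    return h.digest()


def soa_serial(apex, records):
    for owner, _, rtype, rdata in records:
        if rtype == "SOA" and owner.lower() == apex.lower():
            return int(rdata.split()[2])
    raise ValueError("no apex SOA")


def publish_zonemd(apex, records, ttl=86400):
    """Publisher side: drop any old apex ZONEMD, digest the zone, append a fresh ZONEMD RR."""
    body = [r for r in records if not (r[2] == "ZONEMD" and r[0].lower() == apex.lower())]
    digest = zone_digest(apex, body).hex()
    return body + [(apex, ttl, "ZONEMD", f"{soa_serial(apex, body)} {SCHEME_SIMPLE} {HASH_SHA384} {digest}")]


def verify_zonemd(apex, records):
    """Consumer side (a root server operator, or a resolver loading a local root copy):
    recompute the digest and compare it with a usable apex ZONEMD RR. False if none matches."""
    serial = soa_serial(apex, records)
    for owner, _, rtype, rdata in records:
        if rtype != "ZONEMD" or owner.lower() != apex.lower():
            continue
        zmd_serial, scheme, halg, digest = rdata.split()
        if int(zmd_serial) != serial or (int(scheme), int(halg)) != (SCHEME_SIMPLE, HASH_SHA384):
            continue    # stale ZONEMD, or a scheme/hash this verifier does not implement
        return hmac.compare_digest(bytes.fromhex(digest), zone_digest(apex, records))
    return False


# Constructed toy zone shaped like the root: apex SOA and NS, one TLD delegation, glue.
# Addresses are documentation prefixes (RFC 5737 / RFC 3849), not real root server addresses.
TOY_ZONE = [
    (".", 86400, "SOA", "a.root-servers.net. hostmaster.example. 2024080500 1800 900 604800 86400"),
    (".", 518400, "NS", "a.root-servers.net."),
    (".", 518400, "NS", "b.root-servers.net."),
    ("com.", 172800, "NS", "a.gtld-servers.net."),
    ("a.root-servers.net.", 518400, "A", "192.0.2.4"),
    ("a.root-servers.net.", 518400, "AAAA", "2001:db8:a::30"),
    ("b.root-servers.net.", 518400, "A", "192.0.2.201"),
    ("a.gtld-servers.net.", 172800, "A", "192.0.2.30"),
]


def tampered_glue(records):
    """Rewrite B's glue address: the NS RRset (and any RRSIG on it) is untouched, the digest is not."""
    return [(o, ttl, t, "198.51.100.66" if (o, t) == ("b.root-servers.net.", "A") else r)
            for o, ttl, t, r in records]


if __name__ == "__main__":
    signed = publish_zonemd(".", TOY_ZONE)
    print("intact zone verifies:", verify_zonemd(".", signed))
    print("glue-tampered zone verifies:", verify_zonemd(".", tampered_glue(signed)))
```

Because the digest is taken over the canonically sorted zone, it is independent of the order and letter case in which the zone file was written; and because the apex ZONEMD RRset is excluded, the record can be inserted into the zone it describes without changing what it digests.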

===DNS over TLS===
The B-Root DNS servers offer experimental support for [[DNS over TLS]] (DoT) on port 853.<ref>{{cite web|url=https://b.root-servers.org/news/2023/02/28/tls.html|title=B-Root Offers Experimental Support for DNS over TLS}}</ref>


==See also==
* [[Root name server]]
* [[Alternative DNS root]]
* [[AS112]]
==References==
{{Reflist|30em}}
* {{IETF RFC|2870|link=no}} – Root Name Server Operational Requirements
* {{IETF RFC|2826|link=no}} – IAB Technical Comment on the Unique DNS Root


==Further reading==
*{{cite web|url=https://www.ntia.doc.gov/press-release/2014/ntia-announces-intent-transition-key-internet-domain-name-functions|title=NTIA announces intent to transition key internet domain name functions|others=Office of Public Affairs|publisher=[[National Telecommunications and Information Administration]]|date=March 14, 2014|access-date=March 15, 2014}}


==External links==
* [https://www.circleid.com/posts/new_instance_of_dns_root_server_makes_internet_history/ CircleID.com], More root server instances outside the U.S. than inside
* [https://web.archive.org/web/20190413095253/https://brayhost.com/servidores-dns/ List of public DNS servers] Continuously verified and updated.
[[Category:Domain Name System|Root zone]]

Latest revision as of 00:16, 5 August 2024

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

Before October 1, 2016, the root zone had been overseen by the Internet Corporation for Assigned Names and Numbers (ICANN) which delegates the management to a subsidiary acting as the Internet Assigned Numbers Authority (IANA).[1] Distribution services are provided by Verisign. Prior to this, ICANN performed management responsibility under oversight of the National Telecommunications and Information Administration (NTIA), an agency of the United States Department of Commerce.[2] Oversight responsibility transitioned to the global stakeholder community represented within ICANN's governance structures.

A combination of limits in the DNS definition and in certain protocols, namely the practical size of unfragmented User Datagram Protocol[2] (UDP) packets, resulted in a practical maximum of 13 root name server addresses that can be accommodated in DNS name query responses. However the root zone is serviced by several hundred servers at over 130 locations in many countries.[3][4]

Initialization of DNS service

[edit]

The DNS root zone is served by thirteen root server clusters which are authoritative for queries to the top-level domains of the Internet.[5][6] Thus, every name resolution either starts with a query to a root server or uses information that was once obtained from a root server.

The root servers clusters have the official names a.root-servers.net to m.root-servers.net.[6] To resolve these names into addresses, a DNS resolver must first find an authoritative server for the net zone. To avoid this circular dependency, the address of at least one root server must be known for bootstrapping access to the DNS. For this purpose, operating systems or DNS servers or resolver software packages typically include a file with all addresses of the DNS root servers. Even if the IP addresses of some root servers change, at least one is needed to retrieve the current list of all name servers. This address file is called named.cache in the BIND name server reference implementation. The current official version is distributed by ICANN's InterNIC.[7]

With the address of a single functioning root server, all other DNS information may be discovered recursively, and information about any domain name may be found.

Redundancy and diversity

[edit]

The root DNS servers are essential to the function of the Internet, as most Internet services, such as the World Wide Web and email, are based on domain names. The DNS servers are potential points of failure for the entire Internet. For this reason, multiple root servers are distributed worldwide.[8] The DNS packet size of 512 octets limits a DNS response to thirteen addresses, until protocol extensions (see Extension Mechanisms for DNS) lifted this restriction.[9] While it is possible to fit more entries into a packet of this size when using label compression, thirteen was chosen as a reliable limit. Since the introduction of IPv6, the successor Internet Protocol to IPv4, previous practices are being modified and extra space is filled with IPv6 name servers.

The root name servers are hosted in multiple secure sites with high-bandwidth access to accommodate the traffic load. At first, all of these installations were located in the United States; however, the distribution has shifted and this is no longer the case.[10] Usually each DNS server installation at a given site is a cluster of computers with load-balancing routers.[9] A comprehensive list of servers, their locations, and properties is available at https://root-servers.org/. As of 24 June 2023, there were 1708 root servers worldwide.[11]

The modern trend is to use anycast addressing and routing to provide resilience and load balancing across a wide geographic area. For example, the j.root-servers.net server, maintained by Verisign, is represented by 104 (as of January 2016) individual server systems located around the world, which can be queried using anycast addressing.[12]

Management

[edit]

The content of the Internet root zone file is coordinated by a subsidiary of ICANN which performs the Internet Assigned Numbers Authority (IANA) functions. Verisign generates and distributes the zone file to the various root server operators.

In 1997, when the Internet was transferred from U.S. government control to private hands, NTIA exercised stewardship over the root zone. A 1998 Commerce Department document stated the agency was "committed to a transition that will allow the private sector to take leadership for DNS management" by the year 2000, however, no steps to make the transition happen were taken. In March 2014, NTIA announced it would transition its stewardship to a "global stakeholder community".[5]

According to Assistant Secretary of Commerce for Communications and Information, Lawrence E. Strickling, March 2014 was the right time to start a transition of the role to the global Internet community. The move came after pressure in the fallout of revelations that the United States and its allies had engaged in surveillance. The chairman of the board of ICANN denied the two were connected, however, and said the transition process had been ongoing for a long time. ICANN president Fadi Chehadé called the move historic and said that ICANN would move toward multi-stakeholder control. Various prominent figures in Internet history not affiliated with ICANN also applauded the move.[5]

NTIA's announcement did not immediately affect how ICANN performs its role.[5][13] On March 11, 2016, NTIA announced that it had received a proposed plan to transition its stewardship role over the root zone, and would review it in the next 90 days.[14]

The proposal was adopted, and ICANN's renewed contract to perform the IANA functions lapsed on September 30, 2016, transferring oversight responsibility to the global stakeholder community represented within ICANN's governance structures. As a component of the transition plan,[15] ICANN created a new subsidiary, Public Technical Identifiers (PTI), to perform the IANA functions, which include managing the DNS root zone.

Data protection of the root zone

Signing of the root zone

Since July 2010, the root zone has been signed with DNSSEC,[16] providing a single trust anchor for the Domain Name System that can in turn serve as a trust anchor for other public key infrastructures (PKI). The root zone's DNSKEY RRset is re-signed periodically with the root zone key signing key (KSK); each signing is performed in a verifiable manner in front of witnesses at a key signing ceremony.[17][18] Validating resolvers are configured with the KSK's trust anchor, which IANA publishes in DS record form (key tag, algorithm, digest type and digest). The key currently in use, KSK-2017 (DNSKEY key tag 20326), became the sole root KSK after the first root KSK rollover in October 2018 and is still valid as of 2020.
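The trust-anchor check described above, as an added example (not code from the page, nor from ICANN, IANA or Verisign): it computes a DNSKEY's key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4) and compares the result with a configured anchor, which is what a validating resolver does with the root KSK. The DNSKEY in the block is constructed with filler key bytes; the only real value is the published IANA root trust anchor, quoted for comparison.

```python
"""DNSSEC trust anchor check: compute a DNSKEY's key tag and DS digest and
compare them with a configured trust anchor, which is what a validating
resolver does with the root KSK.  Added example, not code from the page or
from ICANN/IANA/Verisign.  The DNSKEY used here is constructed; its key bytes
are filler, not a real RSA public key."""
import hashlib
import struct

# Root trust anchor as published by IANA (root-anchors.xml) for KSK-2017:
# key tag 20326, algorithm 8 (RSASHA256), digest type 2 (SHA-256).
ROOT_TRUST_ANCHOR_DS = (
    20326, 8, 2,
    "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
)

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name; "." is b"\\x00"."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1): sum of the
    RDATA taken as 16-bit big-endian words, carry folded back into 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: H(canonical owner name | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2):
    """(key tag, algorithm, digest type, digest) as a resolver would derive it."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def matches_trust_anchor(owner: str, rdata: bytes, anchor) -> bool:
    """A DNSKEY is trusted only if every field of its derived DS equals the anchor."""
    return ds_record(owner, rdata, anchor[2]) == anchor


# Constructed root KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8.
FAKE_ROOT_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))  # filler key bytes

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(".", FAKE_ROOT_KSK)
    print(f". IN DS {tag} {alg} {dtype} {digest}")
    print("matches IANA root anchor:",
          matches_trust_anchor(".", FAKE_ROOT_KSK, ROOT_TRUST_ANCHOR_DS))  # False: not the real key
```

The comparison deliberately covers all four DS fields: a key tag alone is a 16-bit checksum, not an identifier, so two different keys can share one, and the algorithm and digest type must match before the digest is even comparable. A resolver that accepted a DNSKEY on key tag alone would trust any key an attacker tuned to collide with 20326.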

ZONEMD record

DNSSEC signs only the authoritative data in the root zone. Delegation NS records and the glue address records for TLD name servers are non-authoritative data held at the parent and are therefore not covered by DNSSEC signatures, so altered NS or glue records in a copy of the zone file would not be detected by DNSSEC validation. To close this gap, a new DNS resource record, ZONEMD, was introduced in RFC 8976. It carries a message digest computed over the entire zone (every record in canonical order, excluding only the ZONEMD record itself and its RRSIG), so a recipient of a zone file, such as a root server operator or a resolver that serves a local copy of the root zone, can check that the file is complete and unmodified. ZONEMD does not replace DNSSEC: the ZONEMD record is itself signed, and ZONEMD and DNSSEC must be used together to ensure full protection of the DNS root zone file.[19][20]

The ZONEMD deployment for the DNS root zone was completed on December 6, 2023.[21]
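The digest mechanism described in this section, as an added example (not the root zone maintainer's code and not taken from the page): a ZONEMD for a small constructed zone is computed with scheme 1 (SIMPLE) over SHA-384 (hash algorithm 1) per RFC 8976, and verification is shown to fail when an unsigned glue record is changed. The zone is invented and unsigned, so it contains no RRSIGs; in a DNSSEC-signed zone the RRSIGs are digested too, except the one covering the apex ZONEMD RRset.

```python
"""ZONEMD (RFC 8976) for a zone file: scheme 1 (SIMPLE) over SHA-384 (hash
algorithm 1).  Added example, not the root zone maintainer's code; the zone
below is constructed and unsigned (no RRSIGs), which keeps the canonical wire
encoding short.  In a DNSSEC-signed zone the RRSIG records are digested as
well, except the RRSIG covering the apex ZONEMD RRset."""
import hashlib
import ipaddress
import struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}
HASHES = {1: hashlib.sha384, 2: hashlib.sha512}


def name_to_wire(name):
    """Canonical (lower-case) wire form; the root "." is a single zero byte."""
    labels = name.lower().rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def rdata_to_wire(rtype, f):
    """Canonical RDATA (RFC 4034 section 6.2: embedded names lower-cased)."""
    if rtype == "A":
        return ipaddress.IPv4Address(f[0]).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(f[0]).packed
    if rtype == "NS":
        return name_to_wire(f[0])
    if rtype == "SOA":  # mname, rname, serial, refresh, retry, expire, minimum
        return name_to_wire(f[0]) + name_to_wire(f[1]) + struct.pack("!5I", *f[2:])
    if rtype == "ZONEMD":  # serial, scheme, hash algorithm, digest (hex)
        return struct.pack("!IBB", *f[:3]) + bytes.fromhex(f[3])
    raise ValueError(rtype)


def rr_to_wire(owner, ttl, rtype, f):
    """Full RR in wire format: owner | type | class IN | TTL | RDLENGTH | RDATA."""
    rdata = rdata_to_wire(rtype, f)
    return name_to_wire(owner) + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rdata)) + rdata


def canonical_key(rr):
    """RFC 4034 section 6.1 order: labels compared right to left, then type, then RDATA."""
    owner, _, rtype, f = rr
    labels = owner.lower().rstrip(".").split(".") if owner.rstrip(".") else []
    return (labels[::-1], TYPES[rtype], rdata_to_wire(rtype, f))


def is_apex_zonemd(rr, apex):
    return rr[2] == "ZONEMD" and rr[0].lower() == apex.lower()


def zonemd_digest(apex, zone, hash_alg=1):
    """Scheme 1: hash every unique RR in canonical order, excluding the apex ZONEMD RRset."""
    h = HASHES[hash_alg]()
    seen = set()
    for rr in sorted((r for r in zone if not is_apex_zonemd(r, apex)), key=canonical_key):
        wire = rr_to_wire(*rr)
        if wire not in seen:  # RFC 8976 section 3.3.1: duplicate RRs are suppressed
            seen.add(wire)
            h.update(wire)
    return h.hexdigest().upper()


def publish(apex, zone, ttl=86400):
    """Return the zone with a ZONEMD record for its current SOA serial appended."""
    serial = next(rr for rr in zone if rr[2] == "SOA" and rr[0] == apex)[3][2]
    return zone + [(apex, ttl, "ZONEMD", (serial, 1, 1, zonemd_digest(apex, zone)))]


def verify_zonemd(apex, zone):
    """RFC 8976 section 4: accept if some apex ZONEMD matches the SOA serial and recomputes."""
    soa = [rr for rr in zone if rr[2] == "SOA" and rr[0].lower() == apex.lower()]
    if len(soa) != 1:
        return False
    for rr in zone:
        if not is_apex_zonemd(rr, apex):
            continue
        serial, scheme, alg, digest = rr[3]
        if serial == soa[0][3][2] and scheme == 1 and alg in HASHES \
                and zonemd_digest(apex, zone, alg) == digest.upper():
            return True
    return False


# Constructed zone: the delegation NS and its glue A are exactly the kind of
# records DNSSEC leaves unsigned but ZONEMD still covers.
APEX = "example."
ZONE = [
    (APEX, 86400, "SOA", ("ns1.example.", "hostmaster.example.", 2024010100, 1800, 900, 604800, 86400)),
    (APEX, 86400, "NS", ("ns1.example.",)),
    (APEX, 86400, "NS", ("ns2.example.",)),
    ("ns1.example.", 3600, "A", ("192.0.2.1",)),
    ("ns2.example.", 3600, "AAAA", ("2001:db8::2",)),
    ("sub.example.", 3600, "NS", ("ns1.sub.example.",)),  # delegation
    ("ns1.sub.example.", 3600, "A", ("192.0.2.53",)),      # glue
]


def tamper(zone):
    """Swap the glue address of the delegation, as a corrupted zone copy might."""
    return [(o, t, ty, ("198.51.100.66",)) if (o, ty) == ("ns1.sub.example.", "A") else (o, t, ty, f)
            for o, t, ty, f in zone]


if __name__ == "__main__":
    signed = publish(APEX, ZONE)
    print(signed[-1])
    print("intact:", verify_zonemd(APEX, signed), "tampered:", verify_zonemd(APEX, tamper(signed)))
```

Two details matter operationally: the digest is order-independent because the records are canonically sorted before hashing, so a zone file received in a different order still verifies, and the serial in the ZONEMD record must equal the SOA serial, which ties the digest to one specific zone version rather than to whatever SOA a tampered file carries.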

DNS over TLS

The B-Root servers offer experimental support for DNS over TLS (DoT) on TCP port 853.[22]

References
  1. ^ "Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends". October 1, 2016. Retrieved December 25, 2017.
  2. ^ a b Jerry Brito (March 5, 2011). "ICANN vs. the World". Time.
  3. ^ "There are not 13 root servers". www.icann.org. Retrieved January 18, 2018.
  4. ^ "DNS root servers in the world « stupid.domain.name". stupid.domain.name. Archived from the original on February 11, 2021. Retrieved January 18, 2018.
  5. ^ a b c d Farivar, Cyrus (March 14, 2014). "In sudden announcement, US to give up control of DNS root zone". Ars Technica. Retrieved March 15, 2014.
  6. ^ a b "Root Servers". IANA. Retrieved January 17, 2020.
  7. ^ "named.cache". InterNIC. November 17, 2015. Retrieved November 17, 2015.
  8. ^ "SANS Institute InfoSec Reading Room". SANS. Retrieved March 17, 2014.
  9. ^ a b Bradley Mitchell (November 19, 2008). "Why There Are Only 13 DNS Root Name Servers". About.com. Archived from the original on March 18, 2014. Retrieved March 17, 2014.
  10. ^ "DNS Root Servers: The most critical infrastructure on the internet". Slash Root. November 15, 2013.
  11. ^ "Root Servers Technical Operations Assn". Archived from the original on June 24, 2023. Retrieved June 29, 2023.
  12. ^ "Root Server Technical Operations Assn".
  13. ^ "An Update on the IANA Transition". National Telecommunications and Information Administration. August 17, 2015. Retrieved November 17, 2015.
  14. ^ Strickling, Lawrence. "Reviewing the IANA Transition Proposal". National Telecommunications and Information Administration. United States Department of Commerce. Retrieved May 26, 2016.
  15. ^ "Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community" (PDF). March 2016.
  16. ^ "Root DNSSEC: Information about DNSSEC for the Root Zone". Internet Corporation For Assigned Names and Numbers. Retrieved March 19, 2014.
  17. ^ "First KSK Ceremony". Internet Corporation For Assigned Names and Numbers. April 18, 2010. Archived from the original on April 14, 2015. Retrieved October 19, 2014.
  18. ^ "Root KSK Ceremonies". Internet Assigned Numbers Authority. November 12, 2015. Retrieved November 17, 2015.
  19. ^ Wessels, Duane (April 18, 2023). "Adding ZONEMD Protections to the Root Zone". Verisign Blog.
  20. ^ D. Wessels; P. Barber; M. Weinberg; W. Kumari; W. Hardaker (February 2021). "RFC 8976 Message Digest for DNS Zones". Retrieved March 10, 2024.
  21. ^ Wessels, Duane (December 6, 2023). "[dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone". Retrieved March 10, 2024.
  22. ^ "B-Root Offers Experimental Support for DNS over TLS".

Further reading

  • RFC 2870 – Root Name Server Operational Requirements
  • RFC 2826 – IAB Technical Comment on the Unique DNS Root