The Grumpy Troll

Ramblings of a grumpy troll.

The DNS root zone, international governance, ICANN and DNSSEC

When it comes to “who controls the DNS?”, passions start to run high, nationalistic sentiment comes to the fore and the noise level rises. I'd like to step back and point out a difference between the official nominal control of DNS and the actual, de facto, practice, and how things are changing.

DNS is a federated system, whereby DNS operators own their own little corner of the DNS and can control and delegate as they see fit. However, it's organised into a tree, with the “root zone”, ‘.’ at the top, then the “top-level domains” beneath that, and normal registrations at some level below those. The top-level domains include .org, .net, .com, .jp, .us, etc. Clearly there are differences between the policies applicable to .jp and those to .us.

So the top-level, root, domain is particularly important, as whosoever controls the root can control who appears in the DNS at the next level. They can wipe a country out of DNS, or change who is in charge of DNS for a country. With that amount of leverage, they can pressure the operators of a sub-tree to implement policies of their choosing.

The “official” root zonefile is maintained by IANA, one of the most important bodies on the Internet. It's a body usually noticed only by the technically inclined, so it got brushed into ICANN when ICANN was formed. ICANN reports to the United States Department of Commerce.

Thus it is that some people campaign to have the control of the root zone removed from the US and moved to an international body, to remove the controls from one nation. More organisations don't actively campaign, but hold the opinion that this should happen.

This is ignorant of history and dangerously naïve; by confusing nominal and actual control, it will have the opposite effect to the one which the proponents state.

The root name-servers are referred to by every DNS resolver on the planet. These resolvers, normally operated by your ISP, need to be able to find the roots without using DNS. Thus there are 13 hosts with well-established IP addresses, scattered around the planet. The resolvers have those IP addresses configured into them; as long as even one of them remains correct and serving, the resolver can, once started, find the current list of root servers. The list of root server addresses changes very slowly indeed, as it can take decades to shake out the old IP addresses. (The only notable changes in recent years have been from the addition of IPv6 addresses.)

It used to be that each root server was one machine, somewhere on the net. One of the founders of the Internet, Jon Postel, decided where to place those servers. Jon Postel was a wise and astute man. In the early days, IANA was Jon Postel. He scattered the 13 roots among different organisations; some in the USA, some outside; some military, some commercial, some academic.

(In the time since then, some of those root servers have become “anycast”, backed by servers in multiple places, so that there are even more root servers today, even though there are only 13 routed IPv4 addresses (and fewer IPv6 addresses) in use.)

It is a strong convention that keeps all of the root server operators following the official root zone. Some may be compelled to do so, by being part of the US government. Some may be pressured to do so. Others continue to use the root zone because using different root zones would lead to Interesting Times.

But should the day ever come when one government unilaterally decides to remove another country's top-level domain from the root zone, you can be very sure that a number of the root zone operators would not accept the update and would continue to publish a record for that zone. This would very shortly be followed by ISPs fixing their reliability problems by removing the censored root servers from their list of roots.

But what happens if the root zone is moved to an international body? It's fairly easy for a root server in a Scandinavian country to make the case that censorship imposed by a foreign government is wrong and should be opposed, but when the censorship is imposed by an international body which their own government belongs to? That becomes much harder to resist.

There exists a political tactic called “policy laundering”. This is where a governing body decides they want to pass a law X, but can't get away with it. So they instead campaign within a wider governing body for them to pass X, which lets them then tell their electorate “not our fault, imposed from outside, you're right that it's terrible”. A fairly recent example was when the second President Bush banned the use of federal money for stem cell research while claiming that he wasn't blocking all stem cell research; meanwhile, his government campaigned for a UN resolution banning stem cell research.

So should the control of the root zone move to an international body, you'd start to see political maneuvering to control what can be within it. Powerful nations would exert pressure. When orders came down via the national governments to implement a change, the root server operators would be powerless to resist, if they wanted to stay out of prison. Or at least, they would be the second time they were ordered, after whatever additional laws prove locally necessary have been passed.

So, by moving control of the root zone to an international body, you INCREASE the risk of suborning of the content of the root zone by national governments acting in concert.

De facto != De jure.

At the moment, the Internet is living in a golden age, where non-government bodies retain some control of the technically critical units which let the Internet and DNS function and changes would be resisted.

Into this mix, we now throw DNSSEC.

DNSSEC provides for security in the DNS. Various integrity problems have shown up over the years in non-secured DNS and the ability to resist some tampering of the DNS results is important. There are a couple of methods of doing this, but the one with the momentum behind it is DNSSEC.

The root zone is now signed. The keys used to control that signing live within one organisation. As ISPs and other network operators deploy DNSSEC validation to their resolvers, they bake in the public key for signing the root zone. (Pedantically: for signing the key which in turn signs the root zone.)

As this happens, it will become much harder for the root server operators to schism. If they do so, their data will be unsigned and will be rejected by the resolvers.

This increases the ability for control of the DNS root zone's content to be abused, even without moving to an international body first.

So, how can we avoid moving to a future where one body can make arbitrary decisions without having to worry about effective resistance?

One way would be to not use one key for signing the root zone. Instead, ensure that DNS resolvers support using a set of keys, any one of which can be used for signing a zone. Then each operator who controls what goes into the root zone on a set of servers creates their own keys. They sign the root zone with their keys. They publish a root zone using their signatures.

This way, the current model of "13 independent entities" is preserved, instead of destroyed. The resolvers continue to be able to validate the content, in the event of a schism. Nobody gets too much leverage. Detente is maintained.
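
An added example (not part of the original post) of the trust-anchor step this proposal changes: a validating resolver can only start a chain of trust from a served DNSKEY that matches a configured anchor, so a split root zone signed with an operator's own key fails under a single anchor and passes under an anchor set. The key bytes and operator labels are constructed placeholders, and signature verification is left out.

```python
import hashlib
import struct

ROOT = b"\x00"    # wire-format owner name of the root zone
KSK_FLAGS = 257   # Zone Key bit (256) plus SEP bit (1)
ED25519 = 15      # DNSSEC algorithm number for Ed25519

def dnskey_rdata(public_key, flags=KSK_FLAGS, algorithm=ED25519):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_anchor(rdata):
    """Trust anchor in DS form: key tag, algorithm, SHA-256 digest."""
    digest = hashlib.sha256(ROOT + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def anchored_key_tags(dnskey_rrset, trust_anchors):
    """Key tags of served zone keys that match any configured anchor.
    An empty list means no chain of trust can start, so a validating
    resolver rejects the zone. Signature checks are omitted here."""
    anchors = set(trust_anchors)
    # r[0] & 0x01 is the Zone Key bit (256) in the big-endian flags field.
    return [key_tag(r) for r in dnskey_rrset
            if r[0] & 0x01 and make_anchor(r) in anchors]

def constructed_key(label):
    """Constructed 32-byte stand-in for a public key, not a real root key."""
    return dnskey_rdata(hashlib.sha256(label.encode()).digest())

CENTRAL = constructed_key("central signer")
OPERATORS = [constructed_key(f"operator {i}") for i in range(3)]  # hypothetical

SINGLE_ANCHOR = [make_anchor(CENTRAL)]
ANCHOR_SET = SINGLE_ANCHOR + [make_anchor(k) for k in OPERATORS]

def split_zone_accepted(anchors):
    """Operator 1 serves a root DNSKEY RRset holding only its own key."""
    return bool(anchored_key_tags([OPERATORS[1]], anchors))

if __name__ == "__main__":
    print("single anchor accepts split zone:", split_zone_accepted(SINGLE_ANCHOR))
    print("anchor set accepts split zone:   ", split_zone_accepted(ANCHOR_SET))
```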

In international affairs, detente is good.


Phil P

Please note that "each operator who controls what goes into the root zone" is a statement about the proposed state of affairs, not the existing state of affairs.

I am well aware of how the process is managed currently, with the signing ceremonies and all. My argument is that if we continue down this path then DNSSEC takes us from a scenario where the root server operators normally passively accept the root zone from ICANN/A-root but have the option to stop being so passive, to a scenario where they no longer have that option in practice.

Most resolver operators have no idea which people operate the root servers and would have no way of verifying that a message of "we're splitting off" comes from a real operator, instead of a kook.

Rather than deploy a lock-in which *enforces* that the control *has* to happen centrally, we should be deploying around a model where the control *happens* to be central, for so long as it remains sane and uncensored.

As long as there is a realistic ability for the root server operators to split, there is a disincentive for anyone to actually censor the canonical root zone and it becomes more likely that everyone will continue happily using the ICANN/Verisign zone (modulo DNSKEY for root and the signatures). If we make that ability impossible in practice, we increase the temptation for someone in the future to exercise their control and censor.

John C.

Your blog post shows a misunderstanding of the role of the root-server operators and DNS name servers in general.

You say "each operator who controls what goes into the root zone" whereas in fact name servers publish what is passed to them; they typically don't generate/edit a zone.

At the level of the authoritative servers for the roots and TLDs this is most definitely the case. The data management for the zone and hence the attesting to its validity (signing) is a different part of the process which is completely separable from publishing the zone on nameservers answering DNS queries.

The most important factor of signing a DNS zone is that the signer is in a sense attesting to the "correctness" of the data contained within that zone and only those who manage the generation of the zone can attest to this. In the case of the root this is a combination of ICANN/Verisign and not the root-server operators.

Categories: ICANN DNSSEC dns governance federation