DNS root zone
The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.
Before October 1, 2016, the root zone had been overseen by the
A combination of limits in the DNS definition and in certain protocols, namely the practical size of unfragmented User Datagram Protocol[2] (UDP) packets, resulted in a practical maximum of 13 root name server addresses that can be accommodated in DNS name query responses. However, the root zone is serviced by several hundred servers at over 130 locations in many countries.[3][4]
Initialization of DNS service
The DNS root zone is served by thirteen root server clusters which are authoritative for queries to the top-level domains of the Internet.[5][6] Thus, every name resolution either starts with a query to a root server or uses information that was once obtained from a root server.
The root server clusters have the official names a.root-servers.net to m.root-servers.net.
With the address of a single functioning root server, all other DNS information may be discovered recursively, and information about any domain name may be found.
Redundancy and diversity
The root DNS servers are essential to the function of the Internet, as most Internet services, such as the
The root name servers are hosted in multiple secure sites with high-bandwidth access to accommodate the traffic load. At first, all of these installations were located in the United States; however, the distribution has shifted and this is no longer the case.[10] Usually each DNS server installation at a given site is a cluster of computers with load-balancing routers.[9] A comprehensive list of servers, their locations and properties is available at https://root-servers.org/. As of 24 June 2023, there were 1708 root servers worldwide.[11]
The modern trend is to use anycast addressing and routing to provide resilience and load balancing across a wide geographic area. For example, the j.root-servers.net server, maintained by Verisign, is represented by 104 (as of January 2016) individual server systems located around the world, which can be queried using anycast addressing.[12]
Management
The content of the Internet root zone file is coordinated by a subsidiary of ICANN which performs the Internet Assigned Numbers Authority (IANA) functions. Verisign generates and distributes the zone file to the various root server operators.
Since 1997, when the Internet was transferred from U.S. government control to private hands, NTIA has exercised stewardship over the root zone. A 1998 Commerce Department document stated the agency was "committed to a transition that will allow the private sector to take leadership for DNS management" by the year 2000; however, no steps to make the transition happen were taken. In March 2014, NTIA announced it would transition its stewardship to a "global stakeholder community".[5]
According to Assistant Secretary of Commerce for Communications and Information, Lawrence E. Strickling, March 2014 was the right time to start a transition of the role to the global Internet community. The move came after pressure in the fallout of
NTIA's announcement did not immediately affect how ICANN performs its role.[5][13] On March 11, 2016, NTIA announced that it had received a proposed plan to transition its stewardship role over the root zone, and would review it in the next 90 days.[14]
The proposal was adopted, and ICANN's renewed contract to perform the IANA function lapsed on September 30, 2016, resulting in the transition of oversight responsibility to the global stakeholder community represented within ICANN's governance structures. As a component of the transition plan,[15] ICANN created a new subsidiary called Public Technical Identifiers (PTI) to perform the IANA functions, which include managing the DNS root zone.
Data protection of the root zone
Signing of the root zone
Since July 2010, the root zone has been signed with a
ZONEMD record
While the root zone file is signed with DNSSEC, some DNS records, such as NS records, are not covered by DNSSEC signatures. To address this weakness, a new DNS Resource Record, called ZONEMD, was introduced in RFC 8976. ZONEMD doesn't replace DNSSEC. ZONEMD and DNSSEC must be used together to ensure the full protection of the DNS root zone file.[19][20]
The ZONEMD deployment for the DNS root zone was completed on December 6, 2023.[21]
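The whole-zone digest idea behind ZONEMD, as an added example (not code from RFC 8976 or from the root zone operators): a simplified version of the RFC 8976 SIMPLE scheme with SHA-384 that supports only SOA, NS, A and AAAA records in an unsigned zone. It shows that altering a delegation NS record, which carries no DNSSEC signature, changes the digest. All function names and sample records are assumptions constructed for illustration.

```python
import hashlib, ipaddress, struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28, "ZONEMD": 63}

def labels(name):
    """Lowercased labels of an absolute name; the root name has none."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def wire_name(name):
    """Uncompressed canonical wire form of a domain name."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def rdata(rtype, text):
    """Canonical RDATA for the few record types this example supports."""
    if rtype in ("A", "AAAA"):
        return ipaddress.ip_address(text).packed
    if rtype == "NS":
        return wire_name(text)
    if rtype == "SOA":
        mname, rname, *nums = text.split()
        return wire_name(mname) + wire_name(rname) + struct.pack("!5I", *map(int, nums))
    raise ValueError(f"unsupported type {rtype}")

def zone_digest(records, apex="."):
    """SHA-384 over every RR in canonical order (simplified SIMPLE scheme)."""
    rrs = set()  # a set also drops duplicate RRs
    for owner, ttl, rtype, text in records:
        if rtype == "ZONEMD" and labels(owner) == labels(apex):
            continue  # the apex ZONEMD RR is not part of its own digest
        rd = rdata(rtype, text)
        wire = wire_name(owner) + struct.pack("!HHIH", TYPES[rtype], 1, ttl, len(rd)) + rd
        # Sort key: owner labels right to left, then type, then RDATA bytes.
        rrs.add((tuple(reversed(labels(owner))), TYPES[rtype], rd, wire))
    h = hashlib.sha384()
    for *_, wire in sorted(rrs):
        h.update(wire)
    return h.hexdigest()

# Constructed sample zone (documentation addresses, not real root zone data).
ZONE = [
    (".", 86400, "SOA", "a.root-servers.net. hostmaster.example. 2023120600 1800 900 604800 86400"),
    (".", 518400, "NS", "a.root-servers.net."),
    ("example.", 172800, "NS", "ns1.example."),   # delegation NS: not signed by DNSSEC
    ("ns1.example.", 172800, "A", "192.0.2.53"),  # glue address: not signed either
]

def tampered(zone):
    """Copy of the zone with the delegation NS target replaced."""
    return [(o, t, ty, "ns9.example." if (o, ty) == ("example.", "NS") else d)
            for o, t, ty, d in zone]
```

A receiver of the zone file recomputes the digest and compares it with the value in the DNSSEC-signed ZONEMD record, so `zone_digest(tampered(ZONE))` no longer matching `zone_digest(ZONE)` is what exposes a change to unsigned data.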
References
- [1] "Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends". October 1, 2016. Retrieved December 25, 2017.
- [2] Jerry Brito (March 5, 2011). "ICANN vs. the World". Time.
- [3] "There are not 13 root servers". www.icann.org. Retrieved January 18, 2018.
- [4] "DNS root servers in the world « stupid.domain.name". stupid.domain.name. Archived from the original on February 11, 2021. Retrieved January 18, 2018.
- [5] Farivar, Cyrus (March 14, 2014). "In sudden announcement, US to give up control of DNS root zone". Ars Technica. Retrieved March 15, 2014.
- [6] "Root Servers". IANA. Retrieved January 17, 2020.
- [7] "named.cache". InterNIC. November 17, 2015. Retrieved November 17, 2015.
- [8] "SANS Institute InfoSec Reading Room". SANS. Retrieved March 17, 2014.
- [9] About.com. Archived from the original on March 18, 2014. Retrieved March 17, 2014.
- [10] "DNS Root Servers: The most critical infrastructure on the internet". Slash Root. November 15, 2013.
- [11] "Root Servers Technical Operations Assn". Archived from the original on June 24, 2023. Retrieved June 29, 2023.
- [12] "Root Server Technical Operations Assn".
- [13] "An Update on the IANA Transition". National Telecommunications and Information Administration. August 17, 2015. Retrieved November 17, 2015.
- [14] Strickling, Lawrence. "Reviewing the IANA Transition Proposal". National Telecommunications and Information Administration. United States Department of Congress. Retrieved May 26, 2016.
- [15] "Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community" (PDF). March 2016.
- [16] "Root DNSSEC: Information about DNSSEC for the Root Zone". Internet Corporation For Assigned Names and Numbers. Retrieved March 19, 2014.
- [17] "First KSK Ceremony". Internet Corporation For Assigned Names and Numbers. April 18, 2010. Archived from the original on April 14, 2015. Retrieved October 19, 2014.
- [18] "Root KSK Ceremonies". Internet Assigned Numbers Authority. November 12, 2015. Retrieved November 17, 2015.
- [19] Wessels, Duane (April 18, 2023). "Adding ZONEMD Protections to the Root Zone". Verisign Blog.
- [20] D. Wessels; P. Barber; M. Weinberg; W. Kumari; W. Hardaker (February 2021). "RFC 8976 Message Digest for DNS Zones". Retrieved March 10, 2024.
- [21] Wessels, Duane (December 6, 2023). "[dns-operations] Root zone operational announcement: introducing ZONEMD for the root zone". Retrieved March 10, 2024.
- RFC 2870 – Root Name Server Operational Requirements
- RFC 2826 – IAB Technical Comment on the Unique DNS Root
Further reading
- "NTIA announces intent to transition key internet domain name functions". Office of Public Affairs. National Telecommunications and Information Administration. March 14, 2014. Retrieved March 15, 2014.
External links
- Root Zone File
- root-servers.org
- IANA's Authoritative Database of TLDs on the DNS Root Zone
- ICANN's Root Server System Advisory Committee
- CircleID.com, on DNS Root Servers
- CAIDA.org, paper on root server location problem
- CircleID.com, More root server instances outside the U.S. than inside
- List of public DNS servers Continuously verified and updated.