DNS ad-hocracy in peril as ICANN advisors mull root server shakeup

Internet overseer ICANN is considering a self-managed governance model for the world's Domain Name System root servers – and one of the outcomes could be a reduction in the number of root servers. Today, 12 companies operate the 13 DNS root servers that are used by browsers and other software to ultimately translate domain …

  1. Anonymous Coward

    Normally I prefer simpler infrastructure approaches as they are easier to design, implement and troubleshoot. Are they sure that consolidating the root servers is a good idea? Will the consolidated root servers have the capacity to function when one or more groups are under attack (looking at the BPQ here)? Lastly, when is it a good idea to simplify an attacker's targeting problem?

    Most likely, I can't see any issue here save ones sure to be brought up by the IETF. I always think Red Team when I look at my designs.

    1. Charles 9

      I think what they're saying is that, once goodwill runs thin (and history indicates it WILL run thin), competition and attrition will result in one or more of the providers going away. Not because ICANN wants it that way, but because the providers want it that way.

    2. Voland's right hand Silver badge

      Will the consolidated root servers have the capacity to function when one or more groups is under attack (looking at the BPQ here)

      1. Most of them are at large peering points. LINX hosts one.

      2. Most of the information they supply is cached further down.

      3. The information is nowadays limited to NS records for TLDs and is 13-way redundant at DNS level and tens if not hundreds of times redundant at each root server level due to use of anycast by most of them.

      If you can conjure a DDoS on that scale there are plenty of better ways to use your time.

    3. Yes Me Silver badge

      Will the consolidated root servers have the capacity to function...

      I haven't read the white paper, but I read this as talking about consolidating the number of operators, not the number of servers. In any case the server addresses are all unicast addresses, i.e. in reality there are many instances of each of the apparent 13. So I don't think there's any issue about redundancy and DDOS resistance; this is an admin thing.

  2. Herby

    If it ain't broke

    Don't Fix It!!

    Enough said!

    1. monty75

      Re: If it ain't broke

      But equally, don't wait until it breaks.

  3. Voland's right hand Silver badge

    the RSOs [root server operators] today operate completely independently under their own goodwill and funding without any direct oversight by the stakeholders of the service,

    First of all, the stakeholders are all Internet users. Good luck consulting stakeholders on any changes.

    Second, the only answer roots give in this day and age is referral - who is the nameserver for a particular TLD. There was a point when some roots (the one operated by ISC) were also sharing jobs with serving TLDs; that is long gone. The nameserver information in each TLD zone is what determines the query rate and the operational load on the roots. It is not the roots themselves. E.g. the .com zone has a 120K+ seconds TTL for its nameserver entries. Once a nameserver lower in the hierarchy learns where to look for .com it will not bother the roots until its next reboot (120k seconds is a very long time). Compared to that, .org is about an hour. And so on. Standardization of this is in ICANN's remit, but it cannot even get that right. In any case, back on the topic of root load. Want to decrease root load? Do what .com has done - jack up the TTL for the TLD nameservers across the board.

    Third, roots are hard-wired into nameserver software. I am old enough to remember the first root migration when we moved from a random selection of names in the DARPA project to the current root server file list which ships with every nameserver. There were mis-configured laggards for years after that.

    All in all, it works, do not f*ck with it.

    1. Anonymous Coward

      Next reboot?

      120Ksec is less than 2 days.

      org, com, net, uk and probably all the others have a TTL of 172.8k (which is 2 days)

      1. Voland's right hand Silver badge

        Next reboot?

        Commenting before my intravenous coffee drip has decreased the concentration of the blood in my coffee subsystem.

        You are indeed correct - you are not likely to have a server reboot in that amount of time. It is however time for which most mid-level and SP servers will probably discard the entry from the cache due to memory pressure and/or "other" validation criteria long before the TTL has expired.

        1. Anonymous Coward

          Fair enough. Lack of coffee is a valid excuse always! :-)

          <childish joke>

          2 days reboots.... there was me thinking you may be a windows admin

          </childish joke>

          and you're right about the TTL potentially being expired for other reasons.

          I don't know why your reply was downvoted... It wasn't by me. Have a balancing upvote.

          (original AC)

    2. Anonymous Coward

      "Third, roots are hard-wired into nameserver software. I am old " Carp, see: https://www.internic.net/domain/named.root
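The sub-thread above argues that the TTL on a TLD's NS records (and early cache eviction under memory pressure) is what bounds how often a caching resolver goes back to the root. The following simulation is an added example, not from any commenter; the query stream, the 172800/3600 second TTLs and the eviction cap are constructed values.

```python
"""Simulate how often a caching resolver sends a referral query for one TLD
to the root servers, as a function of the TLD's NS-record TTL.

Constructed example: the resolver is modelled as a single cache slot for the
TLD's delegation; every client query for a name under that TLD is a cache
hit unless the slot is empty, expired or evicted early.
"""
from typing import Iterable, Optional

DAY = 86400            # seconds
TTL_COM_LIKE = 172800  # 2 days, as the thread's correction states for com/org/net/uk
TTL_ONE_HOUR = 3600    # the shorter TTL one commenter cites for .org


def steady_queries(interval: int, horizon: int) -> range:
    """Client queries for names under the TLD, one every `interval` seconds."""
    return range(0, horizon, interval)


def root_queries(tld_ttl: int, horizon: int, query_times: Iterable[int],
                 max_cache_age: Optional[int] = None) -> int:
    """Count referral queries the resolver sends to the root for one TLD.

    tld_ttl       : TTL (s) of the TLD's NS records in the root zone.
    horizon       : length of the simulated period (s).
    query_times   : ascending times (s) at which clients query names in the TLD.
    max_cache_age : optional cap after which the resolver drops the delegation
                    regardless of TTL (models eviction under memory pressure or
                    other local policy, as discussed in the replies).
    """
    effective_ttl = tld_ttl if max_cache_age is None else min(tld_ttl, max_cache_age)
    cached_until = -1          # nothing cached yet
    referrals_to_root = 0
    for t in query_times:
        if t >= horizon:
            break
        if t > cached_until:   # miss: delegation absent, expired or evicted
            referrals_to_root += 1
            cached_until = t + effective_ttl
    return referrals_to_root


if __name__ == "__main__":
    week = 7 * DAY
    q = steady_queries(10, week)   # a busy resolver: one query every 10 s
    print("2-day TTL :", root_queries(TTL_COM_LIKE, week, q))
    print("1-hour TTL:", root_queries(TTL_ONE_HOUR, week, q))
    print("2-day TTL, evicted after 10 min:",
          root_queries(TTL_COM_LIKE, week, q, max_cache_age=600))
```

The client query rate barely matters once the delegation is cached; only the effective TTL (the published TTL or the resolver's own eviction horizon, whichever is shorter) sets the root query count.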

  4. Will Godfrey Silver badge
    Unhappy

    If it walks like a duck...

    Smells like another power grab to me. ICANN are not exactly known for being self-sacrificing for the good of society.

  5. Anonymous Coward

    Could be good. Could be bad.

    DNS security problems are growing. Maybe fixes/improvements will roll out faster...

    But, it kind of defeats the purpose of having a distributed system...

  6. Giovani Tapini

    It's a solution to a problem that hasn't been defined

    supported by the wrong metrics

    DNS equivalent of devs being paid by lines of code written - it will drive the wrong behaviours.

  7. Doctor Syntax Silver badge

    ICANN challenging somebody else's governance? Maybe there's a market for panes of glass out there.

  8. Alan Brown Silver badge

    Misdirection

    And The Register swallowed it hook, line and sinker

    The 13 roots are setup the way they are _specifically_ to prevent any entity attempting to capture them.

    They are the 13 keys that rule the kingdom and putting them into the hands of ICANN would not end well for anyone except ICANN.

    Thankfully this is an attempt which would likely see ICANN finding out that whilst they "own" the DNS space, it's only at the pleasure of the roots delegating it to them.

    1. Voland's right hand Silver badge

      Re: Misdirection

      The 13 roots are setup the way they are _specifically_

      In more than one way - several are also under the admin control of non-USA entities.

  9. Rich 2 Silver badge

    Just say no

    Of course, the 13 root server admins could just ignore ICANN.

    And what could ICANN (or anyone else for that matter) do about it? Short of blocking the IP addresses of the servers (which would require an awful lot of co-operation from lots of other people), not much.

    ...and the cyber-world would carry on spinning...

    1. stiine Silver badge
      FAIL

      Re: Just say no

      ICANN runs one of them...

      1. Rich 2 Silver badge

        Re: Just say no

        Ok, 12 is enough to be getting on with

  10. Alphebatical
    Mushroom

    Somehow, I suspect a DNS system entirely ruled by ICANN would have trouble mapping to places that don't collect "proper" WHOIS information.

  11. Mike 16

    Trust

    It amuses me that Almon Strowger invented his automatic telephone switch specifically because the telephone operator in his home town would connect calls intended for him to a competitor (both were undertakers) who just happened to be the operator's husband. His belief was that an incorruptible machine would be an improvement.

    Fast forward to today, when your ISP is probably knobbling your DNS requests, possibly in addition to your OS vendor (and perhaps a few others, wearing hats of various shades of grey). Not to mention the various rank-fiddling by search engines, recommendation sites, and SEO. How's that "incorruptible machine" thing coming along?

    Meanwhile, isn't "secure DNS" also subject to MITMing by a number of players, and dependent in any case on the certificate issuers also being incorruptible, not to mention invulnerable to malfeasors?

    1. Charles 9

      Re: Trust

      The problem is that machines are still made by man. Meaning it's possible to corrupt the machine.

    2. Charles 9

      Re: Trust

      "It amuses me that Almon Strowger invented his automatic telephone switch specifically because the telephone operator in his home town would connect calls intended for him to a competitor (both were undertakers) who just happened to be the operator's husband."

      I wonder if it was less that and more she knew when bereavement calls were going around and let her husband know about them so he could get the jump on Strowger.

      1. Alan Brown Silver badge

        Re: Trust

        "I wonder if it was less that and more she knew when bereavement calls were going around and let her husband know about them so he could get the jump on Strowger."

        Strowger's belief that calls were being redirected was never proven (his claim was investigated) and people have put that idea forward as an alternative before. Either way, removing the hooman from the middle removes the ability for insider trading to occur.

      2. SImon Hobson Bronze badge
        Pint

        Re: Trust

        I wonder if it was less that and more she knew when bereavement calls were going around and let her husband know about them so he could get the jump on Strowger.

        While that is possible, remember that in those days all calls were operator connected. In the case of a bereavement, the caller would most likely ask "to be connected to the undertaker" - and if there was more than one, then it would be for the operator to choose. Obviously, if her husband is an undertaker, the operator is going to put such calls through to him.

        I'd say impossible to determine the reality now - but regardless of reality regarding the claims, it prompted development of what has to be considered the cornerstone of telephony for many decades.

        As a sidenote, to watch "Strowger gear" in operation, it's an engineering marvel - mechanically counting pulses, searching for a free circuit, just amazing that it ever worked at all, let alone reliably. It is said that an experienced exchange engineer could tell if the exchange was working properly (as a whole) just by the noise it made - and a room full of Strowger gear in full flow was certainly far from silent. There's a reason telephone engineers like Tommy Flowers were involved in the Bletchley Park operations. Icon for all of them, they deserved a good round.

        1. swm

          Strowger gear

          I once saw a 30,000 subscriber step by step exchange in Albuquerque NM. It was absolutely amazing - the noise, the alarms, etc. I was amazed that enough of the stuff actually worked to be useful! It had to be seen to be believed!

  12. Peter2 Silver badge

    Ever since ICANN took full stewardship of various crucial internet functions – such as overseeing DNS and domain names – from the US government's Department of Commerce, it has been considering questions like: who holds root server operators accountable and to what rules;

    Ever since ICANN took full stewardship of various crucial internet functions – such as overseeing DNS and domain names – from the US government's Department of Commerce, practically everybody on the internet has been wondering who the fuck holds ICANN responsible, and to what rules.

    They ignore their own guidance rules and byelaws, and attempt to eliminate their ability to be held to account in court via contract.

    The root servers aren't a problem at the moment. ICANN is.
