How is the root zone managed?
The management of the root zone is carried out by the Internet Assigned Numbers Authority (IANA), whose functions are currently performed by the Public Technical Identifiers (PTI), an affiliate of the Internet Corporation for Assigned Names and Numbers (ICANN). In performing this role, PTI assigns the operators of top level domains and maintains a database with their technical and administrative details.
The maintenance of the root zone file itself is performed by VeriSign, on the basis of an agreement with ICANN. VeriSign’s role in this regard is to edit the file (at ICANN’s proposal), publish it, and distribute it to root server operators. (Prior to the IANA stewardship transition, the root zone maintainer function was subject of a contract between VeriSign and the US government.)
The DNS root zone is served by root servers – also known as authoritative servers, which keep the public copy of the root zone file. There is a misconception that the total number of root servers is 13. The fact is that there are hundreds of root servers scattered at various locations around the world. The number 13 comes from the 13 different hostnames, due to a technical limitation in the design of the DNS. Twelve entities – academic/public institutions (6), commercial companies (3), and governmental institutions (3) – manage these primary instances and ensure that all root servers within the same instance have the updated copy of the root zone file.
If one of the 13 hostnames crashes, the remaining 12 would continue to function. Even if all 13 went down simultaneously, the resolution of domain names into IP addresses (the main function of root servers) would continue on other domain name servers, distributed hierarchically throughout the Internet.
The system of root servers is considerably strengthened by the Anycast scheme, which replicates root servers throughout the world. This provides many advantages, including an increased robustness of the DNS and the faster resolution of Internet addresses (with the Anycast scheme, the resolving servers are closer to the end-users).
Therefore, hundreds of domain name servers contain copies of the root zone file and an immediate and catastrophic collapse of the Internet could not occur. It would take some time before any serious functional consequences would be noticed, during which time it would be possible to reactivate the original servers or to create new ones.
Alternative root server systems – feasibility and risks
While ICANN, via PTI, operates and manages the DNS root that most users of the public Internet rely on, there are also active alternative DNS roots. Organisations operating such roots offer their own top-level domains (usually different from the ones administered within the ICANN framework); end-users wishing to use such services need to reconfigure their network settings to deviate from the universal root to the alternative one. Examples of alternative roots include AlterNIC, Open NIC, New.net, and Name.space. Most of them were unsuccessful, accounting for only a few per cent of Internet users. One more recent project – the Yeti DNS Project – plans to ‘build a parallel experimental live IPv6 DNS root system to discover the limits of DNS root name service’.
Creating an alternative root name server system is technically straightforward. The main question is how many followers an alternative server would have, or, more precisely, how many devices on the Internet would point to it, when it came to resolving domain names. Without users, any alternative DNS becomes useless.
Conceptual discussion: single vs alternative root server system
For a long time, the principle of the single root server was considered to be one of the main Internet mantras, which were not supposed to be touched or even discussed. Various arguments have been put forward in order to prevent any discussions about alternatives to the single root server. One argument is that the current (single root server) system prevents the risk of the DNS being used by some governments for censorship. However, this is losing ground on a functional basis. Governments do not need control over the DNS system or the root zone file in order to introduce censorship. They could rely on more effective tools, based, for example, on the filtering of web traffic.
A more solid argument is that any alternative root systems could lead towards the fragmentation and even, maybe, the ultimate disintegration of the Internet. Even though all root systems use the same system of IP numbers, they have different naming approaches and resolution techniques. It may happen that several root systems have the same domain names, but they resolve to different IP addresses (which host different content). Moreover, most of the alternative DNS roots are not interoperable – with ICANN’s DNS root or among themselves – thus breaking the principle of universal resolvability (according to which there is a single way to resolve a domain name into an IP address). Except for the cases when such alternative roots are used for strictly private purposes (e.g. within closed networks), their existence may prevent some parts of the Internet from reaching others. This fragmentation could endanger one of the core functions of the Internet – a unified global communication system.