[dns-operations] Domain Name System without Root Servers
dfk at ripe.net
Tue Oct 3 08:10:12 UTC 2017

On 03/10/2017 00:01, Stephane Bortzmeyer wrote:
> (because they would distribute a
> compilation of NS and DS records in the software).

That's what I consider too complicated in the paper. Just distribute a
complete copy of the root zone and include code that fetches it from a
choice of sources using arbitrary protocols. Imagine a resolver with a
config like this:

# <priority> <transport> <name> <address> ...
# first try a local source, maybe provided by local ISP or IXP, or ...
1 HTTPS my.local.source.org/root.zone 126.96.36.199 2001:1234::1
# other local source
# no address provided, thus needs 'org.' glue from locally stored root
# saved earlier or distributed with software
2 HTTPS my.other.source.org/service/root.zone
# what IANA publishes
5 HTTPS www.internic.net/domain/root.zone 2620:0:2d0:200::9
6 FTP rs.internic.net/domain/root.zone
# last but one resort, axfr via tcp from root servers we like
50 AXFR K.ROOT-SERVERS.NET. 2001:7fd::1
51 AXFR B.ROOT-SERVERS.NET. 2001:500:200::b
52 AXFR K.ROOT-SERVERS.NET. 188.8.131.52
53 AXFR B.ROOT-SERVERS.NET. 184.108.40.206
# if all else fails traditional hints file and traditional caching operation
# just for illustration; in reality this better be implicit.
100 DNS A.ROOT-SERVERS.NET. 220.127.116.11
100 DNS A.ROOT-SERVERS.NET. 2001:503:ba3e::2:30
100 DNS B.ROOT-SERVERS.NET. 18.104.22.168
100 DNS B.ROOT-SERVERS.NET. 2001:500:200::b
100 DNS C.ROOT-SERVERS.NET. 22.214.171.124
100 DNS C.ROOT-SERVERS.NET. 2001:500:2::c

The important bit to preserve a unified root, e.g. to guard against your
sources 'lying' to you, is to validate each delegation against the ICANN
trust anchors before using it. The devil is in the detail of how the
resolver recovers if a signature does not validate, of course.

Resolver authors could start this off defaulting to root servers as
sources and DNS as transport so that using it would require a conscious

Will this split the root? It would have a number of years ago. But today
we are comfortable with DNSSEC and can validate delegations. So a
resolver does not need to trust the source of the root zone because it
can validate each delegation in that zone.
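An added example of the selection logic the post sketches; it is not code from the post or from any resolver. It parses a source list in the post's "<priority> <transport> <name> <address> ..." format, walks the sources in priority order, and keeps the first copy of the root zone whose apex KSK hashes to the configured trust anchor, which is the DS-style tuple (key tag, algorithm, SHA-256 digest) that IANA publishes for the root. The key-tag and DS computations follow RFC 4034; the hostnames, addresses, key bytes and "network" replies are constructed for the example, and the fetchers are stand-ins for real HTTPS/FTP/AXFR clients. Only the anchor-matching step is shown: verifying the RRSIGs over each delegation's NS and DS records, which is the rest of what the post means by validating each delegation, is left to a DNSSEC library.

```python
import hashlib
import struct

# Constructed source list in the post's "<priority> <transport> <name> <address> ..."
# format; the hosts and addresses are documentation values, not real services.
SOURCE_CONFIG = """
# local mirror, tried first
1 HTTPS my.local.source.org/root.zone 192.0.2.10 2001:db8::10
# no address given: the resolver needs org. glue from its saved root copy
2 HTTPS my.other.source.org/service/root.zone
# what IANA publishes
5 HTTPS www.internic.net/domain/root.zone 2001:db8::9
50 AXFR K.ROOT-SERVERS.NET. 2001:db8::53
"""

def parse_sources(text):
    """Parse the config into dicts sorted by ascending priority (ties keep file order)."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed source line: {raw!r}")
        sources.append({"priority": int(fields[0]), "transport": fields[1].upper(),
                        "name": fields[2], "addresses": fields[3:]})
    return sorted(sources, key=lambda s: s["priority"])

def name_to_wire(name):
    """Canonical wire form of a domain name (RFC 4034 6.2); the root is one zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key):
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def dnskey_keytag(rdata):
    """Key tag per RFC 4034 Appendix B (for any algorithm other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over owner name in wire form || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def zone_matches_trust_anchor(apex_keys, anchor):
    """True if a KSK (SEP flag set) in the apex DNSKEY RRset hashes to the anchor DS.

    anchor is (key tag, algorithm, hex SHA-256 digest). A copy that fails this has
    no path to the ICANN anchor and is discarded, whatever transport carried it.
    """
    for flags, protocol, algorithm, key in apex_keys:
        if not flags & 1:          # SEP bit clear: a ZSK, never compared to the anchor
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, key)
        if (dnskey_keytag(rdata), algorithm, ds_digest_sha256(".", rdata)) == anchor:
            return True
    return False

def fetch_trusted_root(sources, fetchers, anchor, log):
    """Walk sources by priority; return the first whose apex keys match the anchor.

    fetchers maps a transport to a callable(source) returning the apex DNSKEY RRset
    as (flags, protocol, algorithm, key bytes) tuples, or raising OSError. Unreachable
    and lying sources are both logged and skipped, so a poisoned mirror costs one
    failed attempt rather than a split view of the root.
    """
    for src in sources:
        fetch = fetchers.get(src["transport"])
        if fetch is None:
            log.append(f"skip {src['name']}: no fetcher for {src['transport']}")
            continue
        try:
            apex_keys = fetch(src)
        except OSError as exc:
            log.append(f"skip {src['name']}: {exc}")
            continue
        if not zone_matches_trust_anchor(apex_keys, anchor):
            log.append(f"reject {src['name']}: apex DNSKEY does not match trust anchor")
            continue
        log.append(f"accept {src['name']}")
        return src
    raise RuntimeError("no source produced a root zone matching the trust anchor")

# Constructed key material: not the real root KSK, and not real RSA key bytes.
GOOD_KSK = (257, 3, 8, b"constructed-root-ksk-public-key-bytes")
FAKE_KSK = (257, 3, 8, b"key-substituted-by-a-lying-mirror")
ZSK = (256, 3, 8, b"constructed-root-zsk-public-key-bytes")
TRUST_ANCHOR = (dnskey_keytag(dnskey_rdata(*GOOD_KSK)), 8,
                ds_digest_sha256(".", dnskey_rdata(*GOOD_KSK)))

# Constructed replies, keyed by source name, standing in for the network.
FAKE_NETWORK = {
    "my.local.source.org/root.zone": [FAKE_KSK, ZSK],             # lying local mirror
    "my.other.source.org/service/root.zone": OSError("no address and no org. glue"),
    "www.internic.net/domain/root.zone": [GOOD_KSK, ZSK],
    "K.ROOT-SERVERS.NET.": [GOOD_KSK, ZSK],
}

def fake_fetch(source):
    reply = FAKE_NETWORK[source["name"]]
    if isinstance(reply, Exception):
        raise reply
    return reply

def demo():
    """Run the selection over the constructed sources; returns (chosen name, log)."""
    log = []
    chosen = fetch_trusted_root(parse_sources(SOURCE_CONFIG),
                                {"HTTPS": fake_fetch, "AXFR": fake_fetch}, TRUST_ANCHOR, log)
    return chosen["name"], log
```

Running demo() rejects the local mirror (its KSK does not hash to the anchor), skips the second source because it cannot be reached, and accepts the IANA copy. The recovery policy the post calls the devil in the detail is the loop in fetch_trusted_root: a failed check never falls back to trusting the copy, only to the next source, and exhausting the list is an error rather than an unsigned root.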