[dns-operations] Domain Name System without Root Servers
Daniel Karrenberg
dfk at ripe.net
Tue Oct 3 08:10:12 UTC 2017
On 03/10/2017 00:01, Stephane Bortzmeyer wrote:
> (because they would distribute a
> compilation of NS and DS records in the software).
That's what I consider too complicated in the paper. Just distribute a
complete copy of the root zone and include code that fetches it from a
choice of sources using arbitrary protocols. Imagine a resolver with a
config like this:
# <priority> <transport> <name> <address> ...
# first try a local source, maybe provided by local ISP or IXP, or ...
#
1 HTTPS my.local.source.org/root.zone 1.2.3.4 2001:1234::1
# other local source
# no address provided, thus needs 'org.' glue from locally stored root zone copy
# saved earlier or distributed with software
#
2 HTTPS my.other.source.org/service/root.zone
# what IANA publishes
#
5 HTTPS www.internic.net/domain/root.zone 2620:0:2d0:200::9
6 FTP rs.internic.net/domain/root.zone
# last but one resort, axfr via tcp from root servers we like
#
50 AXFR K.ROOT-SERVERS.NET. 2001:7fd::1
51 AXFR B.ROOT-SERVERS.NET. 2001:500:200::b
52 AXFR K.ROOT-SERVERS.NET. 193.0.14.129
53 AXFR B.ROOT-SERVERS.NET. 192.228.79.201
# if all else fails traditional hints file and traditional caching operation
# just for illustration; in reality this better be implicit.
#
100 DNS A.ROOT-SERVERS.NET. 198.41.0.4
100 DNS A.ROOT-SERVERS.NET. 2001:503:ba3e::2:30
100 DNS B.ROOT-SERVERS.NET. 192.228.79.201
100 DNS B.ROOT-SERVERS.NET. 2001:500:200::b
100 DNS C.ROOT-SERVERS.NET. 192.33.4.12
100 DNS C.ROOT-SERVERS.NET. 2001:500:2::c
...
The important bit to preserve a unified root, e.g. to guard against your
sources 'lying' to you, is to validate each delegation against the ICANN
trust anchors before using it. The devil is in the detail of how the
resolver recovers if a signature does not validate of course.
Resolver authors could start this off defaulting to root servers as
sources and DNS as transport so that using it would require a conscious
choice.
Will this split the root? It would have a number of years ago. But today
we are comfortable with DNSSEC and can validate delegations. So a
resolver does not need to trust the source of the root zone because it
can validate each delegation in that zone.
Daniel
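As an added example (not part of Daniel's post or any resolver's code), a small parser for the source list sketched above: it orders candidates by priority, validates the listed addresses, and flags entries that carry no address and would therefore need glue from a locally stored root zone copy. The sample config embedded below is constructed in the post's format, reusing its addresses.

```python
# Parser for the "<priority> <transport> <name> <address> ..." source list
# from the post. Hypothetical helper, not from any existing resolver.
from dataclasses import dataclass, field
import ipaddress

# Constructed sample in the post's format (addresses copied from the post).
SAMPLE_CONFIG = """
# <priority> <transport> <name> <address> ...
1 HTTPS my.local.source.org/root.zone 1.2.3.4 2001:1234::1
2 HTTPS my.other.source.org/service/root.zone
5 HTTPS www.internic.net/domain/root.zone 2620:0:2d0:200::9
50 AXFR K.ROOT-SERVERS.NET. 2001:7fd::1
52 AXFR K.ROOT-SERVERS.NET. 193.0.14.129
100 DNS A.ROOT-SERVERS.NET. 198.41.0.4
"""

@dataclass
class Source:
    priority: int
    transport: str
    name: str                      # host, plus a path for HTTPS/FTP
    addresses: list = field(default_factory=list)

    @property
    def host(self):
        return self.name.split("/", 1)[0].rstrip(".")

    @property
    def needs_glue(self):
        # No address listed: the host name must be resolved first, which
        # requires the TLD's NS/glue from a stored root zone copy.
        return not self.addresses

def parse_sources(text):
    """Parse the list; comments start with '#', blank lines are ignored."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed source line: {raw!r}")
        prio, transport, name, *addrs = fields
        addrs = [str(ipaddress.ip_address(a)) for a in addrs]  # v4/v6 check
        sources.append(Source(int(prio), transport.upper(), name, addrs))
    return sorted(sources, key=lambda s: s.priority)  # stable: keeps file order

def candidate_order(sources, have_local_root_copy):
    """Sources to try in priority order; without a stored root zone copy,
    entries that need glue cannot be reached and are skipped."""
    return [s for s in sources if have_local_root_copy or not s.needs_glue]
```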