[dns-operations] Domain Name System without Root Servers

Daniel Karrenberg dfk at ripe.net
Tue Oct 3 08:10:12 UTC 2017

On 03/10/2017 00:01, Stephane Bortzmeyer wrote:
> (because they would distribute a
> compilation of NS and DS records in the software).

That's what I consider too complicated in the paper. Just distribute a
complete copy of the root zone and include code that fetches it from a
choice of sources using arbitrary protocols. Imagine a resolver with a
config like this:

# <priority> <transport> <name> <address> ...

# first try a local source, maybe provided by local ISP or IXP, or ...
 1     HTTPS     my.local.source.org/root.zone 2001:1234::1

# other local source
# no address provided, thus needs 'org.' glue from locally stored root zone copy
# saved earlier or distributed with software
 2     HTTPS     my.other.source.org/service/root.zone

# what IANA publishes
 5     HTTPS     www.internic.net/domain/root.zone  2620:0:2d0:200::9
 6     FTP       rs.internic.net/domain/root.zone

# last but one resort, axfr via tcp from root servers we like
 50    AXFR      K.ROOT-SERVERS.NET. 2001:7fd::1
 51    AXFR      B.ROOT-SERVERS.NET. 2001:500:200::b

# if all else fails traditional hints file and traditional caching operation
# just for illustration; in reality this better be implicit.
100    DNS       A.ROOT-SERVERS.NET.
100    DNS       A.ROOT-SERVERS.NET. 2001:503:ba3e::2:30
100    DNS       B.ROOT-SERVERS.NET.
100    DNS       B.ROOT-SERVERS.NET. 2001:500:200::b
100    DNS       C.ROOT-SERVERS.NET.
100    DNS       C.ROOT-SERVERS.NET. 2001:500:2::c

The important bit to preserve a unified root, e.g. to guard against your
sources 'lying' to you, is to validate each delegation against the ICANN
trust anchors before using it. The devil is in the detail of how the
resolver recovers if a signature does not validate, of course.

Resolver authors could start this off defaulting to root servers as
sources and DNS as transport so that using it would require a conscious

Will this split the root? It would have a number of years ago. But today
we are comfortable with DNSSEC and can validate delegations. So a
resolver does not need to trust the source of the root zone because it
can validate each delegation in that zone.
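The scheme sketched above, as an added example that is not part of the post and not any resolver's code: a parser for the `<priority> <transport> <name> <address> ...` list, the priority-ordered fail-over loop, and the first DNSSEC step a resolver takes before trusting a fetched copy, matching the copy's root DNSKEY against a pinned DS-style trust anchor (RFC 4034 section 5.1.4). The transport, the key bytes and the trust anchor are all constructed stand-ins; the RRSIG checks over each delegation's DS records that the post also calls for are left behind the `validate` callback.

```python
"""Prioritised root-zone sources: parse the list, fail over, check the anchor.

Added example, not code from the post or from any resolver; it follows the
"<priority> <transport> <name> <address> ..." layout sketched in the post.
Only the first DNSSEC step is implemented (matching the fetched root DNSKEY
against a pinned DS-style trust anchor); signature checks over each
delegation's DS records belong in the `validate` callback as well.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed source list in the post's format (comments and blanks allowed).
SAMPLE_CONFIG = """
# <priority> <transport> <name> <address> ...
 1     HTTPS     my.local.source.org/root.zone 2001:1234::1
 2     HTTPS     my.other.source.org/service/root.zone
 5     HTTPS     www.internic.net/domain/root.zone  2620:0:2d0:200::9
 50    AXFR      K.ROOT-SERVERS.NET. 2001:7fd::1
100    DNS       A.ROOT-SERVERS.NET.
"""


@dataclass(frozen=True)
class Source:
    priority: int
    transport: str
    name: str                   # host or host/path exactly as written
    addresses: Tuple[str, ...]  # empty means "resolve via stored root copy"

    @property
    def host(self) -> str:
        return self.name.split("/", 1)[0].rstrip(".").lower()


def parse_sources(text: str) -> List[Source]:
    """Parse the list; the stable sort keeps file order within one priority."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comments, then tokenize
        if not fields:
            continue
        if len(fields) < 3 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: expected <priority> <transport> <name>")
        out.append(Source(int(fields[0]), fields[1].upper(), fields[2], tuple(fields[3:])))
    return sorted(out, key=lambda s: s.priority)


def ds_digest_sha256(owner_wire: bytes, dnskey_rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + dnskey_rdata).hexdigest().upper()


def anchor_matches(zone_dnskeys: List[bytes], anchor_digest: str) -> bool:
    """True if some DNSKEY in the fetched copy hashes to the pinned DS.
    The root's canonical owner name on the wire is the single zero byte."""
    return any(ds_digest_sha256(b"\x00", k) == anchor_digest for k in zone_dnskeys)


def fetch_root_zone(sources, fetch, validate):
    """Try sources by priority; discard any copy that fails validation."""
    log = []
    for src in sources:
        copy = fetch(src)
        tag = f"{src.priority} {src.transport} {src.host}"
        if copy is None:
            log.append(f"{tag}: unreachable")
        elif not validate(copy):
            log.append(f"{tag}: validation failed, discarded")
        else:
            log.append(f"{tag}: accepted")
            return copy, log
    return None, log


# Constructed key material: a fake root KSK RDATA (flags 257, protocol 3,
# algorithm 13) and the DS digest a resolver would ship as its trust anchor.
ROOT_KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x0D]) + b"constructed-public-key-bytes"
TRUST_ANCHOR = ds_digest_sha256(b"\x00", ROOT_KSK_RDATA)
ROGUE_KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x0D]) + b"someone-elses-key"


def demo_fetch(src: Source) -> Optional[Dict]:
    """Stand-in transport (hypothetical): source 1 is down, source 2 serves a
    copy keyed under a DNSKEY the anchor does not cover, the rest are fine."""
    return {
        "my.local.source.org": None,
        "my.other.source.org": {"dnskeys": [ROGUE_KSK_RDATA]},
    }.get(src.host, {"dnskeys": [ROOT_KSK_RDATA]})


def run_demo():
    sources = parse_sources(SAMPLE_CONFIG)
    return fetch_root_zone(
        sources, demo_fetch, lambda c: anchor_matches(c["dnskeys"], TRUST_ANCHOR))


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The loop only ever returns a copy that passed `validate`, so a source that serves a different root (the "lying" case in the post) costs one log line and a fall-through to the next priority, rather than a split view of the namespace.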

