[dns-operations] Domain Name System without Root Servers

Suzanne Woolf suzworldwide at gmail.com
Tue Oct 3 12:35:05 UTC 2017

> On Oct 3, 2017, at 4:10 AM, Daniel Karrenberg <dfk at ripe.net> wrote:
> On 03/10/2017 00:01, Stephane Bortzmeyer wrote:
>> (because they would distribute a
>> compilation of NS and DS records in the software).
> That's what I consider too complicated in the paper. Just distribute a
> complete copy of the root zone and include code that fetches it from a
> choice of sources using arbitrary protocols.

One of the reasons why I wanted to see the root zone signed and DNSSEC validation code widely available is that even if it weren’t in everyday, in-band use, it could be used to validate root zone data. Root servers went from being a protocol element (source of truth for bootstrapping) to being an optimization (get the data there if you didn’t have a better way, but you can decide whether to believe data you have without caring how you got it).

This is simple partly because of some assumptions we can make about the root zone— that it’s relatively small and relatively static— but it would have to be a lot larger and more dynamic before there was a problem with this approach even with relatively limited resources in the resolver.

> The important bit to preserve a unified root, e.g. to guard against your
> sources 'lying' to you, is to validate each delegation against the ICANN
> trust anchors before using it. The devil is in the detail of how the
> resolver recovers if a signature does not validate of course.

The win here is that the “unified root” is now clearly (not just hypothetically) separate from the mechanisms you use to obtain it. If you value a “unified root,” the IANA-signed root is still the important one and the IANA trust anchor is still the one you use for validation. But that decision is unrelated to fooling around with DNS protocol for obtaining the data to implement it.

> Will this split the root? It would have a number of years ago. But today
> we are comfortable with DNSSEC and can validate delegations. So a
> resolver does not need to trust the source of the root zone because it
> can validate each delegation in that zone.

Exactly. If you want a split root, you can have it, but then, you always could. Simplicity of resolution isn’t the only reason why people want a unified, consistent root zone; in fact I suspect it really goes the other way around— people want a unified, consistent root available (even when it’s not the only thing they want, as in the case of split-horizon or mixed DNS/mDNS environments or "special use" names like .onion), so implementers and operators will continue to make it easy for them to have one.


More information about the dns-operations mailing list