PING

Testing RSSAC 028 DNS root server name choices


Listen Later

In this episode of PING, we talk with Willem Toorop about a measurement of 6 choices for naming the root servers of the global DNS. This measurement was motivated by RSSAC 028, a 2017 technical analysis for ICANN of the naming scheme used by the root DNS servers.
Root name servers are part of the global DNS system, and they provide basic bootstrapping for every other DNS resolver and authoritative name server worldwide. This is their primary role, but they also handle query load relating to the global DNS system all day and every day. There are 13 distinctly named root servers, each one identified by a letter from A to M under the domain root-servers.net. Although there are only 13 distinct "labels" there are in fact thousands of machines providing this service as independently operated clusters behind each of these letters, using the BGP "anycast" method we have discussed on PING before.
The special zone, root servers.net was instantiated in 1995. It's delegated as normal under the .net zone, which in turn delegates from the root "dot" zone. If you are bootstrapping a new resolver, to find a root server you appear to need to know about the delegation of .net in order to find root servers.net, to find the given server. This is a circular dependency because you don't know how to find .net until you have asked a root server instance. The circular dependency is resolved by the contents of an initial "priming" response. This response provides the additional "glue" information to seed direct knowledge of how to find each of these named root servers as is, without all the intermediate logic of the circular dependency.
This glue is inherently not signed in DNSSEC. It's insecure. The priming response is very carefully curated for both its size and the content but it would be good to give it some content security and increase trust in the message. RSSAC 028 explored the impact of applying DNSSEC over this domain, which in turn would add DNSSEC signatures to the priming response and impact a goal of keeping this a small 512 byte backwards compatible UDP packet.
By keeping this response small, it would continue to work on all legacy systems worldwide. Nothing happens quickly in DNS evolution, and this naming question has now been under consideration for almost a decade. Willem and his colleagues at NLNet Labs and SIDN produced two reports reflecting on the candidate naming schemes, application of DNSSEC, and the impact on the bootstrap fetch. There are some surprising outcomes!
...more
View all episodesView all episodes
Download on the App Store

PINGBy APNIC

  • 5
  • 5
  • 5
  • 5
  • 5

5

4 ratings


More shows like PING

View all
Risky Business by Risky Business Media

Risky Business

375 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

8,051 Listeners

The 404 Media Podcast by 404 Media

The 404 Media Podcast

392 Listeners