October 2, 1999

Welcome to As the CaveBear Growls.

This publication is an occasional newsletter covering topics of interest to the author, generally related to the Internet to a greater or lesser degree.



On the IAB's "Technical Comment on the Unique DNS Root"

In July, the CaveBear Growls discussed the issue of multiple systems of roots for the Internet's Domain Name System (DNS).  As discussed in that issue, multiple systems of roots hold many potential benefits for the Internet, its users, and its providers.

To validate the idea in real-life practice, several of the CaveBear computer systems have actually been using DNS root systems other than the NTIA/ICANN legacy root.  Indeed, the web server from which you have fetched this article is using another root system called the "Superroot".  This writer can attest to the fact that not only have there been no problems with connectivity, but, in fact, connectivity has been enhanced by the visibility of several new top level domains (TLDs) such as .web.

This last week, the IAB issued a statement entitled "IAB Technical Comment on the Unique DNS Root", which may be seen at http://www.iab.org/iab/IAB-Technical-Comment.txt

The IAB's statement says that I must be hallucinating, that the CaveBear computer systems are not working because multiple root systems can not and will not work.  My own senses tell me the contrary.  My own senses tell me that the IAB's statement is like a naked Emperor asserting that he is dressed in the finest of garments.

To give it its proper due, the IAB's "technical comment" is really nothing more than an opinion piece.  But, it is an opinion piece that is afraid to be seen for what it is.  Rather, the IAB's "technical comment" comes nicely wrapped in words designed to appear to be irrefutable technical truth.  This is unfortunate because that purported technical truth is utterly flawed, thus undermining that document's conclusions, and consequently making the IAB's opinion piece completely irrelevant and quite dispensable.

This issue of the CaveBear "Growl" will discuss the faulty logic and faulty technical statements contained in the IAB's "technical comment."

It is worth noting that the IAB's statement was made without any of the normal comment, review, and "consensus" process of the IETF.  That could explain why the statement's flaws were not discovered before it was published.

Before we begin, let's not forget that multiple systems of root DNS servers have been operational on the Internet for several years and that those who use them have not reported any difficulties nor have they discovered themselves to be isolated from the rest of the Internet.  In other words, the "implementation experience" indicates that multiple systems of DNS roots do, in fact, work.

Nor let us forget that even if the IAB's statement were true, there would still be the question as to which root system should be the dominant one.  There is no technical reason to prefer the NTIA/ICANN system of root servers over any other.  It's merely a matter of historical momentum.

Let's go through the IAB's "technical comment" paragraph by paragraph.  (The IAB's original text is quoted below.)

> The Internet, to remain a global network, technically requires the existence of a globally unique public name space. The DNS name space is a hierarchical name space derived from a single, globally unique root. This is inherent in the design of the DNS system. Therefore it is not technically meaningful for there to be more than one root in the public DNS system. That one root must be supported by a small number of coordinated root servers, and administered by a unique naming authority.

Let's turn this paragraph around.  Why does the Internet require the existence of a "globally unique name space"?  Certainly the fundamental service of the internet, the transport of IP packets, will not cease if end-points are known by multiple names.  In fact, the domain name system itself contains a form of record, called a "CNAME" that allows host computers to be known by any number of names.  And the IETF itself is considering proposals to allow entire sections of the domain name space to be remapped so that when a user enters something like "www.foocorp.web" they end up at "newsite.somebody-else.biz".

In other words, having multiple names for a network end point has been a fact of life on the Internet for a very long time.

Let's look at the second sentence of the quoted paragraph.  It is true that the "DNS name space is a hierarchical name space".  But the remainder of that sentence, "derived from a single, globally unique root", is factually untrue.  If it were true, and the DNS required a single, globally unique root, then the IAB would not need to issue its statement, as an attempt to establish other roots would fail.

It's worth mentioning that a recent Internet-Draft flatly contradicts the IAB's statement:

> 3.3.1 Becoming Root
>
> In practice, it is quite easy to put up a set of root servers. DNS resolvers which use those root servers will see the namespace they support. DNS has only downward pointers from zone to subzone and no upward pointers going from zone to superzone. Thus, in creating a root zone, it works technically to pick whatever top level domains (TLDs) you want including, if you wish, TLDs that are not generally recognized.

INTERNET-DRAFT - DNS IANA Considerations - August 1999

A single root is no more inherent in the design or operation of the Domain Name System than a single telephone directory is inherent in the means of looking up telephone numbers.

The IAB's statement then goes on to say "it is not technically meaningful for there to be more than one root in the public DNS system."  Let's answer that with a question: If it is not technically meaningful, then why is the IAB concerned?

As it turns out, there are many reasons why more than a single root to the public DNS system is not only technically meaningful, but also technically beneficial.  Let's start with reliability - a single root is a single point of failure for the Internet.  Then let's proceed to efficiency - multiple root systems allow network operators to establish DNS "locality of reference" so that queries are answered by computers close to the person making the query.  This can result in significant reductions in long haul traffic on the net, benefiting the carriers, some of which might even be able to reduce their charges to users as a result.  And then let's not forget that multiple root systems allow communities of interest to subscribe to a root that gives them a view of the Internet landscape that is in accord with their desires, for example, by making porn sites invisible and far more difficult for their children to reach.

I would agree with the IAB that any given system of root servers ought to be run under a single administration.  The reason is that all servers within one system of root servers are fungible.  However, there is no such need for coordination between distinct systems of root servers.  In that case, each system of root servers is independent, and may be operated independently of all other systems of root servers.

The fact of life is that DNS does indeed work with multiple roots, and has been doing so for quite some time.  The IAB's assertions do not accord with implementation experience.  The IAB is much like those who said that bumblebees could not fly and failed to notice that bumblebees do in fact fly quite well in real life.


> Put simply, allowing multiple public DNS roots would raise a very strong possibility that users of different ISPs who click on the same link on a web page could end up at different destinations, against the will of the web page designers.

To its credit, that paragraph recognizes that multiple systems of roots are not necessarily and absolutely going to cause problems.  It's only a possibility.  And it is a possibility that can be avoided by rational and self-interested decision making by those who operate the root systems.

Yes, there is no disagreement that multiple systems of roots could lead to people obtaining unexpected results.  But the discussion is about the degree of risk of that happening and whether the risk is worth the benefits that accrue.  Those are policy questions, involving user and carrier needs, economics, and other matters well beyond the expertise and knowledge of the IAB.

It is worthwhile to mention at this point, that the most fundamental service of the Internet, that of delivering packets end-to-end, is run without a single packet routing authority.  Rather, the decisions about how packets should be forwarded are made by independent ISPs and carriers, who compete with one another, and who make the packet forwarding decisions based on nothing more than their own self-interest in maximizing their profits.  That is not really any different than multiple roots of the DNS system:  Just as multiple DNS roots could possibly have names that don't resolve "correctly", the existence of multiple IP forwarding authorities could partition the net.  But it doesn't happen.  And it does not happen because such occurrences would be against the self-interest of ISPs, carriers, and root system operators.  So they don't allow it to happen.
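To make both sides of this exchange concrete, here is an added toy model (it is not code from this page, from the Internet-Draft, or from the IAB): zones hold only downward delegations, the resolver's root is chosen out of band, and the same name can resolve identically, not at all, or differently depending on which root the resolver was pointed at. All zone ids, names and addresses in it are constructed.

```python
# Added illustration, not code from the CaveBear page or the IAB: a toy in-memory
# model of DNS delegation. Zone ids, names and addresses are constructed.
#
# A zone maps a child label to either a delegation ("NS", zone_id) or an
# address ("A", ip). Zones carry only downward pointers: nothing in "com-tld"
# records which root, if any, delegates to it. That is what makes it possible
# to stand up a second root that reuses the existing TLD zones.
ZONES = {
    "com-tld":       {"example": ("NS", "example-com")},
    "example-com":   {"www": ("A", "192.0.2.10")},
    "web-tld":       {"foocorp": ("NS", "foocorp-web")},
    "foocorp-web":   {"www": ("A", "192.0.2.20")},
    "rival-web":     {"foocorp": ("NS", "rival-foocorp")},   # a competing .web
    "rival-foocorp": {"www": ("A", "198.51.100.99")},
    # Three root zones that share .com but disagree about .web.
    "legacy-root":   {"com": ("NS", "com-tld")},
    "superroot":     {"com": ("NS", "com-tld"), "web": ("NS", "web-tld")},
    "rival-root":    {"com": ("NS", "com-tld"), "web": ("NS", "rival-web")},
}

def resolve(name, root_hint):
    """Iteratively resolve `name`, starting at the root zone the resolver was
    configured with out of band (the analogue of a named.root hints file).
    Returns an address string, or "NXDOMAIN" when the chain does not reach one."""
    labels = name.rstrip(".").split(".")
    zone = root_hint
    for depth, label in enumerate(reversed(labels)):
        rr = ZONES[zone].get(label)
        if rr is None:
            return "NXDOMAIN"                    # no such child in this zone
        rtype, value = rr
        if rtype == "A":
            # An address is an answer only if it sits at the requested name,
            # not at an ancestor of it.
            return value if depth == len(labels) - 1 else "NXDOMAIN"
        zone = value                             # follow the delegation down
    return "NXDOMAIN"                            # ended on a delegation point

def answers_by_root(name, roots):
    """Resolve `name` under each root system a resolver might be pointed at."""
    return {root: resolve(name, root) for root in roots}

def conflicting(name, roots):
    """True when two roots give different, non-NXDOMAIN answers for `name`:
    the "same link, different destinations" case the IAB warns about. A name
    that is merely invisible under one root is not a conflict."""
    found = {a for a in answers_by_root(name, roots).values() if a != "NXDOMAIN"}
    return len(found) > 1

if __name__ == "__main__":
    roots = ["legacy-root", "superroot", "rival-root"]
    for name in ("www.example.com", "www.foocorp.web"):
        print(name, answers_by_root(name, roots), "conflict:", conflicting(name, roots))
```

Under this model a root that only adds TLDs the others lack produces no conflicting answers; conflicts appear only when two roots delegate the same TLD label to different zones, which is the case the operators' self-interest argument above is about.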

> This does not preclude private networks from operating their own private name spaces, but if they wish to make use of names uniquely defined for the global Internet, they have to fetch that information from the global DNS naming hierarchy, and in particular from the coordinated root servers of the global DNS naming hierarchy.
>
> DETAILED EXPLANATION
>
> There are two reasons for a single DNS root:
>
> 1. For any communications between two parties to be effective there are two essential preconditions: The existence of a common symbol set, and the existence of a common semantic interpretation of these symbols. Failure of the first condition implies a failure to communicate at all, and failure of the second implies that the meaning of the communication is lost.
>
> In the case of a public communications system this condition of a common symbol set with a common semantic interpretation must be further strengthened to that of a unique symbol set with a unique semantic interpretation. This condition of uniqueness allows any party to initiate a communication that can be received and understood by any other party. Such a condition rules out the ability to define a symbol within some bounded context. In such a case, once the communication moves out of the context of interpretation in which it was defined, the meaning of the symbol becomes lost.
>
> Within public digital communications networks such as the Internet this requirement for a uniquely defined symbol set with a uniquely defined meaning exists at many levels, commencing with the binary encoding scheme, extending to packet headers and payload formats and the protocol that an application uses to interact. In each case a variation of the symbol set or a difference of interpretation of the symbols being used within the interaction causes a protocol failure, and the communication fails. The property of uniqueness allows a symbol to be used unambiguously in any context, allowing the symbol to be passed on, referred to, and reused, while still preserving the meaning of the original use.
>
> The DNS fulfils an essential role within the Internet protocol environment, allowing network locations to be referred to using a label other than a protocol address. As with any other such symbol set, DNS names are designed to be globally unique, that is, for any one DNS name at any one time there must be a single set of DNS records uniquely describing protocol addresses, network resources and services associated with that DNS name. All of the applications deployed on the Internet which use DNS assume this, and Internet users expect such behavior from DNS names. Names are then constant symbols, whose interpretation does not specifically require knowledge of the context of any individual party. A DNS name can be passed from one party to another without altering the semantic intent of the name.
>
> Since the DNS is hierarchically structured into domains, the uniqueness requirement for DNS names in their entirety implies that each of the names (sub-domains) defined within a domain has a unique meaning (i.e. set of DNS records) within that domain. This is as true for the root domain as for any other DNS domain. The requirement for uniqueness within a domain further implies that there be some mechanism to prevent name conflicts within a domain. In DNS this is accomplished by assigning a single owner or maintainer to every domain, including the root domain, who is responsible for ensuring that each sub-domain of that domain has the proper records associated with it. This is a technical requirement, not a policy choice.
>
> 2. Both the design and implementations of the DNS protocol are heavily based on the assumption that there is a single owner or maintainer for every domain, and that any set of resource records associated with a domain is modified in a single-copy serializable fashion. That is, even assuming that a single domain could somehow be "shared" by uncooperating parties, there is no means within the DNS protocol by which a user or client could discover, and choose between, conflicting definitions of a DNS name made by different parties. The client will simply return the first set of resource records that it finds that matches the requested domain, and assume that these are valid. This protocol is embedded in the operating software of hundreds of millions of computer systems, and is not easily updated to support a shared domain scenario. Moreover, even supposing that some other means of resolving conflicting definitions could be provided in the future, it would have to be based on objective rules established in advance. (For example, zone A.B could declare that naming authority Y had been delegated all subdomains of A.B with an odd number of characters, and that naming authority Z had been delegated authority to define subdomains of A.B with an even number of characters.) Thus, a single set of rules would have to be agreed to prevent Y and Z from making conflicting assignments, and with this train of actions a single unique space has been created in any case. Of course this would not allow multiple non-cooperating authorities to assign arbitrary sub-domains within a single domain; it seems that a degree of cooperation and agreed technical rules are required in order to guarantee the uniqueness of names. In the DNS, these rules are established independently for each part of the naming hierarchy, and the root domain is no exception. Thus, there must be a generally agreed single set of rules for the root.
>
> A PRACTICAL NOTE
>
> There is one specific technical respect in which the root zone is different from all other DNS zones: the addresses of the name servers for the root zone come primarily from out-of-band information (named.root files from the ISC BIND distribution, your ISP, whatever) rather than via the NS RR delegation chain. NS RRs for the root zone, while present, are almost irrelevant. In effect, every full-service resolver in the world "delegates" the root of the public tree to the public root server(s) of its choice.
>
> As a direct consequence, any change to the list of IP addresses that specify the public root zone is significantly more difficult than changing any other aspect of the DNS delegation chain. Thus, stability of the system calls for extremely conservative and cautious management of the public root zone (low churn rate, relatively tight update coupling between the servers, etc), because it's very difficult to route around a misbehaving root server.
>
> CONCLUSION
>
> The DNS type of unique naming and name-mapping system may not be ideal for a number of purposes for which it was never designed, such as locating information when the user doesn't precisely know the correct names. As the Internet continues to expand, we would expect directory systems to evolve which can assist the user in dealing with vague or ambiguous references. To preserve the many important features of the DNS and its multiple record types --including the Internet's equivalent of number portability-- we would expect the result of directory lookups and identification of the correct names for a particular purpose to be unique DNS names that are then resolved normally, rather than having directory systems 'replace' the DNS. There is no getting away from the unique root of the public DNS.

Until this week, the motto of the IETF has been: "We reject kings, presidents, and voting. We believe in rough consensus and running code."

Apparently it is time to add royal pronouncements; the statement of the IAB is nothing less.

This week, the chairman of the Internet Activities Board (IAB) issued what is really a policy opinion in the guise of a technical statement.

It is the opinion of this writer that the IAB statement is nothing more than personal opinion intended to spread FUD in order to bolster ICANN.

The IETF is a technical standards body.  Yet this statement appears to be an attempt to establish the IETF, or the IAB, in the role of "hall monitor", saying what are appropriate ways to use the Internet and what are not.  In other words, the IAB opinion appears to be an attempt to censor how the Internet may be used.

So let's look closely at that opinion. What we will find is that it is really nothing but the unsubstantiated conclusions of the IAB chair.



Updated June 19, 2001 11:48:59 PM -0700