Inter-Root: A New Self-Governed Architecture for DNS Root Zone Resolution
Binxing Fang, Xiaohua Chen
June, 2015
1
On June 24, 2013, the UN published document A/68/98: Report of the Group of Governmental Experts on Developments in the Field of ICT in the Context of International Security.
20. State sovereignty and international norms and principles that flow from sovereignty apply to State conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory.
“State Network Sovereignty” is now a consensus in international society.
2
Fundamental Features of State Sovereignty
4 fundamental features:
• Jurisdiction: to make legal decisions and judgments by oneself
• Self-defense: to defend the well-being of oneself
• Equality: to be NOT subordinate to others
• Independence: the existence does not depend on others
3
Network Sovereignty
The Internet within one country cannot exist independently due to the DNS architecture
Almost every visit to any server on the Internet needs to use the root name servers, directly or indirectly, to resolve the server's domain name, unless the IP address of the server is known. The root name servers could be used to disable the Internet within a country. This power is in the hands of the owner of the root name servers, which is currently ICANN / the US government.
4
Current DNS Architecture
[Figure: DNS label tree with the nodes . (root); cn, cu, com; foo; www, and a recursive resolver querying the authority servers in steps 1, 2, 3.]
Root servers, responsible for the root zone and TLD resolution, are the starting point of resolution and the center of the structure.
• Namespace, represented by a label tree
• Hierarchical distributed database
• Lots of caching
• Resolution protocol
5
Root Zone Management
[Figure labels: TLD operator, root zone file]
12 root server operators (US 9, EU 2, Japan 1)
13 logical root servers and hundreds of mirrors
NTIA delegated the IANA function to ICANN and VeriSign
Any change in the root zone needs to be approved by the US government
6
Independence
“Disappearing Threat”
[Figure: label tree with the nodes . (root); ly, cn, com; foo; www, and a recursive resolver with resolution steps 1, 2, 3; labels: Libya, China, Disappearing.]
The ccTLD of a country could be removed from the root zone database, so that the ccTLD is erased from the namespace and the names under the ccTLD cannot be resolved. As reported, .iq (Iraq) in 2003 and .ly (Libya) in 2004 temporarily could not be resolved.
7
Independence
“Blindness Threat”
[Figure: label tree with the nodes . (root); so, cn, com; foo; www, and a recursive resolver with resolution steps 1, 2, 3; labels: Somalia, China, Blindness.]
Recursive resolvers within a country could be denied the resolution service by the root servers, so that the users in that country cannot access the Internet. As reported, Somalia has been denied by the root servers.
8
Independence
“Isolation Threat”
[Figure: label tree with the nodes . (root); cu, cn, com; foo; www, a domestic recursive resolver and a foreign recursive resolver, resolution steps 1, 2, 3; labels: Cuba, China, Isolation.]
The network of a country may be completely isolated, so that any name resolution traffic via international gateways will be interrupted.
9
Threats in the current DNS
• Disappearing: edit the root zone file (very easy)
• Blindness: edit the ACL (easy)
• Isolation: physically isolate the country (not easy)
[Figure labels in each row: China, Cuba]
10
Related Work Under 3 Threats
[Table: columns Disappearing, Blindness, Isolation; the column position of each mark was lost in extraction.]
Universal root: ☐
Alternative root: ☐ ☐
Recursive root: ☐ ☐
Open root: ☐
Fake root: ☐
Difficult to counteract the disappearing threat, because root zone data still comes from IANA.
All solutions are sort of root mirrors in essence.
11
Idea of Decentralizing Root Zone
Principle: maintain the logical structure with a single root, construct the system structure with multiple roots
• Names remain unique and human-understandable
• Root zone governance and operation are decentralized
12
Inter-Root: A New Self-Governed Resolution Architecture for DNS Root Zone
13
1. Establish Country Root Servers (CRSes)
• CRS: country self-governed public root server
• CRS provides root zone resolution, independent of the current root server operators
• CRS may use the IANA root zone file; in an emergency, CRS safeguards the root zone resolution for the country
2. Establish ‘Inter-Root’ among CRSes
• Inter-Root: a system of interconnected CRSes
• Inter-Root is established among countries, providing root zone information exchange among the countries
• In an emergency, countries joining Inter-Root may provide resolution service for each other
Mesh Structure in Inter-Root
[Figure: CN root, RU root, UK root, DE root and CU root shown with the TLDs .CN, .RU, .UK, .DE, .CU, .COM, .NET, .GOV; labels: “TLD info exchange”, “Reciprocal resolution service between countries”, “CRS adopts IANA root zone file”, IANA.]
14
Increments on current DNS
15
Namespace
• Replicate ccTLD info in CRS
Authority server
• New CRS which coexists with current root servers
• Reciprocal resolution service for emergency response system
Recursive resolver
• Add CRS info in root hint
Resolution protocol
• None
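Added example, not part of the original slides: a sketch of the “Replicate ccTLD info in CRS” increment, in which a CRS serves the IANA root zone delegations but restores a replicated ccTLD delegation that has disappeared from the IANA copy. The zone contents, nameserver names, function names and the merge policy are assumptions made for illustration.

```python
# Added illustration; zone data, names and the merge policy are assumptions.
from collections import defaultdict

def parse_delegations(zone_text):
    """Return {tld: set(nameservers)} from NS records in master-file style text."""
    delegations = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, tokenize
        # Expected record shape: <owner> <ttl> IN NS <target>
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            owner = fields[0].rstrip(".").lower()
            if owner and "." not in owner:       # TLD-level owners only, skip "."
                delegations[owner].add(fields[4].lower())
    return dict(delegations)

def replicate_cctlds(zone_text):
    """ccTLD info a CRS keeps and exchanges: two-letter TLD delegations only."""
    return {t: ns for t, ns in parse_delegations(zone_text).items() if len(t) == 2}

def build_crs_zone(iana_text, replicated):
    """Serve IANA's delegations, restoring replicated ccTLDs IANA no longer lists."""
    zone = parse_delegations(iana_text)
    restored = sorted(t for t in replicated if t not in zone)
    for tld in restored:
        zone[tld] = set(replicated[tld])
    return zone, restored

# Constructed root zone snapshot (nameserver names are placeholders).
IANA_BEFORE = """\
.    518400 IN NS a.root.example.
cn.  172800 IN NS ns1.cn-registry.example.
ly.  172800 IN NS ns1.ly-registry.example.
ly.  172800 IN NS ns2.ly-registry.example.
com. 172800 IN NS ns1.com-registry.example.
"""
# The same snapshot after the .ly delegation has been removed upstream.
IANA_AFTER = "\n".join(l for l in IANA_BEFORE.splitlines() if not l.startswith("ly."))

if __name__ == "__main__":
    zone, restored = build_crs_zone(IANA_AFTER, replicate_cctlds(IANA_BEFORE))
    print("restored from replica:", restored)
    for tld in sorted(zone):
        print(tld, sorted(zone[tld]))
```

The `restored` list doubles as a monitoring signal: a non-empty result means a ccTLD present in the replica is missing from the upstream snapshot.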
Features of Inter-Root
16
Independence
• Root zone resolution service is self-governed
• Resolution service within a country is self-governed
Openness
• Inter-Root is open to any country joining or withdrawing
• CRS is open to all recursive resolvers
Scalability
• Inter-Root inherits the scalability of current DNS
• The number of countries in Inter-Root is about 200 at most
Compatibility
• Inter-Root is about name resolution, not domain delegation
• Inter-Root is transparent to resolvers not using any CRS
Significance of Inter-Root
17
Strategic deterrent against 3 threats
Inter-Root provides a strategic deterrent: if a ccTLD is erased from the IANA root zone, then the countries concerned about the threats will join Inter-Root. This supports the concept of “network sovereignty”.
Country DNS security enhanced
Recursive resolvers freely choose either the CRS or the original root servers. Using the CRS gets additional protection from their own government.
Demonstrate Sovereignty Equality
At the first World Internet Conference, Chairman Xi Jinping said: “China is willing to work together with other countries in the world, in the spirit of mutual respect and trust. We together deepen international cooperation, respect for the sovereignty of the network, maintain network security, and build a peaceful, secure, open and cooperative network. We hope to establish a multilateral, democratic, transparent international Internet governance system”.