Ever since the formation of ICANN (and before), the mere mention of “alternate DNS roots” has inspired apoplectic reactions in certain circles. The idea of running a DNS root that competed with the one managed by IANA was seen as heretical at best, and an evil destructive plot at worst. The IAB issued a fatwa on the subject in 2000 and a panicky ICANN board unilaterally declared that the IAB’s fatwa was a policy, despite never having gone through a policy development process. Yet the alternate root controversy, as this paper by Milton Mueller showed long ago, was entirely a product of the unwillingness of ICANN to add new TLDs. As a new TLD program progressed, the controversies around competing roots faded.

Or so we thought. A recent paper supported by the World Economic Forum seems to revive that old polarization. The WEF paper chastises the Yeti-DNS project for threatening to split the DNS:

…a current project called YETI plans to import the root zone of the DNS that is managed by ICANN, strip the digital signature from the zone and re-sign with a YETI key. While its proponents assert that it is not intended to provide an alternate root, it does, in effect, do exactly that. Once in place, it is possible for local resolvers to be configured to refer to the YETI name server rather than to the ICANN servers and all entries in the YETI root zone would appear to be valid if the YETI signing key is accepted. Although its ostensible purpose is to explore limits to root server performance and functionality, it has to potential to introduce an alternate root.

There is a delicious irony here. The instigator of the YETI project is Paul Vixie, creator of the BIND software for name servers and founder of Internet Systems Consortium, the operator of the F-root, one of the 13 root servers. Fifteen years ago, Vixie was one of the most adamant critics of competing roots. Has Vixie gone rogue?

The Yeti-DNS project is supported by Japan’s WIDE project, Vixie’s own collaborative engineering and security project TISF, and the Beijing Internet Institute, a self-proclaimed private research organization affiliated with the Chinese BII Group, which works with Internet governance bodies and many of the largest technology companies in the world on networking. The Yeti Project’s research agenda will explore questions around IPv6-only operation, DNSSEC key rollover, renumbering and scaling issues, and multiple zone file signers.

Vixie recently responded to the WEF paper. For careful readers, the response poured gasoline on the fire rather than tamping it down. Vixie claimed that the project itself does not support the development of an inconsistent root zone. But he acknowledged that “Yeti-DNS provides a precise blueprint for how someone other than IANA would go about building an alternate root.” As if that were not enough, he then linked the possibility of an alternate root to the geopolitical controversies around ICANN. Having reached out to operators in BRICS countries about participating in YETI-DNS, Vixie said, the project reflects his view

…that if some country decides some day that ICANN cannot be trusted, and they want to create their own Internet DNS system, I want them to have the necessary expertise and competence and awareness of tradeoffs, in-country, to pursue their own sovereign course.

Wait a minute. What does it mean, “pursue their own sovereign course”? Is Vixie encouraging a DNS aligned with national territories?

Vixie’s claim that he “consulted” with BRICs turns out to be a bit of an understatement. In 2014, Vixie worked closely with the state-owned registry of China (CNNIC) to promote a new IETF standard that would allow the number of authoritative root servers to increase beyond the current limit of 13. As a matter of technical scalability, that may be a good idea. The problem is its linkage to a country that has long shown a more than passing interest in a sovereign Internet, and in modifying the DNS to help bring about sovereign control of the Internet. For many years, China has wanted its “own” root server. The proposal was not adopted by IETF, and its failure there seems to have prompted the formation and continued work of the YETI-DNS project. We wonder how much of this is being funded by China. Perhaps Senator Ted Cruz should be sending Vixie letters, not Fadi Chehade.

Vixie was instrumental in developing the use of anycast to mirror root servers around the world, temporarily defusing the politics of root server placement. Yet now he seems to be catering to the most antediluvian impulses in Internet governance politics, seeking a way to give each country its “own” root server.

The IGP consistently supports the principles of innovation and competition in the Internet’s core infrastructure, thus we support Vixie’s right to set up an alternate root for experimental purposes. But the Yeti-DNS work does not occur in a vacuum.  We are entering a critical period of examination regarding the IANA transition proposal to remove U.S. oversight of the DNS. The point was to completely detach DNS governance from governments and sovereignty concerns. If successful, it would be a transformative moment in the governance of the Internet’s core infrastructure. In this environment, to encourage and actively facilitate sovereignty-oriented initiatives is a terrible mistake.

The risks of a split DNS root are often overstated. There are strong network effects associated with IANA root zone, which in turn create incredibly powerful disincentives to violate the global uniqueness of names. Beyond the strong incentives to maintain technical interoperability in a highly distributed system, countries’ economies and security are intimately tied to communications facilitated by the DNS root zone. E.g., in the United States alone, the amount of e-commerce now exceeds $340Bn dollars annually. Moreover, the number and kinds (e.g., IDNs) of TLDs continues to expand. If anything, this requires more empirical research focused on the transnational use of TLDs and the associated economic and social activities, not dismissal of ideas ex ante. While governments certainly pursue activities like web censorship or blocking, for example, tampering with DNS root zone queries and resolution to achieve this has been shown to be highly susceptible to circumvention, very difficult to implement without extraterritorial collateral damage, and in the most recent efforts to actually measure tampering, not very common.

In conclusion, neither dismissing a justifiable exercise in DNS innovation nor justifying it using realpolitik is very helpful.

2 thoughts on “Alternate DNS roots and the abominable snowman of sovereignty

  1. for clarity the full quote from that article is:

    …that if some country decides some day that ICANN cannot be trusted, and they want to create their own Internet DNS system, I want them to have the necessary expertise and competence and awareness of tradeoffs, in-country, to pursue their own sovereign course. If asked, I would advise such countries that any such independence would be nasty, brutish, and short. But I will not pretend that they have to listen to me.

    the omitted text is in bold.

    1. Deal Paul, Would you say that Regional DNS systems would also fall into such nasty, brutish and short destiny? And, furthermore, is it fisible for any alternative to be more brutal than the current apropiación of intimate personal private data of all Internet users?
      It is clear that Internet surveillance combined with the American system of patents deters anyone to publish anything serious, thus drastically slowing down the pace of scientific research and restricting humanity’s progress.

Comments are closed.