en

The Importance of the L-Root in the DNS World

11 September 2015

Terry Manderson, Sr. Director, Security and Network Engineering

In addition to the U.N. six languages, this content is also available in

David Soltero (left) and Terry Manderson (right)

Right now, many people are focused on the important work related to the IANA Stewardship Transition, and rightly so!  Well, we're going to shift gears for a moment to take a short journey into the exciting world of Internet technology. In fact, why not grab a coffee, put your feet up and join me in thinking about some of the underlying infrastructure that keeps the Internet running. Ready? Great!

Understanding the L-Root

We hear so much about what goes in to the root zone. The processes, the concerns, the successes – yet we sometimes miss the fact that the root zone is served by a bunch of servers. Of course I'm being flippant by just saying "a bunch of servers". In fact, the number of locations from where the root zone is served is quite staggering. If you wander over to www.root-servers.org you will find that, while there are 13 root servers, there are actually more than 480 root server locations! The twelve organizations that operate the 13 root servers are deeply committed to what they do and ICANN, as one of that 12, takes its obligation to operating "L-Root" seriously.

It's my hope that, from time to time, you've taken some time to learn about this incredible network. Maybe you've watched a presentation or two on the L-Root expansion work, read a previous blog about it or heard of networks near you that are hosting an L-Root server instance. Maybe even your company hosts one. And if not, maybe your company is interested in joining the community and hosting an L-Root in your network. If so, it's a click away.

Keeping the L-Root Running: Stability and Resiliency

ICANN has been walking down the road of expansion for a few years now, and we do so with the understanding that adding more instances of the L-Root infrastructure around the world improves the stability and resiliency of the Internet – something everyone can reap the benefits from. With this in mind, we have advanced our work into two other dimensions of the Internet's global stability and resiliency: increasing the robustness of L-Root and mitigating Distributed Denial of Service (DDoS) attacks and zero-day exploits potentially directed at "L".

With that in mind, allow me to propose a hypothetical: What if the L-Root was targeted by a massive denial of service attack. Let's say the traffic is 50 times the current global amount root DNS traffic. We certainly wouldn't want to stop serving the DNS from the L-Root, nor would we want to see that traffic impact any other of the 12 root servers.

Now, lets consider a perfect storm. Imagine that during this denial of service attack, some smart hacker discovers a flaw in the DNS software, or even an operating system exploit.

This possibility worries us a great deal. Which is why we are actively taking steps to ensure something like that never happens, and even if it does, we're prepared.

To that effect, the approach we are taking to make the L-Root as resilient as possible is multifaceted. A few days ago ICANN deployed an L-Root server cluster in Prague (which is being graciously hosted by CZ.NIC (http://www.nic.cz)). There are two key features about this cluster that are designed to protect it against the perfect storm scenario I described above:

  1. The cluster is capable of handling in excess of 700 times the load we see on the entire L-Root network. To get an idea of that capacity, feel free to mosey over to hedgehog.dns.icann.org, where we publicly display the volume of DNS traffic we see.
  2. This cluster is constructed using two different high performance DNS code bases. "Knot" from CZ.NIC (http://www.nic.cz), and "NSD" from NLNetLabs (http://www.nlnetlabs.nl). The servers within the cluster are built on two entirely different operating systems. This heterogenic approach means we are resilient to any future issues with one vendor.

Our plan is to deploy at least two more of these high performance installations, with Asia being the next deployment region.

We'd like to extend our deepest gratitude to the folks at CZ.NIC for a number of things. First, for partnering with us back in 2009 for our first externally hosted L-Root instance and prioritising the needs of the Internet community. Their time and effort in hosting our infrastructure speaks volumes to their commitment to the global DNS. Second, CZ.NIC has gone to great lengths to produce another high quality DNS server code-base that allows us to push heterogeneity ideals into the L-Root. So a huge thank you to Ondrej Filip and your amazing crew!

Sr. Director, Security and Network Engineering

Terry Manderson