
Research Revealed on Authoritative Servers at the Second Level

ICANN is interested in the infrastructure supporting the identifiers that we help coordinate, and the Domain Name System (DNS) has a wide variety of infrastructure. There has already been a fair amount of research about the root servers and the Top-Level Domain (TLD) servers, but there are many more authoritative servers in addition to those. We want to find out the general health of the authoritative servers at the levels below those that are typically studied, and to see what this indicates about the future of the DNS. This blog post covers research that was presented recently at the DNS OARC meeting in Dallas, Texas (https://indico.dns-oarc.net/event/25/).

A bit of terminology first: the root servers are the authoritative name servers for the root zone and the TLD servers are the authoritative name servers for zones at the first level below the root zone (such as for "com" and "org" and so on). This study looks at the authoritative name servers for the level below that: those that serve the information for names like "icann.org", "ford.com", "house.loan", and "loan.house". This is not the entire set of DNS name servers, but it represents the largest population of them.

The research starts with going through all of the zone files for all the generic Top-Level Domains (gTLDs); the result is 186 million domain names and 3.5 million name servers serving those names. One of the first things we found is that one tenth of the "glue records" in the zone files are possibly bad because they are not associated with names in the zone file itself. (Glue records are additional data that comes in responses and helps speed the process of searching for name servers.) In the future, we will dig deeper to see how serious the issue is and if we can find patterns that might lead to fixing it.
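One way to run this kind of glue check over a zone file, as an added example that is not the code used in the ICANN study. It assumes "possibly bad" glue means an A or AAAA record whose owner name is not the target of any NS record in the same zone file, that every record line carries its owner name, and it uses a constructed sample zone.

```python
from collections import defaultdict

# Constructed sample in TLD zone-file style (reserved names, documentation IPs).
SAMPLE_ZONE = """\
$ORIGIN example.
alpha             IN NS   ns1.alpha.example.
alpha             IN NS   ns2.alpha
beta      3600    IN NS   ns1.alpha.example.
ns1.alpha         IN A    192.0.2.1
ns2.alpha         IN A    192.0.2.2   ; relative owner name
ns1.gone          IN A    192.0.2.53
ns9.old.example.  IN AAAA 2001:db8::53
"""

def absolute(name, origin):
    """Lower-case a name and make it fully qualified against $ORIGIN."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def unreferenced_glue(zone_text):
    """Return {owner: [addresses]} for A/AAAA records no NS record points at."""
    origin = ""
    ns_targets = set()
    glue = defaultdict(list)
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower().lstrip(".")
            continue
        owner, rest = fields[0], fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip optional TTL and class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype == "NS":
            ns_targets.add(absolute(rdata, origin))
        elif rtype in ("A", "AAAA"):
            glue[absolute(owner, origin)].append(rdata)
    return {n: a for n, a in glue.items() if n not in ns_targets}

if __name__ == "__main__":
    for name, addrs in unreferenced_glue(SAMPLE_ZONE).items():
        print(name, addrs)
```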

One of the goals of this test is to see how many name servers on the second level use the Extension Mechanisms for DNS (EDNS0) protocol (https://www.rfc-editor.org/rfc/rfc6891.txt). This protocol is the primary way that the DNS has been expanded in the past few years and will be expanded in the future, so it is important to know how widely EDNS0 is deployed before relying on it. The good news is that, of the servers that responded at all, about 95% showed that they implemented EDNS0.
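The check behind such a measurement, as an added example that is not the study's testbed code: a query carries an OPT pseudo-record (RFC 6891), and a reply counts as showing EDNS0 support if it carries one too. The messages here are constructed in memory with the names `build_message` and `edns_info` chosen for this sketch; nothing is sent on the network.

```python
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(udp_size):
    # Root owner, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)

def build_message(name, flags, qtype=2, msg_id=0x1234, udp_size=None):
    """Header + one question (default qtype 2 = NS), plus OPT if udp_size is given."""
    arcount = 0 if udp_size is None else 1
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    return msg if udp_size is None else msg + opt_rr(udp_size)

def skip_name(msg, pos):
    """Advance past a possibly compressed name and return the next offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes
            return pos + 2
        pos += 1 + length

def edns_info(msg):
    """Return OPT details from a DNS message, or None if it carries no OPT record."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == OPT:
            return {"rcode": flags & 0xF, "udp_size": rclass, "version": (ttl >> 16) & 0xFF}
    return None

# Constructed messages: the probe, an EDNS-aware reply, and a FORMERR reply without OPT.
QUERY = build_message("example.org", flags=0x0000, udp_size=1232)
REPLY_EDNS = build_message("example.org", flags=0x8400, udp_size=4096)
REPLY_PLAIN = build_message("example.org", flags=0x8401)
```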

The research also looked at some ways that DNS name servers misbehave to determine if we could possibly identify patterns. We found that over 5% of the servers responded to queries that they should not have, and when they did, they gave wildly different answers. It is not likely that this behavior has any significant negative effect on the DNS infrastructure, but it does indicate a lot of misconfiguration.

Future Directions

This type of public research will help ICANN and the various technical communities understand the operational needs of the DNS now and in the future. Various researchers from around the world at the DNS OARC meeting had many suggestions for related research that they would like to see based on the ICANN presentation. Fortunately, the testbed for doing this research is easily adaptable, and it is our intention to run the tests to look for different reliability and extensibility indicators, probably collaborating with other researchers on an ongoing basis.

Comments

    Marina  09:32 UTC on 31 October 2016

    As I understand DNS, root servers return authoritative name servers for top-level domains. In the case of domain names with second-level domains, such as .co.uk or .com.au, root servers return authoritative name servers for the top-level only (i.e. .uk or .au). Assuming that's correct, do the top-level domain servers for .uk and .au domains return name servers for second-level domain servers (i.e. .co or .com), or are they 'smart' enough to return the name servers for, say, example.co.uk?

