
The Importance of the L-Root in the DNS World

David Soltero (left) and Terry Manderson (right)

Right now, many people are focused on the important work related to the IANA Stewardship Transition, and rightly so! Well, we're going to shift gears for a moment to take a short journey into the exciting world of Internet technology. In fact, why not grab a coffee, put your feet up and join me in thinking about some of the underlying infrastructure that keeps the Internet running. Ready? Great!

Understanding the L-Root

We hear so much about what goes into the root zone. The processes, the concerns, the successes – yet we sometimes miss the fact that the root zone is served by a bunch of servers. Of course I'm being flippant by just saying "a bunch of servers". In fact, the number of locations from which the root zone is served is quite staggering. If you wander over to www.root-servers.org you will find that, while there are 13 root servers, there are actually more than 480 root server locations! The twelve organizations that operate the 13 root servers are deeply committed to what they do, and ICANN, as one of those 12, takes its obligation to operate "L-Root" seriously.

It's my hope that, from time to time, you've taken some time to learn about this incredible network. Maybe you've watched a presentation or two on the L-Root expansion work, read a previous blog about it or heard of networks near you that are hosting an L-Root server instance. Maybe even your company hosts one. And if not, maybe your company is interested in joining the community and hosting an L-Root in your network. If so, it's a click away.

Keeping the L-Root Running: Stability and Resiliency

ICANN has been walking down the road of expansion for a few years now, and we do so with the understanding that adding more instances of the L-Root infrastructure around the world improves the stability and resiliency of the Internet – something everyone can reap the benefits from. With this in mind, we have advanced our work into two other dimensions of the Internet's global stability and resiliency: increasing the robustness of L-Root and mitigating Distributed Denial of Service (DDoS) attacks and zero-day exploits potentially directed at "L".

With that in mind, allow me to propose a hypothetical: What if the L-Root was targeted by a massive denial of service attack? Let's say the traffic is 50 times the current global amount of root DNS traffic. We certainly wouldn't want to stop serving the DNS from the L-Root, nor would we want to see that traffic impact any other of the 12 root servers.

Now, let's consider a perfect storm. Imagine that during this denial of service attack, some smart hacker discovers a flaw in the DNS software, or even an operating system exploit.

This possibility worries us a great deal, which is why we are actively taking steps to ensure something like that never happens and, even if it does, that we're prepared.

To that effect, the approach we are taking to make the L-Root as resilient as possible is multifaceted. A few days ago ICANN deployed an L-Root server cluster in Prague (which is being graciously hosted by CZ.NIC (http://www.nic.cz)). There are two key features about this cluster that are designed to protect it against the perfect storm scenario I described above:

  1. The cluster is capable of handling in excess of 700 times the load we see on the entire L-Root network. To get an idea of that capacity, feel free to mosey over to hedgehog.dns.icann.org, where we publicly display the volume of DNS traffic we see.
  2. This cluster is constructed using two different high performance DNS code bases: "Knot" from CZ.NIC (http://www.nic.cz) and "NSD" from NLnet Labs (http://www.nlnetlabs.nl). The servers within the cluster are built on two entirely different operating systems. This heterogeneous approach means we are resilient to any future issues with one vendor.

Our plan is to deploy at least two more of these high performance installations, with Asia being the next deployment region.

We'd like to extend our deepest gratitude to the folks at CZ.NIC for a number of things. First, for partnering with us back in 2009 for our first externally hosted L-Root instance and prioritising the needs of the Internet community. Their time and effort in hosting our infrastructure speaks volumes to their commitment to the global DNS. Second, CZ.NIC has gone to great lengths to produce another high quality DNS server code-base that allows us to push heterogeneity ideals into the L-Root. So a huge thank you to Ondrej Filip and your amazing crew!
