
Let Me Make Yeti-DNS Perfectly Clear

Paul Vixie

The following rather alarming text caught my eye today:

"There is nothing in the Internet design that inhibits the creation of alternative ways to map identifiers into IP addresses. There have been experimental attempts to create alternate roots so as to allow users to choose different mappings of domain names to IP addresses or new identifiers spaces to be mapped into IP addresses. ... Alternate domain name roots create a prima facie hazard since the same names may map to different IP addresses and thus different servers. ...

A variation of this hazard has arisen in a current project called YETI that plans to import the root zone of the DNS that is managed by ICANN, strip the digital signature from the zone and re-sign with a YETI key. While its proponents assert that it is not intended to provide an alternate root, it does, in effect, do exactly that. Once in place, it is possible for local resolvers to be configured to refer to the YETI name server rather than to the ICANN servers and all entries in the YETI root zone would appear to be valid if the YETI signing key is accepted. Although its ostensible purpose is to explore limits to root server performance and functionality, it has potential to introduce an alternate root."

Had this text appeared under a less august letterhead, or signed by less qualified authors, there would be no cause for alarm. However, the letterhead was World Economic Forum and the authors were William J. Drake, Vinton G. Cerf, and Wolfgang Kleinwächter. As one of three coordinators for the Yeti-DNS project, this feels a bit like I'm in big trouble now. So, let's discuss the matter. Note that I am only one of several Yeti-DNS coordinators, and I'm speaking personally rather than officially here. I am also a member of Cogent Communications' C-Root team, but it's safe to say that Cogent would disavow any of the following ravings as being unrelated to their corporate communications.

Technically speaking, any set of DNS root name servers that serves any DNS root zone that did not come from IANA is an "alternate root". However, not all alternate roots are created equal. I have watched many attempts to fork the IANA name space and offer non-standard top level domains to varying, sometimes global, audiences. Every such attempt has failed. Often that failure followed public ridicule by me. I think alternate roots of the "name space fork" variety are a terrible idea for the global Internet, although I recognize the need for this kind of name space augmentation inside many enterprise networks. Competing against IANA for eyeballs is a loser's game, since to the degree that one might succeed, they would by definition inspire competitors. Vibrant competition among Internet name spaces is bad for all of us — bad for business, bad for freedom of expression, bad for national and personal security.

So, yes, technically speaking, Yeti-DNS not only has the potential to introduce an "alternate root", it is, in fact, an alternate root. However, it is not a name space fork, and cannot become such. Yeti-DNS is not the first experimental "alternative root DNS" system I have proposed. In 2005, while I was a member of the ISC F-Root team, and after a decade and a half of maintaining BIND, which at the time was the most popular open source implementation of DNS, I suggested to ICANN that they create an alternate root zone. The slides I presented at the Root Server System Advisory Committee (RSSAC) meeting are here. Far from trying to shake the foundations of digital society, I wanted ICANN to create an "advanced services" version of the DNS root zone, so that we could add new features like internationalized domain names, IPv6, and DNSSEC, without having to worry about older DNS clients that might misunderstand these new protocol patterns and thence behave badly. My proposal was not taken up, even though it called for the existing root name server operators, and ICANN, and the United States Department of Commerce, to continue in their existing roles. Alternate root name service is the "third rail" of Internet governance: if you touch it, you die.

Nevertheless, global scale experimentation in root name server technology remains a valid topic for network science. So, each of the three Yeti-DNS coordinators has made a strong public statement opposing name space "forking" (sometimes called "name space augmentation" or more simply "name space piracy"). The operators of the Yeti-DNS root name servers all know this. The experimenters and hobbyists who deliberately select Yeti-DNS root name servers to handle their root DNS lookups need to know this. If any of us changed our position, the whole project would explode. We are marching forward into this dangerous ground because there's stuff we need to know, like what if root name service were only available over IPv6? Or, what if we rolled the root zone signing key really often? Or, what if we rolled the root key signing key? These are not things that you can find out in a test lab. And they are not things that we can afford to test using the live production DNS root name server system.

So, does this mean that Yeti-DNS could, as the World Economic Forum white paper suggests, "introduce an alternate root"? That depends on what we mean by "alternate". If we mean name space augmentation, where someone other than IANA could effectively edit the top level domain name space, for example to add a new TLD or change the ownership of an existing TLD, the answer is absolutely not. Yeti-DNS operates in a fish bowl environment where everything that happens is transparent, and everybody is suspiciously watching everybody else to see if name space piracy is in any heart.

Far more dangerously in my opinion, Yeti-DNS provides a precise blueprint for how someone other than IANA would go about building an alternate root. And in that sense, the answer is that indirectly, Yeti-DNS could cause the introduction of alternate roots that do in fact intend name space piracy. There's a valid and common need for this kind of alternate root name service within large enterprise, and the documentation and tools to support this don't really exist yet, especially in a DNSSEC environment.
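To make concrete what the white paper means by entries being "valid if the YETI signing key is accepted", and what an enterprise operator running a derivative root zone under DNSSEC would need to watch for, here is an added Python example; it is not code from the Yeti-DNS project or from this post. It parses the trust anchors a validating resolver has been given (presentation-format DNSKEY lines, as in a root.key-style file), derives each key's key tag and SHA-256 DS as specified in RFC 4034, and reports any root (".") anchor whose DS is not on an operator-approved list. Whichever key sits in that anchor set decides which root zone the resolver will treat as valid, so the check is simply: is every root anchor one we meant to trust? All key material below is constructed, the file format and function names are my assumptions, and the approved list stands in for the DS of IANA's published root KSK, which an operator would paste in from IANA's trust-anchor file.

```python
"""Audit the DNSSEC trust anchors a validating resolver has been given for the
root ("."), and flag any that are not on an operator-approved list.

Added example code, not part of the Yeti-DNS project or the post it accompanies.
All key material is constructed; nothing here is a real key."""
import base64
import hashlib
import re
import struct


def name_to_wire(owner: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name; "." is a single zero byte."""
    owner = owner.lower().rstrip(".")
    if not owner:
        return b"\x00"
    wire = b""
    for label in owner.split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the general, non-algorithm-1 case)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """DS digest, digest type 2 (RFC 4034 section 5.1.4): SHA-256(owner | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


# owner [ttl] [IN] DNSKEY flags protocol algorithm base64key
DNSKEY_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=]+)\s*$"
)


def parse_trust_anchors(text: str) -> list[dict]:
    """Parse presentation-format DNSKEY lines; ';' starts a comment, other records are skipped."""
    anchors = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = DNSKEY_LINE.match(line)
        if not m:
            continue
        pubkey = base64.b64decode(m["key"])
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        anchors.append({
            "owner": m["owner"],
            "flags": flags,
            "key_tag": key_tag(flags, proto, alg, pubkey),
            "ds": ds_sha256(m["owner"], flags, proto, alg, pubkey),
        })
    return anchors


def audit_root_anchors(text: str, approved_ds: set[str]) -> list[dict]:
    """Every anchor gets a verdict: 'approved' if it is a root anchor on the list,
    'unexpected' if it is a root anchor that is not, 'non-root' otherwise."""
    findings = []
    for a in parse_trust_anchors(text):
        if a["owner"] != ".":
            verdict = "non-root"
        elif a["ds"] in approved_ds:
            verdict = "approved"
        else:
            verdict = "unexpected"
        findings.append({**a, "verdict": verdict})
    return findings


# Constructed key material (not real keys): one key standing in for the root KSK the
# operator intends to trust, and one standing in for some other root signer.
APPROVED_KEY = hashlib.sha256(b"constructed: approved root KSK").digest() * 2
OTHER_KEY = hashlib.sha256(b"constructed: some other root signer").digest() * 2


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


# Constructed trust-anchor file: the resolver has been handed two root keys.
SAMPLE_CONFIG = f"""; constructed trust-anchor file for this example
.  IN DNSKEY 257 3 8 {_b64(APPROVED_KEY)}
.  IN DNSKEY 257 3 8 {_b64(OTHER_KEY)}
example.test. IN DNSKEY 257 3 8 {_b64(APPROVED_KEY)}
"""

# In practice this set holds the DS of IANA's published root KSK; here it is derived
# from the constructed "approved" key so the example runs offline.
APPROVED_DS = {ds_sha256(".", 257, 3, 8, APPROVED_KEY)}

if __name__ == "__main__":
    for f in audit_root_anchors(SAMPLE_CONFIG, APPROVED_DS):
        print(f"{f['owner']:14} tag={f['key_tag']:5d} {f['verdict']:10} DS={f['ds'][:16]}...")
```

Run as a script it prints one line per anchor; the second root key comes out as "unexpected", which is exactly the configuration state the white paper describes. Comparing DS digests rather than key tags matters because key tags are not unique; the DS binds the owner name too, which is why the same key under `example.test.` yields a different digest than under the root.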

Note well: I have personally reached out to operators inside the BRICS countries (Brazil, Russia, India, China, South Africa) to ensure that they know about the Yeti-DNS project, and can participate if they so choose. This reflects my view that if some country decides some day that ICANN cannot be trusted, and they want to create their own Internet DNS system, I want them to have the necessary expertise and competence and awareness of tradeoffs, in-country, to pursue their own sovereign course. If asked, I would advise such countries that any such independence would be nasty, brutish, and short. But I will not pretend that they have to listen to me.

I will also not pretend that root DNS service is something that only the high priests can understand. Anybody who wants, for whatever reason of their own, to craft their own root zone as a derivative of IANA's root zone, ought to get all the help they need. Our industry's holy scriptures ought to be written in English not Latin, ought to be read by the laity, and ought to be understood and argued about by the world wide Internet community.

Open and transparent network science is no threat to Internet governance. "Steady as she goes."

Join us!

By Paul Vixie, CEO, Farsight Security
Related topics: DNS, ICANN



Comment: "Hope there is a response" (Christopher Parente, Apr 06, 2016 12:32 PM PDT)

Good commentary. I've always appreciated how you write in a way that non-engineers can grasp, Paul. This harkens back to your DNS filtering posts in the days of SOPA.

I also appreciate how you engage openly in debate here on CircleID. I hope some of the august persons you reference respond in this thread.

