DNS Abuse Forum - March 16

Home / Blogs

ICANN Gets the Root Zone, Too

A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN.

This has two and a half effects. The most obvious is political — if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign's A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can't publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. (Take that, ORSC.)

The half thing is that the agreement requires that when VeriSign sends ICANN zone info updates, ICANN has to apply them within a week. Since IANA has been taking a month to handle updates, this means IANA will have to get their act together enough to provide bad rather than horrible service on domain updates unless they provide a special express channel for TLDs that have contracts with ICANN, and give the current horrible service to everyone else.

By John Levine, Author, Consultant & Speaker

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


Re: ICANN Gets the Root Zone, Too By JFC Morfin  –  Oct 26, 2005 10:53 am PST

very well seen. But I think this is ICANN IANA job protection stuff. The engaged battle is for the control of the IANA. ICANN, NTIA, Unicode, ITU are the challengers. DNSSEC is certainly a key point. Not only for what it operationnally means, but also for the difficuly of moving the DNSSEC root management.

Except if IANA moves to another structure as an entity.

A question is the impact on the cooperation agreement of Verisign witht the USG. I feel this might void the need for such an agreement. Is the USG OK? The big advantage for Verisign to be releived from the cooperation agreement is that they could go alt/open-roots.

The real "root" of the future is today with NeuStar. If Verisign enters a star in the NeuStar root, aside .gprs Sitefinder II will "pollute" quickly. I am working on a dedicated registry server and services system. Root access is obviously a problem in case of loss of connectivity. The solution is probably to get an MMS connectivity and the root there, as 1.5 billions of other users.

If Verisign comes with an attractive deal so my machine is made free to users because of a special deal for their services, I am interested.

Re: ICANN Gets the Root Zone, Too By bill manning  –  Oct 29, 2005 7:08 pm PST

John, i'm not sure why the myth of "A" being special continues to be perpetrated.  The root zone is distributed via a "distribution master" system and has been since early 2000. 


Re: ICANN Gets the Root Zone, Too By John Levine  –  Oct 29, 2005 7:28 pm PST

I don't know why the myth of "A" being special continues to be perpetrated, either, but I also don't understand why you're bringing it up.

The question at issue is who creates the root zone, not how it's distributed.  When I download the root zone from VRSN's FTP server, which is supposed to be the same root zone that goes into the root servers, it's got Verisign's fingerprints all over it, e.g., the SOA contact is NSTLD.VERISIGN-GRS.COM.  This agreement says now it'll be ICANN's fingerprints.

Add Your Comments

 To post your comments, please login or create an account.



DNS Security

Sponsored byAfilias

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign


Sponsored byVerisign

Brand Protection

Sponsored byAppdetex