Internet Engineering Task Force S. Higgs
Internet-Draft May 2001
Category: Informational
Expires: November 2001
Document: draft-higgs-virtual-root-00.txt
Alternative Roots and the Virtual Inclusive Root
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026 except that the right to produce
derivative works is not granted.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This Internet Draft discusses the "alternate roots" and the "virtual
inclusive root", in an attempt to help clear up misunderstandings on
their use in the Internet. This document solves the problem of
duplicate colliding top level domains by identifying the "virtual
inclusive root", in compliance with the IAB's RFC 2826, "IAB
Statement on the Unique DNS Root"[1].
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC2119[2].
Background
For the past 6 years or so various organizations and individuals have
implemented "alternate roots" to support their own Top Level Domains
(TLD)s[3]. The origin of these alternative roots can be found in the
rough consensus and running code behind Draft Postel[4] (which was
subverted by the gTLD-MOU, which itself was terminated upon
intervention by the U.S. Government). That ICANN (the replacement
process set in place by the U.S. Government) has since failed to run
with the ball has only caused more alternative roots to spring up.
I define the term "alternate root" to mean "a DNS root zone connected
to the Internet, but with contents that differ from the ICANN roots".
An alternate root by definition includes "alternate top level domains
(TLDs)". This is perfectly acceptable, and one example is RFC 2606
/ BCP32[5] which shows how to create localized TLDs from the reserved
TLD pool.
Impact Of Alternative Roots In DNS
The following examples show the impact to the DNS from a multiple
root zone environment. It should be noted that each root zone, as a
singular entity, is fully compliant with RFC2826. The problems
described in RFC2826 surface when the user has no ability to
determine which root zone is being used for a particular transaction.
Each example also is marked as "STABILIZING" or "DESTABILIZING". This
is an important concept to grasp. The primary fallacy that must be
overcome is contained in the following set of statements:
"If a non-ICANN root service mounts a new TLD without ICANN
permission, this is defined to be destablizing."
and
"If ICANN corrects this situation by adding a conflicting TLD to
the ICANN ROOT, this is defined to be stabilizing."
There's no other way to say this: THE ABOVE STATEMENTS ARE WRONG!
The fact is that there is no conflict and no harm to the internet
until the 2nd version of a given TLD (the duplicate) is created.
In order to remedy this, the correct statements are as follows:
1. If any root service mounts a new TLD which does not conflict
with a pre-existing TLD, this SHOULD be defined as stabilizing.
2. If any root service mounts a new TLD which conflicts with a
pre-exisitng TLD, this SHOULD be defined as destabilizing.
Therefore, any new TLD which conflicts with a pre-existing TLD is
destabilizing, no matter where it comes from. The following examples
illustrate which is correct, and which is not correct:
Example 1 (STABILIZING):
ICANN Alt
root root
/|\ /|\
/ | \ / | \
/ | \ / | \
/ | \ / | \
/ | \ / | \
.com............ .com....... .biz
Example 1 does not create any TLD conflicts. The Alternate Root,
has been enhanced by the inclusion of the .biz TLD. Both roots
use the legacy root, now maintained by the US Government (ICANN
root), as the baseline.
Example 2 (STABILIZING):
ICANN Alt Alt
root root(A) root(B)
/|\ /|\ /|\
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
.com............ .com....... .biz(A) .com....... .biz(A)
Example 2 does not create any TLD conflicts. Both Alternate Root A
and Alternative Root B have been enhanced by the inclusion of the
.biz(A) TLD. The important thing to note is that the same .biz TLD
is supported by both Alternative Roots. All roots use the legacy
root, now maintained by the US Government (ICANN root), as the
baseline.
Example 3 (DESTABILIZING):
ICANN Alt Alt
root root(A) root(B)
/|\ /|\ /|\
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
.com............ .com....... .biz(A) .com....... .biz(B)
Example 3 creates a TLD conflict. Both Alternate Root A and
Alternative Root B have .biz TLDs, but these TLDs are not
coordinated, or peered, and therefore duplicate zones may exist.
Note that all roots use the legacy root, now maintained
by the US Government (ICANN root), as the baseline.
Example 4 (DESTABILIZING):
ICANN Alt Alt
root root(A) root(B)
/|\ /|\ /|\
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
.com........biz(C) .com....... .biz(A) .com....... .biz(A)
Example 4 creates a TLD conflict. Both Alternate Root A and
Alternative Root B have been enhanced by the inclusion of the
.biz(A) TLD. These .biz TLDs are coordinated (or peered) and are
conflict free. Adding a different .biz(C) TLD to the ICANN root
causes a conflict, and therefore duplicate zones may exist. Note
that all roots use the legacy root, now maintained by the US
Government (ICANN root), as the baseline. As you can see, this
example causes a bigger (META) problem, in that it changes the
supported baseline of TLDs that all the other roots are supposed
to recognize.
Alternate Roots do in fact exist. No one can prevent them from
existing, because the selection of a root zone to point to is a
voluntary act by DNS name server administrators and end-user client
software.
Name Conflicts
Name conflicts are generally considered a bad thing. If company "A"
uses the ICANN Root, and company "B" uses an Alternative Root, then
"A" and "B" will see identical versions of all the TLDs that both
roots support (such as .COM). Company "B" will also benefit from the
additional TLDs visible from the Alternative Root. So far, so good.
The problems arise when two roots do not support the same TLD manager
for a given TLD. As identified in RFC1591:
The designated manager must be equitable to all groups in the
domain that request domain names.
and
Significantly interested parties in the domain should agree that
the designated manager is the appropriate party.
Obviously, if there is a disagreement, it is possible to create a
duplicate TLD, in a different root, and managed by a different party.
This will lead to the inevitable delegation of duplicate domain names
(and thus create the name conflicts).
Disagreements are caused by a number of factors. Lack of entry into
a particular root zone is currently the primary cause of new root
zones (the Alternative Roots) being created.
So what happens when a duplicate domain name is created? Quite simply,
a number of things in the DNS break. These breakages happen in all
the root systems, including those roots that don't support either
version of the conflicting TLD.
The first visible sign will simply be the domain names resolving to
different IP addresses depending on which root zone is being
supported. Company "A" may put its web page in .biz(A), and Company
"B" may put its web page in .biz(C). Internet users will only be able
to reach Company "A" by using root zones supporting the .biz(A) TLD,
and Company "B" by using root zones supporting the .biz(C) TLD.
The second visible sign will be email failures. Internet users can
send a message to a user@example.biz, but there can be two separate
sets of recipient mail servers for example.biz depending on which
root zone is used (.biz(A) or .biz(C)). To complicate this further,
each intermediary mail server that the message is routed through,
will only pass the message on to the .biz mail server from the root
that it resolves. It's quite possible that a message sent within a
particular root zone could "leak out" of that root zone via an
intermediary server that supports a different root zone. Lastly, as
soon as the email path finds a non-supporting mail server, the
message is bounced.
The third visible sign (see Example 5) is the most deadly. DNS
nameserver (NS) record pollution. This is where the NS name records
for a domain name are identical, but resolve to different IP
addresses depending upon which root zone is queried. With the
caching effect of the DNS, an NS record from one root zone may
become cached in a nameserver from a different root zone. Any
subsequent queries will point to the server for the domain name in
the other root zone.
Example 5:
.biz(A) .biz(B) in-addr.arpa
/|\ /|\ /|\
/ | \ / | \ / | \
.. | .. .. | .. / | \
| | / .. 1.2.3.4->sex.biz
sex->1.2.3.4 sex->4.3.2.1 /
/|\ /|\ 4.3.2.1->sex.biz
/ | \ / | \
.. | .. .. | ..
| |
ns1->1.2.3.5 ns1->4.3.2.2
Eventually, these problems will become magnified as more duplicate
domain names are created. To solve this, we create a meta level
solution, called the "virtual inclusive root".
Virtual Inclusive Root
The above discussion of name conflicts underscores a fundamental
point: DNS wasn't designed to deal with name conflicts.
The fundamental design goal of the DNS is to provide unique
and stable names for certain resources on the Internet. A "resource"
may be, for example, an IP address (or, in some cases, a group of IP
addresses), an email server, or a portion of the Domain Name Space
itself. The resources are represented by objects in DNS; the
fundamental service provided by the DNS is retrieval of an object,
given the name for the object.
The names provided by the DNS are structured in a hierarchical
manner, which allows the management of the names to be distributed.
Instead of a single gigantic name registry, the registration of names
can be spread across many registries.
The visible DNS hierarchy starts with what are called "Top Level
Domains" (TLDs). The next level of the hierarchy is made up of
"Second Level Domains" (SLDs), the level are "Third Level Domains"
(3LDs), and so on. The familiar ".com" is a TLD, "example.com" is a
SLD, "an.example.com" is a 3LD. "this.is.an.example.com" would be a
domain name with 5 levels.
So how do we do that if there is more that one root zone? The answer
is the Virtual Inclusive Root. It's nothing more than applying
RFC2826 to create a larger, virtual, root zone comprised of the sum
of all the variations of local root zones.
Example 6:
ICANN Alt Alt
root root(A) root(B)
/|\ /|\ /|\
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
/ | \ / | \ / | \
.com(A)... .net .com(A).... .biz .com(A).... .web
From the above example (Example 6), the Virtual Inclusive Root would
consist of the .COM, .NET, .BIZ, and .WEB TLDs (all roots support
the same .COM TLD).
The Virtual Inclusive Root can be considered the best view of
consensus and co-operation for the DNS name space.
Co-ordinating The Virtual Inclusive Root
Obviously, conflicting TLDs cannot be supported in the Virtual
Inclusive Root.
The first basic rule of domain name registration is that the first
eligible applicant to register a domain name receives the exclusive
delegation of that domain name. This is traditionally known as
"first come, first served" (FCFS).
The second basic rule, as identified in the examples above, is that
there is no harm done to internet until a duplicate top level
domain is created. Users may not be able to resolve a domain name
that exists in a top level domain from a different root zone. But
this is no different to today, and does not break the DNS overall.
Adding the TLD to the Virtual Inclusive Root solves this problem.
The third basic rule is that there is no limit to the number of top
level domains that can be put in the DNS. The DNS is recursive and
the recent examples of several million domain names registered in
.COM shows that this is possible. The reality is that the demand
for TLDs is not that high.
The main objection to the virtual inclusive root is that it really
only raises the root zone up a level and that someone, somewhere,
has the job of managing it. This is not true, as the ICANN root
zone being a "single point of failure" on the Internet is the
problem that the Alternative Roots have already solved.
The Virtual Inclusive Root is the sum of the consensus between all
root zones on the public internet. The methods for allowing
DNS clients and resolvers to resolve Virtual Inclusive Root will
be described in a different document.
Other Considerations
The United States Patent and Trademark Office has determined that
top level domains are not trademarkable. This removes any
possibility of "sunrise" claims or other trademark claims to top
level domains.
If ICANN "endorses" other roots, then it would of course coordinate
its TLD selections with them, and there would be fewer, if any, name
collisions. This is by far the most pain-free solution.
If ICANN doesn't "endorse" other roots, then it will most likely
create TLDs that conflict with ones publicly in use by Alternate Root
servers (see Example 4 above). This sets precedents directly opposed
to the IETF tradition of "rough consensus and running code". It
allows the pioneer work of developers and entrepreneurs to be taken
away at the whim of others.
ICANN could also try to make it illegal to run an alternate root.
This would involve regulating the configuration of every computer
connected to the Internet, and defining what technology and service
provider everyone had to use. It would be like a law dictating that
everyone had to use the same government approved computer operating
system to avoid "instability."
The FCFS method of registration has recently been co-opted by ICANN
for financial gain, by the registry/registrar community (there is a
major kick-back in fees paid to ICANN by the registries and
registrars) for the benefit of the intellectual property community
(who are paid to secure domain names). The internet user community
is the loser, paying several times over just to secure a single
domain name. The Alternative Roots exist, at the behest of the
internet user community, to bypass this kind of profiteering.
Security Considerations
This memo does not introduce any new security issues.
This memo does not address DNSSec issues.
Acknowledgments
The author would like to thank Karl Auerbach, Scott Bradner,
Milton Mueller, Brian Reid, Richard Sexton, and Einar
Stefferud for their constructive comments.
References
1 Internet Architecture Board, "IAB Technical Comment on the Unique
DNS Root", RFC 2826, May 2000
2 Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997
3 Postel, J., "The IANA's File of iTLD Requests",
http://www.gtld-mou.org/gtld-discuss/mail-archive/00990.html
4 Postel, J., "New Registries and the Delegation of International
Top Level Domains"
http://www.newdom.com/archive/draft-postel-iana-itld-admin-02.txt
5 D. Eastlake, A. Panitz, "Reserved Top Level DNS Names", BCP32,
RFC 2606, June 1999
Author's Address
Simon Higgs
Higgs Communications
P.O. Box XXXX
XXXXXXXX, XX XXXXX-XXXX
Phone: XXX-XXX-XXXX
Email: XXXXX@XXXXX.XXX
###
