DNS is the Internet Pivotal Basics and Fundamental

DNS is actually a distributed database. Its hierarchical structure is similar to the file system structure of UNIX (Figure 1), presenting an inverted “tree” with roots at the top.

Figure 1.

The composition and resolution of domain names follow the rule of “right to left” and flow in an orderly manner. They are the root domain name, the top-level (Level 1) domain name, the authoritative (Level 2) domain name, and the sub (Level 3, level 4, etc.) domain name, followed by “.” to distinguish. For example, “www.icbc.com.cn” is a three-level domain name. The United States attaches great importance to and closely controls the DNS hierarchical tree system domain name resolution, and never allows any reversible, variable and movable situation to occur.

According to the definition of “DNS terminology” (RFC 84992019-1), DNS “instances” allow multiple DNS servers to have the same IP address in anycast routing, and each server (cluster) is called a “node”; Such DNS domain name server nodes are also called “anycast nodes”.

Since 2008, all root domain name servers have applied the “anycast” technology to realize the transformation of the root domain name server into a “system of systems” and provide faster services. Therefore, the global Internet is no longer 13 root domain name servers, but the integration of 13 root domain name server systems [3].

The total number of nodes in the 13 root domain name systems increases or decreases dynamically.

The above Tble1 shows that with the help of anycast technology, the 13 root domain name server systems of the Internet have set up 1469 nodes in the world (configured with established IPv4 and IPv6 addresses).

Please note that any one root domain name server and its corresponding anycast site or node will not be composed of one or two computers or several cabinets, but a server (data cabinet) cluster designed and constructed according to the needs of the service object and scale (target and target group) and sufficient computing support. Among them, the core supporting the computing power of the server cluster is the algorithm.

In November 1983, the concept, facility, implementation and specification of domain name system DNS (RFC 882, RFC 883) was formally proposed.

The Internet Engineering Task Force (IETF)[4], established on January 14th 1986, is responsible for formulating and promoting the voluntarily adopted Internet standards and specifications, especially the standards constituting the TCP/IP protocol family. At present, RFC involving DNS and related to TCP/IP four-layer architecture and protocols includes 299 protocols (standards) in 7 categories. As shown in Table 2.

The service Zone of the root domain name is the top-level domain name. In other words, the root domain name system is available and serviceable only when the top-level domain name is registered and enabled. The authorization and management of the Zone File of the root domain name and the services of the root domain name system are currently only available for 1588 top-level (or first level) domain names. The registration of top-level (or first level) domain names requires the approval and authorization of ICANN [5].

On January 1st, 1985, six top-level domains “.com,.net,.org,.edu,.gov,.mil” were first registered, marking the official operation of the root domain name system. Among them, “com,.net,.org” is called the general top-level domain name, and “.edu,.gov,.mil” is used as the special top-level domain name.

The US national top-level domain name “.us” was registered on February 15th, 1985; The Chinese national top-level domain name “.cn” was registered on November 28th, 1990.

Currently, top-level domain names are divided into seven types (As shown in Table 3):

In practical applications, a large number of registered domain names are secondary (or authoritative) domain names, that is, the names of organizations, enterprises and websites, such as “ccb.com”.

VeriSign reported that as of June 2021, 367.3 million secondary domain names had been registered worldwide; among them, 181million are general top-level domain names (GTLD), accounting for 49.3%.

In 1984, the system software running on the first root domain name server was called “JEEVES”, which was designed and developed by Paul Mockapetris. At the same time, the first DNS software version, funded by the Defense Advanced Research Projects Agency (DARPA) of the US Department of defense, developed by Berkeley University (four graduate students) and released in May1984, is called “BIND”[6]. Later, Doug Kingston and Mike Muuss of the U.S. Army ballistic laboratory made major changes to the BIND software code, which was used in the H-Root domain name server of the U.S. Army ballistic laboratory in 1985. Perhaps the H-Root can be considered as the Taproot of DNS domain name resolution.

With the support of the U.S. Department of homeland security, BIND has been completely upgraded and changed from structural design modification to comprehensive code update. In September, 2000, the Internet Software Alliance Corporation (ISC) released the new main version of BIND (BIND 9), which has been used until now: from the release of version 9.0.0 on January 28, 2004 to the release of version 9.17.18 on September 15, 2021, 673 sub versions have been released in 18 years (the life cycle of the sub versions is generally one year), including software upgrade, defect modification and vulnerability patch.

With its first mover advantage and the “promotion” mode of providing free software and open source code, BIND has a market share (allegedly) of more than 90% and is also regarded as a “de facto standard” in the industry. It must be noted that the “free software” of BIND is not equal to “open source code” and should not be confused.

In May, 2002, NLnet Lab in the Netherlands released the DNS software independently developed, called “NSD”, which was enabled in the “K” root domain name server in February 2003, replacing “BIND”. At present, four root domain name server systems (D, H, K, L) have adopted “NSD” [7].

In addition, in March 2021, the National Security Agency (NSA) of the United States released the new DNS software developed, called “Protective DNS” (PDNS), which is currently mainly used in military networks and defense infrastructure (DIB) networks. In the sense that “DNS is the Internet”, it should also be a system that can be resolved and run independently.

The simplified relationship of the ICTs supply chain of the root domain name system DNS is shown in the following figure 2:

1) ICANN and IETF are parallel, or IETF has no direct relationship between the R & D of technical specifications and the authorization and management of digital resources;

Figure 2.

In the ecological environment of the root domain name system, if ICANN has the decision-making power over digital resources (domain name, IP address and Asn autonomous system number) and root domain name management, then the domain name execution power in applications and services is another matter.

In 1984, the first root domain name server of the Internet was established to serve only the ARPAnet network of the USD Epartment of defense.

In 1985, the number of root domain name servers increased to four, which were hosted by the American Academy of Information Sciences (ISI), Stanford Institute of International Studies (SRI) and the US Army ballistic Laboratory (BRL).

In 1987, the number of root domain name servers was increased to 7, and the services were extended to ARPAnet (Development and Testing network), MILnet (military network), NSFnet (National Science Foundation Network), SURAnet (Southeast University Network), BARRnet [9] (Western Silicon Valley Research Network) and NASA-Science (NASA research network).

In 1995, the year after China's full-featured access to the U.S. Internet, the number of root domain name servers increased to 9, the services were extended to NORDUnet, and the root domain name servers were renamed from “A” to “I”.

1997 was an important year for the United States and China to develop the internet almost synchronously. The United States has achieved and improved the Internet in DNS technology, and China has provided a large market for Internet applications: ▴

In January, the United States added four new root domain name servers from “J” to “M”. So far, 13 Internet root domain name servers have been built and renumbered from “A” to “M”, completing the overall architecture deployment of the Internet domain name system. On January 1st, China's people's network was connected to the Internet.

However, this does not mean that if the IPv6 address length is 128 bytes, the root domain name server can be added. In fact, after more than 30 years of transitional tests, IPv6 is still only attached to and subject to the existing 13 root domain name server (system) architecture of IPv4, and has not established a “pure IPv6” root domain name server (system).

The root domain name mirror server is divided into two types: Global and Local. Two or more servers with identical online content and synchronized updates are all mirror servers except the host server.

Mirror servers are also called “Instances” in the industry. Instances are not interconnected and can be controlled or managed independently based on the Web or the command line.

In the node list of each root domain name server, some instances are marked as “Whole Network”, while others are marked as “local”. The instance mark indicates the application range of the image server. The application range of the image server is determined and limited by the routing method of the instance (the Border Gateway Routing Protocol BGP of the autonomous system running on TCP).

The whole network instance allows routing announcements to be broadcast on the global Internet, that is, any router on the Internet can know the routing path to (link to) the instance. For a specific source, the established route of the instance may not be the best route, and other instances can be selected as the destination (via). All root domain name server operators must have at least one network wide instance to provide services for the global Internet [10].

For local instances, route advertisements are limited to connected networks. For example, the instance might be visible to only one network operator (ISP) or to an ISP connected at a particular switching point. Other (or remote) domain name resolution requests cannot be viewed and queried. Some root domain name server operators may also choose to deploy local instances according to their own and partner needs.

The mirror server is a server that shares the load of the host. It synchronously maps the data information passing through the host server like a mirror. It can be seen, but it may not be “retained” or complete. Because the mapping of the mirror server is subject to the mirrored host, what the host has can be mirrored, and no change, change or modification is possible or allowed.

It must be noted that the “anycast node” of DNS cannot be considered or used as the “mirror point” of the domain name; hosting an anycast node is conditional, and related parties must sign a confidentiality agreement (NDA).

The national telecommunications and Information Administration (NTIA), established in 1978 under the Department of Commerce, is an administrative department of the federal government. NTIA's plans and decisions mainly focus on expanding broadband Internet access and adoption in the United States, promoting the use of spectrum for all users, and ensuring that the Internet continues to be an engine of continuous innovation and economic growth.

The “cooperation agreement with Veritas” published on NTIA website states that Veritas manages the authorized root zone documents in accordance with the cooperation agreement No. NCR 92-18742 signed with the U.S. government. Verizon's responsibilities include: editing the root zone file according to the suggested changes, publishing the file, and then distributing the file (through the a root domain name server) to other root domain name server operators. From this point of view, the status and role of root a domain name server [11] in the 13 root domain name servers is equivalent to the parent root, or the “Female-child root” integrated into one.

Root A has been managed by Verizon for decades under the strong protection of the U.S. government and military. One of the main functions is to distribute and push authoritative updates of top-level domain names to other 12 secondary root domain name server systems every 24 hours to ensure the consistency and uniqueness of the real-time operation of global DNS domain name resolution. Any root set up by countries around the world (including China) according to the Internet layout (including all root domain name mirror servers around the world) must and can only follow root A for real-time synchronous update, coordination and domination, that is, subject to root A. Otherwise, the operation of the whole network (including China's local Internet) may be seriously disrupted, or even a large area of congestion, block and interruption may occur, and the normal service cannot (or cannot) be provided.

Based on the “cooperation agreement” between NTIA and Veritas, from october1, 1998 to october26, 2018, NTIA and Veritas signed 26 public amendment and supplementary agreements. According to the 2015 financial report submitted by Verizon to the Securities and Exchange Commission (SEC), it clearly states:

1) DNS is supervised by the Department of Commerce on behalf of the U.S. government. According to the letter of commitment (AOC) signed by the Ministry of Commerce and ICANN, which took effect on October 1st, 2009, the Ministry of commerce is one of the subjects of continuous review and accountability of ICANN's performance [12].

The key point is that all the above root domain names (regardless of the parent root, Taproot and secondary root), root domain name system (host and image distribution, establishment and operation control system), IPv4 and IPv6 protocols are the network terms, proprietary functions and specific elements of the Internet developed by the United States. The Network sovereignty of the Internet, including naming right, jurisdiction, design and planning right, rule determination right, operation dominant right, routing dominant right, data control right, as well as the distribution and lease right of domain name address, the distribution and coordination right of root domain name mirror server node, etc., can only be decided by the United States. Any country (including China, Japan, European countries, etc.) and organization (including the United Nations, ISO/IEC, ITU, etc.) outside the United States does not count.

Female root refers to the source root of the whole Internet. The U.S. military network evolved and reconstructed from ARPANET is the core network, origin network, network in network and leading network (main network) of the Internet. The “Female root” should be hidden in the “main network” that the U.S. military absolutely controls and provides a high degree of security.

Taproot is the direct root and the direct root of the Internet. Root A is considered to be the Taproot among the 13 Internet roots, and the Female 12 roots are Auxiliary roots. For example, root M in Japan is the Auxiliary root.

The U.S. government has carefully planned and constructed the jurisdiction (legal system) and control (governance mechanism) over the Female root, Taproot and the Auxiliary root of the root domain name, which can not be disobeyed and changed by any other countries, organizations and individuals.

With the increasingly prominent security problems and risks of domain name resolution system DNS, IETF has continuously issued a set of standards and specifications “Domain Name System DNS Security Extension” (DNSSEC) since 2005.

At 0:00 on October 12th, 2018 (Beijing time), ICANN implemented the domain name root zone key reversal (KSK, key signing key) on the global Internet, replacing the single trust root used to verify the consistency of DNSSEC response, which is the first time in the history of the Internet.

But so far, the application of DNSSEC is far lower than expected. Among them, the technical reasons include: the digital signature of DNSSEC increases the number of bytes of DNS resolution response packets, making most DNS resolution response packets remain under the UDP transmission limit of 512 bytes, which is becoming more and more challenging. At the same time, in order to keep the DNS specification unchanged, packets with more than 512 bytes can be truncated and switched to TCP to obtain domain name resolution responses with more than 512 bytes, potentially reducing the efficiency of DNS (and increasing the delay and fragmentation of packets).

Therefore, in reality, the deployment and application of DNSSEC are “layered and segmented”. For example, DNSSEC is adopted for the domain name resolution service of root domain name and top-level domain name, while DNSSEC is basically not adopted for the domain name resolution service of authoritative domain name, recursive domain name server and user terminal.

Geoff Huston, chief scientist of APNIC [13], believes that the current status shows that DNSSEC is one of the typical cases of application failure.

According to the measurement statistics of APNIC, as of May 6th, 2022, the average verification rate of DNSSEC in the world is 29.91%, of which (As shown in Table 4):

The interoperability of IPv6 and IPv4 technologies (“mutual incompatibility”) is one of the key foundations and fundamental cruxes of Internet security issues. Although both belong to the Internet Protocol (different versions) and are controlled and operated by 13 root domain name server systems that also use and rely on the Internet, there are still a large number of potential instability factors and unknown security risks that cannot be predicted and prevented, Necessary and necessary practical (parallel) operation experiments and verifications must be carried out to explore possible solutions, which requires incalculable economic costs and security costs, or the gains outweigh the losses.

In June 2015, ICANN launched the “Yeti DNS Project” proposed by American expert Paul Vixie and the Japan WIDE organization (Japanese translation “雪だるまプラン”,Translated into English as “Yeti DNS project”)

The “Yeti DNS Project” is an experimental project for parallel testing of IPv4 and IPv6 domain names. ICANN uses the “Yeti DNS” DNSSEC key to test all restart and Reset settings in the M root domain. It does not provide a substitute domain name space, but only changes (adds) the delegation information of the M root domain name system resolution.

American professionals acknowledge that this preliminary technical test project, which is temporary and allowed to fail in the test environment, is neither the experiment of “technical prototype”, nor the deployment of root domain name server system in the production environment, nor the “new pattern of IPv6 root domain name server hypothesis”, and has been completed at the end of December 2017.

American professionals clearly pointed out that the tests and experiments of the “Yeti DNS Project” have proved that:

1) The “Taproot root server” of IPv6 is not a truly independent Taproot server, but a testing server under the Taproot root server of IPv4. Technically, the status of the 25 new IPv6 root servers in the “Yeti DNS Project” is actually lower than that of the 13 IPv4 root servers.

In short, the United States has full sovereignty over both IPv4 and IPv6 domain name space. The US government, US politicians and US politics do not allow any country, any organization or any individual to change or shake the US “one net dominating the world”, which has become a well-known Internet common sense, scientific common sense and political common sense all over the world.

1) Since January this year, ICANN has widely publicized a revised action measure: “Knowledge-Sharing and Instantiating Norms for DNS and Naming Security”, referred to as “KINDNS”.

On March 10th, at the 73rd annual video conference of ICANN (ICANN 73) [14], the Middle East representative of AFRINIC, the management organization of Africa, issued a “statement” on “digital signature and verification of DNSSEC”:

It is emphasized that DNS is crucial to ensure the continuity of network services. Defective or invalid DNS services will have a negative impact on the experience of any institution and organization (including customers, partners or employees), affect e-commerce applications, cause loss of revenue and damage the brand image. It is disclosed that 63% of institutions and organizations will be offline and out of service due to DNS attacks in 2021; It is recommended to clarify the “return on investment” (ROI) in DNSSEC deployment and application and the “risk loss rate” (ROR) for delayed deployment and application of DNSSEC.

On May 19th, ICANN made an official reply, acknowledging that the importance of DNS Security operation to the overall stability and flexibility of the Internet was recognized, which is the core of ICANN's mission; Indicates that the series of recommendations put forward in the statement are consistent with ICANN's “five year strategic plan” and “five year plan for the Middle East and surrounding countries and regions”, that is, they are related to ICANN's regional objectives; Define the regional objectives of ICANN, including: —

Through cooperation and support with multi stakeholders, to develop technical capacity and establish a regional network of technical experts;

“Multi stakeholder”, in fact, is to build a new “threshold” of exclusive competition through the cooperation between the government and private enterprises, and take their own interests or vested interests. One of the “principles” put forward in the “Declaration on the future of the Internet” signed and issued by the United States with the EU, more than 50 countries and Taiwan on April 28, namely “protecting and strengthening multi stakeholder governance methods”.

2) The technology and services of DNS are undergoing fundamental changes, not only in the underlying protocols (and key technologies), but also in the alliance of governance models and the strengthening of management means.

The “QUIC” protocol [15], a new generation of network data transmission protocol based on the “UDP” protocol, is known as a subversive innovation comparable to the “TCP” protocol.

On May 11, IETF released the updated version RFC 9250 in the standardization process of “DNS based on private QUIC connection”; On May 20, IETF updated the second version of the standardization process based on the “UDP” protocol.

Combing the domain name system DNS, an intuitive and simple evolution is that DNS has already become the “hub” (command and control system) and “commanding point” (navigation system for positioning and redirection) of the Internet from its initial idea as the Internet “phone book” (file system).

DNS Security is not limited to “vulnerability” or “harassment”, but has a clear strategic and systematic nature, and has become one of the focuses of unprecedented struggle and competition, that is, “whoever controls DNS will own the Internet” [16].

The Internet is man-made. It is the creative result of human collective wisdom. It is a systematic innovation that carries forward the past and advances with the times with the continuous sublimation of human knowledge, culture, science and technology. Especially in the evolution and development of DNS domain name system and its security technology, there is no shortcut, no “one move to beat the world” and no “eternal” technical know-how once and for all.

DNS is the key foundation and foundation of the Internet. The innovation of DNS domain name system is not only a technical programming based on experience, but also an ecosystem project, including dynamic supply chain and potential political, economic, diplomatic and military strategies and strategies.

Complete the manuscript May 24, 2022.