
3 The Domain Name System: Current State
Pages 79-151



From page 79...
... To meet the needs of this expanded and enhanced Internet, the DNS has developed into a complex socio-technical-economic system comprising distributed name servers embedded in a multilayered institutional framework. This chapter describes the DNS as it exists in 2005 to establish a base for consideration of the future of the DNS and of navigation on the Internet.
From page 80...
... The design of the DNS ensures that the path down the tree will be followed without detours or false starts, leading directly to the desired file because the structure of the domain name spells out the route. This process may best be understood through an example, shown in Figure 3.1, which illustrates the use of the DNS to find the IP address corresponding to the hypothetical domain name indns.cstb.nas.edu.[3] This is what would happen if, for example, the user wanted to access a Web site at that name, in which case the requesting application would be a browser.
From page 81...
... FIGURE 3.1 Operation of the Domain Name System without a local name server. (Labels visible in the figure: Application, Stub Resolver.)
From page 82...
... Name servers can perform two important functions:
· First, they are designed to reply directly to queries concerning the portion of the domain name space for which they have complete information, which is called their zone and for which they are said to be authoritative (see Section 3.1.2)
From page 83...
... Similar behavior is common to all iterative resolvers at whatever level in the DNS hierarchy they are searching. The response of a root name server, which is configured to be authoritative only, takes the form: "The address of indns.cstb.nas.edu is not in my zone's name file, but here are the names or addresses of name servers that are authoritative for .edu." The ISP's iterative resolver then sends the same query to one of the .edu name servers, which responds: "The address of indns.cstb.nas.edu is not in my zone's name file, but here are the names or addresses of the name servers that are authoritative for nas.edu."
[7] Where a query goes first is a consequence of an explicit configuration choice made by the user, an ISP, an enterprise IT department, or by a dynamic configuration protocol whose values are supplied by one of those sources.
From page 84...
... .1 Some of the operators of root name servers have implemented anycast addressing as a way to facilitate load sharing, to improve service, and to reduce vulnerability to attacks. The use of anycast addresses allows a root name server operator to install copies of the root zone file at different servers (in this report, those servers that replicate the root zone file are called satellites)
From page 85...
... Therefore, the adoption of anycast addressing by the root name server operators is a positive development. However, more general use of anycast addressing is problematic because current methods for deploying these addresses waste a number of IP addresses.[3] Given the importance of a robust DNS, this wastage is acceptable for the operation of the root name servers, but not necessarily for other domain name servers.
From page 86...
... That can happen because the query is ill formed, contains a typographical error, is based on a user's incorrect guess about a desired domain name, refers to a name that does not exist or no longer exists, or refers to a domain name on a private network that is not on the public DNS.[9] Since such inquiries do not correspond to a cached address, even the caching name server system will not normally relieve the load on the root name servers related to such requests. To minimize the load on the network and improve response time, however, it is desirable that name servers store information about such non-existent domains.
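The referral walk described on page 83 and the caching of non-existent names described on page 86, modelled as an added Python example. This code was written for this page; it is not from the report and not BIND's logic. Every server name, address (RFC 5737 documentation range) and TTL below is constructed for the illustration, and only the hypothetical name indns.cstb.nas.edu comes from the text. The resolver walks root -> .edu -> nas.edu -> cstb.nas.edu, then shows that both a cached answer and a cached "no such name" keep repeat queries away from the root servers until the TTL expires.

```python
import time

# Constructed authoritative data for the walk root -> .edu -> nas.edu -> cstb.nas.edu.
# Each "server" answers only for names in its own zone ("a" records) and otherwise
# refers the querier to the servers for the next zone down ("ns" delegations),
# exactly the "not in my zone file, but here are the servers for ..." reply on page 83.
AUTH_SERVERS = {
    "root":    {"a": {}, "ns": {"edu": "edu-ns"}},
    "edu-ns":  {"a": {}, "ns": {"nas.edu": "nas-ns"}},
    "nas-ns":  {"a": {"www.nas.edu": ("192.0.2.10", 3600)},
                "ns": {"cstb.nas.edu": "cstb-ns"}},
    "cstb-ns": {"a": {"indns.cstb.nas.edu": ("192.0.2.20", 300)}, "ns": {}},
}
NEGATIVE_TTL = 60  # constructed TTL for caching a "no such name" answer


def query_authoritative(server, qname):
    """One query to an authoritative-only server.

    Returns ("answer", ip, ttl), ("referral", next_server, None) or ("nxdomain", None, ttl).
    """
    srv = AUTH_SERVERS[server]
    if qname in srv["a"]:
        ip, ttl = srv["a"][qname]
        return ("answer", ip, ttl)
    for child_zone, child_server in srv["ns"].items():
        if qname == child_zone or qname.endswith("." + child_zone):
            return ("referral", child_server, None)  # hand down to the delegated zone
    return ("nxdomain", None, NEGATIVE_TTL)          # inside this zone, but no such name


class FakeClock:
    """Controllable clock so TTL expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class IterativeResolver:
    """ISP-side iterative resolver: starts at the root, follows referrals, and caches
    both answers and non-existence so identical repeat queries never reach the root."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}          # qname -> (ip or None for a negative entry, expiry time)
        self.queries_sent = []   # (server, qname) log so the walk can be inspected

    def resolve(self, qname):
        now = self.clock()
        cached = self.cache.get(qname)
        if cached is not None:
            if cached[1] > now:
                return cached[0]         # positive or negative cache hit: no packets sent
            del self.cache[qname]        # TTL expired: fall through and walk again
        server = "root"
        for _ in range(16):              # bound the walk so a broken delegation loop cannot spin
            self.queries_sent.append((server, qname))
            kind, payload, ttl = query_authoritative(server, qname)
            if kind == "referral":
                server = payload
                continue
            ip = payload if kind == "answer" else None
            self.cache[qname] = (ip, now + ttl)
            return ip
        raise RuntimeError("referral chain too long for " + qname)


def demo():
    """Run the lookups discussed in the text and report which servers were queried."""
    clock = FakeClock()
    resolver = IterativeResolver(clock)
    target = "indns.cstb.nas.edu"

    ip = resolver.resolve(target)                    # first lookup: full walk from the root
    first_walk = list(resolver.queries_sent)
    resolver.resolve(target)                         # repeat: served from cache
    cached_walk = resolver.queries_sent[len(first_walk):]

    resolver.resolve("nosuch.nas.edu")               # erroneous query: NXDOMAIN from nas-ns, cached
    before = len(resolver.queries_sent)
    resolver.resolve("nosuch.nas.edu")               # repeat of the bad query: root not consulted
    negative_hit_queries = len(resolver.queries_sent) - before

    clock.advance(NEGATIVE_TTL + 1)                  # negative entry expires ...
    before = len(resolver.queries_sent)
    resolver.resolve("nosuch.nas.edu")               # ... so root, edu-ns and nas-ns are asked again
    after_expiry_queries = len(resolver.queries_sent) - before

    return {"ip": ip, "first_walk": first_walk, "cached_walk": cached_walk,
            "negative_hit_queries": negative_hit_queries,
            "after_expiry_queries": after_expiry_queries}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The point the report makes on page 86 is visible in the `negative_hit_queries` figure: without the negative entry, every repeat of a misspelled or non-existent name would start the walk at the root again, which is why such queries dominate root load when resolvers fail to cache non-existence.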
From page 87...
... and "www.nas.edu" (without a trailing dot) are equivalent domain names.
From page 88...
... It is up to the organization responsible for a zone to maintain the corresponding zone file (thus, the organization has considerable motivation to provide satisfactory maintenance) -- the data file in the zone's name servers that contains pointers to hosts in the zone and to the name servers for delegated zones (see "DNS Zone Data File" in Section 3.2.4)
From page 89...
... FIGURE 3.2 The .edu domain divided into zones. (The figure shows the root delegating com, org, and edu; the edu zone delegating the ucla.edu, smu.edu, and mit.edu zones; and the mit.edu zone delegating the sloancf.mit.edu, eecs.mit.edu, and web.mit.edu zones.) SOURCE: Based on Figures 2-8 and 2-9 of Paul Albitz and Cricket Liu, DNS and BIND, 4th edition, O'Reilly Media, Sebastopol, Calif., 2001.
From page 90...
... Although originally written for Unix operating systems, BIND has been programmed for other operating systems, including Windows NT and Windows 2000.[16] It has also been used as the basis for many vendor name servers.[17] The rest of this section uses BIND as an example because it is widely deployed. However, other name server software may behave differently in some respects and still conform to the domain name server standards.
From page 91...
... In general, the cache size for a new name server is determined by observation of the name server's operation over a few weeks to determine how much memory is required to respond to the query demand at its installation.
3.2.4 Standards
The queries and responses that flow between name servers must be in a protocol that is readily interpretable by any name server, no matter which software and hardware it uses.
From page 92...
... The practical limitation on the number of root name servers to 13 is a consequence of the DNS message format and the design decision to use datagrams employing a minimal protocol -- the User Datagram Protocol (UDP)[19] -- to send DNS queries and responses so as to achieve high per
[18] Addresses are converted to names in the .arpa domain for DNS lookup.
From page 93...
... [21] In theory, the response could be a list of name servers that contain the names and locations of root name servers. Also, the hints file, which is local, could contain information about more than 13 name servers.
From page 94...
... Such decisions might include rejection of the draft, publishing it as a standards-track document, or handling it in some other way. Documents that are considered valuable and permanent, including all standards-track documents, are then submitted to the RFC editor for publication as RFCs.[3]
[1] For a full description, see Susan Harris, "The Tao of IETF -- A Novice's Guide to the Internet Engineering Task Force," RFC 2160, August 2001, available at .
From page 95...
... In 2003, the IETF identified a number of problems, both routine and structural, in its operations and initiated a process of problem resolution.[22] As is typical, it did so publicly via the RFC process.
Providing Root Name Server Software -- Internet Software Consortium, Inc., and Other Software Providers
Internet Systems Consortium, Inc.
From page 96...
... is stored in 13 root name servers, which use it to respond to queries to the root. As shown in Section 3.1, while queries can enter lower on the tree if their resolvers have current cached information, or if the query lies within the zone of the local name server, the root serves as the assured point of entry to the DNS for any other query.
From page 97...
... Critical Characteristics
The root zone and the root name servers are critical to the operation of the DNS. The effective and reliable operation of the DNS, and of the Internet, is entirely dependent on the accuracy and integrity of the root zone file (and its copies)
From page 98...
... or because of regular maintenance. However, since the capacity of each name server is many times greater than its average load, and iterative resolvers can use any of the root name servers, other name servers can take up the load without degradation in the system's performance that is perceptible to users.
From page 99...
... Consequently, many technologists and economists believe it is unlikely that an alternative root would achieve widespread success.[30] In their view, while competition may serve a valuable purpose in the short term, the task of maintaining the root zone file will equilibrate on a single, dominant root zone file, albeit an equilibrium in which operational control is shared among a number of (non-competing) entities.[31] There have been several attempts to create alternate roots that have data about the TLDs that are recognized by the current root servers plus some additional TLDs that the operator of the alternate root is trying to promote.
From page 100...
... The Root Name Servers
Like other zone files, the root zone initially had a primary or master server accessible from the DNS and several -- in this case, 12 -- secondary or slave servers. That primary zone file was the most current of the files, and all updates and changes were made to it; it served as the reference source for the root zone.
From page 101...
... The widespread distribution of anycast satellites of the 13 root servers has improved the level of service provided to many previously less well served locations. Some have believed that 13 root name servers are too few to meet requirements for reliability and robustness, which requires sufficient capacity distributed widely enough to protect against system or network failures and attacks.
From page 102...
... (See Section 5.3.) There is no standard hardware and software implementation of the root name servers.
From page 103...
... VeriSign runs its own name server software.
From page 104...
... most Internet technologists believe that variation in the underlying hardware and software of the root name server system is highly desirable, since it ensures that an error in a particular piece of hardware or software will not lead to the simultaneous failure of all of the root servers. As the number and rate of queries to the root name servers have increased, hardware and software upgrades have enabled the servers to keep up.[39] However, the pace of inquiries is likely to continue to grow and it is conceivable that it could, in principle, exceed the capacity of a system comprising even the most powerful single computers.
From page 105...
... Creating the root zone file, keeping it current, and distributing it to all the root name servers;
3. Selecting the locations and the operators of the root name servers; and
4.
From page 106...
... Once the addition or change is approved, the DOC notifies IANA and VeriSign. VeriSign Naming and Directory Services then makes the change in the hidden primary, which distributes the changed root zone file to the other root name servers (see "Operating the Root Name Servers" in Section 3.3.3)
From page 107...
... [1] Information about ICANN was derived from on February 13, 2005.
name servers resulting, for example, from a change in the network service provider.
From page 108...
... Furthermore, regular queries of the root by each of the TLD operators can be used to test the entries corresponding to their TLDs and provide further assurance that no undetected errors are present in the file.
Selecting the Root Name Server Operators -- Self-Selection
The current root name server operators were not selected through a formal evaluation and qualification process, although they play a fundamental role in ensuring the availability and reliability of the root.
From page 109...
... Operating the Root Name Servers -- The Root Name Server Operators
The role of the operators of the 13 root name servers is to maintain reliable, secure, and accurate operation of the servers containing the current root zone on a 24-hours-a-day, 365-days-a-year basis. Each server is expected to have the capacity to respond to many times the rate of queries it receives and must increase its capacity at least as fast as the query rate
[41] The DNS Root Server System Advisory Committee has drafted a model memorandum of understanding, available at .
From page 110...
... Data collected about root name server operation has revealed that a substantial fraction -- between 75 percent and 97 percent -- of the load on those servers may be the result of erroneous queries.[44] These errors fall into three categories: stupid -- for example, asking for the IP address of an IP address; invalid -- for example, asking for the IP address of a nonexistent domain; and repetitive -- for example, continuing to send an incorrect query even after receiving a negative response. Analysis has revealed that the sources of many of these errors lie in faulty resolver or name server software and faulty system management that misconfigures name servers
[42] See Randy Bush, Daniel Karrenberg, Mark Kosters, and Raymond Plzak, "Root Name Server Operational Requirements," RFC 2870, June 2000, available at .
From page 111...
... Conclusion: The root name servers are subject to malicious attack, but through overprovisioning and the addition of anycast satellites have substantially reduced their vulnerability to denial-of-service attacks. Furthermore, the widespread caching of the root zone file and its long time to live mean that the DNS could continue to operate even during a relatively long outage of most or all of the root name servers and their satellites.
From page 112...
... Conclusion: The system of root name servers lacks formal management oversight, although the operators do communicate and cooperate. Not everyone would agree that formal oversight is desirable.
From page 113...
... These TLDs are, in turn, the top of a hierarchy of second-level domain names.
From page 114...
... As noted above, some country code TLDs have further generic or geographic substructures. In those cases, the count of domains is the sum of those registered under each second- or third-level domain, depending on the highest level at which registration by the general public is permitted.
From page 115...
... These estimated counts represent about 16 percent of all ccTLD domain names.
From page 116...
... Recharacterizing TLDs
Although a distinction between generic TLDs and national or country code TLDs is widely accepted and used in policy discussions, the reality of practice is that the distinctions have been significantly eroded.
From page 117...
... (fragment of a table row) 1,100[c] | Internet Architecture Board/Internet Assigned Numbers Authority (IANA) | ?[c]
From page 118...
... until recently, register only at the third level under a limited number of restricted second-level domains, such as com.ar and com.au for commercial organizations. However, Great Britain, .uk, has some second-level domains that are restricted, such as ltd.uk and plc.uk, and others, such as co.uk, that are not.
From page 119...
... , another Pacific island nation, markets .ws directly and handles the registration locally. Western Samoa had two ISPs and 3000 Internet users in 2002.[52]
[52] See CIA, The World Factbook, 2004, available at .
From page 120...
... Some TLDs have as many as 13 name servers, depending on the query load, the need for security against attack, and their desire to improve access by their users. Each name server is implemented on one or more computers, most of which run a version of BIND.[55] The zone files on all TLDs are larger, generally very much larger, than the root zone file.
From page 121...
... A popular second-level zone can increase traffic to its parent TLD name servers by lowering its TTL, effectively defeating the DNS's caching mechanism. (The root name servers do not suffer from this potential problem to the same extent, since TLD name servers give out mostly referrals.
From page 122...
... "Selecting new TLDs" means deciding which new TLDs will enter the root zone file. As described above, that decision is made by the U.S.
From page 123...
... At its September 25, 2000, meeting, the ICANN board passed a resolution that approved for delegation as ccTLDs those codes from the ISO's exceptional reserved list for which the reservation permits any application requiring a coded representation of the entity.[60] In March 2005, ICANN authorized the creation of the .eu TLD, which is expected to begin operation in early 2006.[61] It will be open to any person living in the EU, as well as businesses with their headquarters, central administration, or main base in the EU.[62] The exceptional reserved list is no longer published, and a policy has been implemented to prohibit the creation or reservation of an unrestricted name that is not on the ISO 3166-1 list. The process of deciding who will be delegated responsibility for operating a ccTLD upon its first entry into the root, or for redelegating responsibility subsequently, can become very complex.
From page 124...
... ICANN treated the addition of gTLDs as an experiment in order to seek compromises that would satisfy the contending interest groups, although that did not prevent the additions from becoming controversial. Since that process also entailed selecting the organizations responsible for the TLDs and the TLD name server operators, its description is deferred to "Selecting the TLD Registry Operators" below.
From page 125...
... name servers for the TLD satisfying Internet technical requirements and (2) a domain name registration process that meets the needs of the local or international Internet communities.
From page 126...
... PIR has contracted with a Dublin-based company, Afilias, to provide the registration services and Afilias has contracted, in turn, with a commercial provider of DNS services, UltraDNS, to run the name servers. For the ccTLDs and the legacy gTLDs, ICANN must have a process for recognizing the organizations that will be responsible for the TLD when a new ccTLD is added or when a change of responsibility is desired for whatever reason.
From page 127...
... According to the proposed agreement for the triangular situation, ICANN would retain the responsibility to see that the ccTLD manager meets its responsibilities to the international Internet community and to any non-national registrants, while the local government would assume responsibility for ensuring that the interests of the local Internet community are served. According to ICANN, the decision as to which arrangement to pursue would be reached by the government and the ccTLD manager (or candidate manager)
From page 128...
... The most significant instance was its negotiation with VeriSign Global Registry Services, the legacy manager of .com, .net, and .org. Because those three gTLDs contain the registrations of the vast majority of the Internet's gTLD second-level domains and, in particular, almost all of those on its unsponsored and unrestricted domains, VeriSign's position as the profit-making sole supplier of those three was felt by many in the Internet community to be detrimental to the long-term health of the Internet.
From page 129...
... Selecting the TLD Registry Operators
An organization that is responsible for reliably performing the functions of (1) operating the TLD name servers and (2)
From page 130...
... Nic.AT was established in 1998 by the Austrian ISP Association to take over responsibility for the ccTLD from the University of Vienna, which had managed it from its inception but was faced with an increasing number of registrations, legal questions, and name conflicts beyond its competence. While Nic.AT handles the name registration, it contracts with the University of Vienna computer center to run the .at name servers.
From page 131...
... ICANN announced that the selection criteria would be the following:
· The need to maintain the Internet's stability;
· The extent to which selection of the proposal would lead to an effective proof of concept concerning the introduction of top-level domains in the future;
· The enhancement of competition for registration services;
· The enhancement of the utility of the DNS;
· The extent to which the proposal would meet previously unmet types of needs;
· The extent to which the proposal would enhance the diversity of the DNS and of registration services generally;
· The evaluation of delegation of policy-formulation functions for special-purpose TLDs to appropriate organizations;
· Appropriate protections of rights of others in connection with the operation of the TLD; and
· The completeness of the proposals submitted and the extent to which they demonstrate realistic business, financial, technical, and operational plans and sound analysis of market needs.
ICANN received 47 applications, of which 2 were returned for nonpayment of the fee and 1 was withdrawn, leaving 44 to be evaluated.
From page 132...
... (See Sections 2.3.4 and 2.5.3 for information on the development of the Whois service and background on the issues surrounding it.) ICANN-accredited registrars are contractually obligated to collect and provide access to information about the name being registered, the names and IP addresses of its name servers, the name of the registrar, the dates of initiation and expiration of the registration, the name and postal address of the registrant, and the name and postal, telephone, and e-mail addresses of the technical and administrative contacts for the registered name.
From page 133...
... The issue of whether and how to add new gTLDs is examined in detail in Section 5.4.
Operating the TLD Registries
Every TLD registry operator must perform two basic functions: register domain names requested by registrants and operate the name servers that will link those domain names with their IP addresses and other critical information.
From page 134...
... and about one-third in the ccTLDs.[75]
3.5.1 Technical System of the Second- and Third-Level Domains
Second- and third-level domains may have their own name servers to respond to queries to their zone files, as most large organizations do, but often the services are provided by ISPs or other Web site hosting organi
[74] See Chapter 4 for a discussion of the Site Finder case.
[75] See Tables 3.2 and 3.3.
From page 135...
... The zone file of a second- or third-level domain may be very small if it belongs, for example, to an individual, or it may be quite large, if it is owned by a commercial or governmental organization. In the latter case, a great many of the entries may be associated with the e-mail addresses of the thousands of employees of the institution, while several, tens, or hundreds may be associated with the name servers of lower-level zones.
From page 136...
... There were in February 2005 more than 460 registrars from more than 20 countries accredited to register domain names in 1 or more of the 10 eligible gTLD domains.[79] Many of them have decided to operate, at least in part, as wholesalers and suppliers of registrar services; those operations have enabled many agents to sell domain names without any rela
[77] For example, in February 2005, godaddy.com was offering .com registrations for $8.95.
[78] Some specialized TLDs might continue to have market power even if the total number of TLDs were very large.
From page 137...
... Registering Domain Names
Registration of second-level (or third-level) domain names occurs according to different processes in the different types of TLDs.
From page 138...
... In addition, domain name theft has been one of the problems associated with inadequate procedures and security measures put in place by the registrars of domain names. In such cases, a third party fraudulently claims to be the registrant in order to have the domain name transferred to its ownership.[85] There have also been instances of fraud charges against domain name registries and registrars of domain names.
From page 139...
... [91] For further discussion of market issues and presentation of market data, see "Generic Top Level Domain Names: Market Development and Allocation Issues," Organisation for Economic Co-operation and Development, Directorate for Science, Technology and Industry, Committee for Information, Computer and Communications Policy, Working Party on Telecommunication and Information Service Policies, July 13, 2004, available at .
From page 140...
... Resolving Domain Name Conflicts
One of the most difficult institutional roles that the operation of the DNS requires is the resolution of conflicts among competing claimants for domain names. These conflicts arise for a number of reasons that are discussed in detail in Section 2.5.
From page 141...
... For a time, Network Solutions did not allow registration of six of the Federal Communication Commission's "seven dirty words" in the domain name space.[95] The World Intellectual Property Organization (WIPO) recommended eliminating a list of "famous" trademarks from the DNS database and reserving their use to the trademark holder.[96] ICANN has provided all of its
[94] The deployment of internationalized domain names involves new processes and challenges with respect to the reservation of names to prevent some conflicts over domain names.
From page 142...
... Exclusions do not make any distinction between legitimate and illegitimate users; they simply make it impossible to use the names. A rigid exclusion deprives these organizations of the right to register domain names corresponding to their acronyms or trademarks.
From page 143...
... In addition, the United States has passed specific legislation at both the federal and the state levels addressing the rights of trademark owners to domain names. (These are discussed further below.)
From page 144...
... Intentionally to attract, for commercial gain, Internet users to registrant's Web site or other online location, by creating a likelihood of confusion with the complainant's mark on registrant's Web site or location. It also describes circumstances that would enable the registrant to demonstrate its rights and legitimate interests in the domain name.
From page 145...
... The 15,710 domain names that had been disputed in 4 years represent 0.03 percent of the more than 46 million domain names registered in the gTLDs subject to the UDRP. Approximately 60 percent of these proceedings have been filed with WIPO, approximately 33 percent have been filed with the National Arbitration Forum (NAF)
From page 146...
... With respect to such filings commencing during the period from November 2003 through April 2004, data were obtained directly from the Asian Domain Name Dispute Resolution Centre Web sites at and , the Center for Public Resources Institute for Dispute Resolution Web site at , the National Arbitration Forum Web site at , and the World Intellectual Property Organization Arbitration and Mediation Center Web site at . Specialized domain name dispute resolution proceedings (e.g., Startup Trademark Opposition Policy (STOP)
From page 147...
... These policies generally also cover the resolution of conflicts over domain names. Where the TLD limits itself to individuals and organizations that have an association with the country, many potential conflicts are readily addressed through national administrative, regulatory, and judicial institutions.
From page 148...
... , which provided trademark owners with a further cause of action that was specifically directed to domain names.[104] Under the ACPA, a trademark owner can bring a civil action against a person if that person has a bad-faith intent to profit from a mark and registers, traffics in, or uses a domain name that, in the case of a mark that is distinctive, is identical or confusingly similar to that mark; or in the case of a famous mark, is identical or confusingly similar to or dilutive of that mark; or is a trademark, word, or name protected by law.[105] Mere registration of such a domain in bad faith may be sufficient to violate the trademark owner's rights under the ACPA; there is no further requirement for any use of the domain name in association with any goods or services. Under the ACPA, factors affecting the judgment of bad faith include, but are not limited to, whether (1)
From page 149...
... In 1998, the Delhi High Court in India likewise extended its form of common law trademark protection to domain names, as did the Tribunal de Grande Instance of Draguignan in France. Many ccTLDs, 42 in all, including a number from the EU, have opted to rely on a form of alternative dispute resolution policy.[107] Likewise, the new .eu ccTLD will apply the following rules regarding registrations:
· Governments may reserve geographical and geopolitical names.
From page 150...
... Conclusion: The UDRP is a unique cross-border, electronically based process that has resolved thousands of disputes over domain names without the expense and potential delay of court proceedings. The issues of dispute resolution and appropriate Whois balance are examined in Chapter 5, where the alternative approaches are described and the committee's recommendations presented.
From page 151...
... Hence, the need did not seem to be to replace the DNS but rather to maintain and incrementally improve it. Furthermore, given the rapidly increasing installed base and the corresponding heavy investments in the technical system and the institutional framework, the financial cost and operational disruption of changing to a replacement for the DNS would be extremely high, if even possible at all.

