Domain Name System Without Root Servers

  • Conference paper
  • Risks and Security of Internet and Systems (CRiSIS 2017)

Abstract

We present a variation of the Domain Name System (DNS) infrastructure that works without DNS root servers. This makes it possible to switch from a centralized trust model (root) to a decentralized trust model (top-level domains). By dropping the DNS root, our approach leaves users with one fewer entity that they must trust. Beyond the trust issues, not relying on the DNS root means that the DNS root servers are no longer a central point of failure. Our approach is minimally invasive, builds on the established DNS architecture and protocols, and supports the DNS Security Extensions (DNSSEC). Furthermore, we designed our approach as an opt-in technology, so each top-level domain operator can decide whether or not to support rootless DNS.

The challenge of a rootless DNS is to keep track of changing IP addresses of top-level domain servers and to handle key rollovers, which are part of normal DNSSEC operation. Top-level domains opting in to rootless DNS must follow constraints regarding the frequency of changes of IP addresses and DNSSEC keys. We conducted a four-year measurement to show that 82% and 72% of top-level domains, respectively, already fulfill these constraints.

Correspondence to Matthäus Wander.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

Wander, M., Boelmann, C., Weis, T. (2018). Domain Name System Without Root Servers. In: Cuppens, N., Cuppens, F., Lanet, JL., Legay, A., Garcia-Alfaro, J. (eds) Risks and Security of Internet and Systems. CRiSIS 2017. Lecture Notes in Computer Science, vol 10694. Springer, Cham. https://doi.org/10.1007/978-3-319-76687-4_14

  • DOI: https://doi.org/10.1007/978-3-319-76687-4_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76686-7

  • Online ISBN: 978-3-319-76687-4

  • eBook Packages: Computer Science (R0)
