Inter-Root: A New Self-Governed Architecture for DNS Root Zone

Download Report

Transcript Inter-Root: A New Self-Governed Architecture for DNS Root Zone

Inter-Root:
A New Self-Governed Architecture
for
DNS Root Zone Resolution
Binxing Fang
Xiaohua Chen
June,2015
1
“State Network Sovereignty”is now a
consensus among the international society
20. State sovereignty and
international norms and principles
that flow from sovereignty apply to
State conduct of ICT-related
activities, and to their jurisdiction
over ICT infrastructure within their
territory.
In June 24, 2013,the UN published
A/68/98 file: Report of the Group of
Governmental Experts on Developments in
the Field of ICT in the Context of
International Security.
2
Fundamental Features of State Sovereignty
4
Fundamental Features:
 Jurisdiction: to make legal decisions and
judgments by oneself
 Self-defense:to defend the well-being of
oneself
 Equality:to be NOT subordinate to others
 Independence:the existence does not
depend on others
3
Network Sovereignty
The Internet within one country cannot exist
independently due to the DNS architecture
Almost every visit to any server in the Internet needs
to use directly or indirectly the root name servers to
resolve the server domain name, unless the IP address
of the server is known. The root name servers could be
utilized to disable the Internet within a country. This
power is in the hand of the owner of root name servers,
which is currently the ICANN / the US government.
4
Current DNS Architecture
Root servers, responsible for
the root zone and TLD
resolutions, are the start
point of resolution and the
center of structure
•
Namespace,
represented by a label tree
•
Authority
Server
hieratical Distributed
Database
recursive
resolver
• Lots of caching
• Resolution protocol
.
(roo
t)
cn
com
cu
1
foo
2
www
3
Recursive
Resolver
5
Root Zone Management
NTIA delegated IANA function to ICANN and VeriSign
Any change in the
root zone needs to
be approved by the
US government
root
zone
file
TLD
operator
12 Root Server Operators
(US 9、EU 2、Japan 1)
13 logical root servers and hundreds of mirrors
6
“Disappearing Threat”
 Independence
The ccTLD of a country could be
removed from the root zone
database, so that the ccTLD is
erased from the namespace,and the
names under the ccTLD cannot be
resolved. As reported, .iq (Iraq)
in 2003 and .ly (Libya) in 2004
temporarily cannot be resolved.
R
(roo
t)
ly
U
com
cn
1
foo
2
www
Disappearing
Li
I
by 我
a
.
3
China
Recursive
Resolver
7
“Blindness Threat”
 Independence
Recursive
resolvers within
a country could be denied
to the resolution service
by the root servers, so
that the users in that
country cannot access the
Internet. As reported,
Somalia has been denied by
the root servers
So
ma
li
a
R
根
(roo
t)
so
U
你
com
cn
1
foo
2
www
Blindness
I
.
3
China
Recursive
Resolver
8
“Isolation Threat”
 Independence
.
The network of a country may
be completely isolated, so
that any name resolution
traffic via international
gateways will be interrupted.
(roo
t)
cu
cn
com
1
foo
2
www
Isolation
Cuba
I
R
根
Ch
U in
你
a
3
Domestic
recursive
resolver
Foreign
recursive9
resolver
Threats in the current DNS
China
我
I
Disappearing
R
Cuba
U
Edit the root
zone file
Very
Easy
Edit the ACL
Easy
Physically
isolate the
country
Not
Easy
Blindness
China
I
R
根
U
你
Isolation
China
I
R
根
Cuba
Cuba
U
你
10
Related Work Under 3 Threats
Difficult to counteract the disappearing threat,because
root zone data still comes from IANA.
All solutions are sort of root mirrors in essence
Open
root
Universal
root
Recursive
root
Fake
root
Alternative
root
Disappearing
Blindness
Isolation
☐
☐
☐
☐
☐




☐




☐
11
Idea of Decentralizing Root Zone
Principle:maintain the logic structure with a
single root,construct the system structure
with multiple roots
• Names remain unique and humanunderstandable
• Root zone governance and operation are
decentralized
12
Inter-Root : A New Self-Governed Resolution
Architecture for DNS Root Zone
1, Establish Country Root Servers (CRSes)
•
•
•
CRS:country self-governed public root server
CRS provides root zone resolution, independent with
current root server operators
CRS may use IANA root zone file;In emergency, CRS
safeguards the root zone resolution for the country
2, Establish‘Inter-Root’among CRSes
•
•
•
Inter-Root:a system of interconnected CRSes
Inter-Root is established among countries,providing the
root zone information exchanges among the countries
In emergency,countries joining Inter-Root may provide
resolution service for each other
13
Mesh Structure in Inter-Root
CRS adopts
IANA root zone file
.CN
CN root
.NET
.COM
IANA
.GOV
.CU
TLD info
exchange
CU root
Reciprocal
resolution service
between
countries
RU root
.RU
UK root
.UK
DE root
.DE
14
Increments on current DNS
Namespace
•
Replicate ccTLD info in CRS
Authority server
•
•
New CRS which coexists with current root servers
Reciprocal resolution service for emergency response
system
Recursive resolver
•
Add CRS info in root hint
Resolution protocol
•
None
15
Features of Inter-Root
Independence
• Root zone resolution service is self-governed
• Resolution service within a country is self-governed
Openness
•
•
Inter-Root is open to any country joining or withdrawing
CRS is open to all recursive resolvers
Compatibility
• Inter-Root is about name resolution,not domain delegation
• Inter-Root is transparent to resolvers not using any CRS
Scalability
•
•
Inter-Root inherits the scalability of current DNS
The number of countries in Inter-Root is about 200 at most
16
Significance of Inter-Root
Country DNS security enhanced
Recursive resolvers freely choose either CRS, or original root servers.
Using CRS gets additional protection from their own government.
Strategic deterrent against 3 threats
Inter-Root provides a strategic deterrent that if a ccTLD is erased from
the IANA root zone, then those countries concerning the threats will
join Inter-Root. This supports the concept of “network sovereignty”.
Demonstrate Sovereignty Equality
In the first World Internet Conference, Chairman Xi Jinping said:
“China is willing to work together with other countries in the world, in
the spirit of mutual respect and trust. We together deepen
international cooperation, respect for the sovereignty of the network,
maintain network security, and build a peaceful, secure, open and
cooperative network. We hope to establish a multilateral, democratic,
transparent international Internet governance system".
17
Thanks
18