Home / Blogs

Inquiring About the “Unthinkable”

There has been no shortage of speculation within the ICANN community regarding the continued show down between the ICANN Board and its Governmental Advisory Committee (GAC) over new generic Top-Level Domains (gTLDs) and the pending expiration of the IANA contract this September. Now one of the more interesting topics of discussion that I have had with multiple independent parties was the potential of ICANN making changes to the L root zone file which would not mirror the root zone file contained in the A root. The first time I heard this suggestion from a third party I kind of blew it off, but when I heard multiple other independent sources raise this same point it made me stop and think. In my eleven years within the ICANN eco-system it has been my experience that very little happens by coincidence. This reality coupled with my first hand experience of the ICANN Board—GAC Brussels consultation made me think: could the unthinkable happen?

Being an open and transparent type of guy I thought I would ask the following questions to ICANN under its Documentary Information Disclosure Policy:


I would like to request the following information under ICANN’s Documentary Information Disclosure Policy:

  1. Can ICANN please explain and provide the legal chain of custody in connection with how it became the operator of the L Root;
  2. Any documents/communications/analysis regarding any circumstances in which the L Root would not contain the “identical” set of information contained in the A Root; and
  3. Could ICANN provide all documents/analysis regarding the change in IP addresses associated with the L-Root in 2007, with specific attention paid to any Internet security and stability concerns raised regarding this change.

If any such documents/communications/analysis exists and ICANN claims that under the existing Documentary Information Disclosure Policy it is not required to produce such documents/communications/analysis, can ICANN produce a privilege log detailing the dates, authors, recipients, and nature of such documents/communications/analysis.

Thank you in advance.

Best regards,


By Michael D. Palage, Intellectual Property Attorney and IT Consultant

Filed Under


Ever hear of DNSSEC? David Conrad  –  Mar 10, 2011 5:23 PM

Today, if any one of the root server operators decided to modify the root zone to make it different than that what comes out of the distribution master at VeriSign (not “A” btw), responses from that root server would fail DNSSEC validation.  The end effect to end users behind validating resolvers (currently a small number relatively speaking, but does include a large number of folks using Comcast, lots of folks in Sweden, etc. and is increasing) would be the equivalent of the DNS ceasing to work.  I have “a bit” of skepticism any root server operator would knowingly do this.

With regards to the “L” renumbering event in 2007-2008, I wrote a blog posting about it: http://blog.icann.org/2008/05/ghosts-of-root-servers-past/. ICANN followed all then-existing norms and policies prior to and during the renumbering event.

Hope this helps assuage your fears.

David -- Wouldn't users simply ignore responses David A. Ulevitch  –  Mar 10, 2011 6:34 PM

David -- Wouldn't users simply ignore responses from that particular root server knowing they have other valid sources to get answers for '.' ?

Yes, although it might depend... David Conrad  –  Mar 10, 2011 7:47 PM

Yeah, apologies, I worded that poorly. Unless all the root servers mucked over the root zone file, the effect to end users would likely be a small amount of additional latency as the resolver declared the modified root server to be 'bad' and move on to the next. At least I assume that is what would happen. I don't personally know if anyone has actually tested it (I mean, I'm sure someone has for particular implementations, but people come up such interesting ways to implement the DNS).

Just questions Michael D. Palage  –  Mar 10, 2011 6:54 PM


Thanks for the quick response, just some follow-ups since usually one has to wait 30 days for a DIDP response.

My first concern is the legal chain of custody as to how ICANN became the operator of the L Root. I noticed there was no specific reference of it the IANA Notice of Inquiry. When I was on the ICANN Board I personally questioned the not insignificant expenditures ICANN made in upgrading the L Root. As a technical “coordinating” body I believe ICANN should have no operational role in Key Internet Infrastructure.

However, the fact that ICANN continues to operate the .INT registry in clear violation of its bylaws, is just another mystery in the great ICANN unknown.

Now turning to your response to my third point, I did read your blog post in connection with the L Root IP address transition. Nice piece by the way. It was my impression that there were “no stability and or security concerns” raised during the transition. However, I wanted to ask just in case there was some non-published report that had not been made public. Now the reason I asked this third question was because since there appeared to be no stability or security concerns raised during this “transition” it would be equally feasibility to transition operation of the L Root to another operator other than ICANN.

As follow-up tot his line of discussion does ICANN enter into any legal agreements with operators of L root mirrors, if so where do they appear on the ICANN website.

Thank you again for your proactive response to my second question, I want to do a little more research before responding to you on that one.

Again I appreciate your prompt response which I must admit is much more timely than Mr Jeffrey and his legal team that usually handle DIDP request.

Best regards,


L root David Conrad  –  Mar 10, 2011 8:37 PM

"Legal chain of custody" is an interesting concept when applied to the root servers in general. It would undoubtedly be fascinating (to some) to try and nail something like that down. As I'm not a lawyer, I can't really comment on legalities. Historically, Jon Postel asked folks to run the root servers as far as I'm aware without any legal formalisms in a very different Internet than exists today. Today, A/J might be tied into VeriSign's contract with USG (I haven't looked at VeriSign's contract to be sure) and I believe C was considered an asset acquired by Cogent when they purchased the post-bankruptcy remains of PSI, but those are exceptions. As "L" is not part of the IANA Functions contract, it wouldn't be a topic for the NOI. My personal view is that given ICANN does play a role in key Internet infrastructure, it should do an exceptional job at it and try to lead by example. When I was at ICANN, we invested in building out "L", both in terms of infrastructure as well as monitoring and I think the results speak for themselves. Whether ICANN should play that role is a matter of opinion. Re: .INT, my understanding is that ICANN operates .INT for primarily historical reasons (.INT was originally going to be the home of what is now in .ARPA). This doesn't strike me as particularly mysterious. Succession planning for any of the root server operators is another interesting concept however in the case of "L", I suspect if the community and/or the board decided it was in the best interests of ICANN or the Internet for ICANN to divest itself of "L", the transition could be implemented quite smoothly (once a successor was chosen which might be a bit complicated) since the address space "L" uses is (now) uncontentious and dedicated to root service. However, as things stand now, "L" is the only root server that can be directly affected by ICANN's open policy processes. This is fundamentally different than (say) root servers operated by commercial companies, the US government, or universities. As far as I'm aware, ICANN directly operates all the "L root mirrors" (by which I assume you mean the various instances of "L") thus there are no legal agreements. And just to clarify, these are personal views and recollections which given my rapidly degenerating memory due to age and/or misspent youth, may be completely wrong. ICANN responses should obviously be considered authoritative.

Ugh... Further Misdirection Jothan Frakes  –  Mar 10, 2011 7:01 PM

Michael, with all due respect, David Conrad is 100% accurate in the description of the root trust chain.  Another root server that is not aligned with the ‘A’ root will be treated by most resolvers as invalid.

Please, I implore you… stop with the social sabotage that is contributing further delay.  I respect you for your tenure in this space, one that I truly think is one of the finest industries.

As a long-term player in the space, think it through…  20 years from now, when we’re done pole vaulting over the miniscule issues that are holding things up, and we have 100s or 1000s of TLDs, do you want the legacy of the name “Palage” to be tarred with taint for having been such an enemy of progress and freedom?

There is no misdirection Michael D. Palage  –  Mar 10, 2011 7:36 PM


Social sabotage - please spare me. I have been asking questions about the L root since before the 2004 sTLD round. New gTLDs will happen as soon as the terms of the IANA contract get done. No we do not have to wait until September for that to happen unless ICANN staff really mucks things up during the RFP process but then again based on ICANN’s performance in Brussels one never knows.

So while I appreciate your concern about the Palage legacy, can you help me with any legal basis as to ICANN’s claim to operate the L Root, whether there is any security and or stability concerns if the L Root was moved to another operator, and if you know of any legal agreements between ICANN and the mirror operators of the L root.

No operational role in Key Internet Infrastructure? John Curran  –  Mar 10, 2011 10:31 PM

Michael -

  Could you explain why you feel that -

As a technical “coordinating” body I believe ICANN should have no operational role in Key Internet Infrastructure.

Particularly when it comes to root server operators, I see no reason to see why ICANN would not be as or more qualified as any other party involved in such, and see a real benefit to the community from having one of the root servers operated by ICANN.


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix