Home / Blogs

China’s New Domain Names: Lost in Translation

This morning I got a bunch of alarmist messages from friends asking about this English-language People’s Daily article titled: China adds top-level domain names. The paragraph that’s freaking people out is:

Under the new system, besides “CN”, three Chinese TLD names “CN”, “COM” and “NET” are temporarily set. It means Internet users don’t have to surf the Web via the servers under the management of the Internet Corporation for Assigned Names and Numbers (ICANN) of the United States.

Not for the first time, it appears that the People’s Daily’s English translation is very misleading.

Here is a Chinese language story on the subject, and here is the original announcement in Chinese on the Ministry of Information Industry website. Below are the two most important sections, which I am translating/explaining in English (please post corrections in the comments section if you read Chinese and think I got anything wrong):


2. “In China’s internet domain name system, aside from the “CN” top-level domains, there will be three Chinese language top-level domains: 中国 (which means “China”), 公司 (which means “company”), AND 网络 (which means “net”).”

In other words, China is NOT, I repeat NOT creating alternative .COM and .NET top-level domains that would be separate from those now administered by ICANN. (Though it is true that CN, 中国, 公司, AND 网络 will not be administered by ICANN, but by a Chinese entity.)



3. “Beneath the CN top-level domain, there will be 2 kinds of sub-domains: topical categories and administrative regions. There will be 7 “topical domains”: AC for research institutions; COM for commercial; EDU for educational institutions; and GOV for China’s government organizations, MIL for Chinese national-defense organizations; NET for organizations providing internet services; and ORG for non-commercial organizations.”

Note that these are sub-domains, not top-level domains. So in other words, the websites will look like this: http://website.ac.cn, http://website.com.cn, website.edu.cn, website.gov.cn, website.mil.cn. website.net.cn and website.org.cn.


This section outlines the English letters used for administrative region domains. So Beijing will be website.bj.cn, Shanghai will be website.sh.cn, Tianjin will be website.tj.cn, and so forth.

A more accurate Interfax story is here. So my understanding is this: China will administer the 4 top-level domains of: CN, 中国, 公司, AND 网络—and all their sub-domains—independently of ICANN. China has not shut out the global internet, or created parallel evil twins of our well-loved and well-used top-level domains. What China has done is create its own Chinese sub-internet adjacent to the global one run by ICANN. This is precedent-setting. Will other governments follow? An Iranian-administered set of top level domains in Farsi? A Russian-administered set of TLD’s in Russian? Why not?

But to my knowledge, if you can read and write Chinese and have the ability to enter Chinese characters on your computer, you should be able to access those domains from anywhere, and the creation of this new Chinese sub-internet does not preclude Chinese internet users from typing in their usual .com and .net domains and getting at the same sites that we would from the U.S.—that is unless the Chinese government happens to be filtering those particular sites that you want to access.

UPDATE: This is not entirely correct, as Steven Murdoch explains.

Will the existence of a Chinese-administered sub-internet make it easier for the Chinese government to filter the international internet more aggressively? Once the new Chinese domain system becomes well-populated and full of content, it seems likely that the answer would be “yes.”

By Rebecca MacKinnon, Journalist and activist; Co-founder, Global Voices Online

Filed Under


James Seng  –  Mar 1, 2006 3:18 AM

I just posted this on IPer where the news is spreading. I hope everyone calm down.


Hi Dave,

Just saw this news and find it funny because I just had dinner with Mao Wei and Prof. Qian last night (Mao is the Executive Director of CNNIC). To be exact, they have no idea of the news as they are in Perth right now. But after showing them the news and speaking to them, this is what I gathered.

The focus of the news is actually the launch of .MIL.CN, a new 2LD CNNIC is launching which requires a change in their Article. As a matter of procedure, they announced the revise Article that includes the the policy for the three Chinese TLD for .NET, .COM and .CN (????????). The Chinese TLDs was actually added 3 years ago in 2003. It is hardly news now.

It has been in operation for 3 years now as you can see from http://www.cnnic.net.cn/index/0B/index.htm

In practice, they did not actually use any alternative/parellel root. Instead, when someone registered a domain name like ??.??, what they get is ??.??.cn and the append of .cn is done automatically by the client resolution.

Dave, hope you can help to clarify this issue. The news is just .MIL.CN.

-James Seng

Gadi Evron  –  Mar 1, 2006 4:00 AM

Which is still an alternate root. :)

No one is saying China is messing with .com, etc., at least not yet.

What I said in my text is that China has an alternate root and has indeed been sending most of the root servers queries to their own for a while now.

I am surprised how anyone considers this “news item” new.

“Client resolution” is still a query being made, and resolved by the .CN root server, as it has been done for a while now.

Alternate roots are bad. That said, China is the hero in this story as the USG has been the bully.

James Seng  –  Mar 1, 2006 4:14 AM

It is not an alternative root because there is no “root” being setup. And the ISPs continue to use the same default (IANA) root that ship with BIND.

Ian Peter  –  Mar 1, 2006 5:23 AM

Well, I guess we can all stop panicking now?

It’s not the end of the world at all. We are talking about .com.cn, not an alternative .com with chinese character sets run by a “nasty foreign government”.

There will be a few embarrassed editorials out there, but otherwise it’s business as usual.

The Famous Brett Watson  –  Mar 1, 2006 7:31 AM

Firstly, regardless of whether this constitutes an alternate root or not, there’s no point panicing about it.

Secondly, regardless of wether this constitutes an alternate root in some narrow technical sense, it operates as though it were an alternate root, and has the same impact as an alternate root. It’s one of those “looks like a duck, quacks like a duck” situations where you may as well call it a duck, even if there’s some bizarre botanical reason why it’s technically something else.

The all-important thing which the single root gives us is universality. Whether China has established an alternate root or is transparently appending “.cn” to the end of certain queries, the result is the same: loss of universality. It doesn’t really matter how one undermines the property of universality; what matters is that the answer to DNS queries becomes a product of where you ask the question.

I don’t know how much of this news is genuinely new, but don’t dismiss it just because it’s not the second root some have been dreading: it’s yet another crack in the foundations of universality nonetheless.

Gadi Evron  –  Mar 1, 2006 11:47 AM

Brett Watson has the right of it. Let’s not waste time on definitions. They may not be taking over .com, but they can. Point is, even if they don’t - they control the system and provide with ccTLD’s and domain names in the Chinese language. That *is* an alternate root.

Like I wrote, this doesn’t change the world one but and no one is going to die, but it’s how it is.

McTim  –  Mar 1, 2006 2:34 PM

Brett’s hypothesis is empirically testable.

The question is this: If I am in China, and type in http://www.circleid.com IN ENGLISH, will I get this very website, or will I get http://www.circleid.com.cn ?

If I get CircleID, then we still have universality.  If not, then Brett’s point is well taken.

Anyone reading this in China?

As for Gadi’s point, I think we


be very careful about definitions.  If this is just a case of adding SLD, well lots of countries do that, in fact, it is an integral design feature of the DNS.

It’s absolutely NOT an alt root in any case.

Gadi Evron  –  Mar 1, 2006 2:40 PM

Okay, I’m game. Let’s invent a new name for this than. I am used to that.
Spam, Spit, Spim, Phishing, Pharming…

Alternate root.. erm.. uhm.. maybe “Supplamental Root” or “Alternate Languages Root Adaptation”?

The Famous Brett Watson  –  Mar 1, 2006 3:16 PM

Well, be careful which hypothesis you’re testing: I wasn’t claiming that “.com” had lost universality. I was speaking in reference to comment #1 by James Seng, where he said the following.

In practice, they did not actually use any alternative/parellel root. Instead, when someone registered a domain name like ??.??, what they get is ??.??.cn and the append of .cn is done automatically by the client resolution.

He also says it’s been going on for three years, so it’s not new news, but hey—since the subject has been brought up, let’s have a little chat about it. Personally, I’d like clarification on “the append of .cn done automatically by the client resolution.” When and where, exactly, is the “.cn” appended in the resolution process? And which domain name(s) exactly does the registrant think he has acquired?

What Gadi Evron and I have been saying is that it makes little difference whether the process involves an alternate root or some special mapping between the China-namespace and the IANA-namespace: universality of the affected names is lost either way. So far it hasn’t been lost in any way that most people are going to care about, because our precious “.com” remains unblemished, so far as we can tell. Presumably that’s why it’s been such a non-issue for several years.

Milton Mueller  –  Mar 1, 2006 5:03 PM

I believe that Brett Watson is correct and James Seng is a little too mundane in his interpretation. I know well that the Chinese-character TLDs - and note that in China they do refer to them as TLDs, not as SLDs—have been in existence for more than two years. But until now China has claimed that they are “experimental.” As I claimed on ICANNWatch, China is basically constructing a national root rather than a global alternate root, and in that respect I agree with Brett that “it makes little difference whether the process involves an alternate root or some special mapping between the China-namespace and the IANA-namespace.” In either case, China’s national government is in control of the Chinese-language version of “COM” and “NET.” Chinese users - in China - could easily become isolated from the .com’s .net’s and .org’s websites, and it would be very easy for Chinese client software to stop appending .cn onto the domains. But it would be best to conduct an experiment. Anyone know someone who has registered one of these “gong si” domains?

Steven J. Murdoch  –  Mar 1, 2006 6:45 PM

@James Seng

It is not an alternative root because there is no “root” being setup. And the ISPs continue to use the same default (IANA)
root that ship with BIND.

I have only performed initial tests, but it does appear that there is an alternative root in China and that some ISPs are using it.

For testing I am using “????.??” which I think means Peking University in the new “.china” TLD. As Unicode cannot be used directly with DNS, it needs to be translated into Punycode. This gives xn—1lq90ic7fzpc.xn—fiqs8s.

One of the DNS servers for customers in China appears to be ns4.bta.net.cn. When I ask this server to resolve the non ICANN domain name, it does so successfully:

<br /> ================================<br /> $ dig xn—1lq90ic7fzpc.xn—fiqs8s @ns4.bta.net.cn<br /> ...<br /> ;; QUESTION SECTION:<br /> ;xn—1lq90ic7fzpc.xn—fiqs8s.  IN     A</p> <p>;; ANSWER SECTION:<br /> xn—1lq90ic7fzpc.xn—fiqs8s. 2678 IN   CNAME   <a href="http://www.pku.edu.cn">http://www.pku.edu.cn</a>.<br /> <a href="http://www.pku.edu.cn">http://www.pku.edu.cn</a>.      85167   IN     CNAME   tulip.pku.edu.cn.<br /> tulip.pku.edu.cn.    86400   IN     A<br /> ================================<br />

This means that according to ns4.bta.net.cn, the domain ????.?? is another name for http://www.pku.edu.cn and can be found at the IP address

If this nameserver was configured with the IANA distributed root zone file, this request would have failed (as it does on my UK DNS server). Instead it looks like this ISP has adopted an alternative root. Oddly when asked for the root servers it is using, it only lists the standard IANA [A-M].root-servers.net. However when I ask it for the nameservers for .?? it returns cdns[3-5].cnnic.net.cn and hawk2.cnnic.net.cn.

I am outside of China and have limited knowledge of the ISP environment there so I am not in a position to tell how widespread this change is, but there clearly is something different going on at the ISP side in addition to client-side plugins.

JFC Morfin  –  Mar 1, 2006 7:39 PM

Thank you Murdoch for reacting as a technician in a real world, and not as story teller. Looking at the facts and testing. This way you tell us the true story.

What you describe - seen from outside - is what we have named an “ULD” in the dot-root experiment. We coined “ULD” as “User/Upper Level Domain”. This means that when you have access to a root including the TLD “.abc” you can directly resolve “name.abc” but if you have not you can resolve “name.abc.com” (as Brett documented it). You have different solutions to do this. One is a plug-in. This is the New.net solution. I understand that one or two hundred millions of Multilingual plug-ins have been distributed (supporting other ML TLDs as well). This permits a worldwide access to users.

There is also the possibility to enable ISPs to massage the names (New.net does it too), but I understand the Chinese technology is far better and more inclusive. And eventually the possibility to support an inclusive root.

I ran that kind of access in France for several years with an ISP. I supported ULD (parallel SLD and TLD) and tens of thousands of test TLDs (for every city) plus all the open roots.

Again I do not know for sure if this is the way CNNIC operates, but it looks like (and from their documentation) that when you register a name, it is actually registered twice. In Chinese (as SLD) and in ICANN (as a 3LD) environments. In China they do not need the ICANN environment since the ISP have been enabled or they use the CNNIC servers.

What I suggest you do is to use the punycode of the new TLDs, and try to find their nameserver. I document them everyday for years in my INTLFILE. But I would prefer you cross-check my understanding. Thank you!

In all this the real problem is the A in “IDNA”, wanting to address multilingualism at the application layer. But there may be ways of addressing that IETF created problem :-) Too bad we had to waste all that time.

The important point is however the usage issue. We see here either emerging the balkanization of the Internet or the Multilingual Internet. Depending on the way the IETF and ICANN want to read this (they tried for a long to convince themselves the Chinese names did not exist). And to support it. Today the Internatonalized US Internet meets the Internationalised Chinese Internet. Others will follow. Will they conflict or harmonize as the Multilingal Internet? My fight for 15 months on this very issue at IETF, ISO, WSIS etc. shown me the US industry interest at stake ... and the victories we obtained.

fnord  –  Mar 1, 2006 7:44 PM

I’m at a loss to understand all this folderol. New.net has been doing this for years (with little success), both as a plugin and through ISP partners including Earthlink. Admittedly new.net does not offer alternative character sets (which I’ve said from the beginning would have brought them success, and which, while non-trivial, was probably doable). Anyone else wanting to access these alternatives could append .new.net and get to the same place.

Nevertheless, so what if there’s a Great FireWall of China? So what if you go to google.cn and get different results? I’m in Canada and when I request google.com on a standard box it susses out my IP and I am instead fed google.ca, and an identical search query to each URL will produce different results. Am I missing something important, or is the rest of the world? I guess we’ll never know.

It’s not about TLDs or sTLDs or faux TLDs. If I can’t find what I’m looking for after burrowing through 16 pages of google.com or google.ca or google.cn, it’s either unavailable or not worth the bother. I’ve seem a stat that over half of all internet users by 2010 will be in China (with India second). Mebbe they should own the internet, there is no more justification for the US owning it now. -g

Steven J. Murdoch  –  Mar 1, 2006 8:21 PM

@JFC Morfin

What I suggest you do is to use the punycode of the new TLDs, and try to find their nameserver. I document them everyday for years in my INTLFILE. But I would prefer you cross-check my understanding. Thank you!

Assuming I understand your question correctly, according to the DNS server I tried, the nameserver for .?? (xn—fiqs8s), .?? (xn—55qx5d), .?? (xn—io0a7i) is hawk2.cnnic.net.cn.

I also have tried the i-DNS plugin, which apparently has official Chinese government support. It resolves these domain names in the UK, but by a different mechanisms. When I ask for “????.??” (xn—fiqs8sc4nx3b.xn—55qx5d in Punycode) the plugin actually requests xn—fiqs8sc4nx3b.xn—55qx5d.aced.net from my local name server. This resolves to I get the same answer if I request xn—fiqs8sc4nx3b.xn—55qx5d from ns4.bta.net.cn.

The domain aced.net is registered to i-DNS and the nameservers responsible are ns[a-d].i-dns.net. These also say that the authoritative nameserver for xn—55qx5d.aced.net is hawk2.cnnic.net.cn.

I first looked at the i-DNS plugin today, so it is possible it has other behaviour which I have not observed.

JFC Morfin  –  Mar 1, 2006 11:42 PM

Dear Steve,
it seems that you said it all and we are in full agreement. China created an externet (a external network look alike within the same digiatl ecosystem or not). This is the basic concept of the international network architecture, as introduced by Robert Tréhin and Joe Rinde in 1977. Ported to OSI and not used the Mono-(class)-Internet. I have online some personal notes on the root name principles and consequences, including externets.

So, the Chinese Internet has two naming systems at least (we understand easily how the DNS registry works and is maintained with a few configuration lines). One is for the externet internal users (resolving the Chinese TLDs) and the other, as you documented uses proximity machines and plug-in to offer a good quality service.

There is no violation of the DNS root. There is just an Internet split. I suppose others will occur in the coming months, once the externet concept is better understood and used again. This is the situation we known in 1978 when we had to “sovereignise” parts of the International Tymnet network.

There is no real physical gateway between the Internationalized US Internet and the Internationalized Chinese Internet [both are virtual]), but you will easily determine the class of users, the group of hosts, the registry, the governance, etc. of these two first TCP/IP externets.

Externets offer a very simple, stable and secure (they contain risks) organisation of the network. The only problem is that when they are not acknowledged as such, there are risks of pollution if the roots of two externets are not synchro. The best way to address this problem IMHO is a concerted root system (we called it root matrix).

The only questions remaining now, is to know how Chinese users needing to access .com, .net etc. (which are IDNs from their side) will do. And how will the International Network Intergovernance will be organised. Two externets already call for some technical and political considerations, when we have a few hundreds and many more, we will need to organise.

The next step is obviously to consider the IP address distribution issue.

Steven J. Murdoch  –  Mar 1, 2006 11:43 PM

I have written a post on my research group’s blog where I expand on some of the points I mentioned here.

James Seng  –  Mar 2, 2006 1:41 AM

The timing of the launch of the 3 Chinese “TLD” is important because 3 years ago, we have no IDN standard and no ICANN process for IDN. The popular way to introduce IDN back then is using what we called “Zero Level Domain”. Layman may call it “Alternative Root” but I expect people in CircleID to be more educated then layman.

Anyway, zLD is what CNNIC did in its client available for download on CNNIC website. The client will detect the URL and if it is all english, it lets it goes. If it contain the 3 Chinese “TLD”, then it introduce a zLD (in this case, .cn) to the domain name. The exception is . ?? which they will just replace it with.

This is not exactly compliance to RFCs by today standard but once again, remember this is done 3 years ago. CNNIC has being active in implementing standard RFCs IDNs but just waiting for ICANN to delegate them the strings.

It is also pointless to discuss what CNNIC *could* do or couldnt do. CNNIC could create .?? (.us) on its client or MII could declare ICANN illegal in China or add your own “nightmare”. Lets keep the discussion to what they *are* doing and not what they could do because the latter is endless.

The Famous Brett Watson  –  Mar 2, 2006 3:49 AM

James, I’m happy to focus on what is happening, rather than what could, but your explanation so far falls short of reality as we know it. Can you be any more specific about this “client available for download on CNNIC website”? Is it intended for end-user machines? Is it a browser plug-in, a patch for the resolver built into Windows, or some other beast?

If it’s any of these things, it still doesn’t explain the DNS response elicited by Steven J. Murdoch in comment #11. He queried that server for a name under a TLD that does not exist in IANA namespace, and got a positive (albeit non-standards-compliant) response. (Note that the “http://” prepended to those domain names is NOT present in the DNS—I suspect it was added, somewhat presumptuously, by the blog software.) He was even able to find the authoritative nameservers for this non-existent domain.

This looks like a DNS server configured to overlay additional names onto the root—to give positive responses for certain names even though the queried server isn’t authoritative for the root, and the names don’t exist in the root. This is a dodgy approach to adding names into a view of the DNS, since it only works when your clients make “recursion desired” queries. Still, this works in practice for most clients most of the time, and given the rather bad DNS practices in evidence so far, it comes as no surprise that their root overlay is a bit dodgy. If they were to do the root split properly, they would copy the root zone and modify it, but Steven’s queries show that they haven’t done so.

This was a query against one nameserver in use by one particular provider. It doesn’t tell us how widespread this kind of configuration is, or whether it’s mandated by regulation, or other significant facts like that. It does make me extremely sceptical of the “this is a client download” explanation, however. The query works for me, and I haven’t downloaded anything but Ubuntu. Maybe this practice started out life as a plug-in of sorts, but it seems they’ve since discovered they can achieve the same effect with DNS configuration tricks.

JFC Morfin  –  Mar 2, 2006 11:45 AM

Brett, what James Seng and Steven Murdoch describe is exact. What you discuss is correct. So, what I suggest is we try to think how we would set-up an externet (now China has shown the model, we will have many of them I presume), to better understand the way they did it. And then to experiment and compare.

An externet is first based on a name and a dedicated user class, host group and registy.

There is no place in the Internet technology yet to refer to an externet name (EN, and here a Multilingual ExtName, MEN). This is not a region, this is not a domain. The MEN is as fundamental to an externet as the DN is to an Internet domain. Let call the Internationalized Chinese Externet “CNNET”.

In the IETF current technology there is actually only one mainly used class (IN). The number of possible classes is too limited to scale. This is why one can talk of “Mono-Internet” - some other architectural parameters such as language, script, clearing house, namespace, addressing plan, etc. are also set to a fixed “1”, instead of a default “1”. Also browsers, etc. do not support classes. So, we must find how to work out de facto virtual user classes.

The same, the IETF technology does not explicitely support Hosts Groups.

It however supports name registries freely. A project like HIP could support multiple addressing registries? However culture is to consider core registies not being a copy of the most used registries (Vint Cerf’s definition of the authoritative file) as “alt-root”. We need a better granularity to name them as they do not all have the same purpose. ICANN ICP-3 explain how private roots are essential to the network.

There is in the Internet technology the concept of stub: can it be used to support an externet?  There is also the pollution? I run a multidaily survey of the top zone to generate the INTLFILE and its intlroot compilation. To do that I start from the NTIA root file (and possible additional info like the Chinese TLD punycode). I dig the nameservers. This results in a nameservers list I dig again. I suppose I could continue another round. This shows that there are servers declared in db.files and not in the root. Probably for test, by lack of response of the IANA, etc. This may give some ideas.

With that in mind and the indications we collected in this thread, I think we can imagine the CNNET config (just remember that ISPs not yet cooperating to the Externet access - either resolving in using the Externet root or adding the appropriate suffix - make necessary a plug-in converting the TLD into a zLD [ULD mechanism]). This can be done in different places we should investigate: plug-in, ISP adaptation, CNAME? Then the point is how to set-up a similar Externet and to test it. This is what ICANN asked in their ICP-3 document more than four years ago. They correctly investigated the use of classes (after a proposition of John Klensin). But as I said classes do not scale enough to be attractive, and they are poorly supported right now.

What we also need to understand all the architecture is where a plug-in is needed and for what. At application level (like VRSN’s)or more generally at socket or OS level (like the CNNIC’s one? I had joined the WG-OPES in the hope they could specify the support of a network access shim carrying the job. An middle box could also carry the job like an access firewall, protecting against the relations with some externets (for example lingual oriented ones, I do not speak the language).

Vittorio Bertola  –  Mar 2, 2006 12:17 PM

I don’t understand why people are so upset by the Chinese going their way. The “uniqueness of identifiers” and “universality” of the Internet are myths that never existed in reality; the Chinese are doing this since years ago, and then think of new.net or other alt roots, but also of NATs, firewalls and other devices that prevent certain parts of the network from being globally accessible.

I think that it’s clear that, since the US Government is not going to relinquish control on ICANN and since full IDN deployment at ICANN is so slow, many other parties are going to set up something else to fit their needs. The Internet has always been going this way - if you need something (or even just want something) and you can’t get it from the existing technologies and services, write your own.

I think we should rather focus on how to keep the bloom of multiple root server systems friendly rather than confrontational.

Steven J. Murdoch  –  Mar 2, 2006 2:26 PM

@The Famous Brett Watson

Note that the “http://” prepended to those domain names is NOT present in the DNS—I suspect it was added, somewhat presumptuously, by the blog software.

Yes, the blog software added it (due to the www) and also didn’t respect my tags. There is a better version of the response in my own blog.

This was a query against one nameserver in use by one particular provider. It doesn’t tell us how widespread this kind of configuration is…

Indeed, and I would also be very interested in the answer to this question. For some more evidence, Florian posted a comment to my blog with the results of two DNS servers in China. His own ISP’s one did not have the new TLDs but another one he tried did. Also in a post on NANOG, Peter Dambier points out that


Tiscali (Netherlands) supports the new TLDs too.

I checked the main DNS servers for the .cn ccTLD (b.dns.cn and c.dns.cn—I can’t connect to the rest) and they also accept the new TLDs. This is not particularly informative as no well-behaved resolver should ask these servers for domain names other than those under .cn, but it does suggest the new TLDs are somehow “official”.

Ali Farshchian  –  Mar 2, 2006 4:56 PM

We have fixed the problem causing the “http://” issue in the comment mentioned above (Comment #21). Please send us a feedback if there are any more problems encountered. Thank you.

Karl Auerbach  –  Mar 3, 2006 2:51 AM

This is a very interesting thread, but it leaves me confused.

It leaves me confused regarding what name manipulation is being done (in the style of new.net or the /etc/resolv.conf “search” directive) in the user’s computer before the DNS name (perhaps embedded in a URL) leaves the user’s computer.  (Is this what James S. might be describing as zero-level names, i.e. appending a suffix before the name leaves the user’s computer?)

It leaves me confused about what might be happening within intermediate (Chinese ISP) resolvers located in China.  Might those resolvers be configured to be authoritative for one or more top level names, thus short-cutting queries and avoiding recourse to any root server?

It leaves me confused whether China has established its own suite of root servers that contain a root zone file that contains more names than are found in the NTIA/ICANN/Verisign root zone file?

(I’d add that a couple of years ago Tawain established, and since has discontinued, a strange hybrid in which their .tw servers were delegated-to via the normal root servers but if you asked the .tw servers for the root zone (”.”) NS records you got an a set of records referencing a distinct set of machines which, in turn, if asked for the NS records for “.” answered, authoritatively, that they themselves were the authoritative root.  Very confusing, but I never saw a complaint that it was causing harm.)

What is the “hints” file that is used to initialize Chinese resolvers?  Is it different from the one used to bootstrap into the legacy root servers?

By-the-way, are the Chinese servers accessible via IPv6 as well as IPv4?  (This isn’t really relevant, but, given the relative emphasis different countries put on IPv6, I’m somewhat curious.)

Has ICANN taken any steps to initiate monitoring for problems that might arise?  Has ICANN initiated a study to know *exactly* what China is doing?  (Aren’t these among of the jobs that ICANN really should be doing? [I recommended to ICANN that it establish a DNS monitoring system on my first day on ICANN’s board.  But ICANN’s institutional phobia of engaging on issues of technical stability seems to have prevented even the mere consideration of the possibility of such a system.])

Given ICANN’s ICP3 and its fearsome Chimera “cache pollution”, ought not ICANN be concerned that its dire predictions might come true?

On a final note - I’m always amused by the claim that DNS names are “universal”.  In these days of content management and application level servers that give different answers based on perceptions of client location, and in these days when every one of us has had the experience of stale URLs and changed email addresses, I wonder why we continue to think that DNS names are archivally stable when our experience is that they most definitely change with the passage of time and that user experiences differ with changes in geography.

The Famous Brett Watson  –  Mar 3, 2006 4:29 AM

Karl, I’m unable to decipher a lot of the obscure and invented jargon being thrown around in this thread, but this much is clear.

There is a downloadable plug-in (for IE, I assume) which adds Chinese-character domain names to the root zone by mapping them into another zone. The browser’s view of the DNS has these new root domains, but that is all. (I don’t own any machines running Windows anymore, so I can’t give you a first hand account.)

Certain DNS servers in China, provided by Chinese ISPs for the use of their customers, are adding these Chinese-character domain names into their responses. It’s not entirely clear which configuration technique (or patch) they’ve used, but the outcome is as follows.

1. If you ask one of these servers about the Chinese-character root name, it will give a positive response.
2. If you ask one of these servers about the root nameservers, it will give the IANA root server list.
3. If you ask the IANA root servers about the Chinese-character root names, you are given an authoritative “does not exist”.

This inconsistency shouldn’t happen: it violates DNS technical standards. The net effect, however, is that most customers of the ISP will be able to resolve the Chinese-character root names most of the time.

As to how widespread it is, Stephen J. Murdoch tells points us to a NANOG post (in comment #21) which gives us a clue as to how many other parties are taking these new phantom root domains on board.

Cesidian-Root, Public-Root, Unified-Root and of course Tiscali do serve them for quite some time now.

An example (successful) query against ns1.tiscali.nl is provided in the post. For what it’s worth, the query failed for me at an Australian ISP (optusnet.com.au), an Australian university (mq.edu.au), and a virtual host in the USA. Presumably all these sources defer to the IANA root without any sleight of hand.

My references to “universality” state a technical requirement of the DNS, not an actual real-world state of affairs, and not whether particular uses of the DNS (as in HTTP, for example) result in globally uniform results. Deliberately breaking universality is problematic, in part, because an assumption of universality is built into the DNS protocols. The system can break in unexpected, unintended, and difficult-to-debug ways when universality is broken.

I have no argument with the statement that universality is frequently broken in practice. We’re looking at examples of it.

Oddly enough, your description of the Taiwan nameservers sounds like a cleanly-implemented root split.

McTim  –  Mar 3, 2006 5:23 AM


Let’s call it “plain old vanilla DNS, with a sprinkling of IDN”, as that’s what it seems to be.

TLD Ops creating SLDs is the way things have always been done, no?

Steven J. Murdoch  –  Mar 3, 2006 3:29 PM

@Karl Auerbach

I cannot answer all your questions, but I have done some tests which I hope will partially explain the situation.

I have observed two separate mechanisms implementing the new TLDs, which I think is the reason for some confusion. These are a browser plugin and changes to Chinese ISPs’ recursive resolver.

I have documented my understanding of the resolver changes on my own blog, along with the evidence which I base these opinions on. As The Famous Brett Watson points out in #24, the implementation is unusual. As far as I can tell, they are still using the unmodified ICANN root.hints file. Instead they appear act as authoritative for the three new TLDs, but without setting the AA flag. I don’t know how this change has been implemented. It could either be a patch which hides the fact that it is doing a recursive lookup to an, as yet unknown, alternative root, or maybe the nameservers for the three new TLDs are hardcoded.

I have also explained my experience with the i-DNS plugin. It only works for Microsoft Internet Explorer and silently “rewrites” the domain names. It replaces the TLD “.??” (China) with “.cn” and appends .aced.net to “.??” (company) and “.??” (network), all using IDNA. So far, the answers I have received through the mechanism the plugin uses have been the same as those returned by the Chinese ISP’s recursive resolver. Both the resolver changes and plugins appear to being deployed in parallel, to maximise the new TLD’s usability. The plugin works for users whose ISP has not made the required DNS changes (such as those outside of China), and the ISP changes give access to people who haven’t installed the plugin (e.g. Firefox users).

As for your comments on universality, I agree that it is already broken in places, but these new TLDs just break it further. I also think there should be a distinction made between the network breaking universality (as the new TLDs do), and the edges (as location-based services do). If I publish a link to a webpage then I want users, regardless of location, to be able to get to the “same” service as I got to. For reasons of availability the service operator may send this user to a closer server, and might also serve content that he considers to be more appropriate, based on location. Whereas if the link is to a non-universal TLD then the link may work for me, but not for other users, or may even go to a service controlled by an independent operator.

The important difference is that me as a link publisher has a relationship with the service operator. If I don’t like the location-based service, I can complain and decline to link. On the other hand, I don’t have a relationship with the user’s ISP, so if their DNS servers are configured to send him to somewhere completely different then there is very little I can do. In the case of foreign government dictated TLDs it is even more difficult for someone to complain. The further the changes move from the edges into the network, the more problematic this becomes. Furthermore, there are typically ways to bypass location-based services for the linker, as they often work by URL rewriting so I can send users to exactly the page I saw. This is not the case with DNS, since to ensure a user gets the same service as me, he would have to use my DNS server.

As for IPv6, it appears that the nameservers for the new TLDs do not have IPv6 entries, although those for .cn do.

Tee  –  Mar 8, 2006 5:42 AM

Hello. I am a member of a domain name forum (DomainState.com). We are having a discussion about the new TLDs in China.

The thread is here:


Maybe someone could comment on it? Is this what has happened?


Anne Peterson  –  Jul 21, 2006 4:01 PM

I’m amazed that China is one of the few countries that let foreigners register and run websites with their domain name extension - witness Home Mortgage In China (it’s only a beginning, it will get better - really!)

JFC Morfin  –  Jul 21, 2006 4:36 PM

The lingual TLDs are different in nature. The global domain name is perceived by the user as an Internet global name. The lingual TLDs are perceived by the users as local. A Chinese.Chinese domain name is therefore perceived by the Chinese as a Chinese local site, by people who are definitly interested in Chinese people.

This means that the delivery target is not to protect the rights of national registrants, but to support local activities.

BTW something ICANN is certainly not concerned about.
BTW offering names to non nationals is quite common. Some do it to sell more. Some do it as one welcome tourists or develop commercial ties.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com


Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign