Home / Blogs

ICANN Gets the Root Zone, Too

A small but intriguing paragraph in the VeriSign settlement says that ICANN gets to maintain the root zone. I thought they did now, but I guess VRSN does, following advice from ICANN.

This has two and a half effects. The most obvious is political—if ICANN rather than VRSN is distributing the root zone, it removes the symbolic significance of VeriSign’s A root server. The second is DNSSEC key management. Until now, the contents of the root zone have been pretty boring, a list of names and IP addresses of name servers. If DNSSEC is deployed in the root, which is not unlikely in the next few months, ICANN rather than VeriSign will hold the crypto keys used to sign the root zone. If a tug of war develops, whoever holds the keys wins, since without the keys, you can’t publish a new version of the root with changed or added records unless you publish your own competing set of keys and can persuade people to use them. (Take that, ORSC.)

The half thing is that the agreement requires that when VeriSign sends ICANN zone info updates, ICANN has to apply them within a week. Since IANA has been taking a month to handle updates, this means IANA will have to get their act together enough to provide bad rather than horrible service on domain updates unless they provide a special express channel for TLDs that have contracts with ICANN, and give the current horrible service to everyone else.

By John Levine, Author, Consultant & Speaker

Filed Under


JFC Morfin  –  Oct 26, 2005 6:53 PM

very well seen. But I think this is ICANN IANA job protection stuff. The engaged battle is for the control of the IANA. ICANN, NTIA, Unicode, ITU are the challengers. DNSSEC is certainly a key point. Not only for what it operationnally means, but also for the difficuly of moving the DNSSEC root management.

Except if IANA moves to another structure as an entity.

A question is the impact on the cooperation agreement of Verisign witht the USG. I feel this might void the need for such an agreement. Is the USG OK? The big advantage for Verisign to be releived from the cooperation agreement is that they could go alt/open-roots.

The real “root” of the future is today with NeuStar. If Verisign enters a star in the NeuStar root, aside .gprs Sitefinder II will “pollute” quickly. I am working on a dedicated registry server and services system. Root access is obviously a problem in case of loss of connectivity. The solution is probably to get an MMS connectivity and the root there, as 1.5 billions of other users.

If Verisign comes with an attractive deal so my machine is made free to users because of a special deal for their services, I am interested.

bill manning  –  Oct 30, 2005 2:08 AM

John, i’m not sure why the myth of “A” being special continues to be perpetrated.  The root zone is distributed via a “distribution master” system and has been since early 2000. 


John Levine  –  Oct 30, 2005 2:28 AM

I don’t know why the myth of “A” being special continues to be perpetrated, either, but I also don’t understand why you’re bringing it up.

The question at issue is who creates the root zone, not how it’s distributed.  When I download the root zone from VRSN’s FTP server, which is supposed to be the same root zone that goes into the root servers, it’s got Verisign’s fingerprints all over it, e.g., the SOA contact is NSTLD.VERISIGN-GRS.COM.  This agreement says now it’ll be ICANN’s fingerprints.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix


Sponsored byDNIB.com


Sponsored byVerisign