
ICANN’s Ultimate Demise?

ICANN’s ill-timed review of the Internet’s Root Server System Governance Structure puts it on a collision course with the Trump Administration and the US Secretary of War, Pete Hegseth, as early as next week in Mumbai, India. If the ICANN Board chooses to continue down the path outlined by the RSS Governance Working Group, it would vest the Root Server System Council with the ability to revoke the United States Government’s (USG) administration of critical national infrastructure. Despite having a global monopoly over the allocation of the Internet’s unique identifiers and an annual budget of $170 million, the ICANN Board is potentially about to self-inflict a fatal injury that may lead to its ultimate demise.

Why This Matters

The Root Server System is composed of thirteen Root Server Operators, who sit at the apex of the global domain name system (DNS) that seamlessly handles trillions of queries per day, resolving domain names such as <ICANN.ORG> to their corresponding IP address 192.0.43.7. Given the historic leadership role that the USG had in the creation and growth of the Internet, the USG currently operates three of the thirteen Root Servers: E (NASA); G (US Department of Defense - NIC); and H (US Army - Research Lab). The proposed governance structure that the ICANN Board is poised to move forward on would give the Root Server System Council the authority to revoke a Root Server Operator’s status. While some of the governance principles set forth in the framework are sound, the proposal to move forward with a governance framework that would allow a committee acting under the auspices of a California public benefit corporation to revoke the Department of War’s status over critical national infrastructure is just tone-deaf.

Why This Will Not End Well for ICANN

Despite ICANN’s recent representation that it has been constructively collaborating with the National Telecommunication and Information Agency (NTIA), there does not appear to be much love for ICANN, which was established during the Clinton administration and gained its autonomy from the USG in the waning days of the Obama administration. Perhaps there is no clearer insight into the Trump Administration’s thinking than this statement from Stephen Miller from back in 2016 regarding the pending expiration of the IANA functions contract:

“The US created, developed and expanded the Internet across the globe. US oversight has kept the Internet free and open without government censorship—a fundamental American value rooted in our Constitution’s Free Speech clause. Internet freedom is now at risk with the [President Obama’s] intent to cede control to international interests, including countries like China and Russia, which have a long track record of trying to impose online censorship. Congress needs to act, or Internet freedom will be lost for good, since there will be no way to make it great again once it is lost.”

Another key concept in the Governance Principles for the Root Server System is that a Root Server Operator has “no authority to publish an altered or alternative root zone.” While this is an incredibly prudent and sound technical principle, I do not know whether the Trump Administration would agree with it if it were to engage in a military operation against a foreign government. As President Trump’s former press secretary Sarah Huckabee Sanders recently stated, “the fastest way to get [President Trump] to do something is to tell him that he can’t.”

See Something Say Something

There will undoubtedly be readers who question the timing of this article, which I would like to address proactively. I have invested over 25 years in ICANN’s unique multistakeholder model. I still believe that is the optimal governance model for the Internet’s unique identifiers. However, it is clear that the current ICANN model has been captured and is broken. By suggesting an off-ramp for the ICANN Board, they can avoid a direct confrontation with the Trump administration. The alternative, raising this issue after any ICANN Board action, may invite a broadly scoped Presidential executive order seeking to reclaim the IANA function.

The views and opinions expressed in this article are solely my own and do not reflect the views, positions, or policies of any employer, client, or affiliated organization.

By Michael D. Palage, Intellectual Property Attorney and IT Consultant

Comments

Designing for Global Trust Diversity Anthony Rutkowski  –  Mar 3, 2026 2:30 PM

It might be time to undertake the creation of a global architecture similar to that undertaken for the global vulnerabilities and exposures infrastructure and enabling multiple trusted roots.  The US as a global trust singularity clearly has ended.

I've not been tracking this ... but... Karl Auerbach  –  Mar 3, 2026 5:05 PM

I’ve not been tracking this ... but I have questions:

1. What is the legal relationship, if any, between ICANN and the various root server (cluster) operators?  I am not aware of any, but I’m not up to date.  I am unclear what chain ICANN has to yank in this matter apart from restricting dissemination of the root zone file, a matter that I suspect would be met with resentment, if not overt legal actions.

I would remind everyone that ICANN doesn’t have the best record of overseeing the 13 operators.  I am thinking of what was perhaps the most important single step in improving DNS root-layer reliability - a step that was done by the root server operators, without telling ICANN and without ICANN’s consent.  This step was to deploy anycast technology so that rather than 13 server machines we have 13 clusters (each extensively geographically distributed) of root servers.

There ought to be no end of praise for the quality of the work done by those thirteen operational groups.

However, a large percentage of those groups are under the control (actually, they are part of) the US government.  I can understand why this is seen by many as a scent of US hegemony over the internet. (Oh boy, that is an awful mixed metaphor!)

I am also wondering about the old question “why thirteen?”  It used to be based on the size of a 512 byte DNS UDP packet.  But with eDNS extensions, not to mention the increased deployment of DNS over HTTP or TLS I wonder if anyone has done research about what would happen if we moved to more than 13 (especially with those long IPv6 address supporting NS resource records, and also with the erosion of the ability to do DNS compression because server names may not be as well structured as they have been.)

In a different dimension, I am wondering about the erosion of the root servers when many people are aiming their machines at the DNS resolver clusters offered by Google, Cloudflare, Comcast/Xfinity, and others (e.g. 8.8.8.8 and 1.1.1.1) - those have the potential of being effectively root+everything else resolvers.  (And, of course, I wonder how long those for-profit companies can resist the temptation to data mine the DNS query stream - it can be a very rich vein of data ore.)

Back in the day several of us explored the concept of competing systems of DNS roots - with the proviso that those systems all contain a core of the most common TLDs and that for any TLD that is carried, that the contents be consistent between the competing systems.

Basically competing root systems - as long as those provisos are met - do work (even with DNSSEC, although maybe not with DNS over HTTPS or over TLS if TLS full walk-back-to-a-trusted-authority certificate validation is performed by both ends.)

In other words, we may be entering a world in which anyone can set up - without ICANN or any other permission - root server systems and users (or their proxies) get to choose.  The key to avoiding user frustration and surprise would be to assure that the contents of the preferred TLDs are consistent.

DNS DEI Anthony Rutkowski  –  Mar 3, 2026 6:28 PM

Good points, Karl.  Indeed, Google and Cloudflare root servers have consistently provided considerably better resolution performance as well as offering diversity, equity and inclusion of a greater array of end-points.  Arguably, between the two of them, they offer greater trust than the ICANN cartel.

Who runs root servers again? David Conrad  –  Mar 4, 2026 12:46 PM

As far as I know, Google does not operate a root server. Cloudflare also does not (officially) operate a root server, although as I understand it, ISC has entered into an arrangement (not documented publicly anywhere to my knowledge) to make use of Cloudflare infrastructure to augment ISC's root service. You may be confusing root service with Google's and Cloudflare's public resolvers. Public resolvers like any resolver, at least those not configured to use RFC 8806, query the root servers when they do not have TLD information in cache.

no confusion Anthony Rutkowski  –  Mar 4, 2026 2:20 PM

Hi David, The discussion was about resolver performance as critical infrastructure. I think everyone knows what Google's infrastructure accomplishes or not, and in case they don't Google AI provides a good description. :-)

-----

AI Overview

Google Public DNS is a free, fast, and secure recursive DNS resolver (IPs: 8.8.8.8, 8.8.4.4) operated by Google since 2009. It improves internet speed, reliability, and security by using global anycast servers, supporting DNSSEC, and offering encrypted protocols (DoH/DoT) to prevent hijacking and spoofing.

Key Aspects of Google DNS Resolver:

Performance & Speed: By using a vast, global network of anycast servers, queries are directed to the nearest available server, reducing latency.

Security & Privacy: Encrypted DNS: Supports DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) for secure, private browsing. Protection: Helps protect against cache poisoning, DDoS attacks, and unauthorized interception.

Data Handling: Google does not use personal information collected through the Public DNS service to target ads, though it does log some data for security and abuse prevention.

How to Use (Configuring 8.8.8.8): IPv4: Use 8.8.8.8 and 8.8.4.4. IPv6: Use 2001:4860:4860::8888 and 2001:4860:4860::8844. Setup: Can be configured in network settings on routers, Windows, macOS, Android, and iOS devices.

DNS-over-HTTPS/TLS Setup: DoH: https://dns.google/dns-query. DoT: dns.google (port 853).

Reliability: It is one of the world's largest public resolvers, handling over a trillion queries daily.

Again: resolvers aren't root servers David Conrad  –  Mar 10, 2026 12:16 PM

Hi Tony. Mike's article is about root server governance and its potential implications, particularly in the context of the current US administration, not governance or operation of resolvers. Karl mentioned folks pointing their "machines" at public "root+everything else" resolvers, but those resolvers (unless they've implemented RFC 8806) are still querying the root servers and his pipe dream of "competing root systems" has, to date, failed every time it has been attempted. Quoting our new AI overlord's view of Google Public DNS is silly/irrelevant when the discussion is about governance policy/processes of the root server "identities". Contrary to your assertion, Google does NOT run a root server and, as mentioned, neither does Cloudflare (at least officially).

Here we go again... Milton Mueller  –  Mar 4, 2026 7:22 AM

Michael’s hostility to the independence of ICANN from the U.S. government is well known. But trying to use DNS Root Server System governance reform as a cudgel to re-impose “America First” Internet governance takes it to a new low. It’s particularly amusing now that the Trump administration’s ICE raids, illegal tariffs and unilateral military attacks have discredited the administration among virtually everyone outside the MAGA fold. Really, Mike, should the global Internet community be looking to Stephen Miller, an acknowledged neo-fascist, as a guide to policy?
Calling a root server “critical [U.S.] national infrastructure” is absurd. It’s a global infrastructure and, like the DNS, it is supposed to operate neutrally for all organizations in the world. Three of the 13 root servers (E, G, and H) are managed by U.S. government agencies: NASA (E), DOD/NIC (G), and U.S. Army/Research Lab (H). Two of them are military. These are just legacy arrangements and do not reflect current needs. What’s the problem with considering reducing the U.S. share by one or two? The performance of root servers run by the U.S. military is known to be among the worst of the whole system.
The governance gap around root servers has been well known for years. We have no institutionalized method to award or withdraw root server status. That needs to be fixed. We have other governments claiming - equally irrationally - that a RS is a “critical national infrastructure” and so they want one in their territory. Statements like Palage’s simply encourage the further politicization of a function that needs to be nonpolitical, technical, and multistakeholder in nature.
RSS governance was supposed to be reformed in the original 1999ish agreements between the U.S. Commerce Department and the fledgling ICANN. It took 20 years to finally get around to it. It’s sad to see divisive nationalistic politics interfering with that process.

Anycast is good, but... Milton Mueller  –  Mar 4, 2026 7:35 AM

Karl:
You are correct that “the most important single step in improving DNS root-layer reliability ...was to deploy anycast technology so that rather than 13 server machines we have 13 clusters (each extensively geographically distributed) of root servers.” You are also correct that this was done independently of ICANN - a testimony to the resilience and benefits of Internet self-governance; no central authority was needed.
What you may not realize is that national governments - and you can guess who, but China, India and Russia come to mind - are not satisfied with anycast. They want “their own” root server. They - like Mr Palage - mistakenly think of it as “critical national infrastructure” when it’s not, it’s a globally shared infrastructure rooted in civil society and the private sector. Palage doesn’t realize (or maybe does) that casting RS governance in these terms only encourages other powerful nation-states to insist on “digital sovereignty” in ways that encourage fragmentation of the infrastructure along geopolitical lines.
So yes, we can now have more than 13 RSs. That raises the question: who gets them, who runs the new ones? How do we answer this question? Either we answer it in a cooperative, institutionalized manner - and ICANN is the best place to do that - or we move to the kind of intergovernmental contention that we saw in WCIT 2012, WSIS 2003, etc. We should all hope that ICANN’s RSS reform process takes the lead, but if that fails then bottom-up measures, such as the local root initiatives coming out of the IETF, may be necessary.

Well stated Milton Anthony Rutkowski  –  Mar 4, 2026 8:37 AM

The points you are underscoring have continuing historical roots going back to the 1850 Dresden international telecommunications treaty instrument.  Network traffic identifiers and resolution are under the sovereign jurisdiction and control of national jurisdictions, and their global instantiations are established through treaty arrangements.

The EU reminded the U.S. of these fundamental legal norms in the mid-1990s.  The U.S. subsequently hosted the ITU Plenipotentiary Conference at Minneapolis in 1998 - at which the U.S.-crafted Res. 102 was adopted and effectively applied the long-standing norms to TCP/IP network domain names and addresses.  The U.S. and most nations are a party to the provisions.  Although the current U.S. administration ignores most law, the rest of the world still follows it.  Any attempts to ignore these norms will simply result in more ICT infrastructure resources and institutions moving to other stable national jurisdictions.

It is surprising that ICANN itself is still incorporated in the U.S. rather than Switzerland.  It can join DONA there. :-)

LOL!! Milton Mueller  –  Mar 4, 2026 8:55 AM

Read “Declaring Independence in Cyberspace”, my friend.
https://mitpress.mit.edu/9780262552585/declaring-independence-in-cyberspace/
Reasserting treaties from 1850 - ones that you yourself discarded in the early days of the Internet’s evolution - doesn’t change facts on the ground.
Hey, the Dresden treaty, written for the telegraph, says that no messages should exceed 100 words. Why don’t we apply that, eh?

lost in translation Anthony Rutkowski  –  Mar 4, 2026 9:04 AM

My comments were provided to support your statements. Technologies change. The challenges tend to remain the same.

Sorry Milton Mueller  –  Mar 4, 2026 9:09 AM

The irony passed over my head.

Blast from the Past Jay Fenello  –  Mar 9, 2026 5:05 PM

Nice to see so many old timers still involved :-)
