Home / Blogs

Splitting the Root: It’s Too Late

One of the consistent chants we’ve always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week’s ICANN meeting that due to ICANN’s inaction, it’s already too late.

Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs) that contain characters outside the traditional English ASCII character set. The technical issues were settled a while ago in the IETF, with a scheme called punycode that encodes Unicode characters as ASCII strings stat start with xn—. ICANN has tied itself with the issue of homographs, different characters that look the same or mean the same thing. Once people noticed that IDNs let you register different names that look the same, the intellectual property crowd that has always had a mysteriously great influence on ICANN went into a tizzy and they went into lengthy discussions on what to do about them. Unfortunately, there is no technical way to make homographs go away, because there is no agreement on what ‘‘the same’’ means. ICANN came up with a draft recommendation on IDN policy which nobody implemented, and is now about to come up with a second draft which nobody seems likely to implement, either.

While ICANN dithered, groups in China and in Arabic speaking countries went ahead with experiments in IDNs for Chinese and Arabic, and set up experimental parallel root zones with names in the local character sets. These experiments worked (no surprise, Unicode and punycode are technically sound) and now those roots are the roots that everyone in those countries use.

A friend who traveled to Arabic countries reported that ISPs simply reroute traffic for the public routes to their own root servers, and most people are none the wiser except that Arabic domain names work. He only realized what was going on when he tried to reach the Red Cross web site and kept getting the local Red Crescent instead, and tracked it down to the DNS returning different answers from what he’d expected to get from the usual DNS.

Furthermore, at least one large ISP in Europe is doing the same thing, redirecting root server traffic to their own servers. In their case the goal more likely is to deal with users with misconfigured DNS clients by catching traffic to any name server, not just the roots, but it also offers the opportunity to make additions and deletions without the knowledge or consent of either the real domains or the users.

Now that the split root genie is out of the bottle, is there any way to get it back in? Not that I can see. Let’s hope that users in China and other countries with their own private roots figure out that there’s more to the net than their DNS shows them.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By John Levine, Author, Consultant & Speaker

Filed Under

Comments

Ram Mohan  –  Dec 4, 2005 12:50 AM

The overly negative tone of this article hides the fact that for the first time since 2003, ICANN has taken IDNs full-on.

And, for the record, many gTLD registries

did

implement the 1.0 guidelines, and intend to implement the 2.0 guidelines also.

In addition, an effort has begun to take the 2.0 guidelines into an IETF BCP (Best Current Practices) document.

ICANN should continue to move and apply itself diligently to the issue.

John Levine  –  Dec 4, 2005 1:20 AM

I don’t understand this comment at all.

If I had noted that ICANN’s IDN dithering had led to a split root in a cheery and upbeat way, what difference would that make?  If Afilias has added IDNs to .INFO, that’s swell, but it’s too little too late.

Suresh Ramasubramanian  –  Dec 4, 2005 1:13 PM

So John, does IDN development inevitably lead to a split root?

Right now there’s this massive split in the implementations (keywords, anyone?), and a complete lack of standardization in character set for various languages. 

Makes the situation even more confusing right now.

Ram Mohan  –  Dec 5, 2005 6:07 PM

John,
My issue is with your statement that no registry had implemented the 1.0 guidelines (and therefore would not, the 2.0 guidelines either).

That’s all.

-Ram

Christopher Parente  –  Jan 4, 2006 8:31 PM

While ICANN dithered, groups in China and in Arabic speaking countries went ahead with experiments in IDNs for Chinese and Arabic, and set up experimental parallel root zones with names in the local character sets. These experiments worked (no surprise, Unicode and punycode are technically sound) and now those roots are the roots that everyone in those countries use.

A friend who traveled to Arabic countries reported that ISPs simply reroute traffic for the public routes to their own root servers, and most people are none the wiser except that Arabic domain names work. He only realized what was going on when he tried to reach the Red Cross web site and kept getting the local Red Crescent instead, and tracked it down to the DNS returning different answers from what he’d expected to get from the usual DNS.

Interesting—IYO what responsibility is there for disclosure? Let people know what is happening, and “vote with their browsers” whether they agree to be segmented off from the rest of the world.

And where is the line between legitimate national aggravation at the slow pace of IDN adoption, and using redirects for other, possibly unsavory control purposes?

John Levine  –  Jan 4, 2006 8:55 PM

Disclosure is fine, but if you rounded up a hundred typical Internet users from Egypt and China and asked them if they’d rather use the local root or the ICANN/IANA root, the response from at least 98 of them would be “Huh?”

Once the root is split it’s hard to put it back together. If they use the IANA roots they’ll lose the local names in the local root.  If they lose the local root, they lose whatever IANA names the local operator deletes or changes. Neither is particularly satisfactory.

As far as what’s legitimate and what’s not, ask ten people, get at least ten answers. I expect it’s more likely that whoever rerouted the Red Cross to the Red Crescent thought he was doing his local users a favor, not censoring infidel Western content.

Christopher Parente  –  Jan 4, 2006 11:17 PM

Fair points. But rephrase the question.

Ask 100 Internet users if they were aware that the same exact domain name brings back multiple responses, based on where they are physically located. Care to guess how many are aware of that?

People assume that a specific domain name brings them to specific data—the universality of the Internet is key to its power.

Compare to international phone service—what if a certain phone number was re-routed to where a particular government wants me to go, rather than to the destination I think I’m calling? All for my own good, of course…

John Levine  –  Jan 4, 2006 11:28 PM

Ask 100 Internet users if they were aware that the same exact domain name brings back multiple responses, based on where they are physically located. Care to guess how many are aware of that?

Oh, you mean like when I type http://www.google.com into my browser and it shows me the flavor of Google for the country where I am?  (Try it when you’re on the road.) You don’t need DNS tricks for that. To the extent that people even notice, they probably think it’s pretty cool.

what if a certain phone number was re-routed to where a particular government wants me to go, rather than to the destination I think I’m calling?
All for my own good, of course

Oh, you mean like the AAA’s 800 number that connects you to the closest open garage? It’s pretty cool, too.

Christopher Parente  –  Jan 5, 2006 12:22 AM

Interesting you call these things “cool”. 

You start your post by saying you support a single root, and end it by saying you “hope that users in China and other countries with their own private roots figure out that there’s more to the net than their DNS shows them.”

Suresh Ramasubramanian  –  Jan 5, 2006 2:30 AM

You didnt understand John too well, did you?

He’s saying that a lot of this is possible with the canonical set of root servers, doesnt need no steenkin’ alternate roots.

Extending his analogy of AAA tollfree numbers routed to the nearest garage based on where you are, to the “multiple alternate roots each with its own idea of how and where to resolve a host”, it’d mean something like “if you call the AAA tollfree from a Verizon phone you’d get routed to the nearest branch of one chain of garages, while if you used a different carrier’s phone to call in, you’d get routed to an entirely different chain of garages”

Taking it even further back (comparable to the hosts.txt days of the internet shall we say), you do know that Almon Strowger, an undertaker, invented the strowger crossbar telephone exchange because with the old manual system, one of the phone operators was a competitor’s wife and was deliberately rerouting calls meant for him to her husband’s mortuary.

Daniel R. Tobias  –  Jan 5, 2006 4:13 AM

Regarding Google redirecting google.com to various country-code sites depending on where you are, one glaring exception is the United States, where they as of yet still don’t use google.us as an actual site; it redirects to google.com.  If they were fully consistent, they’d redirect google.com to google.us when you were in the United States, and this would also make it possible to unambiguously address the U.S. Google site from overseas.

Christopher Parente  –  Jan 5, 2006 4:48 PM

Suresh:

You’ve outed me—I’m no engineer!

These comments have passed the point of diminishing returns, but I appreciate your efforts to help me out. I’m happy to admit that one of the things that is attractive to me about CircleID is the chance to learn. I know a lot about DNS from the standpoint of a guy working in technology PR. Not a lot from the standpoint of many in this community.

One of the most exciting (and to some entities destabalizing) things about the Internet was the concept that anyone could publish a web site and it would be accessible to anyone, from anywhere with an Internet connection. And that someone could access information from (almost)anywhere.

Only time will tell what will happen to global Internet usage when there begins to be broad public understanding that this is no longer the case. The WSJ is currently working on a story looking at this question.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Domain Names

Sponsored byVerisign