Why I Am Participating in the ORSN Project

As a long time supporter of the universal namespace operated by IANA, it may come as a surprise that I have joined the Open Root Server Network project (ORSN). I’ll try to explain what’s going on and what it all means.

There Can Be Only One

If one of my kids, or anybody anywhere, sits down in front of a web browser and keys in a URL, it ought to just work. They ought to see the same web page that anybody else would see, no matter what country they’re in or what their ISP wants or what their local church or government wants. This universality of naming is one of the foundations on which the Internet was built, and it is how the Internet fosters economic growth and social freedoms. It’s what makes the Internet different from old Compuserve, old AOL, old MSN, old Minitel, and everything else that has come—and gone—before.

The thing I’m describing is called the Domain Name System, and the “universality” of it is a basic design property—to be challenged or altered only by great wizards or by fools—mostly by fools. Those who claim to be able to add new “suffixes” or “TLDs” are generally pirates or con-men with something to sell. On the NANOG mailing list, I outlined the situation as follows:

I am not necessarily an admirer of the US-DoC/ICANN/VeriSign trinity, but i work to uphold it in spite of its flaws and my misgivings, simply because of the end-game mechanics. if any hair-brained alternate root scheme ever gets traction and starts to be a force to be reckoned with, then THAT is when the gold rush will begin. instead of a few whacko pirates like new.net and unidt, we’ll be buried in VC-funded “namespace plays”. every isp will have to decide whether to start one, join one, or stay with the default. most will decide to outsource or consort, but the money plays and consortia will come and go and fail and merge just like telco’s and isp’s do today. the losers will be my children, and everybody else who just wants to type a URL they saw on a milk carton into their browser and have it work.

These are harsh words, but then, I drink a lot of coffee. Also, my employer operates a root name server (today’s episode was brought to you by the letter “F”).

But, One Of What, Exactly?

So, what is ORSN and why am I helping them? ORSN, according to their website, is an attempt to make DNS more reliable for a community of interested and self-selected participants. They serve only data that comes from the universal namespace operated by IANA, other than a difference of small technicality that’s necessary to enable their service to work. The key point in understanding ORSN is their fealty to the universal namespace, as explained in their FAQ:

What can’t be accomplished by ORSN?
Furthermore, no additional (alternative) top level domains will be added to the ORSN root-servers like ORSC, NEW.NET, public-root and other networks did it.

What this means in practice is that the people who “subscribe to” ORSN will not be able to see different domain names than the rest of the world; they’ll merely be talking to a different set of nameserver computers when they get the same (“universal”) answer they would have got from IANA’s own nameserver computers. On the NANOG mailing list, I explained this:

I’m indifferent to their reasons, as long as they don’t add any new TLD’s or otherwise display the kind of piracy or foolishness i have so often decried among new.net, unidt, united-root, public-root, alternic, open-rsc… and i forget how many others.

So, What Does It All Mean?

Let’s return to that last NANOG article I was just quoting from:

with or without the approval or participation of the folks who started it all, and those who wrote most of the code and specifications and those who are now working hard to keep it running, the world is going to pursue autonomy and independence. the internet allows, among other things, not having to care very much what other people think about what ought, or ought not, to be done.

however, there’s still a chance to encourage responsible independence, which i think ORSN is demonstrating, as opposed to piracy and foolishness, such as those who falsely respond to queries sent to the IANA root server addresses, or those who shortsightedly add TLD’s that only their own customers can see… the list goes on. (in fact, the list is only getting started.)

I hope that clears things up somewhat.

By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).
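
The distinction the article draws between an alternate server set and an alternate namespace can be checked mechanically. The following Python code is an added example, not from the article or from ORSN: it compares a mirror's copy of the root zone with IANA's and separates the expected server-set change (the “. NS” RRset and its address glue) from anything that alters the namespace. The zone snippets, addresses, and the example.net and newtld-example names are constructed, and counting the root servers' A/AAAA glue as part of the allowed change is an assumption.

```python
from collections import defaultdict

# Constructed sample data in root-zone style (one fully qualified RR per line).
# Addresses are documentation ranges; the nic.* and example.net names are made up.
IANA_ZONE = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2005100300 1800 900 604800 86400
. 518400 IN NS a.root-servers.net.
. 518400 IN NS f.root-servers.net.
a.root-servers.net. 3600000 IN A 192.0.2.1
f.root-servers.net. 3600000 IN A 192.0.2.6
net. 172800 IN NS ns1.nic.net.
ns1.nic.net. 172800 IN A 198.51.100.1
org. 172800 IN NS ns1.nic.org.
ns1.nic.org. 172800 IN A 198.51.100.2
"""

# A mirror that changes only the server set: same data, different root servers.
MIRROR_SERVER_SET = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2005100300 1800 900 604800 86400
. 518400 IN NS a.mirror.example.net.
. 518400 IN NS b.mirror.example.net.
a.mirror.example.net. 3600000 IN A 203.0.113.1
b.mirror.example.net. 3600000 IN A 203.0.113.2
net. 172800 IN NS ns1.nic.net.
ns1.nic.net. 172800 IN A 198.51.100.1
org. 172800 IN NS ns1.nic.org.
ns1.nic.org. 172800 IN A 198.51.100.2
"""

# A mirror that also changes the namespace: one added TLD, one overridden delegation.
MIRROR_FORKED = MIRROR_SERVER_SET.replace(
    "IN NS ns1.nic.org.", "IN NS ns1.other.example.net."
) + (
    "newtld-example. 172800 IN NS ns1.newtld-example.\n"
    "ns1.newtld-example. 172800 IN A 203.0.113.53\n"
)


def parse_zone(text):
    """Return {(owner, type): frozenset(rdata)}; TTL and class are ignored."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets[(owner.lower(), rtype.upper())].add(rdata.strip().lower())
    return {key: frozenset(values) for key, values in rrsets.items()}


def tld_of(owner):
    """Rightmost label of a fully qualified name, e.g. 'ns1.nic.org.' -> 'org.'."""
    return owner.rstrip(".").rsplit(".", 1)[-1] + "."


def compare(iana_text, mirror_text):
    """Classify every RRset that differs between IANA's zone and the mirror's."""
    iana, mirror = parse_zone(iana_text), parse_zone(mirror_text)
    apex_ns = (".", "NS")
    # Names of root servers on either side; their address glue may differ (assumption).
    servers = iana.get(apex_ns, frozenset()) | mirror.get(apex_ns, frozenset())
    report = {"server_set": [], "added_tld": set(), "removed_tld": set(), "altered": []}
    for key in sorted(set(iana) | set(mirror)):
        if iana.get(key) == mirror.get(key):
            continue
        owner, rtype = key
        delegation = (tld_of(owner), "NS")
        if key == apex_ns or (owner in servers and rtype in ("A", "AAAA")):
            report["server_set"].append(key)          # expected for a mirror
        elif delegation not in iana:
            report["added_tld"].add(delegation[0])    # TLD IANA does not delegate
        elif delegation not in mirror:
            report["removed_tld"].add(delegation[0])  # TLD the mirror dropped
        else:
            report["altered"].append(key)             # same name, different answer
    return report


def same_namespace(report):
    """True when the only differences are in the server set."""
    return not (report["added_tld"] or report["removed_tld"] or report["altered"])


if __name__ == "__main__":
    for label, zone in (("server set only", MIRROR_SERVER_SET), ("forked", MIRROR_FORKED)):
        result = compare(IANA_ZONE, zone)
        print(label, "->", "same namespace" if same_namespace(result) else "DIVERGES", result)
```

A differing SOA serial, as with a deliberately stale copy, is reported under "altered" so that it is visible rather than silently accepted.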

JFC Morfin  –  Oct 2, 2005 2:18 AM

I am not indifferent to the reasons which are part of the architecture of the Internet. I am not indifferent to the management of the IANA file. For a more sure, stable, secure and innovation oriented DNS.

But bravo: this is a first step in the proper direction, which may help a lot, in unlocking a debate ICANN’s ICP-3 had not succeeded to recenter. It may permit to discuss more calmly the issues currently under review.

Joe Baptista  –  Oct 3, 2005 1:22 PM

I am not surprised that Vixie has joined an alternative root.  Paul’s motivation in joining the ORSN was mainly inspired by Public-Root (http://www.public-root.com - www.inaic.com and http://www.unidt.com)

The article published here is not the original Paul first wrote.  That article contained references to UNIDT (public-root) being pirates.  I’m glad he toned down his claims.

Paul’s actions confirm the Public-Root has done a considerable service to the Internet community - irrespective of the fact the Public-Root is still a corrupt organization:


What I don’t like about Paul’s write-up is that I don’t think he should really rationalize himself into a corner.  It is obvious many people were wrong about ICANN and so was Paul.  Now it’s time to move forward.

It’s as simple as that.

JFC Morfin  –  Oct 3, 2005 2:05 PM

I am glad of Joe’s comment. It seems that we could proceed further now. There are many issues involved in a global revision of the concepts of distributed registries and in the DNS see NewStar and GPRS where the accumulated proven experience of the DNS could help a lot. I hoped the IETF could be the place for that. I may have been wrong because big status quo commercial interests are still involved trying to grab control over central IANA.

Anyway IMHO there is a lot to investigate between MDR (JTC1/SG32/W2) and DNS. This is what I call the DRS (distributed registry system) which would also call on IPv6 help for a true multilingual support. Let forget the mistries of the past and let focus on a new architecture building on them. But this architecture is NOT necessarily TCP/IP dedicated, and can bring a lot to the Internet architecture.

Christopher Parente  –  Oct 3, 2005 4:53 PM

Interesting post. My question is technical rather than political—hope you can educate me here.

Paul, you say ORSN is working to make DNS more reliable by mirroring the root hierarchies managed and distributed by ICANN.

I’m familiar with the secondary protection firms like VeriSign and UltraDNS provide to enterprises. Does ORSN provide secondary DNS protection for entire TLDs? Or are they offering just an alternative, not a replacement to switch over to in case of catastrophic failure?

The FAQ says this has been in place since early 2002—could ORSN really handle the entire global Internet load (once the TTLs expired, of course), if theoretically ICANN went dark, or didn’t exist?

John Palmer  –  Oct 3, 2005 4:56 PM

Joe, Public-Root is not a corrupt organization. There are a few disputes within the organization, but in general, it is doing ok. UNIDT is the driving force behind the Public-Root concept and it has been the mover and shaker with the greatest chance of success.

Please tone down your comments. They do not represent the opinions of the majority of Public-Root/UNIDT supporters and do a dis-service to the cause.

Also, be careful about supporting certain other players who have a bona-fide bad reputation, such as ROKSO records (Spamhaus) for spamming and generally peeing all over the internet. I cannot support someone with such a record. You know who I am talking about.

Paul Vixie  –  Oct 3, 2005 6:17 PM

In no particular order, here’s my reaction to the various notes so far.

Mr. Baptista is not my spokesman, and if I have inadvertently left out some of the piratical and foolish alternate namespaces such as UNIDT and New.Net then I apologize for the oversight. There can be only one namespace, even if there can apparently be more than one nameserver system for that namespace, as in the ORSN case.

Mr. Parente misattributed ORSN’s position to me. I don’t think that ORSN will make DNS more reliable—I am perfectly satisfied with the IANA root name server system and I do not think that a more reliable system is possible. However, I also know that the ORSN web site claims reliability as one of their goals. I do not have to share that goal in order to be willing to help them. As to Mr. Parente’s question, ORSN is not really comparable to the “secondary protection” offered by UltraDNS and VeriSign to enterprises—it really is just an alternative way to get the same data that IANA self-publishes. As to whether ORSN could handle the entire Internet load, I think that before ORSN’s subscriber population could grow to the size of the Internet, a lot more servers would have to be deployed. As most of you know, my employer operates an IANA root name server and we have more than 30 locations world wide. What most of you don’t know is that I wish we had 300 rather than 30, and that I hope every other IANA root server operator will also take global aim.

Watching John Palmer and Joe Baptista argue about “corruption” and “the cause”, while using words like “bona-fide”, has been nothing short of amusing. Thanks.

Christopher Parente  –  Oct 3, 2005 6:36 PM

Mr. Parente misattributed ORSN’s position to me. I don’t think that ORSN will make DNS more reliable—I am perfectly satisfied with the IANA root name server system and I do not think that a more reliable system is possible.

Thank you for the answer, and apologies for mistakenly attributing ORSN’s goal to being your goal as well.

Jothan Frakes  –  Oct 3, 2005 7:23 PM

Paul, I am grateful to see the newfound support that you are showing for the efforts that alternative root expansion groups have made in the past decade.  I have been very impressed with many ORSN operators integrity and desire to work with the current IANA / ICANN root namespace over the past years.

The Public Root and the work that John Palmer has put forth deserves some credit and praise for being both technically elegant and very advanced in foresight.

I have heard the argument (by non-technical folks) that subscribing to ORSN is like adding cable or satellite channels to existing broadcast tv.  Though that is a blatant oversimplification, there is some merit to it.  By subscribing to alternative namespace, one gets more resolvable space.

I think we’re still missing the piece of the puzzle that sorts out the coordination component that weeds out namespace collision and the headaches associated with it, but these are not necessarily technical problems in nature.

I hope that there are good things that come from this turnabout in your point of view, and I admire your wisdom in being open to the benefits that can come from this.

Paul Vixie  –  Oct 3, 2005 8:15 PM

Jothan Frakes’ comments show the same inability to distinguish between name spaces and server sets that Joe Baptista and others have shown. ORSN is not merely “working with the current IANA”, they are committed to it. According to their FAQ:

Furthermore, no additional alternative top level domains will be added to the ORSN root-servers like ORSC, NEW.NET, public-root and other networks did it.

ORSN is an serious network and we supports ICANN’s TLD-politics.

This is a completely different effort—a completely different kind of effort—than public-root, UNIDT, New.Net, and other namespace piracy attempts. As for Jothan’s claim that John Palmer’s public-root effort is elegant or shows advanced foresight, I respectfully, and completely, disagree. As a some-time author of both Internet standards and open source software, I know that DNS does not support “alternate namespaces”, and that none of these namespace piracy attempts have even recognized, let alone solved, the problems that come from trying to add functionality at this level. These attempts at namespace piracy are at best naive, and are in no sense advanced or elegant.

Lest Jothan continue in his misunderstanding of my point of view, there has been no change. ORSN shows complete respect and support for the universal IANA namespace, and as such, my willingness to help them was inevitable.

I’d take it as a personal favour if further followups properly distinguished between “alternate name spaces” and “alternate server sets”. In other words, if you think there is no difference, please keep quiet until you’ve done your homework.

John Palmer  –  Oct 3, 2005 8:51 PM

[NOTE: My postings are my own opinions. Although I operate a Public-Root server, I do not speak for Public-Root, INAIC or UNIDT]

Paul, Joe and I disagree about how a minor internal dispute within the Public-Root community should be resolved. Joe prefers to be loud and antagonistic, airing internal disputes in public to get certain parties to do what he wants. I think this is wrong. Joe has the best intentions in mind and I admire him for being a strong advocate for a free and open namespace. We just disagree on tactics in this case.

The whole dispute is between an entity and several people. The entity will not pay certain monies to these people because it believes that there were material misrepresentation of facts made by the persons in question, prior to the contract being signed. This dispute will probably be resolved by the parties involved very soon. In any event, it’s not a matter to be fought out in public and is of no great cause for concern, regardless of Joe’s insistence that it is.

Two of the most fundamental beliefs that most Inclusive Namespace supporters hold are:

1. Preserving the Freedom of the Internet: There are only a few “control points” on the internet, the root zone is one of them. When a corrupt organization, captured by a handful of monopolists and special interests gets control of these resources, bad things can happen. At best, the will of the internet community is shut out, at worst, privacy and freedom to speak can be curtailed. ICANN’s keepers, almost from the time the ink was dry on the MoU, did everything they could to shut out the public voice. The result, only a handful of new TLDs have been added and when you look at the registries that operate them, you see that the same people, more or less, are involved in all of them. Additionally, WIPO now has the power, with the UDRP to use the namespace as a bludgeon to enforce their narrow agenda, which is to protect its rich intellectual property owners. (See for instance the BARCELONA.COM case).

2. Supporting Competition in the Marketplace: The only valid TLD allocation policy should be First Come, First Serve (FCFS). Much like the homestead days in early US history, if you are first to stake a claim on a piece of land and develop it, you are rewarded for your labor. Hundreds of thousands of dollars have been spent by businesses developing their TLD properties. If ICANN/DoC will not list them in its root network, these entrepreneurs will build institutions that will support them, in other words Inclusive Roots. Referring to those that create wealth and economic opportunities as “pirates” is a surprisingly socialist attitude. If you are a socialist, Paul, just say so. I wonder, though, how much money you have made from your “capitalist employer(s)” over your career? Should we call you a “pirate” and demand that you “give it back”?

3. Supporting the Stability of the DNS: The biggest thing that one can do to create instability is to create collisions in the namespace. There may be more than one root server network, but there can be ONLY ONE NAMESPACE in the public internet. Inclusive Namespace supporters recognize that collisions are bad. ICANN created the biggest collision in internet history when it stole the .BIZ TLD from AtlanticRoot, duplicating an existing TLD that already had thousands of registrants. Although there have been some minor threats of collisions in the Inclusive Namespace, we try to work them out because we recognize how bad this is.

[continued in next post]

JFC Morfin  –  Oct 3, 2005 9:01 PM

Folks, please let keep things clear. There is a name space. There may be several descriptions of that name space. There may be several server systems proposing access to these descriptions. These are three different layers.

I started with the unique name space in 1977 and I have known four kinds of descriptions of it. The initial one (left to right) where were created the root name concept and the hierarchy. The X.121 one using numeric names. The Internet one we plugged in the two others. The “alt-roots”.

Then I known several server systems. The Tymnet Sups. The lack of servers (OSI). The Internet RSSAC and alt-roots. We are now working on a new concept getting experience from them all. All of them have merits as long as people understand what they do, are honest and do not despise others.

What we all want is surety, stability, security and scalability. Scalability kills all the pretensions anyone can have for any system, because a described system will never be universal. Only a concept can be universal, not an application. To date there are only a few concepts which are universal in this area.

1. what Paul says: there is only one single name space. But that single name space may be much more complex than the mono-Internet presupposes it is.

2. the “root name” principle. “a root name is the name of a network, of its gateway, of its user class, of his host group, of its registries system, of its governance, in an other network or in its one self”.

3. the “forest” principle. The forest is the addition of all the root names in a network.

The Internet legacy system is a root name linking (gatewaying) its own forest. This is the maximum constraint: making multiple (forest) unique (the dot). Good or bad, I do not know. But obviously since RFC 920 (oct 84) it works. The alt-roots want to expand the Internet forest. There is no architectural problem in this, and I documented and supported that. But there is no proof of stability. The problem is that it locks everything in status quo for ever. ICANN called for testing the evolution (ICP-3, 2001). We were alone in doing it (ORSN gave some hand). This only shown things we known before, and confirmed how to improve stability, surety in improving the forest procedures and mutual control, where it is better than a centralised (root) approach.

What I find important today, is that people from both sides of the alt-root controversy talk together, now that controversy is outdated by the market. This may say that the next generation system may be thought and experimented with all of them and their various experiences.

This new system will obviously be a forest and must be tested. This cannot be done with the current network approach without polluting it. This means that it must be carried on a new network approach. I am biased from my own experience in saying it should use a user-centric approach vs. the single legacy network centric current approach. But there may be others. This is in talking together that we can find them. Thank you, Paul.

John Palmer  –  Oct 3, 2005 9:07 PM

[continued from last post]

4. Providing the Internet Community with Choice: By allowing as many TLDs as there are TLD operators, internet consumers have a choice. This choice is not only between TLDs, but also business and pricing models. Maintenance of a root zone should be a book-keeping task, not a policy task. The only work should be a) Adding new TLDs when someone makes a claim, b) Updating nameserver records for TLDs at the request of TLD owners and c) Deleting un-used TLDs. As for other rules, let the marketplace dictate this. If a TLD owner has unreasonable rules, registrants can go elsewhere. The market will weed out the dictators very quickly. The ICANN model with its domain-theft-enabling WIPO would be out of business in a month if it had to face this kind of competition.

You might say that the UNIDT model actually “sells” entries in the root zone - how is that FCFS? UNIDT sells “corporate TLDs” - that is, TLDs that are trademarks or the names of companies. Anyone else trying to use these marks would face legal action in courts of law (Not forced UDRP at the behest of the root operator). This provides a funding source to support the operation of the root network. Any generic TLDs should be allocated FCFS with the requirement that the TLD owner provide gTLD servers for them.

So Paul, Joe and I may disagree about this one issue, but chortle as you may, we agree that the ICANN model is broken and that we need alternatives. Public-Root/UNIDT have the support of at least one government (Turkey) and one major ISP (Tiscali) and many more votes of support from governments and corporations as well as concerned internet citizens will be voiced in the near future. You once said that it would be a nightmare if any one of these “pirate efforts” got any traction. Too late, it already has and there is no stopping the movement. Money is pouring into these ventures. Unlike you, Paul, I do not view this as a nightmare, but a breath of fresh air for the global internet community.

John Palmer

Jothan Frakes  –  Oct 4, 2005 8:31 AM

ORSN is alternative root expansion, just not expansion namespace.  I think I said ‘alternative root expansion’  in my opening line.

Perhaps root ‘supplementary’ is a better term.  Still, with my mention of alt root namespace and a compliment to public-root, I can see where a reader could come to a conclusion pretty easily that I am misstating your position or blurring what ORSN by associating it with alt.namespaces.  You get enough of this from others (like Joe Baptista), and it was not my intention.

I don’t own enough asbestos suits to remain standing after an alt.namespace dance with you (although we agree on most points), and it wasn’t my desire to raise your ire or misstate you on the matter.

Back to the topic at hand, and the point of your article here, it is clear that by supporting ORSN and operating the L root for them you will really help the cause.  ORSN looks like a legion of clueful European operators who have created a good root nameservice complement.  They even clean up and organize the IANA root zone file by TLD with comments.  Quite elegant.

Great move, and much success with it.

Michael Dillon  –  Oct 4, 2005 5:39 PM

There is really a lot of confusion about this whole issue.

Technically, the DNS protocol has limits on the number of root nameservers that can be given in a single response to a query. Even under the tightest constraints, this number (13 nameservers) is sufficient to provide resiliency to an installation, i.e. company office. However, a single set of 13 nameservers is not sufficient to support all the current users of the Internet or the future larger number of users.

As a result, the root nameserver operators are deploying copies of their root nameservers so that the same 13 nameservers are not answering responses. As Paul said, he operates a root nameserver that has 30 copies answering responses.

You will note that Paul wishes that there could be a lot more copies of his nameserver, and presumably even more root nameserver copies worldwide. However, there has been some question on the NANOG mailing list as to whether the technique currently used by root nameserver operators is sufficiently robust.

Now, we come to ORSN. What they are doing is establishing an entirely separate set of *COPIES* of the root nameservers. Because this is a different and distinct set, the dependencies within the set of servers are different, and this technical fact makes the combined system of existing root nameserver plus ORSN nameservers, more robust than just the existing ones. Of course, in real world terms, there is only increased robustness if ORSN deploys root nameservers at least as widely as the existing operators and ORSN maintains similar or higher standards of operational excellence.

This remains to be seen, however Paul is to be applauded for maintaining the principles of a unified Internet and at the same time, supporting ORSN in increasing the absolute number of servers providing access to the DNS. The root of the DNS is the gateway to nameservice and is therefore the gateway to any services, such as email and the web, which depend on nameservice. We must protect and preserve this as a universal public resource that is forever free of gate tolls.

In my opinion, any non-IANA ( and therefore non-consultative) attempt to add new TLDs is a form of gate toll.

Simon Waters  –  Oct 4, 2005 6:55 PM

How is it anything more than a political weapon with which to beat ICANN, with the threat of a fork?

The ORSN has less root servers in Europe than IANA, they only have a few more European servers than the ISC (f.root-servers.net).

Say tomorrow ICANN decides for “security” reasons to redelegate “.ir” to the Pentagon, with no public explanation. If ORSN forks the root at this point, will Paul still support it, even though his daughter now gets two different websites? What if they choose only to override only one domain?

Paul Vixie  –  Oct 4, 2005 9:22 PM

JFCM says “1. what Paul says: there is only one single name space. But that single name space may be much more complex than the mono-Internet presupposes it is.”

What we’ve got here is a failure to communicate.  JFCM can create whatever new naming system he’s got in mind, and give it away or sell it or whatever, and report back later as to how well it works.

But in the mean time, we’ve got the Internet Domain Name System, with a single root of a single namespace.  No forest, just one tree.  That is “what Paul says”.  In JFCM’s terminology that means, I guess, that I’m part of the “mono-Internet”.  Just like everybody else, because that’s what Internet’s DNS is, and what it will remain unless someone creates new technology that’s a lot more fundamental than what UNIDT, public-root, New.Net, and ORSC have been doing.

Paul Vixie  –  Oct 4, 2005 9:31 PM

Simon Waters asks: ``Say tomorrow ICANN decides for “security” reasons to redelegate “.ir” to the Pentagon, with no public explanation. If ORSN forks the root at this point, will Paul still support it, even though his daughter now gets two different websites? What if they choose only to override only one domain?''

If ORSN ever publishes data that did not come originally from IANA, beyond the minor change to the “. NS” RRset needed to make ORSN’s project viable at all, then that will probably end my involvement with them.  From what I’ve learned of the other operators, that would probably be the end of the project.  From their FAQ:

ORSN is an serious network and we supports ICANN’s TLD-politics.

I can imagine ORSN publishing stale copies of IANA’s data, deliberately stale due to political concerns.  That doesn’t matter to me.  But I don’t think your “.IR” scenario is very likely, either.

JFC Morfin  –  Oct 4, 2005 11:13 PM

Hi! Paul. Please let us try not to introduce unnecessary confusion in simple things.

I will therefore repeat:

“there is only one single name space”: this means that a domain name is an alias, obeying a certain ABNF, for an address. Who ever creates the name or who ever decides of the address.

“But that single name space may be much more complex”: this means that users may choose to use the same name several unrelated addresses.

“than the mono-Internet presupposes”: means that the current usage thinks a given name must alias only one address (or only one set of related addresses), or there is conflict and confusion.

In reality there are many different possibilities for a same name to alias multiple independent addresses. This is the case today in private networks which have their legitimate alt-roots (cf. ICANN ICP-3). There is also a big technical confusion maintained between such alt-roots (for example GSMA) which do not care to conflict since they cannot pollute one another, and open-roots which strive not to conflict. But alt-roots are NOT well supported by the “mono-Internet”. This is why ICANN called in 2001 for experimentation (our dot-root project responded that call).

There can however be sure, secure, stable and scalable multi-orthogonal-addresses names in a “multi-Internet”. This means that the Internet architecture will have been tailored for additional parameters to resolve the conflict. This is already the case in “mono-Internet” through the gateway of an Intranet. ICANN proposed to investigate CLASSes, what was the original solution (with Host Groups). OSI used CUGs (closed user groups). This means that in an identified context a name may have a different meaning, or that doubt is clarified by a secondary parameter. “Con” in English and in French has the same letters and different meaning. “Paris” in France and the USA has the same letters and different locations. Two persons of the same name are differentiated by their birth date. Etc.

When Robert Tréhin started the international namespace no one said “there is a single divine root”. We identified an existing mechanism (ISO 3166 3 alpha and Corporate logos) to acknowledge “root names”. This was for a very simple reason: billing and operation statistics. Seven years later, in 1984, we had many such root names implemented, and welcomed the “ARPA” root name. We had a need for quick difference between the names and the IP addresses we could receive at the gateway: a techie suggested a final “.” for names. We nicknamed ARPA the “dot-root”. Our consensus of the time is translated in RFC 920, ICANN claims its legitimacy from. You will see there the mechanism we asked to build “multiorganisation TLDs” (to pay for the cost of entering new “root names”).

“jefsey.com”, “vixie.gprs” and “cicleid” belong to the same 1 to 256 hexatridecimal grid (including “.” and “-”) used as the international networks name space since 1977. There is no religion about it, nor theorem. This is a simple definition by consensus. Anyone can change it. We changed it in 1982 in accepting any other character set (but that did not take off yet :-)), and made a partition of it to reserve 14 numeric names to support ISO X.121 (this worked well). Internet made another partition: in its part of the name space you need two “.” and consecutive “.” are forbidden. Real Names or other did it too, supporting keywords like Netpia or the CNNIC in forbidding “.”. etc. Then came the “xn--” prefix, etc. The total is still the same unique universal grid.

It is like the globe: you can change the map of the mountains if you want, that does not change the mountains.

The stewardship and the use of that namespace is another story where we may have different technical and commercial (pro)positions.

Joe Baptista  –  Oct 6, 2005 1:46 AM

I just want to make a brief note with respect to the continued evolution of the Public-Root system.  I am glad to see root alternatives being supported by the mainstream technical communities.  We should spend more time thanking Paul for his initiative.  Instead I fear he is being roasted.  I myself am very proud of Paul for supporting any alternative to the IANA root zone.

The Public-Root initiative is providing the Internet community with its first forward moving debate on the deployment of root services and namespace expansion.  People are acting.  Not together, which is unfortunate as it wastes time, but they are acting.

There is also some good news from the Public-Root reorganization.  We are making progress in contract negotiations and the technical department may soon be back to work.  UNIDT is still breaking their contract with respect to payments - but at least the employees finally have contracts.  Which moves us forward toward being accountable to each other internally.

As far as I can see, the Public-Root system has pushed the namespace envelope to a place it’s never been before.  This has caused incredible political fallout across nations.  There is pressure everywhere.

I expect we shall be seeing some interesting developments by the end of November 2005.  And I take pride in the fact the Public-Root is a leader in pushing the namespace envelope in the right direction.  At least people will have something to talk about.  It is clear that we must all work together to accomplish the task of namespace expansion.

I want to thank Mr. Morfin for his comments and support.  And I acknowledge what Mr. Palmer said here.  Indeed the Public-Root has many supporters.  These are leaders in Industry desperate to find a solution to the namespace dilemma - which clearly Public-Root has found.  The Public-Root is the answer towards the operation of an open, transparent and honest process.  I just wish our supporters would be more public about their support.  Maybe I scared them away.  I certainly have made a difference to the direction the Public-Root has taken.

As for questions concerning the methods I have deployed to move us forward towards the open, transparent and accountability process we stand for is as its first and only whistleblower.  As the recognized Public-Root founder it is critical that the organization clean up its act to meet my high standards.  Because our cards are in the open and on the table through disclosure, we can move forward to providing the community with the structure promised to them in the first place.  Until then I shall continue to blow my whistle - it’s my JOB.  I have a fiduciary responsibility under contract to do my Job as a representative of the Internet community and the founder of the Public-Root system.


Milton Mueller  –  Oct 9, 2005 10:18 PM

What makes this interesting is that the justification for this “additional” root is explicitly political. As ORSN says on its web site:

“The U.S.A (under the current or any future administration) are theoretically and practically able to control “our” accesses to contents of the Internet and are also able to limit them. A manipulation of the Root zone could cause that the whole name space .DE is not attainable any more for the remaining world - outside from Germany.”

So in other words, ORSN sees this as a “backup” in case the US govt. tries to use its “oversight” authority to manipulate the Internet in some way. And Vixie, who administers one of the official root servers of the US Commerce Dept-centered system, is siding with them. Good!

Vixie goes to great lengths to assure us that this raises none of the compatibility issues of an alternate root. But in fact, this is not quite true. True, they are not trying to sell new TLDs. But if the USG abuses its oversight authority and does something to the root zone that makes it different, such as throwing Iran’s ccTLD out of the root zone, will ORSN follow suit? I suspect (and hope) not. Then you will have a split root.

In essence, Paul Vixie is saying is that he is willing to risk splitting the root for defensive, political reasons, and not for profit-motivated, economic reasons. Which is fine, those priorities are defensible and reasonable. But it’s an interesting and welcome departure from the “one true root” orthodoxy that used to prevail in IETF.

JFC Morfin  –  Oct 9, 2005 11:27 PM

Milton, you may also recall what some root servers operators did with PathFinder. They entered into illegal resistance. The TLD Manager is supposed to be the boss of his zone, yet they coalized against the .com TLD Manager.

Another interesting case was the KPN-Quest ccTLD secondary servers: when KPN-Quest closed overnight every ccTLD having a secondary server with them (66 ccTLDs if I am right, mostly European) quickly replaced them and submitted their new IP addresses. It took a longer time for the NTIA root file to be updated for some countries (including .DE). ORSN was for more than three months the only way to use a root reflecting the ccTLDs reality.

Obviously, ORSN is interesting. But GSMA/NeuStar is more, because of its established users base including and extending the Internet users base. Let us consider that GSMA/NeuStar starts a PathFinder II service. Users were quite happy with PathFinder I. A leak from NeuStar (they already added .gprs) would be a pollution. But a pollution the users like becomes a service. Verisign could not go too far and be accused of running an alt/open-root due to the terms of their cooperation agreement with the USG. NeuStar has no cooperation agreement. Would ICANN redelegate “.us”? We could have two “.us”, one on mobiles, one on the Internet? Some advertising for “.usa”!!!

Markus Grundmann  –  Oct 10, 2005 9:20 PM

I founded ORSN back in 2002, even if I could hardly imagine that a TLD will ever be removed from the root zone by the DoC. However, there is still a chance that this may happen and therefore ORSN is absolutely right to continue offering its services to the internet. To put it politely: ORSN is protest against the ICANN.

It’s not bearable that a government can make modifications without others supervising it. Don’t forget that today’s internet is a “child” of the USA and you always want to keep control of your children, don’t you? But children grow up and one day, the DoC has to let this child go.

Personally, I haven’t been in USA yet and got my (limited) knowledge of the people and the country solely from internet and TV. But seeing the arbitrariness of the US government’s decisions, I’m getting angry. What I mean is that I’m more pro USA than I’m against it. But I can’t accept it when such an important media like the internet is controlled by a single government, who classifies everyone else as a part of an “axis of evil” only because opinions or interests differ.

If at one day the ICANN (or its successor) will become an international organization, then I’ll say: “No one needs ORSN anymore and I’ll gladly cease the project - given that all the other operators agree.”

We never had a doubt that the technical infrastructure of ICANN/IANA is sufficient. ANYCAST also improved the root system technically. But it’s still a collective whose roots are in the DoC. Even an ANYCAST with thousands of instances throughout the world doesn’t help here. A tree with a rotten root can’t have green leaves (however, no one seems to have noticed that yet).

I welcome the activities of Paul Vixie and I hope that ORSN will work out many ideas and solutions together with Paul. Therefore, I regard his membership as non political.


Paul Vixie  –  Oct 10, 2005 10:33 PM

I’m afraid that Milton Mueller likewise did not make the list of agents or spokesman for me, and so when he claims that “In essence, Paul Vixie is saying is that he is willing to risk splitting the root for defensive, political reasons, ...,” it really is Mr. Mueller talking about his own mistaken impressions about what I’m doing and why.  I won’t mention this again on this thread, but I wanted to be sure to get it on the record.

JFCM spake thusly: “Milton, you may also recall what some root servers operators did with PathFinder. They entered into illegal resistance. The TLD Manager is supposed to be the boss of his zone, yet they coalized against the .com TLD Manager.”, and I think he means “SiteFinder” but it’s hard to be sure, since it had nothing to do with the root zone, and no actions I’m aware of were illegal.  I do know that “boss of his zone” is too course grained, and that in the SiteFinder debate a distinction was raised between zone stewardship and zone ownership.

JFC Morfin  –  Oct 11, 2005 8:09 AM

Paul, I keep using “PathFinder” from a pun made at that time I found interesting. Someone I read said the dispute over SiteFinder raised the issue to first find the proper path. But it seems that it did not get proper recognition.

My Franglish does not permit me to be sure what “JFCM spake thusly” may imply? Nor “too course grained”? What I mean is that the zone manager is the boss of his zone - the one who sovereignly decides, plugs and unplugs. This could be a basic definition of the subsidiarity principle. Ownership or stewardship are interesting issues but are secondary to the question at hand: they qualify the right, not the architectural exercise of the right. As one says “the Judge will tell if the killer had or not the right to kill, but the dead will stay dead”.

There is a confusion in the DNS inherited from the ARPA Internet days. When the Internet had gateways into other nets and in the public international network, a hierarchy made sense, retaining some centralisation. Once the Internet became global, that “root” hierarchy does not make sense anymore. We are in an “inter pares” “forest” decentralised situation. I accept this took time to build and will still take time and experimentation to be accepted. And this is what ORSN does, because in a decentralised system “It’s not bearable that a government can make modifications without others supervising it.”

But in reality the Catenet system of Louis Pouzin Vint partly used for the Internet, is distributed. Distributed means that every zone manager is his boss. Again stewardship and ownership are different issues. Distributed also means that hierarchy is no more. This is replaced by URIs and soon by a DRS (distributed registry system) along with ISO 11179 network adapted rules (and IMHO the DNS [as a piece of architecture and code] might survive it well). I find fun all these people fighting UN because of the States involvement and wanting to protect the USG involvement, when the very distributed nature of the network is that everyone is his own boss. And NO State is involved at that level.

I accept that making it work is complex. But we had 20 years to do it. Now people not only want it but have the capacity to do it. Not only as “States” as the Chinese names, what leads to balkanisation. But as individuals, what leads to a mess if we do not organise quick to jointly deliver what they will take by themselves. The time is no more to “alt/open-roots”. The time is to personal roots. And if the USA continue saying “no way”, in 80% of the world it will not only be considered as fun, but as patriotic!

I submit we have a real problem.

Christopher Parente  –  Jan 25, 2006 11:23 PM


Congratulations on all the coverage (and your picture!) in the 1/19 WSJ article. Thought the piece laid out the issues very coherently.

“The Internet is no longer the kind of thing where only six guys in the world can build it,” says Paul Vixie, 42 years old, a key architect of the U.S.-supported Internet. “Now, you can write a couple of checks and get one of your own.” To bring attention to the deepening fault lines, Mr. Vixie recently joined the German group’s effort.

Mr. Vixie says he joined ORSN to make clear his view that such efforts will continue unless Icann becomes more inclusive. “I realize that this could help unleash the hordes of hell,” he says. “But I hope it will make people wonder: ‘What if there are more of these?’”

Stephane Bortzmeyer  –  Feb 28, 2007 4:00 PM

After the great failure of February 8th (where all the name servers of ORSN stopped responding, even A replied SERVFAIL), I notice that, today, half of the name servers still say SERVFAIL.

The Web page does not mention it.

Moral: setting up an alternative root and a Web page is easy. Maintaining it in the long term is more work.

A former ORSN user

JFC Morfin  –  Feb 28, 2007 9:50 PM

I am happy to learn that Stephane used ORSN. ORSN has a very interesting feature: loggers are not copied to the NSA.

This is an interesting issue. IANAL and I have not the money to call on lawyers for that. But my intent, after the end of the presidential campaign, is to ask the French Justice if the Root Server System is legal in France and Europe or not.

The recent decree published to apply the law on trust in the digital ecosystem simplifies such an action.

The AOL’s logger example, permitting to deduce many private and economical intelligence information from a logger leads me to think that the leak of private, economical, and political information to interests located outside of the French jurisdiction, either makes the root system illegal in France (and in Europe), or calls for a mandatory information of the users, and the support of alternatives. These alternatives can be a decentralisation of the unique point of control/failure, like ORSN or like permitted by AFRAC, or a distributed approach of the DNS operations as ICANN suggested the experimentation in its ICP-3 document.

A simple move would permit everyone to make its mind and test this possibility in respecting the ICANN ICP-3 recommendations. It would simply be that Paul Vixie would support a Bind Windows XP Family version which would be easy to install and manage. This would permit once for all to make the market to transparently decide, instead of forcing it to accept one single US oriented solution. Before Microsoft decides to publish one to its own advantage, as its habit to move the DNS information around to prevent an easy development of a personal resolver shows they have the idea in mind.
