<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Parminder,<div><br><div><div>On Aug 5, 2012, at 5:40 AM, parminder <<a href="mailto:parminder@itforchange.net">parminder@itforchange.net</a>> wrote:</div><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">Now, we know that there are three kinds of root servers, the
authoritative root server (in which changes are made to the root
file vide the IANA process), 13 root servers and then the any number
of mirrors that can allegedly be created by making an investment of
3k usd .<br></div></blockquote><div><br></div><div>No.</div><div><br></div><div><div>There is a "distribution master". This is a machine that allows for zone transfer of the root zone data maintained by the "root management partners" (ICANN, Verisign, U.S. Dept. of Commerce NTIA) by anyone that holds the private root zone TSIG key (password). It is not publicly accessible and does not (I believe) respond to any DNS query other that "AXFR" (zone transfer), "IXFR" (incremental zone transfer), and "SOA" (start of authority, used to figure out if a server needs to do a zone transfer). As such, it is not a "root server".</div><div><br></div></div><div>There are "root servers". These are devices that are numbered with one of 13 IP(v4) addresses listed in <a href="http://www.internic.net/domain/named.root">http://www.internic.net/domain/named.root</a> to which the root zone is transferred and which respond to all DNS queries with referrals to top-level domains (exceptions being for queries for data in the <a href="http://root-servers.net">root-servers.net</a> and arpa zones which are co-resident with the root zone on 12 of the root servers).</div><div><br></div><div>That's all. There are no special "13" machines that are the "true root servers" from which other lesser machines mirror the root zone. The devices that make up the root servers vary from single machines in one geographical location (this describes "B" and "D") to clusters of machines either localized or spread out geographically using "anycast" (this describes all the other root servers). Within the latter, there are different distribution models primarily to limit the load on the "distribution master". In many cases (particularly for the root servers that have many machines), there is an "internal distribution master" that fetches the zone from the "real" distribution master and makes it available to all the other machines for that root server. In other cases, each individual machine that makes up the root server fetches the root zone from the "real" distribution master directly.</div></div><div><br></div><div>I should probably note that any resolver operator can (assuming their resolver is capable of it which most are) mirror the root zone into their resolver, but this doesn't make that resolver a root server since it doesn't have one of the 13 IP(v4) addresses.</div><div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">What I see is that, while there are of course clearly very
significant differences between these three layers or kinds of root
servers, much of the 'technical input' on this list that I have come
across seem to focus on the non-difference and greatly underplay the
difference. </div></blockquote><div><br></div><div>As discussed above, the distinction you are making doesn't exist.</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">This I think is politically motivated, though disguised
as factual neutral/ technical information.</div></blockquote><div><br></div><div>Conspiracy theories are tricky things as it makes it difficult to communicate.</div><div><br></div><div>As you have assumed conspiracy, I suspect trying to explain further is pointless since presumably I and anyone else who tries to disabuse you of your beliefs would obviously be part of the conspiracy. I will, however, continue trying since <a href="http://www.xkcd.com/386/">http://www.xkcd.com/386/</a>.</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">We read in the discussions that the limit of 13 no longer is
meaningful. </div></blockquote><div><br></div>You misread. The 13 IP(v4) address limitation due to the default maximum DNS message size still exists. While there are now ways around this limitation (specifically, the EDNS0 extension to the DNS specification), these ways are not universally supported and as such, cannot be relied upon, particularly for root service.</div><div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">So if indeed it is not, why not breach it and make
people of the world happy. </div></blockquote><div><br></div><div>Even if it were possible, I sincerely doubt everyone having their own root server would make the people of the world happy.</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">Even within the limit of 13, why not
allocate root servers in a geo-graphically equitable manner, as
Sivasubramanian has suggested, especially when it seems to make no
difference at all to anyone. Why not make all these ill-informed
ministers happy. </div></blockquote><div><br></div><div>As mentioned in a previous note, the operators of the root servers are independent (modulo "A" and "J" (through the Verisign contract with the USG) and "E", "G", and "H" (operated by USG Departments), albeit each of these operators deal with their root servers differently). How root server operators distribute their instances is entirely their decision. To date, there has apparently been insufficient justification for those root server operators to decide to distribute their machines in a "geo-graphically equitable manner".</div><div><br></div><div>With that said, there are at least two root server operators ("L" (ICANN) and "F" (ISC)) who have publicly stated they are willing to give a root server instance to anyone that asks. Perhaps the ill-informed ministers could be informed of this so they could be happy?</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">I read that there is no central control over the 13 or at least 9 of
these root servers. Is it really true? </div></blockquote><div><br></div>Yes. The diversity of architecture and lack of centralized control is seen as a feature as it reduces the opportunities for "capture".</div><div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">Is the 13 root server
architecture not something that is aligned to what goes in and from
the authoritative root server. </div></blockquote><div><br></div>Root server architecture is independent of how the root zone is distributed.</div><div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">If it is, why can these root servers
not be reallocated in the way tlds have been reallocated. Can they
be reallocated or cant they? </div></blockquote><div><br></div><div>In practical terms, the "reallocation of a root server" boils down to transferring the root server's IP address and telling the new owner the zone transfer password.</div><div><br></div><div>Before the DNS became a political battleground, root server "reallocation" occurred (extremely infrequently) when (a) the person to whom Jon Postel "gave" the root server changed employers or (b) the assets of the organization running the root server were acquired by another company. Today, "reallocation" of a root server would either require the existing root server operator voluntarily giving the root server IP address to a different organization or that IP address would have to be "taken" by eminent domain or somesuch.</div><div><br></div></div><div><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">I also read that the it is not about 13 physical root servers, but
13 root server operators, </div></blockquote><div><br></div><div>Well, 12 operators (since Verisign operates two root servers).</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">so the number 13 is about the root server
ownership points, and not physical location points. </div></blockquote><div><br></div>In the sense that there are 13 IP(v4) addresses that are "owned" by 12 organizations. Geography is largely irrelevant.</div><div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">Therefore what
is needed is to reallocate the ownership points in a geo-politically
equitious manner. As Siva suggests, probably one to an Indian
Institute of Technology. </div></blockquote><div><br></div><div>Somewhat as an aside, my understanding is that efforts to provide infrastructure (not root server infrastructure specifically albeit the same folks do provide anycast instances for a root server operator) in India were blocked by demands for bribes greater than the value of hardware being shipped into the country (see <a href="http://permalink.gmane.org/gmane.org.operators.nanog/100786">http://permalink.gmane.org/gmane.org.operators.nanog/100786</a>).</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">Why this is not done, or cant be done are
the real questions in the present debate. Any answers?<br></div></blockquote><div><br></div><div>Sure. You are assuming a top-down model that does not exist. There is no single entity that can dictate to the root server operators "you will give your root server to IIT". You and others that care about this are free to make the case to (say) Verisign that it would be in their corporate best interests for them to relocate administrative control of one of their root servers to India, but it would be up to Verisign (or perhaps more accurately, its shareholders) to make that decision.</div><br><blockquote type="cite"><div bgcolor="#FFFFFF" text="#000000">Is the real problem here that if root server allocation issue is
opened up, countries would like to go country-wise on root servers
(as the recent China's proposal for 'Autonomous Internet') which
will skew the present non-nation wise Internet topology (other than
its US centricity), which is an important feature of the Internet.<br></div></blockquote></div><br></div><div>No. Placement of root servers has no impact on Internet topology. Really. Distributing root server instances can be helpful in reducing root query latency and improving resiliency in the event of network disruption. That's pretty much it. Opening up the "root server allocation issue" is a red herring, particularly given pretty much anyone can get a root server instance if they care and are willing to abide by the restrictions inherent in operating a root server. </div><div><br></div><div>Merging a subsequent note:</div><div><br></div><div><div class="moz-cite-prefix">On Sunday 05 August 2012 06:10 PM, parminder wrote:</div></div><div><blockquote type="cite"><span style="background-color: rgb(255, 255, 255); ">' administrative access will not be available' to the anycast operator to his own anycast server. </span></blockquote><div><br></div><div>Yes. However, if you ask anyone familiar with computer systems, you will be told that if you have physical access to a machine, you can gain control of that machine. Obtaining such control would violate the terms by which the machine was granted, but that's irrelevant.</div><br><blockquote type="cite"><span style="background-color: rgb(255, 255, 255); ">This is a pretty centralised control, </span><span style="background-color: rgb(255, 255, 255); ">not at all the picture one got from all the technically well informed insiders who seem to suggest on this list that everything is open, uncontrolled and hunky-dory and kind of anyone can set up and operate root servers.</span></blockquote><div><br></div><div>I'm getting the impression that you read what you prefer to read, not what is actually written. No one (to my knowledge) has suggested "everything is open, uncontrolled and hunky-dory". Root service is considered critical infrastructure and is treated as such, so anyone asserting it is "open and uncontrolled" would be confused at best. Can you provide a reference to anyone making this suggestion?</div><div><br></div><div>As for "hunky-dory", I suppose some folks would say the way the root servers are operated is "hunky-dory". I am not among them.</div><div><br></div><blockquote type="cite"><span style="background-color: rgb(255, 255, 255); ">Was the African minister really so wrong, or even the Indian minister? </span></blockquote><br></div><div>Yes. Really. </div><div><br></div><div>Regards,</div><div>-drc</div><div><br></div></body></html>