Domain name system fragmentation? Risk and reality (WS75)

9 Dec 2016 13:00h - 14:30h

Event report


This session was led by Dr Milton Mueller, Professor, Georgia Institute of Technology, and was organised around three segments related to a possible future disturbance in the DNS: fragmentation caused by geopolitical decisions, alternative technical solutions, and innovations.

Mr Oleg Demidov, Consultant, PIR Center, Russia, opened the session by saying that the probability of a major split in the existing system is very low. He talked about recent concerns of the Russian government about the possible instability of the national segment of the DNS. This began in 2014, and prompted cyber training exercises conducted to test the resilience and stability of the Russian segment of the Internet. All critical scenarios were included in the study, from deleting the TLDs to other failures or modifications related to the Russian ccTLD in the global root zone file. Of all the models, a major failure in the global DNS had the lowest probability of occurrence. Nevertheless, even with the extremely low probability, this scenario might have critical consequences, he added. With that in mind, Russian regulatory bodies set in motion a set of policies in order to duplicate and back up the information related to all of the domains and names in the Russian domain name system. This will give them the ability to replicate them on local servers in the case of a major failure or disruption in the global DNS. This is not a case of fragmentation of the DNS but rather a redundancy issue, he added.

Ms Farzaneh Badiei, Associate Researcher, Humboldt Institute for Internet and Society, explained the court case concerning the TLD .ir, dedicated to the Islamic Republic of Iran. A group of victims of terrorism gained a monetary judgment against the state of Iran. Since Iran does not have assets in the USA, they argued that .ir is in fact property and should be attached to them. ICANN refused the request, stating that a ccTLD is not property. In the subsequent court battle the domain was characterised as property, but property that cannot be seized. In the final court argument, it was stated that this attachment would impair ICANN’s interest in protecting the stability and interoperability of the Internet, which in certain ways explains the geopolitical reasoning behind this decision, she added.

Discussion on alternative technical solutions started with a presentation by Mr Paul Vixie, Internet pioneer and innovator, involved in the creation of the current DNS. He presented the Yeti project, which is a ‘parallel experimental live IPv6 DNS root system to discover the limits of the DNS root name service’. He stated that Yeti is not intended to bifurcate or amend the global root and the existing IANA namespace. He stated that whatever you are going to do on the Internet, in order to be relevant and successful, it has to be done in cooperation with the other people on the Internet. Project Yeti is showing that the DNS can be fragmented, and goes in the direction of national or even regional splitting of the DNS. Anyone could create a parallel system that is powered completely by the optimal cooperation of the people who are publishing and subscribing, he noted. Vixie added that the reason why other alternative domain name systems have failed can be found in IANA’s ability to cooperate. ICANN has always been open to the community. As long as it continues this way, IANA is not in danger.

Mr Kaveh Ranjbar, Chief Information Officer, RIPE NCC, indicated that a project like Yeti should not be considered to be like the Internet, but rather Internet technology. The Internet Engineering Task Force (IETF) is the glue that keeps the Internet together, he added. If it does not come from the IETF, we should not consider it to be a fragmentation, but rather an experiment within the Internet infrastructure. If the IETF were voting on a new RFC stating that a resolver can use more than one address for routing, that’s what he would consider to be Internet fragmentation, he added.

Mr Andrew Sullivan, Director of DNS Engineering, Dyn, pointed out that the magic of the Internet is that it is a collaborative effort, shown by the fact that all individual networks share some common pathways so that they work together. No authority is in the middle. This allows arbitrary connections between people without anybody’s permission, in addition to other forms of permissionless innovation. He mentioned .local and .onion, which are parts of the hierarchical name space but are not in the DNS. There is technical resistance to fragmentation, as well as practical resistance to fragmentation. It is in everybody’s self-interest to have a unique name space.

Mr Brenden Kuerbis, Postdoctoral Researcher, Internet Governance Project, Georgia Institute of Technology, pointed out that a good path would be to focus on the security and stability of the DNS, while continuing to foster innovation in the core infrastructure. The institutionalisation of a networked governance structure that involves all the communities leads to a mutually beneficial outcome, he added. Anyone can innovate in the field of a complementary or competing naming system, and be assured that a request for globally compatible identifiers will be satisfied by the Public Technical Identifiers (PTI). In this sense PTI serves as a non-discriminatory way of coordinating the namespace.

Mr Ryan Shea, Co-founder of Blockstack Labs, gave an overview of the idea behind Blockstack, which provides a DNS built on blockchain technology. It runs on top of Bitcoin’s blockchain, and it offers a decentralised way of running an individual namespace. Users can create their own namespace, and set their own configuration and parameters. He added that this is a flat name space, so there are no servers. Therefore it can be considered an alternate root where the security and the integrity of the data are backed by the blockchain. It is operational and there are around 70,000 names registered. All names own public keys, so it is not necessary to acquire security certificates separately, he added. This could replace a hierarchical root service with a decentralised virtual hierarchy with no single place to attack in order to undermine the system.

In the closing discussion, Sullivan again pointed out that there is a special registry maintained as part of the IANA protocol registries, so that these alternative naming systems can exist alongside the core of the DNS without fragmenting it.
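As an added illustration of the point Sullivan makes (this is example code written for this report, not material from the session or any panelist), the following stub-resolver policy shows how names such as .local and .onion coexist with the global DNS: a resolver that honours the IANA Special-Use Domain Names registry answers them locally or hands them to the right subsystem, and only forwards ordinary names to the root. The registry subset and the handling labels are assumptions simplified from RFC 6761, RFC 6762 and RFC 7686.

```python
"""Stub-resolver policy driven by a subset of the IANA Special-Use Domain Names registry."""
from typing import Optional, Tuple

# Assumption: a small constructed subset of the registry; handling labels are
# this example's own simplification of what the cited RFCs require.
SPECIAL_USE = {
    "localhost": "loopback",  # RFC 6761: resolve to 127.0.0.1 / ::1 locally
    "invalid": "nxdomain",    # RFC 6761: answer NXDOMAIN, never forward
    "local": "mdns",          # RFC 6762: hand to multicast DNS, not unicast DNS
    "onion": "nxdomain",      # RFC 7686: Tor names must not leak to the DNS
    "test": "forward",        # RFC 6761: reserved for testing (constructed handling)
}


def normalize(name: str) -> list:
    """Lower-case the name, drop the trailing root dot and split into labels."""
    return [label for label in name.rstrip(".").lower().split(".") if label]


def classify(name: str) -> Tuple[str, Optional[str]]:
    """Return (handling, matched_tld); handling 'forward' means send to the global DNS."""
    labels = normalize(name)
    if not labels:
        return ("root", None)          # the root itself is always a DNS query
    tld = labels[-1]
    handling = SPECIAL_USE.get(tld)
    return (handling, tld) if handling else ("forward", None)


def route_queries(names: list) -> dict:
    """Bucket constructed query names by where the stub resolver would send them."""
    buckets: dict = {}
    for name in names:
        handling, _ = classify(name)
        buckets.setdefault(handling, []).append(name)
    return buckets


if __name__ == "__main__":
    # Constructed sample queries, including a mixed-case name with a trailing dot.
    sample = ["www.example.net", "printer.local", "abc123.ONION.", "localhost", "x.invalid"]
    for handling, names in route_queries(sample).items():
        print(f"{handling:9s} {names}")
```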

The audience was interested in the Digital Object Architecture (DOA) (a Corporation for National Research Initiatives (CNRI) proposal adopted by the ITU), which provides persistent locators for digital objects, as opposed to domain names, which blend locations and resources. Panelists noted that DOA is actually complementary to what the DNS is doing. Nevertheless, if in the future DOA attracts a critical mass of millions or even billions of IoT devices, and decides to run the whole thing outside the IETF (in a way competing with it in standardisation), it might have serious effects on the current DNS, with possible fragmentation.

In conclusion, Vixie reminded us about the long tail of the DNS (many devices will never be updated and will only be able to communicate using the old protocol), and that it will most likely remain a permanent feature of the Internet.

by Arvin Kamberi