What are root servers and why are there only 13 of them?

Root servers are the base on which the Internet's naming system runs. Each server contains a copy of the same file. The file itself is actually very small but it acts as the Net's definitive directory and without it, the single Internet that we enjoy now would be put at risk.

There are 13 servers dotted across the world that store this file (they are named "A" through to "M"). There are 13 because of a decision taken in the very early days of the Internet to give one type of data packet (UDP) a maximum size of 512 bytes. Those 512 bytes provide just enough room to name 13 different places on the network (although those 13 names are represented by servers in more than 100 different geographic locations).

Although it has since become possible to send much larger UDP packets, the speed, simplicity and universal acceptance of the 512-byte UDP packet has meant that retaining 13 root servers has been agreed on as the most secure way to underpin the Internet.
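To make the 512-byte figure concrete, the following is an added example (not part of the original page) that builds the response to a root "priming" query, the NS records for "." plus one A glue record per server, in DNS wire format with RFC 1035 name compression, and measures it. The server names follow the "A" through "M" pattern the page describes; the TTL and the glue addresses (taken from the 192.0.2.0/24 documentation range) are constructed assumptions, and a small decoder checks that the compressed names round-trip.

```python
import struct

# RFC 1035 constants: the classic DNS-over-UDP payload ceiling is 512 bytes.
UDP_LIMIT = 512
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1
ROOT_TTL = 518400  # assumed TTL (6 days) for the constructed records


def root_server_names(n=13):
    """Constructed names a.root-servers.net, b.root-servers.net, ... (n <= 26)."""
    return [f"{chr(ord('a') + i)}.root-servers.net" for i in range(n)]


class MessageBuilder:
    """Minimal DNS wire-format writer with RFC 1035 section 4.1.4 name compression."""

    def __init__(self, compress=True):
        self.buf = bytearray()
        self.compress = compress
        self.offsets = {}  # name suffix (tuple of labels) -> offset of its first copy

    def write_name(self, name):
        labels = tuple(l for l in name.rstrip(".").split(".") if l)
        for i in range(len(labels)):
            suffix = labels[i:]
            if self.compress and suffix in self.offsets:
                # Pointer: two high bits set, then the 14-bit offset of the earlier copy.
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if self.compress and len(self.buf) < 0x4000:
                self.offsets[suffix] = len(self.buf)
            label = labels[i].encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"  # zero-length root label terminates the name

    def write_rr(self, owner, rtype, ttl, write_rdata):
        self.write_name(owner)
        self.buf += struct.pack("!HHI", rtype, CLASS_IN, ttl)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"  # RDLENGTH placeholder, patched once RDATA is written
        start = len(self.buf)
        write_rdata()  # RDATA may contain compressed names, so measure afterwards
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - start)


def build_priming_response(servers, compress=True):
    """Response to a priming query (NS for '.') with one A glue record per server."""
    b = MessageBuilder(compress)
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative), RCODE=0
    b.buf += struct.pack("!HHHHHH", 0x1234, flags, 1, len(servers), 0, len(servers))
    b.write_name(".")  # question section: NS records for the root
    b.buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for s in servers:
        b.write_rr(".", TYPE_NS, ROOT_TTL, lambda s=s: b.write_name(s))
    for i, s in enumerate(servers):
        glue = bytes([192, 0, 2, i + 1])  # constructed glue from the 192.0.2.0/24 documentation range
        b.write_rr(s, TYPE_A, ROOT_TTL, lambda g=glue: b.buf.extend(g))
    return bytes(b.buf)


def read_name(msg, pos, hops=0):
    """Decode a possibly compressed name; returns (labels, position after the name)."""
    labels = []
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer
            if hops > 16:
                raise ValueError("pointer loop")  # guard against hostile pointer chains
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            return labels + read_name(msg, target, hops + 1)[0], pos + 2
        pos += 1
        if length == 0:
            return labels, pos
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def ns_targets(msg):
    """Walk the question and answer sections and return NS targets (round-trip check)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4  # QTYPE + QCLASS
    targets = []
    for _ in range(an):
        _, pos = read_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_NS:
            targets.append(".".join(read_name(msg, pos)[0]))
        pos += rdlen
    return targets


def priming_response_size(n_servers=13, compress=True):
    """Wire size of the priming response: 13 servers compress to 436 bytes, 862 uncompressed."""
    return len(build_priming_response(root_server_names(n_servers), compress))
```

Running `priming_response_size(13)` gives 436 bytes, comfortably inside the 512-byte limit, while the same message without compression (`compress=False`) is 862 bytes and would not fit; name compression is what makes the 13-server root hint fit a single classic UDP response.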

Where are those root servers?

In terms of Internet topology, some servers are placed in very well connected locations so that they can serve the maximum number of clients, while others are in relatively isolated places to provide reliable service to the local community while reducing non-local DNS traffic. The exact locations of many servers are not published, for fear of physical attacks.

Why Anycast?

Having sufficient network capacity to reach the servers is a big concern under high load. One way to address this is to shorten the distance between clients and servers by distributing the servers in the network. This way queries and responses have to travel shorter distances and thus use less network resources. Potential congestion near relatively few busy servers is spread out and more servers can be effectively deployed.

The number of addresses at which root name service is provided is limited to 13 by the current DNS protocol. To deploy servers at additional locations, the addresses have to be re-used. This is done by announcing network routes (note the different spelling and meaning from "roots") towards the same address from every place where a server is deployed; the routing system then selects which server receives the traffic, generally the one closest to the client in network topology.

Using anycast the number of operational server locations has grown from 13 in 4 countries (2002) to more than 80 in 34 countries (December 2004) and more than 130 in 53 countries in September 2007. This has made the root name server system much more resilient to denial of service attacks and has also improved service quality in many regions.

Who is in charge of co-ordinating the root servers?

No one person or group is in charge of the servers or of co-ordinating their operators, although there are two committees that exist within the Internet Corporation for Assigned Names and Numbers (ICANN) that often review the situation and provide advice and occasional recommendations about the operational requirements of root name servers and their security. They are the Root Server System Advisory Committee (RSSAC) and the Security and Stability Advisory Committee (SSAC).

Are "anycast" servers different from the "real" servers?

No. When anycast distribution of an existing server is implemented, all servers become "anycast servers", including the "original" server. All anycast instances behave identically, and have the same status within the DNS.

What can be done to reduce the risk of root server attacks in future?

There are various measures, aside from strengthening the root servers themselves, that will help defeat future attacks on the DNS.

In a March 2006 report on the DNS attack of the previous month, the SSAC made three recommendations for counteracting such attacks:

  1. That those running networks adopt "source IP address verification" - i.e., that they improve and tighten existing systems.
  2. That root server operators and those running country code top-level domains draw up their countermeasure policies, respond quickly to queries, and act quickly to add servers back into the system if the owner shows they have improved their security.
  3. ISPs should only accept DNS queries from trusted sources (i.e., their own customers) rather than allow anyone to use their servers.
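The third recommendation, serving recursive queries only to trusted sources, is usually enforced with an address match list on the resolver. The following is an added example (not taken from the page or from any SSAC material) that evaluates a BIND-style address match list and runs it over a few constructed, BIND 9-style query log lines to find recursive queries ("+" flag, recursion desired) that an open resolver answered but a properly restricted one would have refused. The log format, the ACL entries and all addresses (from the documentation ranges) are assumptions for illustration.

```python
import ipaddress
import re

# Constructed BIND 9-style query log lines (not from the page). The "+" or "-"
# after the query type records whether the client asked for recursion (RD bit).
SAMPLE_LOG = """\
client 192.0.2.25#53211: query: www.example.com IN A + (192.0.2.53)
client 2001:db8:1::7#40012: query: mail.example.net IN MX + (2001:db8::53)
client 203.0.113.9#5353: query: example.org IN A + (192.0.2.53)
client 198.51.100.4#1024: query: example.org IN A - (192.0.2.53)
client 203.0.113.77#33000: query: example.net IN TXT + (192.0.2.53)
"""

# Assumed customer prefixes, BIND address-match-list style: first match wins,
# "!" negates an entry, anything unmatched is denied.
TRUSTED_ACL = ["!192.0.2.250", "192.0.2.0/24", "2001:db8::/32"]

LOG_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)


def acl_allows(acl, addr):
    """Evaluate a BIND-style address match list; the first matching entry decides."""
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        negate = entry.startswith("!")
        body = entry.lstrip("!")
        if body == "any":
            return not negate
        net = ipaddress.ip_network(body, strict=False)
        if ip.version == net.version and ip in net:
            return not negate
    return False  # no entry matched: implicit deny


def audit_query_log(lines, acl):
    """Return (source, qname, qtype) for recursive queries the ACL would not permit."""
    findings = []
    for line in lines.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        if not m["flags"].startswith("+"):
            continue  # iterative query: not a use of the recursive service
        if not acl_allows(acl, m["src"]):
            findings.append((m["src"], m["qname"], m["qtype"]))
    return findings


if __name__ == "__main__":
    for src, qname, qtype in audit_query_log(SAMPLE_LOG, TRUSTED_ACL):
        print(f"recursive query from outside trusted prefixes: {src} asked {qname} {qtype}")
```

On the constructed sample the two queries from 203.0.113.0/24 are flagged, the IPv4 and IPv6 customer queries pass, and the iterative query from 198.51.100.4 is ignored because it does not consume the recursive service. The same first-match-wins evaluation is what a resolver performs when deciding whether to honour the recursion-desired bit.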

©2007-2010 MYNIC BERHAD. All rights reserved.