There are not 13 root servers

by Kim Davies on November 15, 2007

I am at the UN Internet Governance Forum, being held this week in Rio de Janeiro, Brazil. A recurring theme you can hear here is one that has vexed the technical community many times before — “Why are there 13 root servers?” This question is usually followed by questions like “Why are most of the root servers in the US?”

So let’s dispel these myths.

There are not 13 root servers.

Instead, there are many hundreds of root servers at over 130 physical locations in many different countries. Twelve organisations are responsible for the overall coordination of the management of these servers.

So where does the 13 number come from?

There is a technical design limitation that means thirteen is a practical maximum to the number of named authorities in the delegation data for the root zone. These named authorities are listed alphabetically, from a.root-servers.net through m.root-servers.net. Each has associated with it an IP address (and shortly some will have more than one as IPv6 is further rolled out).
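The limitation referred to above is usually explained by the 512-byte ceiling on classic DNS-over-UDP messages (RFC 1035), which EDNS0 raises. The sketch below is an added example, not part of the original post: it builds the wire-format reply to a root NS query, with name compression, and measures it. The function names are this example's own, and the glue addresses are placeholders from documentation ranges.

```python
import struct

MAX_UDP = 512   # classic DNS-over-UDP message ceiling (RFC 1035), no EDNS0
TTL = 518400    # constructed value; the TTL does not affect message size

def encode_name(name, offsets, pos):
    """Encode a name at message offset pos, pointing at suffixes already written."""
    out = b""
    labels = [l for l in name.rstrip(".").split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if suffix in offsets:                      # RFC 1035 compression pointer
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def priming_response(n, n_v6=0):
    """Wire-format answer to '. IN NS': n NS records, n A glue, n_v6 AAAA glue."""
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(n)]
    offsets = {}
    msg = struct.pack("!HHHHHH", 0, 0x8400, 1, n, 0, n + n_v6)  # header
    msg += b"\x00" + struct.pack("!HH", 2, 1)                   # question: . NS IN
    for name in names:                                          # answer section
        head = b"\x00" + struct.pack("!HHI", 2, 1, TTL)
        rdata = encode_name(name, offsets, len(msg) + len(head) + 2)
        msg += head + struct.pack("!H", len(rdata)) + rdata
    for i, name in enumerate(names):                            # IPv4 glue
        addr = bytes([192, 0, 2, i + 1])            # placeholder (TEST-NET-1)
        msg += encode_name(name, offsets, len(msg)) + struct.pack("!HHIH", 1, 1, TTL, 4) + addr
    for i, name in enumerate(names[:n_v6]):                     # IPv6 glue
        addr6 = bytes.fromhex("20010db8") + bytes(11) + bytes([i + 1])  # placeholder
        msg += encode_name(name, offsets, len(msg)) + struct.pack("!HHIH", 28, 1, TTL, 16) + addr6
    return msg

def fits_plain_udp(n, n_v6=0):
    return len(priming_response(n, n_v6)) <= MAX_UDP

if __name__ == "__main__":
    for n, v6 in [(13, 0), (13, 2), (13, 3), (16, 0)]:
        size = len(priming_response(n, v6))
        print(f"{n} NS, {v6} AAAA glue: {size} bytes, fits in 512: {size <= MAX_UDP}")
```

With thirteen authorities the message comes to 436 bytes; the third AAAA glue record uses up the remaining headroom unless the resolver signals a larger buffer with EDNS0.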

But when we think of servers, we probably think of physical machines that sit on a desk, or perhaps lined up in racks in a specialised computing facility. By any measure, there are not 13 servers, as there is no correlation between the number of named authorities and the number of servers.

The majority of named authorities are spread across multiple cities, often multiple countries. The “I” root, for example, is located in 25 different countries. But even setting aside the physical diversity, the authorities that are in just one physical location in reality comprise networks of multiple servers that handle the millions of DNS queries the root servers receive every hour.

Another thing you may hear is that some of these root servers are just copies, whilst others are the “real” name servers. The reality is that every single root server is a copy, and none of them are more special than the others. In fact, the true master server from which the copies are made is not one of the public root servers.

So next time you hear there are 13 root servers, or that they are mostly in the US, just remember this map, courtesy of Patrik Fältström:

[Image: Map of Root Servers]

{ 27 comments }

Nthalk 11.15.07 at 9:46 am

Notice how there is only one in Russia and two in China? Without any evidence, it just smells like regulation and monitoring.

paul vixie 11.15.07 at 11:08 am

re: only one in Russia and two in China?

we (ISC) are grateful to our worldwide sponsors who have made it possible to put F.ROOT-SERVERS.NET in forty or so cities, and especially to those in china and russia.

if more sponsors step forward, then F.ROOT-SERVERS.NET will appear in more places. contact joao@isc.org if you’re interested.

Diane Boling 11.17.07 at 11:44 am

This technical limitation has existed for well over a decade. Why do we still have to deal with this limitation?

Is it not true that there may be 130 root servers but the same old 13 are the only ones listed in the bind distribution, and if the root servers aren’t listed in the 13 authoritative root servers they really don’t exist to the whole world?

David Conrad 11.17.07 at 3:19 pm

This technical limitation has existed for well over a decade. Why do we still have to deal with this limitation?

It is often difficult to change an airplane’s engine in flight. A technical solution exists (it’s part of something called EDNS0), but getting universal deployment in a backwards compatible way has proven to be somewhat challenging. With EDNS0 it may be possible to add a few more root servers, but the technical justification has been lacking.

Is it not true that there may be 130 root servers but the same old 13 are the only ones listed in the bind distribution, and if the root servers aren’t listed in the 13 authoritative root servers they really don’t exist to the whole world?

Yes and no. There are 13 root server addresses found in (caching) name server implementations (BIND is an example of one). However, with the appropriate use of “anycast” (also known as “shared unicast”) routing techniques, each of the 13 IP addresses can be assigned to more than one machine. Thus, the 130+ root servers around the world.

Veni Markovski 11.17.07 at 3:28 pm

Actually there are two in Russia – and you can see them on the map. There’s one in Bulgaria, too.

David Conrad 11.17.07 at 7:13 pm

Regulation and monitoring by whom?

Joseph Friedman 11.17.07 at 8:52 pm

Another thing you may hear is that some of these root servers are just copies, whilst others are the “real” name servers. The reality is that every single root server is a copy, and none of them are more special than the others. In fact, the true master server from which the copies are made is not one of the public root servers.

Is it not the case that the “A” root server (administered by Verisign) distributes the data to the other root servers? If not, has there been a change in practice in this regard at some point?

Press reports, both within the industry as well as the mass media, have frequently made a distinction of the “A” root server as being the originator of any changes to the system.

David Conrad 11.17.07 at 10:49 pm

Is it not the case that the “A” root server (administered by Verisign) distributes the data to the other root servers?

No. All the root servers get their data from a “hidden master” name server (a name server that isn’t published as a name server for the zone). The hidden master is run by VeriSign.

Nomi 11.18.07 at 12:32 am

This article doesn’t explain things very well, read this for more info: http://en.wikipedia.org/wiki/Root_nameserver

John Crain 11.19.07 at 2:59 pm

For more clarity, a.root-servers.net used to be the distribution server long ago. This is where that myth comes from.

This has not been the case for a long time.

Currently there are multiple “hidden master” servers that are used for distributing the zone to the root-servers.

Also the zone is available to the general public via ftp from:

ftp://ftp.internic.net/domain

Joseph Friedman 11.19.07 at 6:29 pm

John,

David mentioned above that these “hidden master” servers are still administered by VeriSign (who administers the “A” root as well.)

So other than this change of distribution from the “A” root to the hidden master servers being of a technical nature, VeriSign still physically “controls” (for lack of a better word) the distribution of this master data, although in theory I assume IANA determines its contents.

Is this a fair analysis?

Joseph Friedman 11.19.07 at 7:21 pm

One other point worth understanding is why is VeriSign administering (as per David above) these hidden master servers as opposed to them being administered by IANA directly?

Is this service included in VeriSign’s .com/.net registry contract with ICANN? And if so, why?

Kim Davies 11.20.07 at 9:56 am

VeriSign’s role in the root publication process is dictated by a cooperative agreement between VeriSign and the US Department of Commerce. It is documented at http://www.ntia.doc.gov/ntiahome/domainname/nsi.htm

Joseph Friedman 11.20.07 at 10:37 am

Thanks Kim. And what is the logic behind this “cooperative agreement” between VeriSign and the US Department of Commerce? Is it a no-bid? Does VeriSign continue this role indefinitely? Or is it perhaps somehow tied to the .com/.net registry contract?

David Conrad 11.20.07 at 5:30 pm

And what is the logic behind this “cooperative agreement” between VeriSign and the US Department of Commerce?

You should probably ask the Dept. of Commerce about that since ICANN isn’t a party to that agreement.

Joseph Friedman 11.20.07 at 6:33 pm

David,

I’m not familiar with who at DOC/NTIA would be the point person to respond to such an inquiry. Do you have a contact?

Although this agreement is between DOC and VeriSign, obviously IANA/ICANN have a major role in this issue. Does IANA provide VeriSign the instructions on what should be included in the master data, or does the DOC/VeriSign agreement assign VeriSign to determine what data is published?

And is IANA/ICANN sufficiently familiar with the arrangement to know if this “cooperative agreement” that Kim referred to above is indefinite or for a period of time?

David Conrad 11.21.07 at 10:38 am

Do you have a contact?

I’m actually not certain who at NTIA is responsible for the DoC/VeriSign relationship. Given you’re interested in the contractual relationship, I imagine going through the Office of the Chief Counsel (contact info at http://www.ntia.doc.gov/ntiahome/phones.htm#OIA) would be your best bet.

Does IANA provide VeriSign the instructions on what should be included in the master data, or does the DOC/VeriSign agreement assign VeriSign to determine what data is published?

The former. IANA’s role is to accept add/modify/delete requests from people authorized to make such requests, verify the requests are sound, and submit those requests for their implementation in the root zone file. To my knowledge, VeriSign does not make changes unless directed to do so.

And is IANA/ICANN sufficiently familiar with the arrangement to know if this “cooperative agreement” that Kim referred to above is indefinite or for a period of time?

I believe it is a limited time agreement and has been amended several times to (among other things) extend the term.

Joseph Friedman 11.21.07 at 11:11 am

Thank you!

Matthew, SF, CA 11.21.07 at 11:20 am

David, you’re perhaps not entirely correct when you say: “To my knowledge, VeriSign does not make changes unless directed to do so.” It depends on the context. Verisign does make significant changes under its own direction, such as when it chose to add (and under widespread pressure and purported orders from ICANN, remove) a wildcard entry for .com. How much ability it still has to do so is not clear. But technically, these were changes to .com, not to the root zone, and the context of your comment WAS discussion of the root zone, so you are correct.

OT: How long has there been a file at
ftp://ftp.internic.net/domain/INTERNIC_ROOT_ZONE.signatures ?

David Conrad 11.21.07 at 9:47 pm

As you note, I was speaking of changes to the root zone, not to .COM — this isn’t a technicality, these two zones are very different, both in terms of their content and in terms of how they are administered. To my knowledge, VeriSign does not make changes to the root zone unless directed to do so.

I believe the contents of ftp://ftp.internic.net/domain/ have been there since the registration services portion of InterNIC was created, but don’t know for sure.

Ritva Siren 11.22.07 at 4:49 am

Obviously, this “myth” is an indication of the nature of computing and of Internet. When something is posted, it stays regardless of the later changes in facts. Even search engines do not do a very good job in selecting the latest information instead of the old stuff.

In human metrics, it’s not so long, when having 13 server sites was still a truth. It may be eons if evaluated in Internet years, though.

Regardless, it’s still important to continue discussions about this, because the international traffic is so expensive especially in many developing countries. Serious improvements often only happen, when the discussion gets tough.

Ivan Ivanich 11.25.07 at 3:10 am

The problem is that you, ICANN/IANA are trying to explain with technical terms something to the Russian authorities. However, they, the Russian government, think that you, ICANN, are a tool of the evil American imperialists, who dismantled the USSR, and are now after Mother Russia.
How can you fight with this?

Jose Pina Coelho 11.29.07 at 1:56 am

The ’13 myth’ keeps coming from ICANN itself.

On http://l.root-servers.org/ the page starts with:

“ICANN operates l.root-servers.net, one of the thirteen root DNS servers, as a service to the community.”

Phil Regnauld 11.29.07 at 2:31 am

“So next time you hear there are 13 root servers, or that they are mostly in the US”.

10 of the 13 organizations that control the root servers are in the US.
Doesn’t really matter where they’re located.

Phil

Kim Davies 11.29.07 at 2:42 am

Thanks Phil. It is true that the majority of the root server operators are US-based organisations. That said, I disagree that it doesn’t matter where the root servers themselves are located. The greatly increased diversity of the physical root servers provides improved performance and resiliency in the network.

kim

Phil Regnauld 11.29.07 at 2:45 am

Agreed, the geographical diversity is a good thing from a strictly technical point of view.

Stéphane Bortzmeyer 12.03.07 at 12:53 am

Actually, most of the root name servers are in Virginia (USA). That’s certainly true, I’ve read it on the Internet:

http://www.cpatechnologyadvisor.com/print/The-CPA-Technology-Advisor/How-Fragile-Is-Our-Backbone/1$1852

Today, 50 percent of world traffic travels via one U.S. state — Virginia — where most maritime terminals arrive and where most of the main root servers are located, which use DNS (Domain Name System) to transform an alphanumeric address (like cpata.com) into an IP address. These root servers are particularly sensitive, so if a successful hacker attack or a power outage occurred, they could be out of service and the Internet user would have no access to websites. And there are, in fact, only a few in the whole world — mainly in the United States, Britain and Sweden.
