Inside ICANNWatch  
    Alternate Roots Root Servers
    Where Did the .root TLD Come From?
    posted by michael on Monday March 08 2004, @06:07AM

    Karl Auerbach's Cavebear Blog asks a question I'd like to know the answer to: "Where did the .root TLD Come From?".

    It seems that unbeknownst to us all, VeriSign has created and served up a secret TLD...albeit one with only one entry...

    Try this (one line) unix command to see .root:
    dig vrsn-end-of-zone-marker-dummy-record.root. any @a.root-servers.net

    I remember seeing this
    by dmehus on Monday March 08 2004, @07:42AM (#13130)
    User #3626 Info | http://doug.mehus.info/
    Funny you mention this, Karl. I remember seeing it a few months ago when I downloaded the root zone file from the InterNIC FTP site. I was a bit perplexed by it, because I was sure neither ICANN nor the U.S. DoC ever gave approval for the new dot-root TLD. Correct?

    Typical VeriSign abuse of power. So much for ICANN doing its real duty of acting as a technical coordinator of the DNS root. :(

    Doug Mehus http://doug.mehus.info/
    Checking that the zone is OK
    by bortzmeyer on Monday March 08 2004, @10:18PM (#13135)
    User #3933 Info
    The purpose of this record is obvious: making sure that you do not get a truncated zone file. If, for some reason, an unsecured (by DNSsec or GnuPG) zone transfer fails partly, it is easy to pinpoint it: nameserver monitors just have to check this record, the last one of the zone.
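
Added example, not part of the comment above and not VeriSign's or any root operator's tooling: a monitor-style check that a transferred zone file ends with the end-of-zone marker, including the case where the cut falls inside the marker record itself. The sample zone, the `example` host names, the TXT value and the function names are constructed for illustration, and the check assumes one record per line.

```shell
#!/bin/sh
# Added example: detect a truncated zone file by checking that the final
# record is the end-of-zone marker. Function names are hypothetical.

# Owner name taken from the dig command quoted in the story.
MARKER="vrsn-end-of-zone-marker-dummy-record.root."

# last_owner FILE: print the owner name of the last complete record.
# Assumes one record per line, "owner TTL class type rdata".
last_owner() {
    awk '
        /^[ \t]*;/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        /^\$/      { next }                 # $ORIGIN or $TTL directive
        /^[ \t]/   { nf = NF + 1; next }    # record inheriting previous owner
        { owner = tolower($1); nf = NF }
        END { if (nf >= 5) print owner; else print "INCOMPLETE-RECORD" }
    ' "$1"
}

# zone_is_complete FILE [MARKER]: 0 = marker is last, 1 = truncated, 2 = unreadable.
zone_is_complete() {
    [ -r "$1" ] || return 2
    [ "$(last_owner "$1")" = "${2:-$MARKER}" ]
}

# write_sample_zone FILE: constructed sample data, not the real root zone.
write_sample_zone() {
    cat > "$1" <<'EOF'
; constructed sample zone
.    86400  IN SOA a.root-servers.net. hostmaster.example. 1 1800 900 604800 86400
.    518400 IN NS  a.root-servers.net.
com. 172800 IN NS  ns.example.
org. 172800 IN NS  ns.example.
vrsn-end-of-zone-marker-dummy-record.root. 172800 IN TXT "constructed"
EOF
}

# Demo: one intact copy, one copy that lost its last record in transfer.
full=$(mktemp); cut=$(mktemp)
write_sample_zone "$full"
sed '$d' "$full" > "$cut"
for f in "$full" "$cut"; do
    if zone_is_complete "$f"; then echo "$f: complete"
    else echo "$f: TRUNCATED"; fi
done
rm -f "$full" "$cut"
```

The check only proves the tail of the file arrived; it says nothing about records altered or dropped earlier in the zone, which is what the DNSSEC or GnuPG signing mentioned in the comment addresses.
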
    dig commands are no longer proof of anything
    by Anonymous on Tuesday March 09 2004, @04:24AM (#13142)
    Using dig does not prove anything. You may be doing a dig on your ISP's imposter root servers.

    You would have to also do trace routes and even those are no longer valid because the U.S. Government could be re-directing your traffic and changing the TTL values on the fly to hide their eaves-dropping. It is in Verisign's best interest to assist the U.S. Government in surveillance activities which Verisign views as counter to their dominance of the DNS industry. ICANN's thugs have of course set themselves up as the security and stability team, ready to assist the U.S. Government with the silencing of anyone that threatens their job security. Misinformation, disinformation and covert operations are funded by the domain name fees that you pay.

    If you are in another country, you may be doing a dig on the local country's imposter root-servers that they have set up to encourage all root-server traffic to remain in their country. This gives them total control of their view of "the root" and also reduces the bandwidth required for DNS traffic in and out of the country.

    For your dig commands to be validated, you would have to prove (via physical access) that you watched each packet traverse each LAN link, router and WAN link. With the 13 legacy root-server addresses being duplicated all over on imposter servers, this would be very difficult.

    The only way an ISP or large organization can ensure that the traffic to and from the 13 root servers is reliable and secure is to deploy servers which answer for those 13 addresses. Those are trivial servers to deploy because all the root servers normally do is hand out referrals to the various TLD server clusters.

    In order for Verisign to lock people into using their servers, they of course can add obscure records directly in the root zone. The various Verisign plug-ins can then check for those obscure records and shape service based on what they find. An ISP's imposter root servers may not have the proper obscure records and services could fail, sending customers back to Verisign/ICANN for support and more fees. ICANN can then dispatch highly paid DNS consultants from the seven offices they plan to open around the world.

    Since many people are not able to do a dig command and rely only on browser clicks to determine their view of reality, this quick check may help. Just type "%ae.com" (percent ae) into your browser's address bar.
    by KarlAuerbach on Monday March 08 2004, @05:57PM (#13133)
    User #3243 Info | http://www.cavebear.com/
    As I explained many times in the past, my inspection of the records was for my use as a Director of ICANN - it would have been inconsistent with my legal obligations as a Director to simply republish it. A summary of some of what I found is in my final report to the board, a copy of which has been on my website since the middle of last year.

    As for myriad ways that ICANN has demonstrated itself to be a captured regulator more concerned with preserving certain business interests than with net stability - I guess you haven't been reading my other postings. Nor have you followed my materials on the larger stage of the ITU and UN, which is where ICANN's fate is likely to be decided and a new regime substituted in its place. If you are interested in the broad principles of internet governance and not minutiae, then you may wish to make submissions to the UN ICT meeting that is being held March 25-27 in New York.

    Re:The 13 Root Servers No Longer Exist
    by KarlAuerbach on Monday March 08 2004, @06:03PM (#13134)
    User #3243 Info | http://www.cavebear.com/
    Anycast is a technique of using routing information to have multiple instances of IP addresses (and hence DNS servers) on the net. This is how many of the root servers have cloned themselves.

    What you suggest about marking the zone file in order to know which server is answering would make sense except for the fact that each of the root-servers.org servers uses the *exact* same zone file, including the .root record.
    Re:The 13 Root Servers No Longer Exist
    by bortzmeyer on Monday March 08 2004, @10:33PM (#13137)
    User #3933 Info
    Almost only BS in the anonymous message. Especially, people should note that anycasting the root name servers has been discussed a *lot* in many fora among DNS experts. There is a very wide consensus (among DNS experts, which do not include Jeff Williams and Jim Fleming) that anycast works fine and is a solution to many problems.

    ISC, "Hierarchical Anycast for Global Service Distribution",

    Daniel Karrenberg, "Distributing K-Root Service by Anycast Routing of", http://www.ripe.net/ripe/docs/ripe-268.html

    RFC 3258, "Distributing Authoritative Name Servers via Shared Unicast
