DNS root zone

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet.

Since 2016, the root zone has been overseen by the Internet Corporation for Assigned Names and Numbers (ICANN) which delegate the management to a subsidiary acting as the Internet Assigned Numbers Authority (IANA).[1] Distribution services are provided by Verisign. Prior to this, ICANN performed management responsibility under oversight of the National Telecommunications and Information Administration (NTIA), an agency of the United States Department of Commerce.[2]

A combination of limits in the DNS definition and in certain protocols, namely the practical size of unfragmented User Datagram Protocol (UDP) packets, resulted in a practical maximum of 13 root name server addresses that can be accommodated in DNS name query responses. However the root zone is serviced by several hundred servers at over 130 locations in many countries[3][4].

Initialization of DNS service

The DNS root zone is served by thirteen root server clusters which are authoritative for queries to the top-level domains of the Internet.[5][6] Thus, every name resolution either starts with a query to a root server or uses information that was once obtained from a root server.

The root servers clusters have the official names a.root-servers.net to m.root-servers.net.[6] To resolve these names into addresses, a DNS resolver must first find an authoritative server for the net zone. To avoid this circular dependency, the address of at least one root server must be known for bootstrapping access to the DNS. For this purpose operating systems or DNS server or resolver software packages typically include a file with all addresses of the DNS root servers. Even if the IP addresses of some root servers change, at least one is needed to retrieve the current list of all name servers. This address file is called named.cache in the BIND name server reference implementation. The current official version is distributed by ICANN's InterNIC.[7]

With the address of a single functioning root server, all other DNS information may be discovered recursively, and information about any domain name may be found.

Redundancy and diversity

The root DNS servers are essential to the function of the Internet, as most Internet services, such as the World Wide Web and electronic-mail, are based on domain names. The DNS servers are potential points of failure for the entire Internet. For this reason, multiple root servers are distributed worldwide.[8] The DNS packet size of 512 octets limits a DNS response to thirteen addresses, until protocol extensions (EDNS) lifted this restriction.[9] While it is possible to fit more entries into a packet of this size when using label compression, thirteen was chosen as a reliable limit. Since the introduction of IPv6, the successor Internet Protocol to IPv4, previous practices are being modified and extra space is filled with IPv6 name servers.

The root name servers are hosted in multiple secure sites with high-bandwidth access to accommodate the traffic load. At first, all of these installations were located in the United States; however, the distribution has shifted and this is no longer the case.[10] Usually each DNS server installation at a given site is a cluster of computers with load-balancing routers.[9] A comprehensive list of servers, their locations and properties is available at http://root-servers.org. As of February 20th, 2019, there were 938 root servers worldwide.[11]

The modern trend is to use anycast addressing and routing to provide resilience and load balancing across a wide geographic area. For example, the j.root-servers.net server, maintained by Verisign, is represented by 104 (as of January 2016) individual server systems located around the world, which can be queried using anycast addressing.[12]


The content of the Internet root zone file is coordinated by a subsidiary of ICANN which performs the Internet Assigned Numbers Authority (IANA) functions. Verisign generates and distributes the zone file to the various root server operators.

In 1997, when the Internet was transferred from U.S. government control to private hands, NTIA has exercised stewardship over the root zone. A 1998 Commerce Department document stated the agency was "committed to a transition that will allow the private sector to take leadership for DNS management" by the year 2000, however, no steps to make the transition happen were taken. In March 2014, NTIA announced it will transition its stewardship to a "global stakeholder community".[5]

According to Assistant Secretary of Commerce for Communications and Information, Lawrence E. Strickling, March 2014 was the right time to start a transition of the role to the global Internet community. The move came after pressure in the fallout of revelations that the United States and its allies had engaged in surveillance. The chairman of the board of ICANN denied the two were connected, however, and said the transition process had been ongoing for a long time. ICANN president Fadi Chehadé called the move historic and said that ICANN will move toward multi-stakesholder control. Various prominent figures in Internet history, not affiliated with ICANN, also applauded the move.[5]

NTIA's announcement did not immediately affect how ICANN performs its role.[5][13] On March 11, 2016 NTIA announced that it had received a proposed plan to transition its stewardship role over the root zone, and would review it in the next 90 days.[14].

The proposal was adopted, and ICANN's renewed contract to perform the IANA function lapsed on September 30, 2016, resulting in the transition of oversight responsibility to the global stakeholder community represented within ICANN's governance structures. As a component of the transition plan,[15] it created a new subsidiary called Public Technical Identifiers (PTI) to perform the IANA functions which include managing the DNS root zone.

Signing of the root zone

Since July 2010, the root zone has been signed with a DNSSEC signature,[16] providing a single trust anchor for the Domain Name System that can in turn be used to provide a trust anchor for other public key infrastructure (PKI). The root zone is re-signed periodically with the root zone key signing key performed in a verifiable manner in front of witnesses in a key signing ceremony.[17][18]

See also


  1. ^ "Stewardship of IANA Functions Transitions to Global Internet Community as Contract with U.S. Government Ends". 2016-10-01. Retrieved 2017-12-25.
  2. ^ Jerry Brito (2011-03-05). "ICANN vs. the World". TIME. Archived from the original on December 30, 2010. Retrieved 2011-12-17.
  3. ^ "There are not 13 root servers". www.icann.org. Retrieved 2018-01-18.
  4. ^ "DNS root servers in the world « stupid.domain.name". stupid.domain.name. Retrieved 2018-01-18.
  5. ^ a b c d Farivar, Cyrus (14 March 2014). "In sudden announcement, US to give up control of DNS root zone". Ars Technica. Retrieved 15 March 2014.
  6. ^ a b "Root Servers". IANA. Retrieved March 16, 2014.
  7. ^ "named.cache". InterNIC. 2015-11-17. Retrieved 2015-11-17.
  8. ^ "SANS Institute InfoSec Reading Room". SANS. Retrieved March 17, 2014.
  9. ^ a b Bradley Mitchell (November 19, 2008). "Why There Are Only 13 DNS Root Name Servers". About.com. Retrieved March 17, 2014.
  10. ^ "DNS Root Servers: The most critical infrastructure on the internet". Slash Root. November 15, 2013.
  11. ^ "Root Servers Technical Operations Assn".
  12. ^ "Root Server Technical Operations Assn".
  13. ^ "An Update on the IANA Transition". National Telecommunications and Information Administration. 2015-08-17. Retrieved 2015-11-17.
  14. ^ Strickling, Lawrence. "Reviewing the IANA Transition Proposal". National Telecommunications and Information Administration. United States Department of Congress. Retrieved 26 May 2016.
  15. ^ "Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department's National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community" (PDF). March 2016.
  16. ^ "Root DNSSEC: Information about DNSSEC for the Root Zone". Internet Corporation For Assigned Names and Numbers. Retrieved 2014-03-19.
  17. ^ "First KSK Ceremony". Internet Corporation For Assigned Names and Numbers. 2010-04-18. Archived from the original on 2015-04-14. Retrieved 2014-10-19.
  18. ^ "Root KSK Ceremonies". Internet Assigned Numbers Authority. 2015-11-12. Retrieved 2015-11-17.
  • RFC 2870 – Root Name Server Operational Requirements
  • RFC 2826 – IAB Technical Comment on the Unique DNS Root

Further reading

External links


.cloud is a generic top-level domain (gTLD) delegated by ICANN. It is managed by the Italian company Aruba PEC SpA, a wholly owned subsidiary of the same Aruba S.p.A., one of the largest distributors of Hostings and Providers in Europe.The back-end services are provided by ARI Registry Services. The proposed application succeeded and was delegated to the DNS root zone on 26 Jun 2015.

The .cloud domain doesn't have any restriction.


.global is a generic top-level domain (gTLD) and was delegated to the DNS root zone on June 6, 2014. The application for the new top-level domain, was approved on April 17, 2014, and .global was made available to the general public on September 9, 2014.


.nyc is a top level domain (TLD) for New York City. It was delegated to the root zone by ICANN on March 20, 2014.


.ovh is an active generic top-level domain (gTLD) delegated to the DNS root zone on June 20, 2014. The domain is sponsored by OVH, a major French telecommunications and hosting business. This top-level domain is run by the AFNIC and registrations are open to all via OVH, the sole registrar of .ovh domains.


.ss is the designated country code top-level domain (ccTLD) for South Sudan in the Domain Name System of the Internet. It is derived from the ISO 3166-1 alpha-2 code for South Sudan, which is SS. According to CIO East Africa, the TLD was allocated on 10 August 2011 following the country's declaration of independence from Sudan. The TLD was registered on 31 August 2011, but not added to the DNS root zone and thus not operational. It was approved at the ICANN Board meeting on 27 January 2019 and was added to the DNS root zone on 2 February 2019.Before .ss was successfully registered, the country's Undersecretary for Telecommunications had initially been concerned about the ccTLD request's possible rejection due to SS also being an abbreviation for Schutzstaffel, the paramilitary force of Nazi Germany.Before the independence of South Sudan, the applicable domain was .sd, Sudan's top-level Internet domain.


.wiki is a top-level domain name. It was proposed in ICANN's New generic top-level domain (gTLD) Program, and became available to the general public on May 26, 2014. Top Level Design (TLD) is the domain name registry for the string.

Alternative DNS root

The Internet uses the Domain Name System (DNS) to associate numeric computer IP addresses with human readable names. The top level of the domain name hierarchy, the DNS root, contains the top-level domains that appear as the suffixes of all Internet domain names. The most widely used (and first) DNS root is administered by the Internet Corporation for Assigned Names and Numbers (ICANN). In addition, several organizations operate alternative DNS roots, often referred to as alt roots. These alternative domain name systems operate their own root nameservers and commonly administer their own specific name spaces consisting of custom top-level domains.

The Internet Architecture Board (IAB) has spoken out strongly against alternate roots in RFC 2826.

Dig (command)

dig (domain information groper) is a Unix-like network administration command-line tool for querying Domain Name System (DNS) servers.

dig is useful for network troubleshooting and for educational purposes. dig can operate in interactive command line mode or in batch mode by reading requests from an operating system file. When a specific name server is not specified in the command invocation, it will use the operating system's default resolver, usually configured via the resolv.conf file. Without any arguments it queries the DNS root zone.

dig supports Internationalized Domain Name (IDN) queries.

dig is part of the BIND domain name server software suite. dig was initially planned to supersede older tools such as nslookup and the host program; however, it has instead become a complementary tool.

Distributed denial-of-service attacks on root nameservers

Distributed denial-of-service attacks on root nameservers are Internet events in which distributed denial-of-service attacks target one or more of the thirteen Domain Name System root nameserver clusters. The root nameservers are critical infrastructure components of the Internet, mapping domain names to IP addresses and other resource record (RR) data.

Attacks against the root nameservers could, in theory, impact operation of the entire global Domain Name System, and thus all Internet services that use the global DNS, rather than just specific websites. However, in practice, the root nameserver infrastructure is highly resilient and distributed, using both the inherent features of DNS (result caching, retries, and multiple servers for the same zone with fallback if one or more fail), and, in recent years, a combination of anycast and load balancer techniques used to implement most of the thirteen nominal individual root servers as globally distributed clusters of servers in multiple data centers.

In particular, the caching and redundancy features of DNS mean that it would require a sustained outage of all the major root servers for many days before any serious problems were created for most Internet users, and even then there are still numerous ways in which ISPs could set their systems up during that period to mitigate even a total loss of all root servers for an extended period of time: for example by installing their own copies of the global DNS root zone data on nameservers within their network, and redirecting traffic to the root server IP addresses to those servers. Nevertheless, DDoS attacks on the root zone are taken seriously as a risk by the operators of the root nameservers, and they continue to upgrade the capacity and DDoS mitigation capabilities of their infrastructure to resist any future attacks.

An effective attack against DNS might involve targeting top-level domain servers (such as those servicing the .com domain) instead of root name servers. Alternatively, a man-in-the-middle attack or DNS poisoning attack could be used, though they would be more difficult to carry out.

Domain name

A domain name is a label that identifies a network domain: a distinct group of computers under a central administration or authority.

Within the Internet, domain names are formed by the rules and procedures of the Domain Name System (DNS). Any name registered in the DNS is a domain name. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet. In 2017, 330.6 million domain names had been registered.Domain names are organized in subordinate levels (subdomains) of the DNS root domain, which is nameless. The first-level set of domain names are the top-level domains (TLDs), including the generic top-level domains (gTLDs), such as the prominent domains com, info, net, edu, and org, and the country code top-level domains (ccTLDs). Below these top-level domains in the DNS hierarchy are the second-level and third-level domain names that are typically open for reservation by end-users who wish to connect local area networks to the Internet, create other publicly accessible Internet resources or run web sites.

The registration of these domain names is usually administered by domain name registrars who sell their services to the public.

A fully qualified domain name (FQDN) is a domain name that is completely specified with all labels in the hierarchy of the DNS, having no parts omitted. Labels in the Domain Name System are case-insensitive, and may therefore be written in any desired capitalization method, but most commonly domain names are written in lowercase in technical contexts.


The Internet Corporation for Assigned Names and Numbers (ICANN EYE-kan) is a nonprofit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet, ensuring the network's stable and secure operation. ICANN performs the actual technical maintenance work of the Central Internet Address pools and DNS root zone registries pursuant to the Internet Assigned Numbers Authority (IANA) function contract. The contract regarding the IANA stewardship functions between ICANN and the National Telecommunications and Information Administration (NTIA) of the United States Department of Commerce ended on October 1, 2016, formally transitioning the functions to the global multistakeholder community.Much of its work has concerned the Internet's global Domain Name System (DNS), including policy development for internationalization of the DNS system, introduction of new generic top-level domains (TLDs), and the operation of root name servers. The numbering facilities ICANN manages include the Internet Protocol address spaces for IPv4 and IPv6, and assignment of address blocks to regional Internet registries. ICANN also maintains registries of Internet Protocol identifiers.

ICANN's primary principles of operation have been described as helping preserve the operational stability of the Internet; to promote competition; to achieve broad representation of the global Internet community; and to develop policies appropriate to its mission through bottom-up, consensus-based processes.ICANN's creation was announced publicly on September 17, 1998, and it formally came into being on September 30, 1998, incorporated in the U.S. state of California. Originally headquartered in Marina del Rey in the same building as the University of Southern California's Information Sciences Institute (ISI), its offices are now in the Playa Vista neighborhood of Los Angeles.

Internationalized domain name

An internationalized domain name (IDN) is an Internet domain name that contains at least one label that is displayed in software applications, in whole or in part, in a language-specific script or alphabet, such as Arabic, Chinese, Cyrillic, Tamil, Hebrew or the Latin alphabet-based characters with diacritics or ligatures, such as French. These writing systems are encoded by computers in multi-byte Unicode. Internationalized domain names are stored in the Domain Name System as ASCII strings using Punycode transcription.

The Domain Name System, which performs a lookup service to translate user-friendly names into network addresses for locating Internet resources, is restricted in practice to the use of ASCII characters, a practical limitation that initially set the standard for acceptable domain names. The internationalization of domain names is a technical solution to translate names written in language-native scripts into an ASCII text representation that is compatible with the Domain Name System. Internationalized domain names can only be used with applications that are specifically designed for such use; they require no changes in the infrastructure of the Internet.

IDN was originally proposed in December 1996 by Martin Dürst and implemented in 1998 by Tan Juay Kwang and Leong Kok Yong under the guidance of Tan Tin Wee. After much debate and many competing proposals, a system called Internationalizing Domain Names in Applications (IDNA) was adopted as a standard, and has been implemented in several top-level domains.

In IDNA, the term internationalized domain name means specifically any domain name consisting only of labels to which the IDNA ToASCII algorithm (see below) can be successfully applied. In March 2008, the IETF formed a new IDN working group to update the current IDNA protocol.

In October 2009, the Internet Corporation for Assigned Names and Numbers (ICANN) approved the creation of internationalized country code top-level domains (IDN ccTLDs) in the Internet that use the IDNA standard for native language scripts. In May 2010 the first IDN ccTLD were installed in the DNS root zone.

List of Internet top-level domains

This list of Internet top-level domain (TLD) extensions contains top-level domains, which are those domains in the DNS root zone of the Domain Name System of the Internet. The official list of all top-level domains is maintained by the Internet Assigned Numbers Authority (IANA) at the Root Zone Database. IANA also oversees the approval process for new proposed top-level domains. As of April 2018, the root domain contains 1534 top-level domains, while a few have been retired and are no longer functional.

Open Root Server Network

Open Root Server Network (ORSN) is a network of Domain Name System root nameservers for the Internet.

ORSN DNS root zone information is normally kept in synchronization with the "official" Domain Name System root nameservers coordinated by ICANN. The networks are thus 100% compatible, though ORSN is operated independently. The ORSN servers are primarily placed in Europe. ORSN is also used by public name servers, providing Domain Name System access freely for everyone, without any limitation.

ORSN was primarily started to reduce the over-dependence of Internet users on the United States and Department of Commerce/IANA/ICANN/VeriSign, limit the control over the Internet that this gives, while ensuring that domain names remain unambiguous. And to avoid the technical possibility of global "Internet shutdown" by one party.

They also expect their network to make domain name resolutions faster for everyone.

Markus Grundmann, Germany is the founder of ORSN, and author of ORSN distributed system management and monitoring software solution.

Paul Vixie, the main designer of BIND, the UNIX de facto standard DNS server, is a high-profile proponent of the ORSN.

Paul Vixie is member of Security and Stability Advisory Committee of ICANN, he served on the Board of Trustees of the American Registry for Internet Numbers (ARIN) from 2005 to 2013, also as ARIN chairman in 2009 and 2010.ORSN has 2 operating modes:

ICANN BASED (default) operating mode involves daily synchronization, except that removed TLDs are not removed from the ORSN root.

INDEPENDENT mode has no automatic synchronization and is activated "whenever the political situation of the world - in our opinion - makes this step necessary because the possibility of a modification and/or a downtime of the ICANN root zone exists or we do not want that our root zone will rebuild automatically."ORSN operated from February 2002 until the end of 2008. ORSN operates again since June 2013.

Several Internet service providers in Europe used ORSN as a root for their name servers.

Public recursive name server

A public recursive name server (also called public DNS resolver) is a name server service that networked computers may use for query to DNS, the decentralized Internet naming system, in place of or in addition to name servers operated by the Internet service provider to which the devices are connected. Reasons for using these services include:

speed, compared to using ISP DNS services

filtering (security, ad-blocking, porn-blocking, etc.)


avoiding censorship

redundancy (smart caching)

access to unofficial alternative top level domains not found in the official DNS root zonePublic DNS resolver operators often cite increased privacy as an advantage of their services; critics of public DNS services have cited the possibility of mass data collection targeted at the public resolvers as a potential risk of using these services. Several services now support secure DNS lookup transport services such as DNS over HTTPS and DNS over TLS.

Public DNS resolvers are operated either by commercial companies, offering their service for free use to the public, or by private enthusiasts to help spread new technologies and support non-profit communities.

Root zone

Root zone may refer to:

roots, of plants

rhizosphere, of plants

DNS root zone, the start of the Domain Name System

Top-level domain

A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is com. Responsibility for management of most top-level domains is delegated to specific organizations by the Internet Corporation for Assigned Names and Numbers (ICANN), which operates the Internet Assigned Numbers Authority (IANA), and is in charge of maintaining the DNS root zone.

IANA currently distinguishes the following groups of top-level domains:

country-code top-level domains (ccTLD)generic top-level domains (gTLD)

sponsored top-level domains (sTLD)

unsponsored top-level domainsinfrastructure top-level

domain (.arpa)

Zone file

A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.

This page is based on a Wikipedia article written by authors (here).
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.