ID: Alternative Roots and the Virtual Inclusive Root

Internet Engineering Task Force                                S. Higgs
Internet-Draft                                                 May 2001
Category: Informational
Expires: November 2001
Document: draft-higgs-virtual-root-00.txt

             Alternative Roots and the Virtual Inclusive Root


Status of this Memo

   This document is an Internet-Draft and is subject to all provisions 
   of Section 10 of RFC2026 except that the right to produce 
   derivative works is not granted.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This Internet Draft discusses the "alternate roots" and the "virtual
   inclusive root", in an attempt to help clear up misunderstandings on
   their use in the Internet. This document solves the problem of 
   duplicate colliding top level domains by identifying the "virtual 
   inclusive root", in compliance with the IAB's RFC 2826, "IAB 
   Statement on the Unique DNS Root"[1].   
   

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC2119[2].


Background

   For the past 6 years or so various organizations and individuals have
   implemented "alternate roots" to support their own Top Level Domains
   (TLD)s[3].  The origin of these alternative roots can be found in the 
   rough consensus and running code behind Draft Postel[4] (which was 
   subverted by the gTLD-MOU, which itself was terminated upon 
   intervention by the U.S. Government). That ICANN (the replacement
   process set in place by the U.S. Government) has since failed to run
   with the ball has only caused more alternative roots to spring up.

   I define the term "alternate root" to mean "a DNS root zone connected
   to the Internet, but with contents that differ from the ICANN roots".
   An alternate root by definition includes "alternate top level domains
   (TLDs)". This is perfectly acceptable, and one example is RFC 2606
   / BCP32[5] which shows how to create localized TLDs from the reserved
   TLD pool.


Impact Of Alternative Roots In DNS
    
   The following examples show the impact to the DNS from a multiple
   root zone environment. It should be noted that each root zone, as a
   singular entity, is fully compliant with RFC2826. The problems
   described in RFC2826 surface when the user has no ability to 
   determine which root zone is being used for a particular transaction.
   
   Each example also is marked as "STABILIZING" or "DESTABILIZING". This
   is an important concept to grasp. The primary fallacy that must be 
   overcome is contained in the following set of statements:
   
       "If a non-ICANN root service mounts a new TLD without ICANN 
       permission, this is defined to be destablizing."
   
   and
   
       "If ICANN corrects this situation by adding a conflicting TLD to
       the ICANN ROOT, this is defined to be stabilizing."
       
   There's no other way to say this: THE ABOVE STATEMENTS ARE WRONG!
   
   The fact is that there is no conflict and no harm to the internet
   until the 2nd version of a given TLD (the duplicate) is created.
   
   In order to remedy this, the correct statements are as follows:
   
   1.  If any root service mounts a new TLD which does not conflict
       with a pre-existing TLD, this SHOULD be defined as stabilizing.
      
   2.  If any root service mounts a new TLD which conflicts with a 
       pre-exisitng TLD, this SHOULD be defined as destabilizing.

   Therefore, any new TLD which conflicts with a pre-existing TLD is 
   destabilizing, no matter where it comes from. The following examples
   illustrate which is correct, and which is not correct:

   
   Example 1 (STABILIZING):
   
        ICANN                 Alt
         root                root
          /|\                 /|\
         / | \               / | \
        /  |  \             /  |  \
       /   |   \           /   |   \
      /    |    \         /    |    \
    .com............    .com.......  .biz
    
   Example 1 does not create any TLD conflicts. The Alternate Root,
   has been enhanced by the inclusion of the .biz TLD. Both roots
   use the legacy root, now maintained by the US Government (ICANN
   root), as the baseline.
   
   Example 2 (STABILIZING):
   
        ICANN                 Alt                     Alt
         root                root(A)                 root(B)
          /|\                 /|\                     /|\
         / | \               / | \                   / | \
        /  |  \             /  |  \                 /  |  \
       /   |   \           /   |   \               /   |   \
      /    |    \         /    |    \             /    |    \
    .com............    .com.......  .biz(A)    .com.......  .biz(A)
    
   Example 2 does not create any TLD conflicts. Both Alternate Root A
   and Alternative Root B have been enhanced by the inclusion of the
   .biz(A) TLD. The important thing to note is that the same .biz TLD
   is supported by both Alternative Roots. All roots use the legacy 
   root, now maintained by the US Government (ICANN root), as the 
   baseline.
   
   Example 3 (DESTABILIZING):    

        ICANN                 Alt                     Alt
         root                root(A)                 root(B)
          /|\                 /|\                     /|\
         / | \               / | \                   / | \
        /  |  \             /  |  \                 /  |  \
       /   |   \           /   |   \               /   |   \
      /    |    \         /    |    \             /    |    \
    .com............    .com.......  .biz(A)    .com.......  .biz(B)
    
   Example 3 creates a TLD conflict. Both Alternate Root A and 
   Alternative Root B have .biz TLDs, but these TLDs are not 
   coordinated, or peered, and therefore duplicate zones may exist. 
   Note that all roots use the legacy root, now maintained
   by the US Government (ICANN root), as the baseline.
   
   Example 4 (DESTABILIZING):


        ICANN                 Alt                     Alt
         root                root(A)                 root(B)
          /|\                 /|\                     /|\
         / | \               / | \                   / | \
        /  |  \             /  |  \                 /  |  \
       /   |   \           /   |   \               /   |   \
      /    |    \         /    |    \             /    |    \
    .com........biz(C) .com.......  .biz(A)    .com.......  .biz(A)
    
   Example 4 creates a TLD conflict. Both Alternate Root A and 
   Alternative Root B have been enhanced by the inclusion of the
   .biz(A) TLD. These .biz TLDs are coordinated (or peered) and are 
   conflict free. Adding a different .biz(C) TLD to the ICANN root 
   causes a conflict, and therefore duplicate zones may exist. Note
   that all roots use the legacy root, now maintained by the US 
   Government (ICANN root), as the baseline. As you can see, this
   example causes a bigger (META) problem, in that it changes the 
   supported baseline of TLDs that all the other roots are supposed 
   to recognize. 
   
   Alternate Roots do in fact exist. No one can prevent them from 
   existing, because the selection of a root zone to point to is a
   voluntary act by DNS name server administrators and end-user client 
   software. 
   

Name Conflicts

   Name conflicts are generally considered a bad thing.  If company "A"
   uses the ICANN Root, and company "B" uses an Alternative Root, then
   "A" and "B" will see identical versions of all the TLDs that both
   roots support (such as .COM). Company "B" will also benefit from the 
   additional TLDs visible from the Alternative Root. So far, so good.
   
   The problems arise when two roots do not support the same TLD manager
   for a given TLD. As identified in RFC1591:
   
      The designated manager must be equitable to all groups in the
      domain that request domain names.
      
   and
   
      Significantly interested parties in the domain should agree that
      the designated manager is the appropriate party.
   
   Obviously, if there is a disagreement, it is possible to create a 
   duplicate TLD, in a different root, and managed by a different party.
   This will lead to the inevitable delegation of duplicate domain names
   (and thus create the name conflicts).
   
   Disagreements are caused by a number of factors. Lack of entry into
   a particular root zone is currently the primary cause of new root 
   zones (the Alternative Roots) being created.
   
   So what happens when a duplicate domain name is created? Quite simply,
   a number of things in the DNS break. These breakages happen in all
   the root systems, including those roots that don't support either 
   version of the conflicting TLD.

   The first visible sign will simply be the domain names resolving to
   different IP addresses depending on which root zone is being 
   supported. Company "A" may put its web page in .biz(A), and Company 
   "B" may put its web page in .biz(C). Internet users will only be able
   to reach Company "A" by using root zones supporting the .biz(A) TLD, 
   and Company "B" by using root zones supporting the .biz(C) TLD.
   
   The second visible sign will be email failures. Internet users can 
   send a message to a user@example.biz, but there can be two separate
   sets of recipient mail servers for example.biz depending on which 
   root zone is used (.biz(A) or .biz(C)). To complicate this further,
   each intermediary mail server that the message is routed through, 
   will only pass the message on to the .biz mail server from the root
   that it resolves. It's quite possible that a message sent within a 
   particular root zone could "leak out" of that root zone via an 
   intermediary server that supports a different root zone. Lastly, as
   soon as the email path finds a non-supporting mail server, the 
   message is bounced.
   
   The third visible sign (see Example 5) is the most deadly. DNS 
   nameserver (NS) record pollution. This is where the NS name records
   for a domain name are identical, but resolve to different IP 
   addresses depending upon which root zone is queried. With the 
   caching effect of the DNS, an NS record from one root zone may 
   become cached in a nameserver from a different root zone. Any 
   subsequent queries will point to the server for the domain name in 
   the other root zone. 
   
   Example 5:
   
       .biz(A)         .biz(B)          in-addr.arpa
        /|\             /|\                 /|\
       / | \           / | \               / | \
     ..  | ..        ..  | ..             /  |  \
         |               |               /  ..   1.2.3.4->sex.biz
    sex->1.2.3.4    sex->4.3.2.1        /
        /|\             /|\             4.3.2.1->sex.biz
       / | \           / | \
     ..  |  ..       ..  |  ..
         |               |
    ns1->1.2.3.5     ns1->4.3.2.2

   
   Eventually, these problems will become magnified as more duplicate 
   domain names are created. To solve this, we create a meta level
   solution, called the "virtual inclusive root".


Virtual Inclusive Root

   The above discussion of name conflicts underscores a fundamental
   point: DNS wasn't designed to deal with name conflicts.

   The fundamental design goal of the DNS is to provide unique
   and stable names for certain resources on the Internet.  A "resource"
   may be, for example, an IP address (or, in some cases, a group of IP
   addresses), an email server, or a portion of the Domain Name Space
   itself.  The resources are represented by objects in DNS; the
   fundamental service provided by the DNS is retrieval of an object,
   given the name for the object.

   The names provided by the DNS are structured in a hierarchical
   manner, which allows the management of the names to be distributed.
   Instead of a single gigantic name registry, the registration of names
   can be spread across many registries.

   The visible DNS hierarchy starts with what are called "Top Level
   Domains" (TLDs).  The next level of the hierarchy is made up of
   "Second Level Domains" (SLDs), the level are "Third Level Domains"
   (3LDs), and so on.  The familiar ".com" is a TLD, "example.com" is a
   SLD, "an.example.com" is a 3LD.  "this.is.an.example.com" would be a
   domain name with 5 levels.

   So how do we do that if there is more that one root zone? The answer
   is the Virtual Inclusive Root. It's nothing more than applying 
   RFC2826 to create a larger, virtual, root zone comprised of the sum
   of all the variations of local root zones.
   
   Example 6:
   
        ICANN                 Alt                     Alt
         root                root(A)                 root(B)
          /|\                 /|\                     /|\
         / | \               / | \                   / | \
        /  |  \             /  |  \                 /  |  \
       /   |   \           /   |   \               /   |   \
      /    |    \         /    |    \             /    |    \
    .com(A)...  .net   .com(A)....  .biz       .com(A)....  .web

   From the above example (Example 6), the Virtual Inclusive Root would
   consist of the .COM, .NET, .BIZ, and .WEB TLDs (all roots support 
   the same .COM TLD).

   The Virtual Inclusive Root can be considered the best view of 
   consensus and co-operation for the DNS name space.
   

Co-ordinating The Virtual Inclusive Root
   
   Obviously, conflicting TLDs cannot be supported in the Virtual 
   Inclusive Root. 
   
   The first basic rule of domain name registration is that the first 
   eligible applicant to register a domain name receives the exclusive 
   delegation of that domain name. This is traditionally known as 
   "first come, first served" (FCFS).
      
   The second basic rule, as identified in the examples above, is that
   there is no harm done to internet until a duplicate top level 
   domain is created. Users may not be able to resolve a domain name 
   that exists in a top level domain from a different root zone. But
   this is no different to today, and does not break the DNS overall.
   Adding the TLD to the Virtual Inclusive Root solves this problem.
   
   The third basic rule is that there is no limit to the number of top 
   level domains that can be put in the DNS. The DNS is recursive and
   the recent examples of several million domain names registered in
   .COM shows that this is possible. The reality is that the demand
   for TLDs is not that high.
   
   The main objection to the virtual inclusive root is that it really
   only raises the root zone up a level and that someone, somewhere,
   has the job of managing it. This is not true, as the ICANN root 
   zone being a "single point of failure" on the Internet is the 
   problem that the Alternative Roots have already solved.
   
   The Virtual Inclusive Root is the sum of the consensus between all
   root zones on the public internet. The methods for allowing
   DNS clients and resolvers to resolve Virtual Inclusive Root will 
   be described in a different document.
   

Other Considerations
   
   The United States Patent and Trademark Office has determined that 
   top level domains are not trademarkable. This removes any 
   possibility of "sunrise" claims or other trademark claims to top 
   level domains.

   If ICANN "endorses" other roots, then it would of course coordinate 
   its TLD selections with them, and there would be fewer, if any, name 
   collisions. This is by far the most pain-free solution.
   
   If ICANN doesn't "endorse" other roots, then it will most likely
   create TLDs that conflict with ones publicly in use by Alternate Root
   servers (see Example 4 above). This sets precedents directly opposed
   to the IETF tradition of "rough consensus and running code". It 
   allows the pioneer work of developers and entrepreneurs to be taken 
   away at the whim of others.
   
   ICANN could also try to make it illegal to run an alternate root. 
   This would involve regulating the configuration of every computer 
   connected to the Internet, and defining what technology and service
   provider everyone had to use. It would be like a law dictating that 
   everyone had to use the same government approved computer operating
   system to avoid "instability."
   
   The FCFS method of registration has recently been co-opted by ICANN
   for financial gain, by the registry/registrar community (there is a
   major kick-back in fees paid to ICANN by the registries and
   registrars) for the benefit of the intellectual property community
   (who are paid to secure domain names). The internet user community
   is the loser, paying several times over just to secure a single 
   domain name. The Alternative Roots exist, at the behest of the 
   internet user community, to bypass this kind of profiteering.
   

Security Considerations

   This memo does not introduce any new security issues. 
   
   This memo does not address DNSSec issues.

Acknowledgments

   The author would like to thank Karl Auerbach, Scott Bradner,
   Milton Mueller, Brian Reid, Richard Sexton, and Einar
   Stefferud for their constructive comments.


References

   1  Internet Architecture Board, "IAB Technical Comment on the Unique
      DNS Root", RFC 2826, May 2000
   2  Bradner, S., "Key words for use in RFCs to Indicate Requirement
      Levels", BCP 14, RFC 2119, March 1997
   3  Postel, J., "The IANA's File of iTLD Requests",
      http://www.gtld-mou.org/gtld-discuss/mail-archive/00990.html
   4  Postel, J., "New Registries and the Delegation of International 
      Top Level Domains"
      http://www.newdom.com/archive/draft-postel-iana-itld-admin-02.txt
   5  D. Eastlake, A. Panitz, "Reserved Top Level DNS Names", BCP32,
      RFC 2606, June 1999
 

Author's Address

      Simon Higgs
      Higgs Communications
      P.O. Box XXXX
      XXXXXXXX, XX  XXXXX-XXXX

      Phone: XXX-XXX-XXXX
      Email: XXXXX@XXXXX.XXX

###