Technical Analysis of the Naming Scheme Used For Individual Root Servers (R3)

Document: Technical Analysis of the Naming Scheme Used For Individual Root Servers (R3)
Reference ID: RSSAC028
Current Phase: Phase 4 | Implementation Pending - Internal


DESCRIPTION

Conduct a study to understand the feasibility and impact of node re-delegation attacks.


STATUS UPDATES

Date | Phase | Type | Status Updates

 

Phase 4 | Phase Update | ICANN sent a letter (https://www.icann.org/en/system/files/correspondence/olive-to-osborn-13oct23-en.pdf) to the RSSAC regarding this Advice item.

 

Phase 4 | Phase Update | Implementation of this recommendation is dependent on completion of implementation of RSSAC028 Recommendation 2 (completed in September 2023). As a next step, ICANN org will develop an implementation plan to include milestones and anticipated timeline for completion and will share this in the coming months.

 

Phase 4 | Phase Change | Now in Phase 4: Deferred

 

Phase 4 | Phase Update | RSSAC028 Recommendation 3 is pending the completion of Recommendation 2.

 

Phase 4 | Phase Update | ICANN org hired a contractor in September 2022 to write a study analyzing the questions in Recommendation 2 of RSSAC028. This work is anticipated to be complete in August 2023. Tasks of the contractor include: surveying root server operators (“RSOs”) about which software they use to provide authoritative service for the root zone, performing the study using the open source “Resolver Testbed” software already created by ICANN org, and repeating the analysis that led to Appendix A of RSSAC028 using the current software in use by the RSOs. RSSAC028 Recommendation 3 is pending the completion of Recommendation 2.

 

Phase 4 | Phase Change | Now in Phase 4: Implement

 

Phase 3 | Phase Update | On 25 March 2021 the ICANN Board considered 2021.03.25.03 and the Board accepts Recommendation 3, relating to conducting a study to understand the feasibility and impact of node re-delegation attacks, and directs the ICANN President and CEO, or designee(s), to commence such a study. This item is now in Phase 4 | Implement as of 25 March 2021.

 

Phase 3 | Phase Change | Now in Phase 3: Evaluate and Consider

 

Phase 2 | AP Feedback | ICANN received confirmation of understanding from the RSSAC.

 

Phase 2 | Phase Update | The ICANN org understands RSSAC028 Recommendation 3 to mean that a study should be conducted to understand how the current infrastructure is susceptible to various cache poisoning attack scenarios, specifically node re-delegation attacks, and that proof-of-concept code for testing these scenarios should be made available to others in the DNS community for further studies. ICANN sent this updated understanding to the RSSAC for review.

 

Phase 2 | Phase Update | Updated Understanding sent to RSSAC for review.

 

Phase 2 | Phase Change | Advice Item returned to Phase 2: Understand to request further clarification of recommendation.

 

Phase 3 | Phase Change | Now in Phase 3: Evaluate and Consider

 

Phase 2 | AP Feedback | ICANN received confirmation of understanding from the RSSAC. RSSAC states: The RSSAC / RSSAC Caucus will scope the study. After that collaboration may be needed between the RSSAC / RSSAC Caucus and ICANN org to perform the studies.

 

Phase 2 | Phase Update

The ICANN org understands that the RSSAC has also provided an additional, speculative recommendation, which states that if node re-delegation attacks pose a serious risk that needs to be mitigated, the following should also be considered:

  • The root server addresses should be signed with DNSSEC to enable a resolver to authenticate resource records within the priming response.
  • Because the root server IP address information and the root zone are closely correlated, both sets of information should continue to be hosted on the same servers.
  • Among the various options considered in this document, moving the root server names to the root zone (5.3), or adding a new TLD under the root zone (5.4) are both viable options that would result in signing the root server addresses. Additional studies are needed to determine which of these options, if any, would be more favorable than the other in practice.

This understanding was sent to the RSSAC for review.

 

Phase 2 | Phase Update | Understanding sent to RSSAC for review.

 

Phase 2 | Phase Change | Now in Phase 2: Understand

 

Phase 1 | Phase Update | ICANN acknowledged receipt of Advice.

 

Phase 1 | Phase Update | RSSAC published RSSAC028: Technical Analysis of the Naming Scheme Used For Individual Root Servers. Link: https://www.icann.org/en/system/files/files/rssac-028-03aug17-en.pdf