1

I’m trying to study how DNS works in depth watching videos and reading. So far, I understood (or I believe I understood) that DNS domain name space is a hierarchical logical structure while zones are the “physical aspect” of it. Each zone maps a portion of the DNS name space, holding the relative info in a text file: I understood that, in practice, each DNS name space portion (the root, the tld, domains etc.) corresponds to a zone file. I understood that there are, among others, two types of zones: primary zones and secondary zones; the difference between them is that the primary zone is a read/write copy of the zone file for a certain zone while secondary zone is just an updated read-only copy of the primary and we can make changes only on the primary zone file. So far, it is all clear. What it is not is the fact that it seems that we can have only one DNS server on which we can have the primary zone file; if I understood it well, this raises the following doubts:

  1. if we can have only one server hosting the primary zone, for example the primary zone for “com”, how it is possible that there are multiple providers that can be able to register domains “.com” i.e. can be able to modify the “com” primary zone ?
  2. How it is possible that there are “13 servers” that holds the same root primary zone?

2 Answers2

2

How it is possible that there are multiple providers that can be able to register domains “.com” i.e. can be able to modify the “com” primary zone ?

Simplified: there is always a single responsible administrative organisation that manages a top level domain (TLD) and which ensures consistency.

That single responsible administrative organisation is said to operate and maintain "the domain name registry". Some registries "sell" domain names directly, others have a system where they only provide wholesale access for accredited resellers (registrars) and others do both.

For the root of the internet domain hierarchy, as well as some generic top level domains the registry is operated by ICANN, but there also many others like for example DENIC which manages the .DE ccTLD and others that are responsible for other TLD's and ccTLD's.

ICANN doesn't sell domain names directly, but works only with accredited registrars.

How the registrars register their domains in the registry is explained here: https://serverfault.com/a/689852/546643

How it is possible that there are “13 servers” that holds the same root primary zone?

Again there is a single organisation
(https://www.iana.org/domains/root which provides the infrastructure, man power and processes) that acts as the "Root Zone Maintainer". They regularly make a new root zone available to the "Root Server Operators".
See also: https://en.wikipedia.org/wiki/DNS_root_zone

All operators of the "root name servers" then do the equivalent of simply regularly downloading the a new version of the "master copy" of the root zone file from it's published location: https://www.iana.org/domains/root/files and distribute and activate that on their root name servers.

See https://root-servers.org for how many more than 13 root servers there are...

Bob
  • 5,335
  • 5
  • 24
  • "the registry is operated by ICANN," Absolutely not. ICANN is not a technical operator and does not run any registry. REgistries are companies like Verisign, Afilias, Donuts, etc. These companies, to be able to serve gTLDs, are under contracts with ICANN but ICANN is the policy/technical coordinator of the domain space and especially gTLDs (it has less if not none at all power over ccTLDs). – Patrick Mevzek Apr 09 '21 at 18:24
  • "ICANN doesn't sell domain names directly, but works only with accredited registrars." So that is wrong too. Registrars, to be able to sell gTLDs, have to be accredited by relevant registry, hence under contract with it, AND at the same time be accredited by ICANN and hence under contract with ICANN. But besides these administrative/legal/financial ties between registrar and ICANN, ICANN does not work with registrars. – Patrick Mevzek Apr 09 '21 at 18:25
2

To complement HermanB answer, and provide another viewpoint touching on other topics:

Each zone maps a portion of the DNS name space, holding the relative info in a text file

No need here to specify how each zone is handled, and in fact many are not in "text file". This is irrelevant to users (clients of the DNS system), they ask an authoritative nameserver and get back a reply. How that reply is computed on the nameserver, and what sources are used for that are mostly hidden and plenty as well.

In short, the content can be as well in a database, or computed dynamically on request, like changing the reply for geo-located load-balancing depending on the IP address of the source or some other data in the DNS packet, like with the EDNS Client Subnet extension.

I understood that there are, among others, two types of zones: primary zones and secondary zones

Again, that is mostly not exactly it or at least not anymore.

When DNS started, things were simple. All setup were like, for a given zone, one nameserver was primary and other nameservers were secondary (you can find as well master/slave terminology but this is currently considered ill-advised to use), which means the data was really only at the primary server and the secondary ones used internal DNS requests (AXFR and IXFR queries, and then also DNS Notify for the primary to trigger faster synchronization) to get the data.

Even then, for clients, it made almost never a difference (if everything was running correctly of course, if some primary -> secondary path was broken, the zone contents served would start to differ). So in that sense there is no "primary" or "secondary" zone. There is a zone, hosted in different nameservers and in the past there were primary and secondary nameservers.

But note again this is an implementation detail. How a "constellation" of nameservers are configured, so that they all have the same data and all reply the same for a given zone is an hidden part of the thing, clients do not have to know that and most often won't know. The above setup is probably now not the one used anymore, where people use off band means to synchronize content, like for example with DB replication, or disk based replication with rsync or equivalent, or even DNS update messages.

You may want to consult the RFC on DNS terminology at https://www.rfc-editor.org/rfc/rfc8499 which lists and defines a lot of terms, after extended work by multiple parties (and a new version is being drafted).

You will see no definition for "primary zone" (because as explained above this is not a real thing in the DNS) but you will find definitions for "primary server".

What it is not is the fact that it seems that we can have only one DNS server on which we can have the primary zone file;

Based on the above paragraph you should see now that this sentence is incorrect. Any zone is served by multiple nameservers and each zone is supposed to have at any time a copy (or a way to get this copy) of the zone. For external clients, DNS users, there are no differences between these nameservers, they all reply the same.

if we can have only one server hosting the primary zone, for example the primary zone for “com”, how it is possible that there are multiple providers that can be able to register domains “.com” i.e. can be able to modify the “com” primary zone ?

Here you are coming to the edge of the DNS: DNS is about publishing data and querying for it. It says (almost) nothing about how this data is created and updated. Anyone is free to run its nameserver authoritative for any given zone (but of course without consequences until some parent specifically delegates things to this nameserver) and as such is free to decide what is in this zone.

When the domain name industry started and begin to grow, in the eighties and nineties, the following was already done:

  • TLDs were planned, either ccTLDs (one per country), or gTLDs for "everyone"
  • when already running, each TLD had a registry, the single owner of it, making it work and also deciding its policies, that is who can register names in it, and how.

At that times, .COM for example was run by Network Solutions and there were no registrars. Anyone was able to go to Network Solutions and pay $70 for a 2 years period of a given domain name.

Later it was decided that it should be broken, hence the registry/registrar model was introduced. The registry remains the runner of the zone, taking care of having authoritative nameservers replying for all domains in the zone. It then works only with some specific companies, called registrars, which are accredited and are able to send commands (register, update, renew, delete, etc.) to the registry on behalf of end clients. This was using at that time a protocol called RRP, and is currently done almost everywhere (but not absolutely everywhere, for example not in .DE) with a protocol called EPP.

The registry decides on the rules, both technical (characters allowed in name, length, reserved names, etc.), financial (prices of domain names, either global or per types like premiums, and/or per operations, including promotions, etc.) and legal (eligibility requirements, if anyone can get any name or not, etc.). So that determines which names can end up being registered and hence published in the DNS (except for names registered without namesevers or with nameservers but on hold for various reaons, in which cases nothing is published in the DNS for that name). And then registrars have to use the appropriate method to send commands conforming to the above rules to the registry, and in turn accept end clients requests, bill them, etc.

Note that, with some exceptions, domains are not free (as in beer) so the registry bills registrars per domain name, and in turn registrars bill end clients per domain name.

In the past, ICANN regulations prohibited a single company to be both registry and registrar for obvious danger of non competitive behavior (which is why after Network Solutions was bought by Verisign, Verisign has to sell of the registrar part of it to be again Network Solutions, and Verisign keeping the role of registry for com/net/org - and after that .ORG TLD was re-assigned to another operator), but this is now lifted. Also in the ccTLD world there are not always registrars (especially in smaller TLDs), and sometimes even if there are, the registry also acts as a registrar (.DE being a canonical example of that).

How it is possible that there are “13 servers” that holds the same root primary zone?

There is nothing special here, considering all the above. Any zone can be served by multiple nameservers. 13 is only a (kind of) magical number due to the way packets are constructed and the desire to fit things in less than 512 bytes. It is only a logical value anyway, because now all of them are using IP anycast, so there are thousands of "POPs", and each one is also not a single box but multiple ones (again each provider doing its own mix there).

And the zone is not special nor hidden in any way, you can download it from IANA website, or even use the DNS AXFR query on some of the 13 logical nameservers that accept it to retrieve the full zone.

You can even run it locally, and there may be even good reasons for that, look at https://www.rfc-editor.org/rfc/rfc8806 "Running a Root Server Local to a Resolver": "[..] resolvers can greatly decrease the round- trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software."

Patrick Mevzek
  • 9,273
  • 7
  • 29
  • 42