(theregister) Russia is intending to set up its “own internet” according to a number of Russian news sources citing a document signed by President Vladimir Putin earlier this month.
At a meeting at the end of October, the Russian Security Council ordered its telecoms ministry to look at a “system of backup DNS root name servers, independent of the control of ICANN, IANA and VeriSign, and capable of servicing the requests of users from the listed countries in the case of faults or targeted intervention,” according to the policy document, which RBC authenticated this week.
The “backup” servers would be placed in BRICS countries – Brazil, Russia, India, China, South Africa – and be exclusively for their use. The rationale for setting up such a system is, according to the document, “the increased capabilities of western countries to carry out offensive operations in information space, and their willingness to use them.”
The document also points to the “dominance of the US and several EU countries in matters of internet control,” as justification for setting up the alternative platform.
Its stated goal is to ensure that, from Moscow’s point of view, Russian .ru websites remain accessible even if the .ru top-level domain is removed or hijacked in the main root zone file; the implication being that the United States could use the web as a weapon, and force changes onto the internet’s main address book to effectively knock Russian websites and services offline. The world’s domain name system is run by ICANN, a non-profit based in California, USA, and could be leaned on by Uncle Sam, it’s feared.
Several Russian news outlets referenced a 2016 interview with Alexey Platonov, the director general of the Technical Center of Internet (TCI) – .ru’s technical body – to explain why such a system is necessary.
In that chat, Platonov said that in 2014 the Russian Ministry of Communications tested the stability of the global domain name system, and found that “the DNS network worked inadequately” if “information about the .ru [top-level] domain was removed from the ICANN database.” In other words, the .ru domain space was at the mercy of someone modifying IANA’s root zone file, the central address book of the internet.
As a result of that exercise, Platonov said, “TCI, [Russian internet exchange] MSK-IX and other telecommunications companies had to maintain the performance of the national segment of the Internet,” and noted that MSK-IX has its own backup server with a mirror of the planet’s DNS root zone file.
Russian internet engineers had to, essentially, set up machines to keep .ru domains online regardless of whatever changes ICANN and its IANA department implemented, allowing the nation to use its native websites even if the top-level domain .ru was somehow blocked globally.
Platonov explained: “With such a backup server, you can make the system continue to work – that is, ICANN ‘removes’ domain information from the root servers, but it is stored on our server.”
So, that’s the background context. This Putin-signed policy document has been widely reported as a sign that Russia is setting up its own version of the internet; however, you can start to see it’s not quite that.
Setting aside the question of whether the United States would ever use the domain name system as a weapon – especially having handed full control of the DNS platform to ICANN in 2016 – the reality is that there are already numerous “backups” of the root zone file.
First up, it is important to understand how the world’s domain-name system works. There is a single root zone file – a rudimentary text document – that lists all the top-level domains (TLDs) on the public internet, such as .com and .uk, and each entry points to the authoritative name servers for that TLD.
Those next-level name servers are each under the control of whatever outfit runs each TLD, and those servers provide the addresses of other name servers that can resolve the domain names underneath the top-level domain into an IPv4 or IPv6 network address to connect to.
For example, when a browser tries to connect to theregister.com, the software goes to a .com TLD name server, owned and run by Verisign, based in Virginia, United States, for further information on how to connect to the site.
The vast majority of internet users’ requests for a specific domain name never actually go to either the TLD server or one of the 13 official root zone servers, because their ISP – or their DNS lookup provider, such as OpenDNS – will have cached the details of common domain names in order to speed things up.
So type in theregister.co.uk and the chances are that your ISP’s DNS resolver already knows the server’s IPv4 address of where our website resides. What the ISP will typically do is check back with the various TLD servers around the globe at least twice a day for any changes. And those TLD servers will themselves typically check back with one of the 13 official root servers twice a day to make sure there are no changes.
This is how DNS works, and it’s why, if you make a big change to your website – its server location for example – you are warned that it may take a day for everyone on the internet to reach it (in reality most internet users will do so within an hour or so).
So back to “backups” of the DNS. There are already “backups” for the 13 official root servers that form the top level of the internet. There are mirrors of these systems, and they are all over the world. In fact, the organizations that maintain the root zone file – ICANN and its IANA department – actively encourage the provisioning of such mirrors because these machines will provide greater global redundancy and stability in the event of an electronic or physical attack or something like a natural disaster.
You can see a map of where all these hundreds of instances are across the globe. According to that dataset, Russia already has, er, 10 root server mirrors. It already has skin in the mirror game. If Uncle Sam or ICANN went bananas and maliciously edited the root zone file to boot, say, .ru off the internet, there are already mirrors in place within Russia to cope with the meddling.
It is a virtual certainty that there are lots of organizations and governments who have their own DNS failsafe systems in place right now as well as these mirrors in case the root servers are compromised. If Russia wants to deploy more mirrors and connect them up, be our guest. But quite why it has to kick up such a fuss over it is a little baffling.
Back to your roots
Going deeper, the lead ‘A’ official root server – from which the other roots (they are labeled B through M) typically accept changes – is run by .com operator Verisign which has close ties to the US government. Not only that but Verisign also runs the J root and the US government runs another three (E, G and H). That leaves eight root servers outside the grasp of the US government. And if you want to be paranoid, only two (I and M) are based outside the United States.
So, for those taking Russia’s line of impending US interference the worst case scenario is:
- President Trump gets upset because he thinks someone insulted him and orders a country’s top-level domain to be pointed elsewhere.
- The military descend on all the main root server locations based in the United States and force the engineers to use their version of the root zone file (it would likely require a gun in the face because the operators are very unlikely to make such a change under just a legal threat; their lawyers would be all over it).
- So 11 of the 13 root servers have removed the country in question. The remaining official servers and the mirrors dotted across the globe might simply copy the updated file but chances are they would object wildly to an unauthorized change. So the root servers would have to start cutting off their mirrors to maintain a common response.
- At this point, alarm bells would have gone off in every ISP headquarters on the planet. Even if the US government served every single ISP in the US with an injunction, there would almost certainly be an informal uprising as internet engineers shifted operations outside the country. And that would only be within the US – the rest of the world would be free to do what they wanted.
- As a result, after an enormous amount of effort and the complete destruction of trust at the top level of the internet, the best that could be achieved would be for most US citizens to not be able to access a foreign country’s top-level domain. Everyone else would likely still have full access.
- By the time the changes have fully propagated, internet engineers and governments across the globe would either have maintained their own version of the root zone file without the tampering, or disconnected from the system altogether. The internet would fragment and it would take years to put it back together again.
All of which is a long way of saying: the US kicking a nation like Russia off the internet? Never gonna happen.
So, on the one hand, you’ve got Russia claiming to be worried about being thrown off the information superhighway and preparing for it. And on the other hand, it’s incredibly unlikely America – even considering its bizarro political situation at the moment – would actually go that far. The policy document instead leaves people assuming Russia et al are forming a breakaway internet. In reality, it’s basically calling for yet more root mirrors.
Those tests again
We were intrigued about the reference in the news reports to “exercises on the Russian Internet resilience to external threats,” which appeared to describe Kremlin techies removing .ru from the global root zone file as an experiment, to see what would be the effects of ICANN, under orders from Uncle Sam, stripping the Russian TLD from the world’s DNS.
We dug into the root zone file, and found no sign of any recent changes made to the .ru top-level domain, particularly not the suggestion that it had been temporarily removed from the root as a test. We also spoke separately to three root zone experts, none of whom wanted to speak publicly but all of whom said that there is no way that the Russian government has done a live test on the root zone. It would have been noticed immediately, and would have been the subject of countless conference presentations since.
Which means that the tests must have been carried out by the Russian government in a virtual lab where they removed the .ru entries from a cloned root zone file, and then observed they were unable to reach .ru domains. Not exactly earth shattering, which suggests someone’s trying to make a lot of noise over nothing.
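The lab test described above, sketched as an added example (not code from the article or from any organization it names): a constructed root-zone-style excerpt is cloned with the .ru delegation removed, lookups are run against the clone and against a retained copy, and a diff flags the missing delegation the way a mirror operator comparing copies could. The name server hostnames and all function names are assumptions for illustration.

```python
# Constructed root-zone-style excerpt (master-file format). The name server
# hostnames are placeholders, not the real delegations.
MIRROR_COPY = """\
com.  172800  IN  NS  a.tld-servers.example.
com.  172800  IN  NS  b.tld-servers.example.
ru.   172800  IN  NS  a.ru-servers.example.
ru.   172800  IN  NS  b.ru-servers.example.
uk.   172800  IN  NS  a.uk-servers.example.
"""

def parse_delegations(zone_text):
    """Map each TLD to the set of name servers its NS records point at."""
    delegations = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            owner, target = fields[0].lower(), fields[4].lower()
            delegations.setdefault(owner, set()).add(target)
    return delegations

def strip_tld(zone_text, tld):
    """Lab step: return a clone of the zone with one TLD's records removed."""
    owner = tld.lower().strip(".") + "."
    kept = [l for l in zone_text.splitlines() if l.split()[:1] != [owner]]
    return "\n".join(kept) + "\n"

def refer(delegations, qname):
    """Root answer for qname: the TLD's name servers, or None if the TLD is absent."""
    tld = qname.lower().rstrip(".").rsplit(".", 1)[-1] + "."
    servers = delegations.get(tld)
    return sorted(servers) if servers else None

def diff_delegations(reference, candidate):
    """Report TLDs that vanished or whose NS set changed versus a retained copy."""
    removed = sorted(set(reference) - set(candidate))
    changed = sorted(t for t in reference.keys() & candidate.keys()
                     if reference[t] != candidate[t])
    return {"removed": removed, "changed": changed}

mirror = parse_delegations(MIRROR_COPY)
edited = parse_delegations(strip_tld(MIRROR_COPY, "ru"))
print(refer(edited, "example.ru"))   # lookup against the edited clone
print(refer(mirror, "example.ru"))   # lookup against the retained copy
print(diff_delegations(mirror, edited))
```

A resolver working from the edited clone gets no referral for any .ru name, while one pointed at the retained copy still does, which is the behaviour Platonov describes for the MSK-IX backup server.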
Getting back to the Russian government’s “system of backup DNS root name servers, independent of the control of ICANN, IANA and VeriSign, and capable of servicing the requests of users from the listed countries in the case of faults or targeted intervention.”
There is nothing to stop a government, or a gang of governments, from doing something like this. Some groups already do. If you have the resources, and fear that the US government would actually do something as reckless and self-defeating as booting a nation off the web, then, OK, go forth and configure your BIND boxes. But you’re just doing what so many others have already done.
What this policy document boils down to is a pure political play by Putin and Russian officials who for more than a decade now have tried to gain greater influence over how the internet is governed.
The Russian and Chinese governments have tried very hard – and failed – to shift oversight of the DNS under the auspices of the United Nations, in particular the UN’s International Telecommunications Union (ITU), where they have significant influence.
Those efforts have been beaten back largely by Western governments. And, crucially, the final leverage that the Russian and Chinese governments had over other world governments – that the US government retained overall control of ICANN and IANA – was annihilated when ICANN was granted autonomy this time last year.
It was a smart move on the US government’s part even though some elements of Congress and some states fought it, and even though the internet community failed miserably in implementing adequate controls over the newly independent ICANN.
It left the Kremlin stranded in its efforts to impose its will, and so it is now trying different tactics, including: passing new restrictive internal laws on internet usage; the development of a parallel set of internet governance conferences in an effort to shift policy discussions to a more restrictive, government-led approach to the internet; and phony fear mongering efforts like this one over root servers in an effort to band together other powerful countries and create an alternate center of power to the one led by the United States and Europe.
Will Russia separate itself from the global internet? No, as Russian officials have repeatedly admitted even when expounding on the problems of today’s internet governance. It has too much to lose and too little to gain.
Will it go the Chinese route of a controlled internet within its borders and closely monitored connections to the outside? Possibly, although Russia doesn’t face the same kind of existential threat that China’s one-party system does – at least not right now – so the expense and hassle is probably not worth it.
What will it do? More of this, most likely: paint the US and Europe as controlling bogeymen; push for greater governmental control over internet management; and harp on about the darker sides of society that the internet helps foster, such as terrorism, or activities it deems morally or ethically wrong like pornography, drug taking and so on. China will do the same.
But a parallel domain name system with a separate set of root zone servers? There’s virtually no point. ®
This article was posted in its entirety as received by www.onecaribbeannetwork.com. One Caribbean Network does not correct any spelling or grammatical error within press releases and commentaries. The views expressed are not necessarily those of One Caribbean Network, its sponsors or advertisers.