Intro: I skipped my nap at noon and I'm dead tired. I came across an article that I found quite interesting, so I'm writing this post to translate it; it is also something I had wanted to do back when I was working on DNS. Unexpectedly, a year later I have changed roles and no longer work on domain name resolution, so this post makes up for that earlier regret. It is a simple analysis of authoritative resolution data: by analyzing which entity a domain belongs to, and which entity the IPs behind the domain belong to, the conclusion is that if Verisign falls over, the world's internet will be close to paralyzed, and that GoDaddy and Cloudflare also control a large chunk of the internet's infrastructure.
Before introducing the article itself, we need to review the domain registration process and a simplified domain resolution flow; see Figures 1 and 2 below. The data in this whole article comes from steps ② and ③ in those figures.
This is a blog post version of a talk I gave at the 5th ICANN DNS Symposium.
This is the written version of a talk I gave at the 5th ICANN DNS Symposium.
Why yes, the internet is resting on a foundation of duct tape and WD40 - it is known. And the DNS is the mother of all corner stones that, if knocked out, would quickly lead to the fall of western civilization. (And yes, it is a hard requirement to use this XKCD cartoon to illustrate this.) But at least it's not quite as fragile as, say, whois, so yay!
It is well known that the whole internet sits on a haphazard patchwork, and DNS is the cornerstone of that internet; if this stone were knocked out, it would quickly bring about the fall of Western civilization. As in the figure below:
But while the DNS root servers are known to be distributed, I thought it might be interesting to take a closer look at the immediate levels up from the root, and so I went to analyze the diversity or centralization of the authoritative nameservers for the generic top-level domains (gTLDs) and the second-level domains in those gTLDs.
But even though the DNS root servers are known to be decentralized and distributed, I thought it would be interesting to go one step further and look at the DNS servers at the levels immediately above the root, so I analyzed the generic top-level domains (gTLDs) and the second-level domains within those gTLDs to try to show how decentralized, or centralized, they are.
To perform this analysis, I started out with the root zone, which (as of November 2022) contains 1485 TLDs. As I discussed previously, just what exactly you find in there is already utterly fascinating, but for our purposes here, let's note that you can then request access to all of the gTLD zone files via ICANN's Centralized Zone Data Service, which got me access to 1,165 zones in total. In addition, you can obtain the .gov zone from CISA's GitHub repository, as well as .arpa from most of the root servers:
For this analysis I started from the root zone file, which contains 1485 TLDs (as of November 2022). As discussed before, a lot of information can be drawn from the root zone file, but for our discussion of centralization versus decentralization we can request access to the gTLD zone files from ICANN's Centralized Zone Data Service; I obtained 1165 zone files that way. In addition, I obtained the .gov zone data from CISA's GitHub repository, and the .arpa zone data from the root servers:
$ dig +noall +answer +onesoa @f.root-servers.net arpa. AXFR | more
arpa. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022111501 1800 900 604800 86400
arpa. 518400 IN NS m.ns.arpa.
arpa. 518400 IN NS c.ns.arpa.
arpa. 518400 IN NS f.ns.arpa.
[...]
This leaves us missing the .edu, .int, .mil and .post TLDs, which are not generally available. (If you know how to get access, mail me at jschauma@netmeister.org.)
I did not obtain the zone files for .edu, .int, .mil and .post. (If you know how to get these files, please let me know.)
For the country-code specific top-level domains (ccTLDs), it's a lot more difficult to gain access: most operators do not provide public access, although some do: you can AXFR some of them or gather some published data from others. Commercial services exist that sell you zone data, but it seems to me that this data ought to be public, so I excluded ccTLDs from my analysis for the time being.
For the country-code top-level domains (ccTLDs), getting the data is much harder. Most ccTLD operators do not provide public access, although some do: some zones can be fetched via AXFR, and some published data can be gathered from others. Paid commercial services also exist, but in my view this data should be public, so I excluded ccTLDs from this analysis for now.
Anyway, so with 1,168 total zone files adding up to around 7GB of data (of which the .com zone accounts for 4.8 GB alone!), I went ahead and used a variety of shell scripts and some perl glue to parse out the NS records to then see just what domains those are in, i.e., who controls them.
In any case, we got data for 1168 zones, about 7 GB in total (the .com suffix alone accounts for 4.8 GB!). I used various shell scripts and perl to process these NS records and see which domains the records are in, that is, who controls them.
Root
The DNS root zone itself is served by 13 root authorities, and as such is obviously and trivially diverse. The 13 authorities are managed by twelve root operators: 9 US organizations (including three US government entities), of which one (Verisign) operates two roots, one Swedish company (Netnod), one organization in Japan (WIDE), and one headquartered in the Netherlands (RIPE NCC). Obviously, all are in the same domain (i.e., root-servers.net):
The DNS root zone itself is served by 13 root server authorities, which obviously looks like a decentralized affair. These 13 authorities are run by 12 operating organizations: 9 US organizations (including 3 US government entities), among which the US company Verisign maintains two roots; the other three are a Swedish company (Netnod), one in Japan (WIDE), and one headquartered in the Netherlands (RIPE NCC). Obviously all of these roots are in the same domain (i.e. root-servers.net).
Figure 4: NS records of the root zone; Figure 5: a single domain contains all the root name servers.
Now for the root itself, this illustration is of course a bit silly, but it gives you an idea of what I'm looking for in this analysis. And things do get a bit more interesting once we process all the NS records from the root zone itself, where we find 7,507 total NS records across 5,612 unique name servers, which looks reasonably diverse:
Now, for the root itself this illustration looks a bit silly, but it represents the logic of my analysis of this data: counting the domains these name servers are in. When we tally the NS records in the root zone file, things start to get interesting: we find that all the TLDs are delegated to 7507 name servers, 5625 after deduplication, which looks very decentralized. Sorted, it looks like this:
$ awk '/IN[ ]*NS[ ]/ { print $NF }' root.zone | wc -l
7507
$ awk '/IN[ ]*NS[ ]/ { print $NF }' root.zone | sort | uniq -c | wc -l
5625
$ awk '/IN[ ]*NS[ ]/ { print $NF }' root.zone | sort | uniq -c | sort -rn | head -20
119 ac4.nstld.com.
119 ac3.nstld.com.
118 ac2.nstld.com.
118 ac1.nstld.com.
47 l.gmoregistry.net.
47 k.gmoregistry.net.
47 b.gmoregistry.net.
47 a.gmoregistry.net.
46 ns-tld5.charlestonroadregistry.com.
46 ns-tld4.charlestonroadregistry.com.
46 ns-tld3.charlestonroadregistry.com.
46 ns-tld2.charlestonroadregistry.com.
46 ns-tld1.charlestonroadregistry.com.
27 anycast9.irondns.net.
27 anycast24.irondns.net.
27 anycast23.irondns.net.
27 anycast10.irondns.net.
21 j.zdnscloud.com.
21 i.zdnscloud.com.
21 g.zdnscloud.com.
Translator's note: the root zone file looks roughly like this.
But if you look closer, you'll notice that many of the nameservers are in the same domain, so if we then flatten the whole thing, we see a bit more of a centralization. For example, 6.3% of the NS records being under nstld.com, which is operated by Verisign:
But if you look carefully, you'll notice that many name servers are under the same domain, so if we flatten them out we see rather more centralization. For example, 6.3% of the NS records are under nstld.com, which is operated by Verisign.
But thinking about this distribution a bit more quickly makes you realize that there isn't really an even distribution in the gTLD, since not all domains have the same footprint. As you may guess, the .com zone has more records than some of the other zones. More specifically, .com has over 164 million NS records, making up 73% of all the NS records in all the gTLDs.
But thinking about this distribution a bit more, you realize that within the gTLDs different suffixes carry different weight: the .com suffix has far more domains than the others. More specifically, across the 1166 TLDs there are 223,893,594 NS records, of which the .com suffix alone has 164 million, or 73% of all NS records in the gTLDs.
The NS records for .com are in the gtld-servers.net domain, but so are e.g., .net's; similarly, the NS records for .org and .info are in the same domain, so we can flatten this data a little bit more:
.com's own NS records are under gtld-servers.net, and so are .net's; likewise, the delegating NS records for .org and .info are under one and the same domain, so we can flatten the data a bit further:
In other words, almost 80% of all NS records across all gTLDs are under the gtld-servers.net domain, and thus the control of Verisign -- the same Verisign that also operates two roots.
In other words, almost 80% of all NS records across the generic top-level domains are under the gtld-servers.net domain and thus under Verisign's control, the same Verisign that also operates two roots.
Ok, so this is the representation of the NS records for the gTLDs within the root zone, but what about the NS records for all the second-level domains within the gTLDs? Parsing all 1,168 zone files, we end up with 2,699,827 unique name servers that we can group under 1,063,092 domains:
Ok, that is the picture of the NS records for the gTLDs within the root zone; but what about the NS records of all the second-level domains within the gTLDs? Parsing all 1,168 zone files, we get 2,699,827 unique name servers, which we can group under 1,063,092 domains, as follows:
This shows a notable centralization of the NS records found in all gTLD zones, with domaincontrol.com accounting for roughly 20% alone.
This shows that the NS records found across all gTLDs have a clearly centralized character, with domaincontrol.com alone accounting for about 20%. Translator's note: what this chart means is that the 171 name servers under the domaincontrol.com domain are delegated to by 100,864,743 second-level domains, about 20% of all second-level domains.
Another thing that seems interesting here is that some of the cloud companies offering DNS services are choosing to use a larger number of NS records even across, in the case of AWS, thousands of second-level domains in several TLDs:
Another interesting thing is that the cloud companies offering DNS services choose to use a larger number of NS records; AWS, for example, uses nearly a thousand second-level domains for delegation:
$ grep awsdns- domain-counts.full | head
52221 awsdns-02.org.
49614 awsdns-23.net.
49264 awsdns-49.com.
48276 awsdns-05.co.uk.
46392 awsdns-35.org.
45955 awsdns-53.com.
45593 awsdns-19.net.
44409 awsdns-25.com.
44176 awsdns-22.co.uk.
44140 awsdns-45.org.
$ grep -c awsdns- domain-counts.full
978
The data now show that out of the over 534 million NS records across a little over 1 million domains:
43% of all NS records (roughly 230 million) are served by only 165 name servers found in just 10 domains
52% (~278 million) are served by 255 name servers in just 20 domains
75% (~401 million) are served by 1,580 name servers in just 100 domains
99% (~529 million) are served by 345,000 name servers in 6,000 domains
The data now show that about 534 million NS records point at a little over 1 million domains:
43% of the NS records (about 230 million second-level domains) are served by 165 authoritative servers in 10 domains;
52% of the NS records (about 278 million second-level domains) are served by 255 authoritative servers in 20 domains;
75% of the NS records (about 401 million second-level domains) are served by 1,580 authoritative servers in 100 domains;
99% of the NS records (about 529 million second-level domains) are served by 345,000 authoritative servers in 6,000 domains;
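As an added example (not code from the original post or from this translation), the following Python carries out the same pipeline the post runs with awk, sort and uniq, on a small constructed zone fragment: extract the NS targets, count records per name server, flatten each server to its parent domain as in the nstld.com and gtld-servers.net tallies above, and compute the share of all NS records that the top-N domains carry, as in the 43%/52%/75% figures. The zone text, the names in it, and the "drop the leftmost label" rule for finding a name server's domain are assumptions for illustration.

```python
"""Added example: tally NS records per name server and per parent domain,
then measure how concentrated the delegations are (not the post's own code)."""
from collections import Counter

# Constructed zone fragment in RFC 1035 presentation format; all names are
# made up and fully qualified, the way CZDS zone files present them.
SAMPLE_ZONE = """\
example. 86400 IN SOA ns1.example. hostmaster.example. 1 1800 900 604800 86400
alpha.example. 172800 IN NS ns01.hosted-dns.test.
alpha.example. 172800 IN NS ns02.hosted-dns.test.
beta.example. 172800 IN NS ns01.hosted-dns.test.
beta.example. 172800 IN NS ns02.hosted-dns.test.
gamma.example. 172800 IN NS a.other-dns.test.
gamma.example. 172800 IN NS b.other-dns.test.
delta.example. 172800 IN NS ns-7.self-host.test.
delta.example. 172800 IN A 192.0.2.10
"""

def ns_records(zone_text):
    """Yield the target of every NS record, mirroring the post's
    awk '/IN[ ]*NS[ ]/ { print $NF }': class IN, type NS, last field."""
    for line in zone_text.splitlines():
        fields = line.split()
        for i in range(len(fields) - 2):
            if fields[i] == "IN" and fields[i + 1] == "NS":
                yield fields[-1].lower()
                break

def parent_domain(ns):
    """Flatten a name server to the domain it lives in by dropping the
    leftmost label (assumption: a.gtld-servers.net. -> gtld-servers.net.;
    a public-suffix-aware split would be more precise for odd cases)."""
    return ns.split(".", 1)[1]

def count_by_server(zone_text):
    """NS record count per unique name server (sort | uniq -c)."""
    return Counter(ns_records(zone_text))

def count_by_domain(zone_text):
    """NS record count per parent domain, i.e. the flattened view."""
    domains = Counter()
    for ns, n in count_by_server(zone_text).items():
        domains[parent_domain(ns)] += n
    return domains

def top_share(domain_counts, n):
    """Fraction of all NS records delegated to the n largest domains."""
    total = sum(domain_counts.values())
    top = sum(c for _, c in domain_counts.most_common(n))
    return top / total if total else 0.0

if __name__ == "__main__":
    by_domain = count_by_domain(SAMPLE_ZONE)
    for dom, n in by_domain.most_common():
        print(f"{n:8d} {dom}")
    print(f"top 1 domain carries {top_share(by_domain, 1):.1%} of NS records")
```

Run against a real zone file the same functions give the per-server and per-domain tallies; on the constructed fragment the largest domain carries 4 of 7 NS records.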
Let's look at these 20 domains and see who controls them, and thus over half of all the domains in all the gTLDs. They are:
Let's look at who controls the 20 domains that account for 52% of the NS records.