New Chinese TLDs

March 1st, 2006 at 23:36 UTC by Steven J. Murdoch

On 28 February, People’s Daily Online published an article entitled “China adds top-level domain names”. This suggested that China was going to take over .com and .net and split off from the conventional domains managed by ICANN and operated by Verisign. This appears to be not the case, rather the result of a mis-translation. As pointed out by Rebecca MacKinnon, the new top level domains (TLDs) are .中国 (meaning “China”) .公司 (meaning “company”), and .网络 (meaning “net”), which do not conflict with any ICANN managed TLDs.

The normal way to create new TLDs without ICANN’s permission is known as “splitting the root” since it involves creating a new root name server and replacing the root zone file distributed by IANA with your own. For some background on the role of the root zone file there is a short introduction and a slightly longer version by Daniel Karrenberg. Alternative roots are not new, but what makes the current situation different is that the new TLDs have a (powerful) government’s backing, and with around 100m Internet users (second only to the US) has the potential to have a far larger user base than any that have come before it.

There is still some uncertainty on how the new TLDs have been implemented. i-DNS produces a plugin for Microsoft Internet Explorer which allows it to access internationalised domain names as until version 7, IE cannot do this natively. In March 2005 they announced a partnership with the Chinese Ministry of Information Industry to develop the new TLDs and add support to their plugin. Some commenters have assumed that this is the only mechanism used to implement the new TLDs, but as mentioned in the press release, it seems that ISPs have also modified their servers, allowing access to these TLDs from within China without the user having to install any additional software. I do not know when this change was made and how complete the implementation is, but James Seng describes the TLDs as being in operation for 3 years.

It appears that technically China has not “split the root” since there seems to be no new root server. Instead, each ISP might have manually added the three new TLDs to their DNS server configuration. When a domain name under the ICANN TLDs (.com, .net, .uk, etc…) is resolved, the server would go to an ICANN root server to find out which organisation is responsible for allocating second level domains. However, when a domain name under one of the new TLDs is requested, the DNS server already knows the nameserver it needs to ask next and can skip the root server lookup. The advantage of this approach for China is that it avoids the cost and difficulty of setting up a new root server, but the disadvantage is that to add another TLD in the future they would have to ask all the ISPs again, rather than adding it to their root.

Despite this technicality, what China appears to have done is externally almost indistinguishable from splitting the root and carries the same consequences. The primary problem is that a link using one of the new TLDs will work in China but not outside (without a user installing the plugin, or their ISP making a configuration change). This breaks the universality of the Internet and while I will not go into further detail here, the Internet Architecture Board discusses the effects of a split root in RFC 2826, which is in addition to problems of the landrush resulting from any new domain.

I am not familiar with the ISP landscape in China, but I have tried to do some tests to better understand how these changes have been implemented. For testing I am using a DNS server (ns4.bta.net.cn) which I understand to be one used by the customers of a Chinese ISP, but which also allows access from outside. As an example, I used “北京大学.中国” which I think means Peking University in the new “.China” TLD. As Unicode cannot be used directly with DNS, it needs to be translated into Punycode. This gives xn--1lq90ic7fzpc.xn--fiqs8s.

When I ask the Chinese DNS server to resolve this domain name, I get this answer:

$ dig xn--1lq90ic7fzpc.xn--fiqs8s @ns4.bta.net.cn A
...
;; ANSWER SECTION:
xn--1lq90ic7fzpc.xn--fiqs8s. 3600 IN CNAME www.pku.edu.cn.
www.pku.edu.cn. 47863 IN CNAME tulip.pku.edu.cn.
tulip.pku.edu.cn. 85892 IN A 162.105.129.12
...

This means that according to ns4.bta.net.cn, the domain 北京大学.中国 is another name for www.pku.edu.cn and its IP address 162.105.129.12.

If this nameserver was configured only with the IANA distributed root zone file, this request would have failed (as it does on my UK DNS server). Instead, it looks like this ISP has somehow added these three new TLDs. To find out more I asked the server for its root zone, i.e. where it will send requests for TLDs it has not encountered before:

$ dig . @ns4.bta.net.cn NS
...
;; ANSWER SECTION:
. 36996 IN NS A.ROOT-SERVERS.NET.
...
. 36996 IN NS M.ROOT-SERVERS.NET.
...

It returned only the 13 IANA root servers ([A-M].root-servers.net). These do not list the new Chinese TLDs but the server still knows about them.

Here I ask the server which nameserver it thinks is authoritative for .中国 (.China and in Punycode — xn--fiqs8s):

$ dig xn--fiqs8s @ns4.bta.net.cn SOA
...
;; ANSWER SECTION:
xn--fiqs8s. 3600 IN SOA hawk2.cnnic.net.cn. root.cnnic.cn. 2006030104 3600 900 604800 3600

This means that when this server wants to resolve a domain under .中国 is will ask hawk2.cnnic.net.cn. I get the same result with .公司 (“company”), and .网络 (“net”). hawk2.cnnic.net.cn will also resolve domains under these TLDs and considers itself to be authoritive.

Several questions still remain. It is possible that the name server I used is not representative of Chinese ISPs. Also, despite it not listing any alternate roots, it is still conceivable that the server is using one. It may also be acting differently because I am outside of its customer network. However, I think it does demonstrate that there is something happening in addition to the i-DNS plugin.

I did briefly try this plugin and examine some aspects of how it works. Internet Explorer 6 and below do not support internationalised domain names (IDNA) at all. Even though Firefox does, as my DNS server in the UK only uses the IANA root servers, only the ICANN defined TLDs will work. So http://北京大学.cn/ (Peking University) will work in Firefox in the UK and China, as the TLD is .cn, but http://北京大学.中国/ will only work in China, as the TLD is one of the new non-ICANN domains.

Installing the i-DNS plugin adds IDNA support to Internet Explorer but also adds support for the new TLDs. I am not aware of all the details, but when I visit domain-name.中国 it redirects the user to domain-name.cn, domain-name.公司 redirects to domain-name.xn--55qx5d.aced.net and domain-name.网络 to domain-name.xn--io0a7i.aced.net. The nameserver for aced.net is controlled by i-DNS and, as with the DNS server in China, uses hawk2.cnnic.net.cn for further lookups.

It seems that these new TLDs are more complicated than it might first have looked, and this post by no means explains everything. I hope that others will be able to find out more. It remains to be seen what the consequences of this move will be. In their advertisement, i-DNS states that 50m users already have access to these TLDs and if the 4 ISPs which provide access to 95% of China’s Internet users add the TLDs then the remaining 5% will inevitably follow.

Also non-Chinese ISPs with a significant number of Chinese-speaking users will be under pressure to add these TLDs, and have very little incentive to not do so. While previous alternate roots have languished in the obscurity of a narrow user-base, the potential of 100m (and growing) users will make this TLD hard to ignore. Perhaps in an attempt to avoid a split Internet, ICANN will adopt the TLDs and so roll them out to the standard root servers. Whatever they choose, I hope the disruption to the Internet from the resulting politics will not be too severe.

Entry filed under: Internet censorship, News coverage

17 comments Add your own

  • 1. Milton Mueller  |  March 2nd, 2006 at 00:54 UTC

    The “mistranslation” comment by MacKinnon is simply wrong, I’m afraid. There is a (semantic) conflict between ascii “.COM” and Chinese “.公司,” and the same goes for .net. If there was ever to be a Chinese .COM, it would be “.公司.”

  • 2. cat  |  March 2nd, 2006 at 01:14 UTC

    Milton -

    Could you clarify what you mean? 公司 does represent ‘company’ or ‘corporate’, which is what MacKinnon says. Where are you finding the conflict between the ascii “.COM” and the Chinese “公司”?

  • 3. zhu hongbing  |  March 2nd, 2006 at 04:50 UTC

    I am i-DNS plugin developer.
    I agree with Milton.
    There is no conflict between .COM and Chinese “公司”. we could consider Chinese “公司” is another TLD like cc, tv, or xx.

  • 4. Florian  |  March 2nd, 2006 at 06:27 UTC

    The implementation among Chinese ISPs doesn’t seem to be universal. My Beijing cable ISP’s ns.fhnet.cn.net will return NXDOMAIN and point to the root servers as authorities. Others won’t do recursive queries and tell me to ask the root servers.

    dns.guangzhou.gd.cn on the other hand seems to be configured just as you describe for ns4.bta.net.cn

    (Discussing DNS, there seems to be a funny thing in China, at least for the two ISPs that I have been using: Some of the name servers advertised via DHCP are down/not responding to pings a lot of the time, making the whole system a little flaky…)

  • 5. Chinese user  |  March 2nd, 2006 at 10:34 UTC

    to i-DNS plugin developer, mr hongbing zhu.
    can u confirm that i-DNS use idn when querying? is there any background about it? thanks

  • 6. zhu hongbing  |  March 2nd, 2006 at 10:42 UTC

    To Chinese User:
    I don’t understand what you are asking. Can you write more details about your question? and you can write it in Chinese Langauge. I am a native Chinese. :)

  • 7. Monkey  |  March 2nd, 2006 at 11:30 UTC

    http://www.i-dns.net/popup_chineseDomainNames.html

    I just checked the above website. It says it is authorized by the Chinese government. Well, this is where the risk comes from. In the U.S., one can register for a domain name and yet be protected by some privacy laws. He/she can even hide most of his/her information from Whois. Does anyone want to risk his/her privacy with the Mainland government? Nada!

  • 8. zhu hongbing  |  March 2nd, 2006 at 12:34 UTC

    In US, US Government/FBI/CIA may also be able to get the information even he/she hide the information from whois.
    so for my opinion, if you do not want to leak your information to China Government, you could just not register Chinese domain names or use an alternative name to register it.

  • 9. Steven J. Murdoch  |  March 3rd, 2006 at 12:12 UTC

    There is further interesting discussion about this issue on CircleID.

  • 10. Joshua Lim  |  March 3rd, 2006 at 16:30 UTC

    Hi guys, i’m not a techie for dns stuff, but i think i’m sure my xiamen isp has manually added the three new TLDs to their DNS server configuration since i am able to access 搜房.中国 via a newly installed Firefox browser – those plugins do not work for Firefox, right?

    That being so, the question is, did this happened on the 1st March, or had this been implemented 3 years ago. I vaguely remembered trying to do the same in early Feb and it didn’t work. Since the implementation is not universal, can we assume that some ISPs are still in the process of adding the 3 TLDs, at the directive from the Chinese government?

  • 11. .$author.  |  March 3rd, 2006 at 22:09 UTC

    [...] Steven Murdoch has done some experiments and written an excellent blog post elucidating the technical details behind the new Chinese top level domains. He makes the argument that, while CCNIC has not technically “split the root” by creating a rival DNS rootserver, they’ve done something almost indistinguishable in practical terms. When you access a Chinese DNS server and ask for a .com or .net domain, you’re directed to the A-M rootservers (A.ROOT-SERVER.NET, etc.) But when you ask for one of the new TLDs (.中国, .公司, .网络), you skip the root servers and move directly to hawk2.cnnic.net.cn, the nameserver which has authority for these new domains. [...]

  • 12. Steven J. Murdoch  |  March 3rd, 2006 at 23:18 UTC

    For completeness, I have installed IE 7 Beta 2 and tested some Chinese URLs. The results are as expected, and almost the same as with Firefox.

    http://北京大学.cn/ causes a DNS request for xn--1lq90ic7fzpc.cn, which is resolved by the normal DNS servers. The webpage is displayed without errors.

    http://北京大学.中国/ causes a DNS request for xn--1lq90ic7fzpc.xn--fiqs8s which is not resolved by normal DNS servers, although will succeed with the modified Chinese ones. The webpage fails to load and the error message “Internet Explorer cannot display the webpage” is shown.

    The only difference appears to be that IE7 will display the internationalised URL in the address bar with a Chinese font, whereas Firefox only displays the ASCII punycode. Firefox does this to mitigate a homograph spoofing, a security issue raised in February 2005. I don’t know how Microsoft deals with this problem.

    The i-DNS plugin appears not to work with IE7, as even when it is enabled, the new TLDs do not function.

  • 13. Joshua Lim  |  March 4th, 2006 at 09:50 UTC

    “The i-DNS plugin appears not to work with IE7, as even when it is enabled, the new TLDs do not function”

    Well, that explains why they are in the rush to “split the root virtually”.

    Btw, with the “virtual root split”, will IE6 and IE7 users with the plugin still be able to access .中国 websites? I think our friend zhu hongbing might be able to answer this. :-)

  • 14. Steven J. Murdoch  |  March 4th, 2006 at 12:08 UTC

    @Joshua Lim

    with the “virtual root split”, will IE6 and IE7 users with the plugin still be able to access .中国 websites?

    The ISPs’ DNS changes have no effect on IE6 users. With the plugin they should still be able to access the new TLDs. Without the plugin, they cannot access any international domain names.

    IE7 users can only access the new TLDs if their ISP’s DNS server is modified. Alternatively, i-DNS may release a plugin which also works with IE7.

  • 15. .$author.  |  March 9th, 2006 at 13:22 UTC

    [...] Since my blog post last week, discussion continues on what has actually happened with the new Chinese TLDs and what the consequences will be. Rebecca MacKinnon’s posting on CircleID triggered an interesting discussion. It has also been mentioned on a few blogs including My Heart’s in Accra, Joho the Blog, China Digital Times, Shanghaiist, Virtual China, the LINX public affairs news and even in a Czech blog which I can’t understand. The ICANN Generic Names Supporting Organization (GNSO) mailing list has a thread discussing the move, as does the DomainState forum. [...]

  • 16. Robert Marceau  |  July 3rd, 2006 at 00:02 UTC

    I don’t understand that I read here? I have only an 8th grade education. I still have no idea what the meaning of .com, .org, .net is.? Could you explain it to me laymen language? I still don’t have a clue. Forgive me of my ignorance. I would like just a very simple answer? Thank you, bob

  • 17. Steven J. Murdoch  |  July 4th, 2006 at 12:37 UTC

    @Robert Marceau

    Have a look at this introduction to the DNS for more information.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

March 2006
M T W T F S S
« Feb   Apr »
 12345
6789101112
13141516171819
20212223242526
2728293031