March 1st, 2006 at 23:36 UTC by Steven J. Murdoch
On 28 February, People’s Daily Online published an article entitled “China adds top-level domain names”. This suggested that China was going to take over .com and .net and split off from the conventional domains managed by ICANN and operated by Verisign. This appears to be not the case, rather the result of a mis-translation. As pointed out by Rebecca MacKinnon, the new top level domains (TLDs) are .中国 (meaning “China”) .公司 (meaning “company”), and .网络 (meaning “net”), which do not conflict with any ICANN managed TLDs.
The normal way to create new TLDs without ICANN’s permission is known as “splitting the root” since it involves creating a new root name server and replacing the root zone file distributed by IANA with your own. For some background on the role of the root zone file there is a short introduction and a slightly longer version by Daniel Karrenberg. Alternative roots are not new, but what makes the current situation different is that the new TLDs have a (powerful) government’s backing, and with around 100m Internet users (second only to the US) has the potential to have a far larger user base than any that have come before it.
There is still some uncertainty on how the new TLDs have been implemented. i-DNS produces a plugin for Microsoft Internet Explorer which allows it to access internationalised domain names as until version 7, IE cannot do this natively. In March 2005 they announced a partnership with the Chinese Ministry of Information Industry to develop the new TLDs and add support to their plugin. Some commenters have assumed that this is the only mechanism used to implement the new TLDs, but as mentioned in the press release, it seems that ISPs have also modified their servers, allowing access to these TLDs from within China without the user having to install any additional software. I do not know when this change was made and how complete the implementation is, but James Seng describes the TLDs as being in operation for 3 years.
It appears that technically China has not “split the root” since there seems to be no new root server. Instead, each ISP might have manually added the three new TLDs to their DNS server configuration. When a domain name under the ICANN TLDs (.com, .net, .uk, etc…) is resolved, the server would go to an ICANN root server to find out which organisation is responsible for allocating second level domains. However, when a domain name under one of the new TLDs is requested, the DNS server already knows the nameserver it needs to ask next and can skip the root server lookup. The advantage of this approach for China is that it avoids the cost and difficulty of setting up a new root server, but the disadvantage is that to add another TLD in the future they would have to ask all the ISPs again, rather than adding it to their root.
Despite this technicality, what China appears to have done is externally almost indistinguishable from splitting the root and carries the same consequences. The primary problem is that a link using one of the new TLDs will work in China but not outside (without a user installing the plugin, or their ISP making a configuration change). This breaks the universality of the Internet and while I will not go into further detail here, the Internet Architecture Board discusses the effects of a split root in RFC 2826, which is in addition to problems of the landrush resulting from any new domain.
I am not familiar with the ISP landscape in China, but I have tried to do some tests to better understand how these changes have been implemented. For testing I am using a DNS server (ns4.bta.net.cn) which I understand to be one used by the customers of a Chinese ISP, but which also allows access from outside. As an example, I used “北京大学.中国” which I think means Peking University in the new “.China” TLD. As Unicode cannot be used directly with DNS, it needs to be translated into Punycode. This gives xn--1lq90ic7fzpc.xn--fiqs8s.
When I ask the Chinese DNS server to resolve this domain name, I get this answer:
$ dig xn--1lq90ic7fzpc.xn--fiqs8s @ns4.bta.net.cn A
;; ANSWER SECTION:
xn--1lq90ic7fzpc.xn--fiqs8s. 3600 IN CNAME www.pku.edu.cn.
www.pku.edu.cn. 47863 IN CNAME tulip.pku.edu.cn.
tulip.pku.edu.cn. 85892 IN A 220.127.116.11
This means that according to ns4.bta.net.cn, the domain 北京大学.中国 is another name for www.pku.edu.cn and its IP address 18.104.22.168.
If this nameserver was configured only with the IANA distributed root zone file, this request would have failed (as it does on my UK DNS server). Instead, it looks like this ISP has somehow added these three new TLDs. To find out more I asked the server for its root zone, i.e. where it will send requests for TLDs it has not encountered before:
$ dig . @ns4.bta.net.cn NS
;; ANSWER SECTION:
. 36996 IN NS A.ROOT-SERVERS.NET.
. 36996 IN NS M.ROOT-SERVERS.NET.
It returned only the 13 IANA root servers ([A-M].root-servers.net). These do not list the new Chinese TLDs but the server still knows about them.
Here I ask the server which nameserver it thinks is authoritative for .中国 (.China and in Punycode — xn--fiqs8s):
$ dig xn--fiqs8s @ns4.bta.net.cn SOA
;; ANSWER SECTION:
xn--fiqs8s. 3600 IN SOA hawk2.cnnic.net.cn. root.cnnic.cn. 2006030104 3600 900 604800 3600
This means that when this server wants to resolve a domain under .中国 is will ask hawk2.cnnic.net.cn. I get the same result with .公司 (“company”), and .网络 (“net”). hawk2.cnnic.net.cn will also resolve domains under these TLDs and considers itself to be authoritive.
Several questions still remain. It is possible that the name server I used is not representative of Chinese ISPs. Also, despite it not listing any alternate roots, it is still conceivable that the server is using one. It may also be acting differently because I am outside of its customer network. However, I think it does demonstrate that there is something happening in addition to the i-DNS plugin.
I did briefly try this plugin and examine some aspects of how it works. Internet Explorer 6 and below do not support internationalised domain names (IDNA) at all. Even though Firefox does, as my DNS server in the UK only uses the IANA root servers, only the ICANN defined TLDs will work. So http://北京大学.cn/ (Peking University) will work in Firefox in the UK and China, as the TLD is .cn, but http://北京大学.中国/ will only work in China, as the TLD is one of the new non-ICANN domains.
Installing the i-DNS plugin adds IDNA support to Internet Explorer but also adds support for the new TLDs. I am not aware of all the details, but when I visit domain-name.中国 it redirects the user to domain-name.cn, domain-name.公司 redirects to domain-name.xn--55qx5d.aced.net and domain-name.网络 to domain-name.xn--io0a7i.aced.net. The nameserver for aced.net is controlled by i-DNS and, as with the DNS server in China, uses hawk2.cnnic.net.cn for further lookups.
It seems that these new TLDs are more complicated than it might first have looked, and this post by no means explains everything. I hope that others will be able to find out more. It remains to be seen what the consequences of this move will be. In their advertisement, i-DNS states that 50m users already have access to these TLDs and if the 4 ISPs which provide access to 95% of China’s Internet users add the TLDs then the remaining 5% will inevitably follow.
Also non-Chinese ISPs with a significant number of Chinese-speaking users will be under pressure to add these TLDs, and have very little incentive to not do so. While previous alternate roots have languished in the obscurity of a narrow user-base, the potential of 100m (and growing) users will make this TLD hard to ignore. Perhaps in an attempt to avoid a split Internet, ICANN will adopt the TLDs and so roll them out to the standard root servers. Whatever they choose, I hope the disruption to the Internet from the resulting politics will not be too severe.