基于区块链的联盟式国家根域名体系建设

United National root DNS system

A Blockchain based solution

⽅方滨兴 Dr. Binxing FANG

中国云安全与新兴技术安全创新联盟 理理事⻓长
中国电⼦子信息产业集团 ⾸首席科学家
Chairman, China Cloud Security and Emerging Technologies Security Innovation Alliance
Chief Scientist, China Electronics Corporation (CEC)
2018年年6⽉月6⽇日 June 6, 2018
1
互联⽹网域名解析体系的根区管理理现状
Current Situation of Root Zone Administration of Internet
任何对根区的修改需要在美国注册
新的独⽴立法律律实体PTI承担IANA职能，
的国际⺠民间组织ICANN批准
与ICANN签约，成为ICANN下属⼦子机构
Any modification to the root zone requires
The new independent legal entity, PTI,
the approval of ICANN, an international
undertakes the IANA’s function and contracts
NGO registered in US
with ICANN. It becomes an affiliate of ICANN.
root
顶级域名运营商 zone
TLD Operator PTI
file
公共技术标识符机构
Public Technical Identifiers 互联⽹网名称与数字地址分配机构 威瑞信 根区数据库
The Internet Corporation for Assigned VeriSign Root Zone file
Names and Numbers

12家根运营商(美国9家、欧洲2家、⽇日本1家)
12 TLD Operators (9 in US, 2 in Europe, 1 in Japan)
13个逻辑根服务器器和数百个镜像
13 Root Servers and Hundreds of Mirrors
 全球根域名解析体系结构
Universal root DNS architecture
根服务器器负责根区(root zone)，对顶级域
(TLD)进⾏行行解析，是解析的起点，结构的中⼼心。 . （root)
Root Servers manages the root zone, which translates
the top-level domain(TLD) names. DNS starts with
root servers, which can be regarded as the center of the cn kr com
global architecture

1
foo
2

3
www

递归解析器器
Iterative resolver 3
中⼼心化的弊端：可分析某国的⽹网络流
Disadvantages of Centralization: Data Traffic of specific country could be audited

情报泄露露：根域名解析服务器器可以记录所有的解析请
求，使得掌控根域名解析服务器器的管理理者有条件获得
⼀一国的采样访问流，通过⼤大数据分析，可以掌握该国
的信息活动规律律。
The leakage of Intelligence Information: Root DNS
could keep all requests of query and answering. That
makes the administrator of root DNS have some privilege
to monitor the internet traffic via sampling approaches.
Thus, by analyzing the such big data, the pattern of
Internet activities of the specific countries could be known.

递归解析器器
Iterative resolver
中⼼心化的弊端：可让某个域名消失
Disadvantages of Centralization: Specific Domain name can be removed
消失性⻛风险：顶级的ccTLD被从根区数据库中删除或
篡改，这意味着⼀一个该顶级域名所承载的域名集合被
从名字空间中‘抹去’，导致该ccTLD下的域名⽆无法得到
解析。
Risk of Disappearance: If some top-level ccTLDs are
removed or modified with from the root zone database, which
means that a set of domain names hosted by root zone is erased
from the namespace, which causes domain names under the
ccTLD cannot be resolved.
只需要修改根服务器器中
根区数据库
消失性⻛风险 Only the modification to the
Risk of Disappear root zone database of root
servers is needed
我 你
根
Yo
Me Root
u 最容易易
递归解析器器 Easiest
Iterative resolver
中⼼心化的弊端：可让特定IP集被根拒绝服务
Disadvantages of Centralization: Specific IP Sets can be denied by Root
致盲性⻛风险：指定的IP集合中的递归解析器器可能会被
根服务器器拒绝提供解析服务，从⽽而切断了了该IP集合对
原根域名解析服务器器的访问，使得该IP集合中的递归
服务器器所服务的⽤用户群⽆无法访问互联⽹网。
Risk of Blindness: The iterative resolvers in the specified IP set
may be rejected by the root server to provide the resolution
service, it causes the access to the original root server is cut off.
Thus, users served by these iterative resolvers cannot access the
Internet.

很容易易
致盲性⻛风险
Easy
Risk of Blindness
我 你
根 Yo 只需要修改根服务器器
Me Root
u 中ACL
递归解析器器 Modification of ACL
Iterative resolver in Root Servers
中⼼心化的弊端：特定IP集被阻断时⽆无法运⾏行行
Disadvantages of Centralization: Cannot run when a specific IP set is blocked
孤⽴立性⻛风险：特定的IP集合所形成的⽹网络空间可能会
被彻底封锁，使得通过根域名进⾏行行解析请求的⼯工作模
式被中断，导致IP集合内的域名服务体系也⽆无法运⾏行行。

Risk of
Risk ofIsolation:
Isolation:Specific
Specific
IP IP
setset
andand the cyberspace
the cyberspace based on
based
it can beonblocked
it can thoroughly.
be blockedResolving
thoroughly. Resolving
service base onservice
root
base onhas
servers root servers
been has
stopped, been
thus, thestopped, thus,
DNS system in the DNS
the IP set
systemrun.
cannot in the IP set cannot run.

困难
孤⽴立性⻛风险 Hard
Risk of Isolation

本国的递归解析器器
Domestic Iterative resolver
我 你
根 Yo 需要封堵该国
Me Root
u 互联⽹网
外国递归解析器器 Need to block the
Foreign Iterative resolver country’s internet
中⼼心制源于Zooko三⻆角猜想
Centralized ideas is from Zooko's triangle
Zooko三⻆角猜想 Zooko's triangle
任何命名体制在唯⼀一性、⾮非中⼼心化和⽤用户可理理解中，只能三选⼆二
Only 2 of 3 properties, Human-meaningful, Decentralized, and Uniqueness, are generally considered
desirable for any naming systems

⽐比特币地址：牺牲⽤用户可理理解 DNS: 牺牲⾮非中⼼心化，即只能中⼼心化

唯⼀一 DNS: No Decentralized solution
Bitcoin Address: No Human-meaningful Uniqueness

⽤用户可理理解 随意命名
⾮非中⼼心化 Human-
Decentralized
Choose any desirable name
meaningful

QQ昵称: 牺牲唯⼀一性
QQ Nicknames: No Uniqueness

若猜想成⽴立，则DNS必须中⼼心化，这就是当前域名解析系统中⼼心化的原因
If zooko’s triangle has been proved, that means DNS has to be centralized.
 DNS根中⼼心化：结构、权⼒力力与机制
Centralized Root-DNS: Structure, Responsibility, and Mechanism
名字空间：⼀一棵单根标签树
结构 • 
•  Namespace: A labeled tree with unique root
Structure
•  解析系统：根服务器器是解析起点
•  Resolving system: root server is the starting
point for resolving

•  ICANN管理理根区，负责顶级域名(TLD)的分配

权⼒力力 •  ICANN manages the root zone, who is

Responsibility responsible for the allocation of TLDs
•  VeriSign负责根区⽂文件和主根服务器器的运维
•  VeriSign is responsible for the running and
maintenance of root zone files and primary
root servers

•  递归服务器器软件中root hint为13个根服务器器的IP
机制 地址
Mechanism •  Root hint in the software of resolvers is the
IP address of 13 root servers
•  在DNSSEC中，以根区的公钥(KSK)为信任锚
•  In DNSSEC, the root zone's public key
(KSK) is used as trust anchor
 消失性⻛风险与DNS中⼼心化
Risk of Disappearance and Decentralized DNS
•  名字空间是⼀一棵单根标签树 Namespace is a labeled tree with unique root
结构⻛风险
结构⻛风险 •  切断根与TLD间的边，删除TLD⼦子树 Cut off the edge between the root and TLD, and delete the TLD subtree
Risk on
Risk on
Structure
Structure •  根服务器器是解析的起点 Root server is the starting point for resolving
•  根服务器器拒绝提供对TLD的解析服务 Root server refuses to provide resolution service for TLD

•  ICANN管理理根区，负责顶级域名(TLD)的分配 ICANN manages the root zone, who is responsible for the
权⼒力力⻛风险
权⼒力力⻛风险 allocation of TLDs
Risk on
on •  ICANN撤销对TLD的授权 ICANN withdraws Delegation of TLD
Responsi- •  VeriSign负责根区⽂文件和主根服务器器的运维 VeriSign is responsible for the running and maintenance of root
bility zone files and primary root servers
•  从根区⽂文件中删除TLD的资源记录 Remove TLD resource records from the root zone file
•  递归服务器器软件中root hint为13个根服务器器IP地址 Root hint in the software of resolvers is the IP address of 13
root servers
机制⻛风险
•  ⽆无法从13个根服务器器之外获得TLD信息 Unable to get TLD information except 13 root servers
Risk on
•  在DNSSEC中，以根区的密钥签名公钥(KSK)为信任锚 In DNSSEC, the root zone's public key (KSK) is used
Mechanism
as trust anchor
•  密码学保证被删除的TLD记录不不能通过验证 Assure the deletion of TLD records won’t be verified via cryptographic
 中⼼心化根域名弊端的五种应对⽅方法
Five solutions against the security issues of centralized root-DNS
开放根：⼀一组独⽴立运作的根服务器器，与IANA根区数
据库同步，尽管可以选择不不做删除操作，但也可能⽆无 .root root
法直接获得最新的根区数据。 root
Open Roots: A group of independent root servers that
synchronizes with the IANA Root Zone database.
Although deletion can be prevented, latest root zone data
still could not be obtained directly. .cn .com .ru 另类根：完全独⽴立于当前IANA体系，相当于建⽴立了了
[Open Root Server Network] （雪⼈人计划 Yeti DNS 另⼀一个名字空间
Project） Alternative roots: Independent from the current IANA
system completely, It is equivalent to establishing
another namespace
除了了另类根（另类与现有空间⽆无关，不不予讨论），所有 [Public-Root/ORSC/UnifiedRoot]
⽅方法都是依赖于根服务器器的根区数据，因此只是在寻址 foo
上分布获取信息，但在信任体系上还是中⼼心制，所以都 全球根：在当前IANA体系内，加⼊入Universal任播根服
⽆无法应对消失性⻛风险。 务器器，任何⼈人可以建⽴立⾃自⼰己的根服务器器镜像为本地⽹网
Except for the alternative roots, all solutions rely on the root root 络服务
zone data of the root servers. Therefore, it is only distributed
Universal roots: Within the current IANA system, adding
on the addressing, but still centralized on the trust system, so
Universal Anycast Server. Anyone can create their own
it cannot cope with the risk of disappearance. www root server mirror for local network services

伪装根：伪装为根镜像，劫持到根的查询直接给出应答，相
递归根：在递归解析器器上直接做根区解析，相当于事先缓 当于劫持了了根服务器器。[据说国内⼀一些ISP为提⾼高性能采⽤用过
存了了根区，⽤用于提⾼高解析性能。 该⽅方法，也类似于基于客户端的⽅方法劫持⽤用户的递归查询]
Disguise root: Playing as a root mirror, hijacking the access
Iterative Roots: Conducting root zone parsing on the iterative 递归解析器器
resolvers directly. It is equivalent to caching the root zone data linking to the roots and answering directly, which is equivalent
Iterative Resolver to hijacking the root server. [It is said that some domestic ISPs
in advance to improve performance.
[Google 8.8.8.8] have adopted this method for improving performance. Similar
root with client-based hijacking towards users' iterative queries]
 引⼊入⽐比特币与区块链的概念
Introducing the concept of bitcoin and blockchain
在不不可信且⽆无中⼼心环境下，实现⼀一个分布式账簿/达成共识
Implement a distributed ledger and go to consensus in an untrusted and non-
central environment

结构 •  数据：多复本+哈希链=公开计账簿 •  Data: Multiple Copies + Hash Chain = Public ledger

•  ⽹网络：⽆无中⼼心的对等(P2P)结构 •  Network: Decentralized P2P architecture
Structure
•  Property: Obtain by competition of computing power
•  财产：凭算⼒力力竞争获得（激励）
权⼒力力 •  记账：凭算⼒力力竞争（若>50%，则垄
(incentives)
Responsibility •  Transactions: competition of computing power (if
断） >50%, monopoly)

机制 •  共识：⼯工作量量证明 •  Consensus: Proof-of-Work, PoW

Mechanism •  发布：P2P⼴广播 •  Creating: P2P broadcasting

如何将区块链思想(技术)应⽤用于DNS的解析？
How to apply blockchain idea (technology) to DNS resolution?
 Record transactions by all members
区块链相关项⽬目 in a public blockchain, ensuring data
consistency through PoW-based
Bitcoin
公开区块链中所有节点共同
Some blockchain Projects consensus;
namecoins replace transactions
记账，通过基于PoW的共识
保证数据⼀一致性；namecoin
recorded in blocks with name 将区块中记录的⽐比特币交易易
registration data 数据替换为名字注册数据
Corda
•  ⽤用于⾦金金融机构间结算
•  ⽆无全局数据共享/区块链, ⽆无原始货币, 以单个交易易上达成
共识, ⽀支持多种共识⽅方案, 提供“监管观察员节点”, 记录绑 私有(需授权) 公开(⽆无需授权)
public
定了了法律律⽂文件与智能合约代码 Private (authorization
(No authorization
required)
For settlement between financial institutions required)
•  No global data sharing/blockchain, No original currency,
Consensus based on a single transaction, Support multiple 专⽤用(定制)
consensus solutions, Provide "regulatory observer node“, Special Corda Bitcoin
Records bind legal documents and smart contract codes (Customized)

Fabric ( HyperLedger ) 通⽤用(平台)

•  将区块链中核⼼心模块，包括成员管理理、共识⽅方 General Fabric Ethereum
(Platform)
案、数据存储、P2P⽹网络协议、智能合约等插
件化
•  Make plug-ins with core modules of Extend blockchain functionality Ethereum
blockchain, including membership from supporting digital currencies to 将区块链功能从⽀支持数
management, consensus solutions, data
smart contracts that support Turing's 字货币扩展到⽀支持图灵
completeness script 完备脚本的智能合约
storage, P2P protocols, smart contracts, etc.
 名字币带来的启发
Some ideas Inspired by namecoin
•  注册：名字先占先得，凭算⼒力力竞争 Registration: Obtain name via first-come &
权⼒力力 first served (FCFS), by competition of computing power
Responsibility •  记账：凭算⼒力力竞争（若>50%，则垄断）Transactions: competition of
computing power (if >50%, monopoly)

Namecoin 将区块
中记录的⽐比特币交
易易数据替换为名字
注册数据
Namecoin replaces
Namecoin并未打破Zooko三⻆角猜想，先占先得导致‘抢注’，不不适⽤用于ccTLD
transactions recorded
in blocks with name
具有天然归属的特性
Namecoin does not break the Zooko’s triangle. FCFS could lead to squatting.
registration data A ccTLD is reserved for some domains. Namecoin cannot meet the requirement of ccTLD
根DNS去中⼼心化思路路
Decentralized Root-DNS

原理理：保持单根树逻辑结构，构建多根树解析结构
Principle: Maintain a single root logical structure and build
multiple tree resolution structures

•  保持安全（名字唯⼀一）和⽤用户可理理解（⽤用户注册）

Secure (uniqueness) and Human-meaningful (user registration)

•  关键基础设施（根服务器器）治理理与运营去中⼼心化
Governance and decentralized operations for critical infrastructure
(root servers)
 构建国家级⾃自主根域名解析体系
Build national autonomous root-DNS system
⼀一、建⽴立国家⾃自主根域名解析系统 I. Build national autonomous root-DNS
(国家根) system(National Root)
•  National Root: Open Root System owned by Sovereign
•  国家根：主权国家所拥有的公共开放根服务
States
器器系统
•  The national root is independent of the existing TLD
•  国家根独⽴立于现有根运营商，承担本国根区
operators, and afford the root name resolution service of
域名解析服务
their own country
•  互连根模式下，保障根区解析安全；常态下，
•  if in the Inter-Root mode, the root zone security can be
采⽤用IANA数据库；
guaranteed；Normally, the IANA database is used;
II. Establish United Root for
⼆二、建⽴立 根联盟 实现解析系统互联互通 DNS interconnection
•  United Roots: A system consist of a group of interconnected
•  根联盟：⼀一组国家根之间彼此互联互通所构 national roots
成的系统 •  Establishing open united roots among countries to achieve P2P
•  国家间建⽴立开放国家根联盟，实现各⾃自主权 exchange of domain name data within their respective
内域名信息对等交换 sovereignty
•  互连根模式下，联盟国间提供域名解析服务， •  On the Inter-Root mode, the countries running united roots
保障盟友域名解析安全 provides DNS services to each other, ensure the security of
allies’ DNS security.
服从Zooko三⻆角猜想且三统⼀一的互连根模式
Meet the requirement of Zooko’s 3 properties with a unified Interconneted Root

互连根保持DNS单根树命名结构，构建多根树解析结构
Naming like a single root tree, resolving like multiple trees
命名(逻辑)结构 解析(系统)结构 总体结构
Naming Resolving Total
互连根（Inter-Root）模式的可⾏行行性
Feasibility of the Inter-Root
1.  Separate root zone name assignment from DNS
1.  将根区名字分配与域名解析相分离
2.  IANA for TLD allocation, and the inter-root for DNS
2.  IANA负责TLD分配，互连根负责域名解析
3.  Establishing trust in alliance to resolve the risk of
3.  通过建⽴立联盟信任来化解中⼼心化⻛风险 centralization
当前DNS
Current DNS
TLD权威
TLD域名 IP地址
TLD name
IANA TLD IANA IP Addr
Authorities

互连根
Inter-Root
TLD权威
TLD域名 互连根 IP地址
TLD name
IANA TLD
Inter-Root IP Addr
Authorities
 互连根（Inter-Root）设计思路路
Inter-Root Design
⼀一、建⽴立‘国家根’,国家⾃自主根域名解析系统 ⼆二、建⽴立‘根联盟’,实现解析系统互联互通
I. Build national root – national autonomous root-DNS system II. Establish United Root, to achieve DNS interconnection
解析时优先选择 •  根联盟：国家根之间互联互通所构成的根区交换
•  国家根：主权国家建⽴立的开放根服务器器系统
跟联盟中的根区 系统
National Root: Open Root System owned by
United Roots: A system consist of a group of
数据，当根联盟 Sovereign States
interconnected national roots
•  有数据时，采⽤用互连根数据；⽆无数据时，采⽤用
中没有相应的数 •  交换数据来⾃自于本国ccTLD及主权内其他TLD
IANA数据库； if have the data, use Inter-Root; if
Exchange data from domestic ccTLDs and other
据时再选⽤用IANA no data in Inter-Root, use IANA database
TLDs within sovereignty
数据库中的数据。
国家根 National Root 根联盟 Inter-Root
When resolving, cn ru tj
data in root zone CN KZ
of united root
1
will be adopted, foo
KG PK
2
if no such data,
IANA data will 3
R
www
be used UZ
U

递归解析器器
递归解析器器
Iterative resolver
互连根的全连接对等结构
Fully connected peer structure of Inter-Roots
国家根没有数据时采⽤用 .cn 线下交换公钥和服务器器信息
IANA根区数据 线上交换带签名数据
If no data in Inter-Root, National CN root Exchange public key and server info offline
roots use IANA’s root zone data Exchange of signed data online
.net

.com IANA PK root .pk

.gov 盟友间点对点交
换各⾃自TLD数据
Allies exchange TLD
data p2p
.ru RU root BR root .br

KZ root

.kz
互连根系统总体设计⽅方案
Total Design of Inter-Root
IANA TLD 联盟互联
Interconnected Union

根区采集点
TLD报备点 根区交换点 根区交换点
数据采集 Root Zone
TLD Filing Root Zone Exchange Root Zone Exchange
Data Allocation Allocation
对等解析
对等解析 服务器器
客户端 p2p resolution server
数据管理理 根区数据库 对等解析数据库 p2p resolution client
Data Management Root Zone DB p2p resolution DB 对等解析
客户端
p2p resolution client
监控平台 Monitoring System

解析服务 根区权威服务器器 互连根响应接⼝口 对等解析服务器器

Resolving Root ZoneAuthorities Inter-Root Interface p2p resolution server

递归解析器器 国内已有 权威服务器器

Iterative resolver 互连根系统 Authorities
Existing Inter-Root
System
根区数据流图
Data flow of root zone 2
本国ccTLD在国家根报备信息
1 Domestic ccTLDs report their
采⽤用IANA的根区
数据为缺省数据
information to the national root
IANA TLD
Use IANA’s root 联盟互联
zone data by default Interconnected Union
根区采集点 根区交换点 根区交换点
数据采集 TLD报备点
Data Allocation Root Zone Root Zone Root Zone
TLD Filing
Allocation Exchange Exchange

3
4 联盟内国家间通过“根区交换协
根据根区管理理策略略导⼊入
数据管理理 根区数据库 议”交换各⾃自授权的TLD注册信息
根区数据库
Data Management Root Zone DB Exchange of authorized TLD registration
Import info to root zone DB
information among countries within the
according to the root zone
监控平台 Monitoring System Union via Root Zone Exchange
management policy
Agreement
根区权威服务器器
解析服务 Root Zone 5 核准后，导⼊入服务器器
Resolving Authorities After approval, import info
to server
6
递归解析器器 为递归解析器器提供根区解析服务
Iterative Provide a root zone resolution service
resolver for iterative resolvers
联盟内“根区交换协议”
Root Zone Exchange Agreement in Union
联盟建⽴立
联盟国家间签署《国家根互联协议》，交换根区交换点信息和根区公钥
Countries in Union sign the Root Zone Exchange Agreement, and exchange the site info and public keys for root zone
根区交换点 根区交换点
Root Zone Root Zone
Exchange Exchange

根区交换点 根区交换点
根区数据库 根区数据库
Root Zone Root Zone
Root Zone DB Exchange Exchange Root Zone DB

发布区⽂文件 zone
1 file
Publish zone file
拉取(Pull)区⽂文件 zone
2 Pull zone file file 验证后存⼊入数据库 zone
3 Store in DB after file
verification
 联盟内对等解析数据流图
Data flow of p2p resolving in Union
5 国外对等服务器器获取国外
4 本国通过“对等解析协议”从超级盟友获得对等解析服
务 的权威服务器器信息
The country obtains a p2p resolution service from a Foreign peer server obtains
super ally via "peer-to-peer resolution protocol" info of foreign authorities
联盟互联
Interconnected
从对等解析数据 数据采集 Union
3 库中查询解析结果 数据管理理 Data Allocation 对等解析
对等解析数据库 对等解析客户端
Data Management 服务器器
Query answering from p2p resolving DB p2p resolution p2p resolution
client
p2p resolving DB server

监控平台 Monitoring System

根区权威服务器器 互连根响应接⼝口 国外
解析服务
Root Zone Inter-Root 权威服务器器
Resolving
Authorities Interface 当互连根系统中的缓存数据过期或缓存未
1 2
(可选)根服务器器可将查询 命中时，可以通过应急响应接⼝口获得解析结
定向到国内已有互连根系统 果
递归解析器器 国内已有
(Optional) The root server can If the cache in the Inter-Root system expires or
redirect queries to existing Iterative 互连根系统
misses, the resolving result can be obtained via
Existing Inter-Root
domestic Inter-Root systems resolver System the emergency response interface.
互连根模式与现⾏行行体系兼容
Inter-Root is compatible with the current system
.com .info DNS Resolver
.net
.org Root Name Server Mirror Root DNS

Exchange
Data Data
Country Code TLD ccTLD
.ru=211.3.1.1 Domain Name Domain Name
.cn=128.5.6.1 RU Country Root Name Data Base China Country Root
Data Base
.jp=12.3.4.1 Service Name Service
.kr=113.8.8.1
National TLD Union
gTLD
.com =1.112.8.1 .ru DNS Resolver .cn DNS Resolver
.net =1.112.8.1
.info=2.21.9.1
.org =112.8.8.1

xxx.ru DNS Resolver xxx.cn DNS Resolver

DNS Recursor DNS Recursor

New DNS Recursor New DNS Recursor

Russia China
新体系在原体系上的增量量
Newly added components compared to the original
名字空间 Name Space
•  对在IANA注册的本国ccTLD报备 Domestic ccTLDs report their information to IANA

权威服务器器 Authorities
•  新加⼊入国家根服务器器，与其他根服务器器并存 National Root coexists with other roots
•  为当前互连根系统提供了了⼀一种新的信息来源 New info source for current Inter-Root system

递归解析器器 Iterative resolver

•  采⽤用根联盟的递归解析器器在root hint中增加国家根服务器器信息
Add national root server info in root hint for iterative resolver with Inter-Root

解析协议 resolution protocol

•  ⽆无 No
 新体系具有以下性质
Features of New System
独⽴性 Independence
•  由国家根承担的根区解析服务完全⾃自主 •  Resolving service on root zone by the national root is completely autonomous
•  ⽹网络主权范围内域名解析系统⾃自主 •  Autonomous domain name resolution within the scope of cyber sovereignty

开放性 Openness
•  根联盟的加⼊入/退出是开放的 •  Join/Exit of Root Union is open
•  国家根解析服务向所有递归解析器器开放 •  The national root resolution service is open to all iterative resolvers

兼容性 Compatibility
•  新体系只涉及域名解析，对当前ICANN •  The new system only name resolution, and it is transparent to current ICANN
的域名授权管理理透明 name delegation management
•  国家根联盟对除采⽤用国家根的递归解析 •  The Root Union is transparent to other DNS components except for the
器器外其他DNS组件透明 iterative resolver using by national root

可扩展性 Scalability
•  新体系继承了了DNS作为⼀一个分布式系统
•  The new system inherits the scalability of DNS as a distributed system
的扩展性
•  The size of the Root Union does not exceed the number of sovereign countries
•  根联盟规模不不超过主权国家数量量
互连根可解决消失性⻛风险
Inter-Roots can solve the risk of disappearance
存在问题：根区⽂文件⼀一致性
Issues: Consistency of root zone files
如何保证所有国家根上的根区⽂文件都⼀一致？
How to ensure that all countries have the same root zone file?
•  如何保证国家根的信息发布到了了其他根成员？
How to ensure that a national root information is published to other root members?
•  如何检测⼀一个国家根发布根区⽂文件不不⼀一致（私钥泄露露）？
How to detect the inconsistency of a country's root publishing root zone file (private key disclosure)?
•  如何将两个国家间互信扩展到整个根联盟上？
How to extend mutual trust between two countries to the entire root union?

伪装为国家根发布假数据 国家根间尚未全结盟
Play as a national root to publish fake info The national roots have not yet fully aligned

CN CN KG CN IN
Attackers

PK KZ BR ZA

RU UZ RU TJ
互连根+：将分布式共识应⽤用于互连根
Inter-Root+: Applying Distributed Consensus to Inter-Roots+
1、公开 vs. 私有 Public vs Private

⽬目标 私有：只有联盟国家根（或TLD权威）才有权交换数据
Goals Private: Only the national root (or TLD authority) are allowed to exchange data
总结
根联盟内对的 Conclusion
根区⽂文件达成 2、平台 vs. 专⽤用 Platform vs Specified
共识
Reach ⾮非公开，专⽤用，
consensus on 专⽤用：避免平台所带来的不不必要的复杂性 类BFT共识
Root Zone File Specified: Avoid unnecessary complexity caused by the platform Non-public,
in the Root specified, BFT-
Union
3、 类PoW共识 vs. 类BFT共识 PoW-like like consensus
consensus vs. BFT-like consensus

类BFT：数据交换基于互信，⽆无需引⼊入算⼒力力竞争与激励
BFT-like: data exchange based on mutual trust, no need to use competition and
incentives
 基于分布式共识的“互连根+”⽅方案概览
An Overview of Inter-Root+ Based on Distributed Consensus
基于分布式共识在根联盟上实 类PBFT的根区数据共识⽅方案
PBFT root zone data consensus
现⼀一个根区⽂文件的公开账簿
Implementing a Public ledger for Root CN KZ
Zone Files on the Root Union based on
distributed consensus BR PK

线下名⽚片交换 RU ZA
Offline name card
exchange 公开账簿（哈希链） Public Ledger
联盟协议签订 根区⽂文件⽇日志 Root Zone file log 来⾃自IANA的数据
Sign Agreement
国家根名⽚片
历史快照 历史快照 历史快照 根区⽂文件
Root Zone
Data from IANA
Snapshot Snapshot Snapshot
Name card of file 本国TLD数据
National Roots Domestic TLD data
根名⽚片⽇日志 Root Name Card Log
• 顶级域列列表 TLDs 盟友TLD数据
• 本国公钥 Pubic key 历史快照 历史快照 历史快照 名⽚片⽂文件
• 服务器器信息 Server Info Snapshot Snapshot Snapshot Name TLD data from Allies
Card File
• 版本号 Version
• 盟友签名 Signature from
others in allies
“互连根+”的根区交换⽅方案
Root Zone file exchange in Inter-Root+
国家根（客户端和主节点）：单数据源，因为⼀一个TLD只属于⼀一个国家根
National root (client and primary node): Single data source, because a TLD only belongs to one national root
1 通知（request，pre-prepare）：国家根通知友根准备本国数据更更新
Notice(request，pre-prepare): The national root informs allies that it is preparing its own data update
2 同意（prepare）：友根检查并签名“同意”；国家根收集⾜足够的“同意”合并为“联名同意背书”并⼴广播（在同意更更新上达成共识）
Agree(Prepare): An ally checks and signs "agree"; the national root gather enough "agree" to merge into "joint endorsement for
agreeing" and broadcast (Consensus is reached on agreeing to update).
3 更更新（commit）：友根承诺执⾏行行更更新；国家根收集⾜足够的“承诺”合并为“联名承诺背书”并⼴广播（在承诺更更新上达成共识）；友根执⾏行行
更更新
Update(commit): Allies committed to conduct the update; the national roots collected enough "commitments" to be merged into "joint
endorsement for commit" and broadcast (consensus reached on commitment update); Allies perform updates
确认（reply）：友根返回更更新结果；国家根确认更更新被执⾏行行
4 Check (reply)： Allies returns the update results, national root confirm the update has been performed

通知 同意 更更新 确认
CN

BR

KZ

RU
“互连根+”的根区⽂文件⼀一致性
Root Zone file consistency of Inter-Root+
伪装为国家根发布假数据
伪装为国家根发布假数据
Play as a national root to publish fake info
•  受骗节点（UK根）若占少数，则伪造更更新不不会被同意
If fraudulent node (UK) is in the minority, fake
updates will not be performed
•  若更更新被成功伪造（私钥泄露露），则将发现冲突（更更新有
⼀一个缓冲期）；受害节点（CN根）发现遭受攻击，线下
应急响应
If the update is successfully forged (private key
leaked), the conflict will be found (the update has a
buffer period); the victim node (CN) is found to have
been attacked, and the offline emergency response
will be activated
国家根间尚未全结盟
国家根间尚未全结盟
The national roots have not yet fully aligned
•  公开⽇日志中“名⽚片”、“背书”与“更更新”公开可验证，少数未
结盟节点可信任多数达成的共识
•  The name card, endorsement and update will be
recorded in public log and can be verified. The
consensus can also be trusted by a few non-aligned
nodes
•  定时更更新机制可令被孤⽴立节点发现⾃自身被孤⽴立（更更新计时
器器超时）
•  Timed update mechanism allows orphaned nodes to
find themselves isolated (update timer expires)
互连根+可与现有体系并存运⾏行行
Inter-Root+ can coexist with existing systems
根联盟与原根并存 根联盟 Root Union
Root Union coexists with the original root
中国 China 俄罗斯 Russia
根区 原根 CN root RU root
Root Zone Original root
国家根联盟内节点
交换根区信息
com cn ru National Roots
exchange info
between Union
foo foo foo nodes

www www www

递归解析器器
Iterative Resolver

递归解析器器⾃自⾏行行选择原根或根联盟，或以原根为主、根联盟为辅
The iterative resolver chooses the original root/root union by itself. Or choose original root as primary, root union as 2nd
三个⽅方案的⽐比较
Comparison among 3 solutions
DNS根体系 root-DNS 互连根 Inter-Root 互连根+ Inter-Root+
信任 单点 点对点 集体
Trust Single p2p group
单边 双边 多边
共识 Consensus
unilateral bilateral multilateral
授权权⼒力力 中⼼心 中⼼心 中⼼心
Authority Centralized Centralized Centralized
解析权⼒力力 中⼼心 多点 多点
Resolving Centralized Distributed Distributed
根区存储 中⼼心 多点 公开账簿
Root Zone Centralized Distributed Public Ledger
数据发布 TLD à 单根 TLD à 多根 TLD à 账簿
Data Publish TLD à Single root TLD à Multiple roots TLD à Ledger
信任锚 根的公钥 国家根公钥 公钥集
Trust Anchor Public key of root Public key of national root Public key set
中国部分研究单位共同构建了了研究联盟，旨在从事基于区块链的DNS互连根的研究，
欢迎各国专家学者共同参与实验，中⽅方将⽆无偿为共同参与实验的国家提供技术⽀支持。
Some research units in China have jointly established research alliances that aim to
engage in the research on the DNS inter-roots based on the blockchain. They welcome
the participation of experts and scholars from all countries. China will provide
technical support to countries participating in the experiment for free.

⽅方滨兴 Prof. Binxing FANG

中国云安全与新兴技术安全创新联盟 理理事⻓长
中国电⼦子信息产业集团 ⾸首席科学家
Chairman, China Cloud Security and Emerging Technologies Security
Innovation Alliance
Chief Scientist, China Electronics Corporation (CEC)