ch3: who is in charge
date: May 14 2026
1. What’s literally in the root zone
You can fetch the root zone yourself. dig @b.root-servers.net . AXFR returns the entire thing in a few seconds. It’s about 2.5 MB unsigned, larger with DNSSEC, and as of March 2025 it contains 1,443 TLDs (Huston, APNIC). The peak was 1,547 in August 2017; the count has slowly shrunk as failed 2012-round gTLDs retire.
What’s actually in those entries is narrow. Almost every line is an NS record pointing at a TLD’s nameservers, plus a glue A/AAAA so resolvers can reach those nameservers in the first place. There are no records about google.com, no records about wikipedia.org. The root’s whole job is “for anything ending in .com, ask those nameservers.” Every other answer lives elsewhere.
```dns
; ===== the root's own nameservers =====
.                    86400    IN NS   a.root-servers.net.
.                    86400    IN NS   b.root-servers.net.
; ... 13 NS records total ...
; ===== delegations to TLDs =====
com.                 172800   IN NS   a.gtld-servers.net.
edu.                 172800   IN NS   a.edu-servers.net.
org.                 172800   IN NS   a0.org.afilias-nst.info.
io.                  172800   IN NS   a0.nic.io.
; ... ~1,443 TLDs total, each with their own NS set ...
; ===== "glue" (A/AAAA records for those nameservers) =====
a.root-servers.net.  3600000  IN A    198.41.0.4
a.root-servers.net.  3600000  IN AAAA 2001:503:ba3e::2:30
```
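A quick way to sanity-check a copy you fetched, as an added example that is not part of the original page: this Python sorts a dig-style AXFR dump into the three record kinds shown above and reports any delegation whose in-bailiwick nameservers have no glue, which a cold resolver could never follow. The sample zone and the 192.0.2.x addresses are constructed.

```python
"""Classify a root-zone AXFR dump (dig text form: owner TTL IN TYPE rdata,
';' comments) into root NS, TLD delegations and glue, then flag in-bailiwick
nameservers with no glue. Added example, not code from the page."""
from collections import defaultdict
# Constructed sample; 192.0.2.x are documentation addresses, a0.nic.io. has no glue.
SAMPLE_ZONE = """\
.\t86400\tIN\tNS\ta.root-servers.net.
.\t86400\tIN\tNS\tb.root-servers.net.
com.\t172800\tIN\tNS\ta.gtld-servers.net.
net.\t172800\tIN\tNS\ta.gtld-servers.net.
io.\t172800\tIN\tNS\ta0.nic.io.
; glue
a.root-servers.net.\t3600000\tIN\tA\t198.41.0.4
a.root-servers.net.\t3600000\tIN\tAAAA\t2001:503:ba3e::2:30
a.gtld-servers.net.\t172800\tIN\tA\t192.0.2.30
"""

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples; names are lower-cased."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()              # drop comments
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2] != "IN":
            raise ValueError(f"unexpected line: {line!r}")
        owner, ttl, _cls, rtype, rdata = parts
        records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records

def in_bailiwick(host, zone):
    """True when host lies inside zone (a0.nic.io. lies inside io.)."""
    return host == zone or host.endswith("." + zone)

def summarize(records):
    """Counts plus the (tld, ns) pairs where an in-bailiwick NS has no glue."""
    root_ns, delegations, glue = set(), defaultdict(set), defaultdict(set)
    for owner, _ttl, rtype, rdata in records:
        if rtype == "NS":
            (root_ns if owner == "." else delegations[owner]).add(rdata)
        elif rtype in ("A", "AAAA"):
            glue[owner].add(rdata)
    missing = sorted((tld, ns) for tld, nss in delegations.items()
                     for ns in nss if in_bailiwick(ns, tld) and ns not in glue)
    return {"root_ns": len(root_ns), "tlds": sorted(delegations),
            "glue_hosts": len(glue), "missing_glue": missing}

if __name__ == "__main__":
    print(summarize(parse_zone(SAMPLE_ZONE)))
```

On a real dump, a non-empty `missing_glue` list means the copy is truncated or has been altered, since such a delegation cannot be resolved from the root alone.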
Two things are worth flagging about how the world actually queries this file. First, about half of root queries return NXDOMAIN: the queried TLD doesn’t exist. Second, that fraction used to be much worse, and the reason it dropped is a story about how leveraged the root is on what a single browser does.
Until late 2020, Chrome’s “Intranet Redirect Detector” fired three random-string lookups at startup to detect captive portals. Those queries dominated root traffic for years: roughly 75% of all root queries were NXDOMAIN for names that no one had ever registered and no one ever would. Chrome 87 (November 2020) removed the feature. Root NXDOMAIN rate dropped to about 50% within weeks. One default in one browser rewrote the entire global query mix.
[demo placeholder] Searchable root-zone browser: filter the live root zone by category (gTLD / ccTLD / sponsored / infrastructure), operator, year delegated. Click any row to see its NS records and glue.
2. Why thirteen names
“There are 13 root servers” is one of the most-repeated and most-misleading sentences in internet folklore. There are 13 root letters: a.root-servers.net through m.root-servers.net. Behind those letters, as of May 2026, are 2,020 instances across roughly 1,742 sites (root-servers.org). Behind those instances are 26 IP addresses (one IPv4, one IPv6 per letter). When you “ask the root,” your packet ends up at whichever physical node anycast routing puts closest to you. Chapter 5 covers anycast properly.
The 13 cap itself is a 1987 packet-size artifact. When a resolver boots cold, it needs to learn the IPs of the root servers. It does this with a “priming query”: . NS sent to whichever root it remembers from a tiny hardcoded hints file. The response has to fit the 13 NS records plus their glue addresses in one UDP packet, all under 512 bytes. With name compression, 13 NS plus glue lands around the safe ceiling. Fourteen would have overflowed.
Today’s priming response runs 823 bytes plain, 1,097 with DNSSEC (Huston, APNIC 2025), both already past the old 512 cap; EDNS(0) is what keeps it working. So technically we could add more letters now. The Yeti project (a community experiment, roughly 2015 to 2018) demonstrated that running with ~25 servers was fine on the wire. The reason we don’t isn’t technical. Every resolver, OS, and embedded device on Earth ships with these 13 in its hints file. Replacing them all is operationally impossible. And every letter already anycasts to hundreds of nodes; more letters wouldn’t add meaningful redundancy. Yeti also surfaced the governance question (who picks new operators, who arbitrates, how does the set ever change?) that has killed every “more letters” proposal since.
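To make the 512-byte arithmetic concrete, here is an added example (not from the page or from any resolver's code) that assembles a priming answer with RFC 1035 label compression and measures it. It assumes the modern shared root-servers.net names and leaves out the EDNS OPT record, so its sizes sit a little under the measured figures.

```python
"""Build the wire form of a root priming answer (. IN NS) and measure it.
Added illustration, not from the page: the 512-byte UDP ceiling is what the
13-letter set was sized against. No EDNS OPT or DNSSEC records included."""
import struct

ROOT_LETTERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]

def add_name(name, msg, table):
    """Append name in wire form, replacing any suffix already in the
    message with a 2-byte pointer (RFC 1035 section 4.1.4 compression)."""
    labels = [l for l in name.split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in table:                       # seen before: point at it
            msg += struct.pack("!H", 0xC000 | table[suffix])
            return
        table[suffix] = len(msg)                  # remember where it starts
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00"                                # empty root label ends it

def priming_response(names=ROOT_LETTERS, ipv6=True, ttl=518400):
    """Authoritative answer listing `names` as root NS with A (and, if
    ipv6, AAAA) glue. Addresses are zero placeholders; only size matters."""
    msg, table = bytearray(12), {}
    add_name(".", msg, table)
    msg += struct.pack("!HH", 2, 1)                      # QTYPE NS, QCLASS IN
    for n in names:                                      # answer: NS RRs
        add_name(".", msg, table)
        msg += struct.pack("!HHIH", 2, 1, ttl, 0)        # RDLENGTH patched below
        rdlen_at = len(msg) - 2
        add_name(n, msg, table)
        struct.pack_into("!H", msg, rdlen_at, len(msg) - rdlen_at - 2)
    for n in names:                                      # additional: glue
        add_name(n, msg, table)
        msg += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(4)
        if ipv6:
            add_name(n, msg, table)
            msg += struct.pack("!HHIH", 28, 1, ttl, 16) + bytes(16)
    arcount = len(names) * (2 if ipv6 else 1)
    struct.pack_into("!HHHHHH", msg, 0, 0, 0x8400, 1, len(names), 0, arcount)
    return bytes(msg)

def fits_in_udp(names=ROOT_LETTERS, ipv6=True):
    """True if the priming answer fits the classic 512-byte DNS/UDP limit."""
    return len(priming_response(names, ipv6)) <= 512

if __name__ == "__main__":
    for ipv6 in (False, True):
        print(f"13 letters, AAAA={ipv6}: {len(priming_response(ipv6=ipv6))} bytes")
```

Pass a list of unrelated hostnames as `names` to see how much the shared suffix buys; the 1987-era root servers did not share one, so compression helped far less then.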
3. The twelve operators
Thirteen letters, twelve operators. Verisign runs both A and J, a historical artifact from inheriting Network Solutions’ original A role and the J letter added in 1995.
| Letter | Operator | Sites |
|---|---|---|
| A | Verisign, Inc. | 59 |
| B | USC Information Sciences Institute | 6 |
| C | Cogent Communications | 13 |
| D | University of Maryland | 231 |
| E | NASA Office of the CIO | 328 |
| F | Internet Systems Consortium (ISC) | 366 |
| G | Defense Information Systems Agency (DISA) | 6 |
| H | U.S. Army DEVCOM Army Research Lab | 12 |
| I | Netnod | 90 |
| J | Verisign, Inc. | 150 |
| K | RIPE NCC | 153 |
| L | ICANN | 141 |
| M | WIDE Project | 29 |
The split is enormous. F (ISC, 366 sites), E (NASA, 328), and D (Maryland, 231) together carry roughly half the global deployment. B and G have 6 sites each. The “13 root servers” framing flattens an asymmetry that matters operationally: when you query the root from anywhere with reasonable peering, the answer almost certainly came from F, E, D, K, L, or J.
There was never a competitive procurement. The operators got the job by being the institutions already running the infrastructure when DNS became real. USC, NASA, the US Army, DoD: early ARPANET-era operators. Verisign inherited A and J via Network Solutions. RIPE NCC, Netnod, and WIDE were added between the 1990s and early 2000s for geographic distribution outside North America. ICANN took L in 2007. The set has been frozen since.
None of them is paid for it.
[demo placeholder] Which root letter answers you fastest: RTT probe to each letter from the user’s browser, sorted bar chart with the operator name and site count.
4. Who gets paid
The root operators bear their own bandwidth, hardware, and staffing costs. There is no per-query fee. No ISP pays into a root fund. No registry remits a slice of registration revenue to keep the root running. The role is community service, coordinated informally through ICANN’s Root Server System Advisory Committee (RSSAC) and, since 2024, the more formal Root Server Operator accountability framework. The compensation, such as it is, is reputational.
Geoff Huston (APNIC, 2025) calls this the “unfunded query system.” Every other piece of internet infrastructure people consume scales economically with use: ISPs charge for bandwidth, CDNs charge for delivery, registries charge per name. Root operation is the exception. ISPs pay a fixed network-access fee regardless of how many DNS queries cross their links. Root operators get nothing per query. So when query load grows ~25% a year (it has, climbing from ~90 billion queries a day in early 2023 to ~130 billion by early 2025), operator costs grow with it, and no revenue does.
This is the long-term scaling problem, and it isn’t a technical one. The system is held up by volunteer commitment from a small set of institutions whose costs go up every year. Chapter 5 covers the architectural alternatives being proposed in response (aggressive NSEC caching, root zone mirroring, ZONEMD, Huston’s CDN-distributed root). They’re partly about taking pressure off operators who can’t recoup the cost of more capacity.
5. ICANN, IANA, RIRs
Three names that get conflated in casual reading. They are distinct, and the distinctions matter.
| Name | What it is | What it does |
|---|---|---|
| ICANN | Internet Corporation for Assigned Names and Numbers. California-incorporated nonprofit. Founded 1998. | Policy. Sets the rules for gTLD creation, accredits registrars, coordinates the namespace through a multistakeholder process that includes governments, businesses, technical experts, and civil society. |
| IANA | Internet Assigned Numbers Authority. Not a separate organization but a set of functions performed by PTI, an ICANN affiliate. | The actual registry-maintenance work. Updating the root zone when a TLD changes nameservers. Allocating top-level IP space to RIRs. Maintaining protocol-parameter registries (port numbers, ASN ranges). |
| RIRs | Regional Internet Registries. Five of them. | Allocate IPv4 and IPv6 space, ASNs, and reverse-DNS delegations within their regions. Self-governing. |
The five RIRs are ARIN (North America), RIPE NCC (Europe, Middle East, Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America and Caribbean), and AFRINIC (Africa). They’re autonomous within their regions, and they’re not subordinate to ICANN. For IP addresses, ICANN allocates the top-level blocks to IANA, which hands them to the RIRs, who then run their own bottom-up member-driven policy processes for the sub-allocations.
The clean way to remember it: ICANN does names and sets policy. IANA does the registry-keeping. RIRs do numbers and run themselves. The split between name authority (ICANN-led) and number authority (RIR-led) is intentional. It’s a key reason no single body can flip a switch and break the internet.
6. The 2016 IANA transition
Until October 1, 2016, the IANA functions were performed by ICANN under a contract with the US Department of Commerce. The contract dated to 1998. In practice the US never meaningfully exercised oversight (every root-zone change ICANN proposed got approved) but the contract existed, and the contract said this was ultimately under US authority.
That ended on October 1, 2016, after a two-year multistakeholder transition process. Technically, nothing changed. Politically, a great deal did: the formal US oversight of the namespace went away, and IANA functions are now governed by a global community process. The transition’s main effect was symbolic, which is exactly what made it matter to the people who cared about it.
7. Registry, registrar, registrant
Three administrative roles, often confused because the same company frequently plays more than one.
- Registry: the operator of a TLD. Runs the authoritative nameservers for, say, .com; maintains the database of all registered names under that TLD. Verisign for .com, Public Interest Registry for .org, Nominet for .uk.
- Registrar: sells names to the public on behalf of registries. Talks to the registry via EPP (RFC 5730). Namecheap, GoDaddy, Cloudflare Registrar, hundreds of others.
- Registrant: the owner of the registered name. You.
The registry/registrar split is a 1999 ICANN policy decision, not a protocol concept. Until then, Network Solutions ran both the .com registry and the only registrar. ICANN’s Shared Registration System broke them apart to introduce competition at the registrar layer. The DNS protocol itself doesn’t know registrars exist; it only sees zones and delegations.
Some registries are thick (they store full registrant contact information themselves) and some are thin (they store only the name + nameservers and rely on the registrar to keep contact details). .com is thin. .org is thick. The distinction shows up in WHOIS responses and in how data breaches at a registrar propagate.
8. Where the money flows
The .com chain dollar by dollar, as of 2025: a registrar charges you ~$10 to $15 for a year of example.com. Of that, Verisign takes $10.26 as the wholesale registry fee. ICANN takes $0.18 as the per-domain transaction fee. The registrar keeps the rest, plus whatever it makes on upsells (WHOIS privacy, email, hosting). Verisign’s .com wholesale price is capped and rate-limited by their Registry Agreement with ICANN. Without that cap they would have monopoly pricing power: switching costs are infinite per name. The price has risen from $7.85 to $10.26 over the last decade, about 31% in ten years, well under what an uncapped monopolist would charge.
ccTLDs
The two-letter TLDs (.uk, .de, .io, .cn, ~250 in total) are country code TLDs. The source of truth for which codes exist is ISO 3166-1 alpha-2, the standardized list of country codes. IANA’s policy, dating to RFC 1591 (1994), is that if a code is on the ISO list, it gets a TLD delegated to the country’s designated technical authority, usually a national academic institution, a government agency, or a private registry the country authorized.
Economics vary wildly. Some ccTLDs (like Tuvalu’s .tv, licensed to GoDaddy) reportedly contribute a substantial fraction of a small nation’s GDP. Others operate as nonprofits. A few are run as state monopolies. ICANN has minimal authority over ccTLD policy; each country sets its own rules. That is why ccTLDs are where most of the politics happens (Chapter 4).
gTLDs
The original generic TLDs (.com, .net, .org, .edu, .gov, .mil) were defined by RFC 920 in 1984 and have been operated continuously since. The new gTLD program opened the namespace in two big rounds: .biz, .info, and a handful of others in 2000, then the much larger 2012 round that brought us .club, .xyz, .app, .dev, .blog, .lol, and hundreds more. The application fee for a 2012-round gTLD was $185,000, plus operational and contractual obligations afterwards. The cost was deliberately high: ICANN wanted serious applicants who could fund the operation long-term.
Technically there is no difference between a gTLD, a ccTLD, and the original Postel set. They’re all just NS records in the root zone, served by the same anycast root servers, resolved by the same protocol. The differences are 100% policy: who gets to delegate, what rules apply, who can register names under it, how prices are set.
9. Interesting bits
Could a country fork the root?
Technically yes. China and Russia have both explored “alternative root” plans at various times. The problem is consensus: a name only works if every resolver agrees what it points to. Forking the root forks the internet. No national project has been willing to pay the isolation cost.
What stops Verisign from charging $100 for .com?
Their Registry Agreement with ICANN. The price is capped, and the rate of allowed increases is negotiated. Without that contractual cap, Verisign has effectively monopoly pricing power: they run the database, and switching costs are infinite per name. The ~31% rise over a decade is what monopoly looks like when somebody’s watching.
What happens if a root operator goes dark?
Resolvers cache root referrals for about 48 hours, and at any moment the other 12 letters cover the same data. A whole letter going dark would be invisible to most users; they’d hit a different letter on the next priming query. The bigger risk is a coordinated outage or a corruption of the root zone file itself. That’s why DNSSEC (Chapter 6) signs the root.
Next: ch4: politics of the namespace
Further reading
- Huston, The Root of the DNS (APNIC, 2025). The canonical recent piece on root operation, query growth, and the unfunded-query-system thesis.
- root-servers.org. Live per-letter instance and site counts, IPv4/IPv6 status, incident reports.
- IANA Root Zone Database. Every TLD currently delegated, with sponsor info.
- ICANN Bylaws. The multistakeholder accountability framework.
- Mueller (2010), Networks and States: The Global Politics of Internet Governance. The canonical history of ICANN’s formation.
- NTIA’s IANA Stewardship Transition archive. Primary documents from the 2014-2016 process.
- RFC 5730. EPP, the protocol every registrar uses to talk to every registry.