Can the US Shut Down .cn Domains? Inside DNS Root Servers and Their Defenses

The article explains how the DNS system works, why there are only 13 logical root servers, how anycast and global mirrors keep the system resilient, and evaluates the realistic risk of a nation‑state like the United States tampering with root zone data, especially for Chinese .cn domains.

Liangxu Linux

DNS Overview

DNS translates human‑readable domain names into IP addresses. A recursive resolver (the local DNS server, often abbreviated LDNS) queries a root server, then the appropriate top‑level‑domain (TLD) server, and finally the authoritative server for the queried name. The resolver returns the final A record, or follows a CNAME chain until it reaches one. Caches in browsers, operating systems, hosts files and resolvers often satisfy the query without a full root‑to‑leaf walk.

Why Only 13 Logical Root Servers?

Legacy DNS messages are limited to 512 bytes over UDP (RFC 1035). The NS record and IPv4 glue address (name, TTL and address) of each root server consume most of that space, so only 13 root server names (A‑M) can be listed in a single response. In practice each logical root is served by many physical instances worldwide: as of August 2020 there were 1,097 physical root server instances, and the number continues to grow.

Root Server Operation and Anycast

Each logical root's instances share that root's IP addresses through anycast routing (RFC 1546). An anycast address represents a set of servers; the network routes a query to the nearest instance based on topology, latency or load. This provides low latency and redundancy. For Chinese users the anycast routing typically directs queries to Chinese anycast instances.

Root Zone File

The root zone file contains NS records for every top‑level domain. It is published by IANA at https://www.iana.org/domains/root/files (≈2.2 MiB, ~20 k lines). The file can be downloaded and inspected; records for the .cn TLD occupy only a few lines.

China’s Root Mirrors

Since 2003 China has deployed multiple root‑server mirrors:

2003 – F‑root mirror (China Telecom)

2005 – I‑root mirror (CNNIC)

2006 – J‑root mirror (VeriSign cooperation)

2014 – L‑root mirror (Century Internet)

2019 – Additional mirrors for F, I, K, L, J approved by the Ministry of Industry and Information Technology (MIIT) with identifiers JX0001F … JX0012K.

These mirrors operate under Chinese regulations, use the same anycast IPs as the global roots, and therefore resolve domestic queries locally.

Potential Manipulation of the Root Zone

If a government forced a change to the root zone (e.g., removal of all .cn records), the modified file would propagate to all synchronized mirrors after cache expiration, making .cn domains unreachable worldwide. The root zone file is publicly downloadable, so any unauthorized removal would be evident. Chinese mirrors can simply refuse to apply the change, preserving .cn resolution for domestic users.

Mitigation Strategies

Maintain sovereign root mirrors and configure them to ignore malicious updates.

Automate re‑insertion of .cn records after each synchronization.

Deploy an independent primary root that is not synchronized with the global root.
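The first two strategies can be checked mechanically at each synchronization. The added example below (not the article's or any operator's code) parses root‑zone‑format lines, compares a freshly synchronized copy against a pinned set of .cn delegation records, and either refuses the sync when the delegation is gone entirely or re‑inserts the records that were lost. Both the pinned records and the synchronized zone are constructed samples with RFC 5737 addresses, not the live IANA data; the refuse‑then‑repair policy is an assumption combining the two strategies.

```python
# Pinned .cn delegation in root-zone file format (constructed sample).
PINNED_CN = """\
cn. 172800 IN NS a.dns.cn.
cn. 172800 IN NS b.dns.cn.
a.dns.cn. 172800 IN A 192.0.2.1
b.dns.cn. 172800 IN A 192.0.2.2
"""

# Freshly synchronized copy from which the cn. delegation was dropped (constructed).
SYNCED_ZONE = """\
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 518400 IN A 192.0.2.53
com. 172800 IN NS a.gtld-servers.net.
a.gtld-servers.net. 172800 IN A 192.0.2.10
"""


def parse_line(line):
    """One zone line -> (owner, type, rdata); None for blank or comment lines."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return None
    owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    return (owner.lower(), rtype.upper(), " ".join(rdata.split()))


def parse_records(text):
    return {rec for rec in map(parse_line, text.splitlines()) if rec}


def delegation_intact(zone_text, tld):
    """True when the zone still delegates the TLD (at least one NS record)."""
    return any(o == tld and t == "NS" for o, t, _ in parse_records(zone_text))


def missing_records(zone_text, pinned_text):
    """Pinned records that the synchronized copy no longer contains."""
    return parse_records(pinned_text) - parse_records(zone_text)


def reinsert_missing(zone_text, pinned_text):
    """Append the missing pinned records so the mirror keeps serving the TLD."""
    gone = missing_records(zone_text, pinned_text)
    extra = [ln for ln in pinned_text.splitlines() if parse_line(ln) in gone]
    if not extra:
        return zone_text
    return zone_text.rstrip("\n") + "\n" + "\n".join(extra) + "\n"


def review_sync(zone_text, pinned_text, tld):
    """Refuse a sync that drops the TLD entirely; otherwise repair partial loss."""
    if not delegation_intact(zone_text, tld):
        return "refused", None
    return "applied", reinsert_missing(zone_text, pinned_text)
```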

Governance

The logical root servers are operated by twelve independent organizations (e.g., VeriSign, ICANN). The root zone is managed by ICANN under a multistakeholder model since the 2016 IANA transition. The .cn TLD is delegated to the China Internet Network Information Center (CNNIC).

Conclusion

Although the United States historically operated a majority of the logical root servers, the distributed anycast architecture, independent national mirrors, and multistakeholder governance make a wholesale shutdown of .cn domains technically difficult and politically costly. The DNS design provides inherent resilience against such attacks.

References

Root‑servers.org

IANA root‑zone files: https://www.iana.org/domains/root/files

RFC 1035, RFC 1546

InterNIC named.root file: https://www.internic.net/domain/named.root

[Figure: Root server distribution map]