At the beginning of the New Year, Robert Knake, who was once the Obama administration’s Director for Cybersecurity Policy at the National Security Council and is now a fellow at the Council on Foreign Relations, predicted in a blog that “at some point in the next decade, the Chinese government, with the support of Russia and other authoritarian regimes, will move forward with plans to establish a separate [DNS] root system for their share of the internet.” It sounds terrible — the global Internet breaking into two.
I respect the fact that Knake didn’t play it safe by just expressing another “China is bad and a threat to the global internet” opinion. No, he made a prediction that something specific will happen. Predictions advance knowledge because they can be proven right or wrong. One can also quantify their probability by placing bets on them.
I am willing to make a bet with Mr. Knake on this one. I am personally offering to write him a $500 check if his prediction comes true. And I ask that he reciprocate by sending me $500 if it doesn’t.
What does it mean?
I’ll explain below why I think he’s wrong. But pinning down the meaning of his prediction is an interesting exercise in itself. What exactly does it mean to “establish a separate root system for their share of the internet”? Knake needs to be warned that I, the party on the other side of this bet, have been contemplating the economic, political and technical aspects of alternate/competing DNS root systems for the past 25 years. I published paper on the topic back in 2001. I recently published a book on Internet “fragmentation” which devotes most of a chapter to an assessment of the likelihood of a split DNS root based on geopolitical conflict. My colleagues at the Internet Governance Project and I have blogged and analyzed the issue several times over the past decade, including in connection with China. So below I explain a bit about the root of the domain name system, how it holds the internet together, and what an alternate DNS root means.
The DNS Root
The DNS protocol maps IP addresses to domain names. The domain name space is organized in a hierarchy, with the root at the top. Whenever you go to a website like medium.com, your browser is sending out a query to the root that says, “where can I find the .com server?” Once your system knows where .com is, it can find out where medium.com is by asking the .com server. The root server contains a simple text file, known as the root zone file, that has a list of all authorized top level domains, and the IP address associated with them. The Internet Corporation for Assigned Names and Numbers (ICANN), decides what top level domains exist and maintains this file.
For Knake to be correct, here’s what has to happen
Let’s break down Knake’s prediction into its component parts and develop a list of all the things that must happen for it to be true. We can summarize the conditions in these five bullet points:
- The content of China’s DNS Root Zone file must deviate from the root zone file of ICANN.
- China must require its domestic Internet service providers to use its alternate root exclusively
- China must offer this deviant root zone file to the world and openly solicit Internet operators from other countries to make it their authoritative root
- China must do so with support from Russia and other authoritarian regimes
- All this must happen before January 1, 2030
If Knake understands and agrees to these conditions, the bet is on. Let’s explain the reasoning behind them.
1. Deviant root zone file
The first condition is the most important one.
The defining characteristic of a “separate root system” is that the contents of the root zone file deviate from the authoritative root zone file promulgated by ICANN. The root zone file contains the information that consistently maps IP addresses to top level domains. So a separate root would contain information different from the ICANN root. That is, for any given TLD — let’s say Taiwan’s country code .TW — it either wouldn’t exist as an entry in the China root, or the IP address would point to a name server in mainland China instead of to TWNIC as it does now.
If there is no difference in the contents of the root zone file, then his prediction is utterly meaningless. Anyone can run their own DNS name server and call it a “root server.” Anyone can — and lots of people do — create mirrors of existing root servers, using anycast or other techniques. None of these count as alternate roots, much less as a “break from the global Internet,” because the contents of the root zone file are the same as ICANN’s. So if Knake’s prediction is to be true, China must operate a DNS root server system which disseminates a root zone file the contents of which do not match the ICANN root zone file.
2. Requirement to use it
China must also force its domestic internet users to use this deviant root — to the exclusion of the ICANN root. If this condition is not met, it is not a “separate root” or a “break with the global internet.” It is merely a parallel root that does not involve a break. And since pointing to a truly deviant root would risk incompatibility with many domains in the world, no Chinese ISP, user or browser manufacturer is going to voluntarily migrate to a deviant DNS root as authoritative. Most internet users get their DNS root selected for them by their Internet service provider. China can force domestic ISPs to use its own root. But the browser can also be critical. As DNS over HTTPS is implemented, any user of Chrome, Firefox, Safari or Edge is going to have the ICANN root hardwired into their DNS. China certainly has the power to force Chinese browser manufacturers to use an alternate root, but will it? Knake thinks it will. I think it won’t.
3. Offer it to the world
Once China’s own DNS has seceded from the global Internet’s DNS, then it must take another strong step to make Knake’s scenario come true. It must openly and publicly make this deviant root available to the world and actively solicit other countries, telecom operators and internet service providers to point to it as their authoritative root zone file. Obviously it can’t force other nations or service providers outside of its jurisdiction to do so. So it would have to publicly hang out a shingle advertising “alternate root — sign up here!”
4. Authoritarian coalition
Related to point 3, Knake’s prediction also asserts that China will be joined by a coalition of authoritarian states. China will, he states, do this with “the support of Russia and other authoritarian regimes.” That’s a very specific prediction. China will execute, Russia will support. I’ll be satisfied his prediction is correct if China gets Russia, never mind all the other authoritarian states. Am I not generous?
And of course, this all must happen “at some point in the next decade.” So the clock is running. Knake “only” has 9 years and 9 months for his alternate Internet to gestate and be born. China’s actions can prove him right at any time in that period. I on the other hand have to wait until 2030, and I am an old, old man to prove him wrong. But the $500 will make a nice contribution to my retirement.
Why is this prediction likely to be wrong?
Why am I so confident that Knake is wrong? As I explain below, this kind of prediction is rooted in a bad case of Washington-insideritis. It is not based on a careful assessment of the situation.
To begin with, the global compatibility fostered by convergence on a single DNS root is extremely valuable to China as well as the US. There are literally millions of international interactions that depend in one way or another on a making all domain names work globally. The costs of a break would be immediate and high. What would be the benefits? Knake’s assumption that China needs to fragment the DNS in order to protect itself from unwanted information flows is not well thought out. China already filters out a lot of unwanted material from the internet without sacrificing global DNS compatibility. The potential losses from an incompatible DNS are high, the gains, if any, would be minor.
There is also reason to question whether Russia and other authoritarian states would trust a root run by China. Russia’s blundering attempts to create a “national DNS” are emanating from nationalistic legislators in the Duma. Their premise is national autonomy. Why would they want to substitute dependence on China for dependency on the U.S.?
Why does this difference of opinion matter?
It is also quite interesting to reflect on why Knake made this prediction, why the Council on Foreign Relations published it, and why I am responding. For my part, there’s something intensely irritating about Washington insiders fretting about Chinese threats to the global unity of the internet.
In the past year or two the U.S. has cut off capital flows from China in the tech sector, broadened the scope of CFIUS reviews in a way intended to target China, imposed sanctions on Chinese equipment manufacturers that are causing operating systems to fork and the chip market to de-globalize, and waged a global campaign to portray the world’s leading telecommunications equipment manufacturer a national security threat to all countries in the world simply because its origin is in China. A State Department official has said that the purchase or use of any equipment or internet-based service from China is the same as importing Chinese authoritarianism. Without a trace of irony, they have claimed that TikTok is a national security threat. We have torpedoed a badly needed international cable project simply because one of the partners of two American firms was a Chinese firm. What we see here is a systematic long term attack on the globalization of the tech sector. It is the U.S., more than China, that is fomenting a split.
In the midst of all this, one would think someone would have to be blind to speak of China as the country pushing to fragment the internet. But this narrative plays well in Washington. It allows Republicans and Obama-era Democrats to reassure themselves that yes, the U.S. still believes in a global, free and open internet and digital free trade and China is the one who threatens it.
All that aside, the issue now is, will Robert Knake stand up for his prediction? I am looking forward to this being the 21st century version of the Julian Simon — Paul Ehrlich wager. Stay tuned.
Originally published at https://www.internetgovernance.org on February 26, 2020.