How DNS Root Servers Work: The 13 Identities Explained
Every DNS lookup on the internet ultimately traces back to 13 logical root server identities. These are the authoritative source for the root zone — the top of the DNS namespace that delegates to every top-level domain. Understanding how the root servers actually work requires separating two distinct concepts: the 13 named identities (a through m) and the physical infrastructure behind them, which consists of over 1,900 individual server instances distributed across the globe via anycast.
Why 13? The 512-Byte UDP Constraint
The number 13 was not chosen arbitrarily. When the root server system was designed, DNS responses were required to fit in a single UDP datagram of 512 bytes (the minimum guaranteed MTU in RFC 1035). A DNS response listing the root name servers must include both the names and their IP addresses (A records in the additional section). With IPv4 addresses and the overhead of DNS wire format encoding, 13 names with 13 A records fit within 512 bytes; 14 would not.
This constraint is entirely a historical artifact. EDNS0 (RFC 2671, later 2965, now RFC 6891) extended the maximum UDP payload size, and DNS over TCP has always supported larger messages. The root zone itself now publishes both A and AAAA records for all 13 servers. But the number 13 is locked in by operational inertia — changing it would require updating every resolver that has the root hints list hardcoded, every RFC that references 13 root servers, and decades of documentation. The number 13 is now the definition of a root server identity rather than a technical limit.
The 13 Root Server Operators
| Name | IPv4 (anycast) | Operator |
|---|---|---|
| a.root-servers.net | 198.41.0.4 | Verisign |
| b.root-servers.net | 199.9.14.201 | USC-ISI |
| c.root-servers.net | 192.33.4.12 | Cogent Communications |
| d.root-servers.net | 199.7.91.13 | University of Maryland |
| e.root-servers.net | 192.203.230.10 | NASA Ames |
| f.root-servers.net | 192.5.5.241 | Internet Systems Consortium (ISC) |
| g.root-servers.net | 192.112.36.4 | US DOD-NIC (DISA) |
| h.root-servers.net | 198.97.190.53 | US Army Research Lab |
| i.root-servers.net | 192.36.148.17 | Netnod |
| j.root-servers.net | 192.58.128.30 | Verisign |
| k.root-servers.net | 193.0.14.129 | RIPE NCC |
| l.root-servers.net | 199.7.83.42 | ICANN |
| m.root-servers.net | 202.12.27.33 | WIDE Project (Japan) |
Each operator independently runs the infrastructure for their letter. They all serve identical data — the root zone file — but their hardware, network architecture, and geographic distribution differ. This diversity of operators is deliberate: it means no single organization can compromise the entire root system, and different failure modes affect different letters independently.
Anycast: 1,900+ Instances Behind 13 Addresses
The 13 root server IP addresses are anycast addresses. Anycast means that the same IP address is announced via BGP from multiple physical locations simultaneously. When your resolver sends a query to 198.41.0.4 (A root), BGP routing determines which physical server receives it — typically the one topologically closest to the resolver. The resolver has no knowledge of which physical server it contacted; the IP is the same regardless.
As of 2025, the root server system consists of over 1,900 individual server instances across more than 130 countries. F-root (ISC) alone operates several hundred sites. This geographic density means that most resolvers reach a root server within a few milliseconds — a root server instance exists within low-latency reach of almost every internet exchange point and major hosting location.
Root Zone Management: IANA, PTI, and Verisign
The root zone file — the single file that lists all top-level domains and their name servers — is managed through a multi-party process. The Internet Assigned Numbers Authority (IANA), now operated by Public Technical Identifiers (PTI), a subsidiary of ICANN, is responsible for maintaining the content of the root zone. When a country-code TLD operator changes their name servers, they submit a request to IANA, which validates and incorporates the change.
Verisign, the operator of A and J root servers, also serves as the root zone maintainer — they publish the signed root zone file and distribute it to all root server operators. Root zone updates are published several times per day. All 13 root server identities serve identical data at all times; if any operator falls behind, resolvers will simply use a different root server.
DNSSEC and the KSK Ceremonies
The root zone is signed with DNSSEC. The root zone signing infrastructure involves two key types: the Zone Signing Key (ZSK), which signs the zone content and is rolled frequently, and the Key Signing Key (KSK), which signs the ZSK and represents the ultimate trust anchor for the entire DNS hierarchy.
The KSK is stored in Hardware Security Modules (HSMs) at two geographically separate secure facilities. Approximately four times per year, ICANN holds a public, scripted KSK ceremony in which a group of Trusted Community Representatives physically convenes at a facility, unlocks the HSM under multi-party control, and performs any required cryptographic operations. The ceremonies are recorded on video and attended by external auditors. The public visibility is deliberate: the KSK is the root of trust for all of DNS, and its management must be verifiable.
The KSK was rolled over in 2018 — the first-ever change to the root KSK. The rollover was carefully staged over months to give resolvers time to fetch and cache the new key before the old one was retired.
Priming Queries and Root Hints
A recursive resolver must know the addresses of root servers before it can resolve anything. This information is bootstrapped via the root hints file, a locally configured list of the 13 root server names and their IP addresses. The resolver uses the hints to send its first query; the response contains the current root zone delegation (NS and A/AAAA records), which the resolver caches and uses going forward. This process is called priming.
Priming happens at resolver startup and periodically thereafter. The root hints file is bundled with every major resolver implementation (BIND, Unbound, Knot Resolver). It rarely needs updating — the root server IP addresses are extremely stable, changing only with significant advance notice over years.
RFC 7706 describes an alternative: local root, where a resolver downloads the entire root zone and serves it locally, eliminating external root server queries entirely. This reduces latency for root queries to near-zero and removes dependency on external infrastructure. Some large deployments use this approach, though it requires keeping the local root zone synchronized.
Attacks on the Root: 2002 and 2015
The root servers have been targeted by large-scale DDoS attacks twice with notable impact. In October 2002, a coordinated attack using ICMP floods targeted all 13 root servers simultaneously. At the time, anycast deployment was limited, and the attack was measurably effective — 9 of 13 servers became unresponsive or degraded. The internet itself did not fail because resolvers cache responses heavily: the root servers are only needed to initiate new name lookups for uncached domains, and TTLs are long enough that most traffic was unaffected during the hours of the attack.
In November 2015, a more sophisticated attack using DNS query floods reached reported rates of 5 million queries per second at some anycast sites. The massively expanded anycast deployment by 2015 — far more instances and far greater aggregate capacity than 2002 — absorbed the attack without visible impact to end users. The distributed nature of anycast meant that the attack traffic was spread across hundreds of sites, none of which saw individually overwhelming loads.
Both attacks demonstrated the same lesson: anycast distribution makes the root far more resilient than its 13-address count suggests. An attack that would take down a single server is diluted across dozens or hundreds of instances, each only seeing a fraction of the total volume.
What Happens When You Query a Root Server
A root server query is not like a normal DNS lookup. Root servers are authoritative only for the root zone itself — they do not know the address of www.example.com. When a resolver queries a root server for www.example.com, the root server returns a referral: the NS records for the com TLD and the glue A/AAAA records for those name servers. The resolver then queries a .com TLD server, which returns a referral to example.com's authoritative servers, which finally return the A record for www. This three-step process is called iterative resolution.
In practice, most resolvers need to query root servers very infrequently. The .com TLD servers are cached for 48 hours; the .net TLD for 48 hours; most TLDs have NS records with TTLs of 172800 seconds (2 days). Only after those TTLs expire must the resolver consult the root again. A busy resolver handles millions of queries per day but sends only a tiny fraction to root servers — the rest are answered from cache or from cached TLD delegations. This is why even a complete root server outage would not immediately break the internet: existing caches would continue serving most queries for hours or days.
The root zone file itself is publicly available and updated several times daily. You can download it from https://www.internic.net/domain/root.zone and inspect every TLD delegation directly. The file contains roughly 10,000 records covering around 1,500 TLDs — the entire DNS namespace starts here.
Root Server Independence and Governance
The 13 root server operators are legally and operationally independent entities. No single organization controls more than two letters (Verisign operates A and J). The operators range from US government agencies (NASA, the Army, DISA) to academic institutions (USC-ISI, University of Maryland, WIDE Project in Japan) to commercial operators (Verisign, Cogent, ISC). This diversity is intentional — a US government agency cannot compel a Japanese university to alter its root server operation.
ICANN's role is to coordinate the root zone content through IANA functions, not to operate the servers. The operators are bound by ICANN's Root Server System Advisory Committee (RSSAC) guidance and voluntarily follow common operational standards, but each runs their infrastructure independently. This loose coordination has proven robust: the root server system has maintained near-perfect availability for decades despite governance disputes, legal challenges, and technical incidents.
Proposals to add more root server identities (beyond 13) exist and have been discussed for years. EDNS0 removes the 512-byte constraint that originally set the number. But the operational cost of coordinating a change to every resolver's root hints file globally, and the lack of a pressing technical need given the anycast density already deployed, has kept the number at 13. The anycast model solved the scaling problem without requiring a protocol change.
Root Servers and DNSSEC Validation
The root zone is signed with DNSSEC, and the root's DNSKEY records serve as the trust anchor for the entire validation chain. When a resolver performs DNSSEC validation, it ultimately traces the chain of signatures back to the root. The resolver must have the root zone's public KSK (Key Signing Key) configured as a trust anchor — this is called the root trust anchor.
Every major resolver ships with the root trust anchor embedded. The IANA-operated DNSSEC Root Zone Trust Anchor Repository at https://data.iana.org/root-anchors/ publishes the current trust anchors in machine-readable form. After the 2018 KSK rollover, resolvers that had not been updated to fetch the new key via the RFC 5011 automatic rollover mechanism temporarily failed to validate responses — a small but real operational incident that demonstrated how tightly the root signing infrastructure is coupled to global DNS health.
Understanding root server mechanics also clarifies why DNS as a system is both remarkably resilient and critically centralized. The root zone is a single point of definition for all internet naming, but the infrastructure serving it is among the most distributed and redundant in existence. No other naming system at internet scale has matched this combination of logical centralization and physical resilience.
Alternative Root and Why It Doesn't Work
Periodically, organizations propose alternative root servers — independent root server systems not coordinated with ICANN. The technical mechanism is straightforward: configure resolvers to query a different set of root servers that publish a different root zone with additional or different TLDs. Some of these systems (like OpenNIC) have existed for years and offer experimental TLDs not found in the IANA root.
The fundamental problem with alternative roots is fragmentation: if two users query different roots, lookups for the same hostname may return different results. The internet's naming system depends on universal agreement that a given hostname resolves to the same address for everyone. Alternative roots break this assumption. The commercial internet has converged entirely on the IANA root, and alternative roots remain niche experiments used by small communities with specific needs. The governance disputes that motivate alternative roots are real, but the technical cost of fragmentation has consistently outweighed the benefit of escaping ICANN's coordination.
Root Servers in Everyday Resolver Operation
For most internet users, the root servers are invisible. Home routers and ISP-provided resolvers cache responses aggressively, and stub resolvers (what your laptop or phone runs) simply forward queries to the recursive resolver without involving root servers directly. A device on a home network sends DNS queries to the router, which forwards them to the ISP's resolver, which handles root server interactions entirely internally.
The root servers become relevant to operators running their own recursive resolvers — either for privacy (not sending queries to an ISP resolver), for performance (caching at scale), or for enterprise security policy. Tools like Unbound, BIND 9, Knot Resolver, and PowerDNS Recursor all perform full iterative resolution starting from root server priming. Operators of these resolvers should monitor root server RTT (typically under 5ms from most well-connected locations) and ensure their root hints are current — though in practice the root server addresses are so stable that hints rarely need updating.
From a routing perspective, root server anycast prefixes are among the most carefully managed on the internet. The operators coordinate prefix announcements with major transit providers to ensure global reachability. A network that filters root server prefixes — accidentally or intentionally — will break DNS resolution for any resolver it serves that does not have a cached path to the TLD servers it needs. Checking the BGP reachability of root server addresses from different vantage points is a useful sanity check when diagnosing mysterious DNS failures, since the cause is sometimes a routing issue rather than a DNS configuration error.
The relationship between anycast routing and DNS is particularly tight at the root level. The same anycast principles that make root servers resilient also apply at the TLD level and to large public resolvers like 8.8.8.8 and 1.1.1.1. Understanding root server architecture is foundational to understanding how DNS as a whole achieves global scale and resilience.
Explore It Live
You can look up the routing and BGP details for any root server's anycast address directly:
- 198.41.0.4 — A root (Verisign), see which AS originates the anycast prefix
- 192.5.5.241 — F root (ISC), one of the most widely distributed root servers
- 193.0.14.129 — K root (RIPE NCC), operated out of Europe with global anycast reach