SAC132 - The Domain Name System Runs on Free and Open Source Software (FOSS)

Internet Corporation for Assigned Names and Numbers (ICANN), ICANN Security and Stability Advisory Committee (SSAC) Reports and Advisories (2025), pp. 47

Abstract

The Domain Name System (DNS) is a globally distributed, hierarchical, and decentralized
system whose information underpins nearly every online interaction. Its principal purpose is to
map user-friendly domain names to the computer-friendly IP addresses required to locate
resources on the network. Whether browsing the web, sending an email, or using a mobile
application, every online connection relies on information that originates from and is structured
by the DNS.

This report’s core finding is that the DNS is built and sustained on Free and Open Source
Software (FOSS). This is not a niche practice, but the dominant reality. FOSS is the norm for the
most fundamental components of DNS infrastructure. For example, at least nine of the 12
independent organizations that operate the Internet’s root server system (RSS) exclusively use
FOSS implementations, and nine of the 10 largest service providers for top-level domains
(TLDs) use FOSS. This dominance stems from the inherent strengths of the FOSS development
model, which combines economic efficiency and low-friction adoption with the transparency,
collaborative security, and operational resilience essential for critical infrastructure.

Although the FOSS development model is fundamentally different from that of proprietary
software, FOSS is not inherently more or less secure. The security of any software project is
determined by the quality of its development and maintenance processes, not by the visibility of
its source code. Unlike commercial software, FOSS is a collaborative, global effort built upon
four essential freedoms: to use, study, share, and change. This ecosystem depends on a global
network of maintainers and contributors, many of whom are unpaid volunteers; the DNS space is
unique in also relying on a handful of long-lived maintenance organizations. This creates a
model based on community collaboration rather than on the commercial contracts that define a
traditional software supply chain, which introduces unique risks: financial sustainability for the
maintenance organizations and maintainer burnout for the volunteers.

These unique characteristics mean that regulatory frameworks designed for proprietary software
may not be well suited to FOSS and could therefore have severe unintended consequences for the
stability of critical Internet infrastructure. To navigate these complexities and foster a secure
digital ecosystem, the Security and Stability Advisory Committee (SSAC) provides the following
guidelines for policymakers:
• Acknowledge the Critical Role of FOSS: Policymakers should explicitly acknowledge
in any relevant legislation or regulation that critical Internet infrastructure relies on
FOSS, and that its use is a strength to be preserved.
• Consult the FOSS Community: Developing legislation and regulations should be
informed by consulting all parts of the FOSS ecosystem, from individual maintainers to
non-profits and corporations.
• Make Use of Contemporary Cases in FOSS Regulation: Policymakers can reference the
recent case studies in this report of contemporary approaches that incorporate the unique
characteristics of the FOSS development model.
• Incentivize FOSS Sustainability: Encourage public and private sector contributions to
critical FOSS projects as a form of investment in a shared public good.
• Address Systemic Risks Collectively: Foster and fund collaborative, ecosystem-wide
solutions to mitigate risks from shared dependencies instead of burdening individual
maintainers.