
Root Nameservers

The apex of the DNS hierarchy. Thirteen root server addresses — operated by 12 independent organizations across hundreds of anycast nodes — form the authoritative starting point for every DNS resolution on the internet.

Overview

The Top of the Delegation Tree

Root nameservers don't know the IP address of thedns.guru. What they do know is which nameservers are responsible for every top-level domain — .com, .net, .guru, and the hundreds of others. Their job is purely referral.

Despite the "13 addresses" constraint (imposed by the 512-byte UDP limit of early DNS), the root server infrastructure today spans over 1,600 physical nodes across more than 170 countries, all reachable via anycast routing. This means a "query to a.root-servers.net" is answered by whichever physical node is closest to you — not one server in Virginia.

Root zone content is maintained by IANA (a function of ICANN) and distributed to all root server operators. The root zone contains about 1,500 TLD delegations and is updated multiple times per day.

13 root addresses · 12 operators · 1,600+ physical nodes

Why only 13 addresses? The original DNS protocol used 512-byte UDP packets. A DNS response listing all root nameservers — each needing a full NS record and glue A record — could not exceed 13 entries and still fit in 512 bytes. IPv6 (AAAA records) and EDNS(0) have since relaxed this constraint, but 13 addresses remain by convention.

Infrastructure

The 13 Root Server Addresses

A through M — each operated independently by a different organization

Letter  Hostname            IPv4 address    Operator
A       a.root-servers.net  198.41.0.4      Verisign, Inc.
B       b.root-servers.net  170.247.170.2   University of Southern California (ISI)
C       c.root-servers.net  192.33.4.12     Cogent Communications
D       d.root-servers.net  199.7.91.13     University of Maryland
E       e.root-servers.net  192.203.230.10  NASA Ames Research Center
F       f.root-servers.net  192.5.5.241     Internet Systems Consortium (ISC)
G       g.root-servers.net  192.112.36.4    US DoD Network Information Center
H       h.root-servers.net  198.97.190.53   US Army Research Laboratory
I       i.root-servers.net  192.36.148.17   Netnod (Sweden)
J       j.root-servers.net  192.58.128.30   Verisign, Inc.
K       k.root-servers.net  193.0.14.129    RIPE NCC (Netherlands)
L       l.root-servers.net  199.7.83.42     ICANN
M       m.root-servers.net  202.12.27.33    WIDE Project (Japan)

IPv6 Support: All 13 root servers also have AAAA records (IPv6 addresses). For example, A-root is reachable at 2001:503:ba3e::2:30. The root zone has been fully DNSSEC-signed since July 2010.

Technology

How Anycast Makes Root Servers Resilient

One IP address, many physical locations

Anycast is a routing technique where multiple physical servers share the same IP address. BGP routing protocols direct each query to the topologically nearest node. If one node goes offline, BGP automatically reroutes traffic to the next-closest instance — with no change needed at the resolver or client.

This architecture means a DDoS attack targeting a single root server address affects only the nodes serving that attack's traffic. The 2016 Mirai botnet attack sent 1+ Tbps at several root operators — the attacks were largely absorbed by anycast spreading the load across hundreds of nodes.

Recursive resolvers also mitigate root server load heavily: modern resolvers cache root NS records for up to 6 hours (518,400 seconds — the root zone's NS TTL). In practice, a busy resolver may go days without querying a root server.

    ; Root hints file excerpt (named.root / db.root)
    ; Updated periodically — included with BIND, Unbound, etc.
    .                    3600000 IN NS   A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.  3600000    A    198.41.0.4
    A.ROOT-SERVERS.NET.  3600000    AAAA 2001:503:ba3e::2:30
    .                    3600000    NS   B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.  3600000    A    170.247.170.2
    B.ROOT-SERVERS.NET.  3600000    AAAA 2001:500:200::b
    ; ... entries for C through M ...

The root hints file is bundled with resolver software (BIND, Unbound, PowerDNS) and tells the resolver how to reach root servers before any queries have been made. It is refreshed periodically via priming queries.
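Because the hints file decides where a cold resolver sends its first queries, it is worth auditing like any other trust-bearing config. The following is an added example, not code from BIND, Unbound, PowerDNS or this site: it parses the hints format shown above and compares the IPv4 glue with addresses pinned from this page's table. The names `parse_hints`, `audit_hints` and `PINNED_A` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the excerpt shown above, one record per line.
HINTS = """\
.                    3600000 IN NS   A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000    A    198.41.0.4
A.ROOT-SERVERS.NET.  3600000    AAAA 2001:503:ba3e::2:30
.                    3600000    NS   B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000    A    170.247.170.2
B.ROOT-SERVERS.NET.  3600000    AAAA 2001:500:200::b
"""
# IPv4 pins copied from this page's address table (A and B only, to match the excerpt).
PINNED_A = {"a.root-servers.net.": "198.41.0.4", "b.root-servers.net.": "170.247.170.2"}

def parse_hints(text):
    """Return (ns_targets, glue); glue maps (owner, rtype) -> list of address strings."""
    ns_targets, glue = [], {}
    for raw in text.splitlines():
        # Strip ';' comments; the class token "IN" is optional, so drop it if present.
        fields = [f for f in raw.split(";", 1)[0].split() if f.upper() != "IN"]
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[2:]      # fields[1] is the TTL
        if len(rest) != 2 or rest[0].upper() not in ("NS", "A", "AAAA"):
            raise ValueError(f"unexpected hints line: {raw!r}")
        rtype, rdata = rest[0].upper(), rest[1].lower()
        if rtype == "NS":
            ns_targets.append(rdata)
        else:
            glue.setdefault((owner, rtype), []).append(rdata)
    return ns_targets, glue

def audit_hints(text, pinned=PINNED_A):
    """Return sorted findings; an empty list means the hints match the pins."""
    ns_targets, glue = parse_hints(text)
    findings = set()
    for name in ns_targets:
        if not name.endswith(".root-servers.net."):
            findings.add(f"unexpected NS target {name}")
        if (name, "A") not in glue:
            findings.add(f"no A glue for {name}")
    for (owner, rtype), addrs in glue.items():
        if owner not in ns_targets:
            findings.add(f"glue for {owner}, which is not a listed root NS")
        for addr in addrs:
            ipaddress.ip_address(addr)                   # raises ValueError if malformed
            if rtype == "A" and pinned.get(owner, addr) != addr:
                findings.add(f"{owner} A {addr} differs from pinned {pinned[owner]}")
    return sorted(findings)
```

An empty result from `audit_hints(HINTS)` means every listed root NS has A glue and matches its pin; in production the pins would cover all 13 letters.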

DNSSEC

The Root Key Signing Key (KSK)

The trust anchor at the top of the DNSSEC chain

DNSSEC relies on a chain of cryptographic signatures from child zones up to the parent. The root zone is the ultimate trust anchor — its KSK (Key Signing Key) is the single point of truth that validating resolvers trust implicitly.

ICANN manages the root KSK through a formal, ceremony-based process held in a controlled facility. The private key material is stored on Hardware Security Modules (HSMs) in two geographically separated locations (El Segundo, CA and Culpeper, VA). Key ceremonies are live-streamed and audited by independent "Trusted Community Representatives."

The root KSK was first generated in 2010 (KSK-2010). The first root key rollover occurred in October 2018 (KSK-2017), replacing the 8-year-old KSK — the largest coordinated key rollover in internet history, affecting all DNSSEC-validating resolvers globally.

Trust Anchor Configuration: Validating resolvers embed the root KSK's public key as a hard-coded trust anchor. You can verify your resolver uses it with: dig . DNSKEY +dnssec

KSK Rollover Impact: Resolvers that fail to update their trust anchor before a KSK rollover will start returning SERVFAIL for all DNSSEC-validated queries — effectively losing DNS access to validated domains. The 2018 rollover was preceded by months of monitoring resolver readiness.
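One way resolver readiness can be measured is RFC 8145 trust anchor signaling, where a validating resolver periodically sends a `_ta-<hex key tags>` query of type NULL listing the key tags it trusts. The page does not name this mechanism; the following is an added example (not ICANN's tooling) that classifies resolvers from such queries, using the root KSK key tags 19036 (KSK-2010) and 20326 (KSK-2017). The log format and the function names are assumptions.

```python
import re

KSK_2010, KSK_2017 = 19036, 20326      # root KSK key tags (0x4a5c, 0x4f66)

# Constructed query-log lines in an assumed format: "<client-ip> <qname> <qtype>"
LOG = """\
192.0.2.10 _ta-4a5c. NULL
192.0.2.11 _ta-4a5c-4f66. NULL
192.0.2.12 _ta-4f66. NULL
192.0.2.10 guru. NS
198.51.100.7 _ta-4a5c-4f66. NULL
192.0.2.10 _ta-4a5c. NULL
192.0.2.13 _ta-zzzz. NULL
"""

# RFC 8145 QNAME for the root zone: "_ta-" then 4-hex-digit key tags joined by "-".
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.$")

def key_tags(qname):
    """Return the set of key tags signaled in qname, or None if it is not a signal."""
    m = TA_QNAME.match(qname.lower())
    if not m:
        return None
    return frozenset(int(h, 16) for h in m.group(1).split("-"))

def readiness(log_text, new_tag=KSK_2017):
    """Classify each signaling client by whether its latest signal includes new_tag."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "NULL":
            continue                    # ordinary query or malformed line
        tags = key_tags(parts[1])
        if tags is not None:
            latest[parts[0]] = tags     # the most recent signal wins
    report = {"ready": [], "not_ready": []}
    for client, tags in sorted(latest.items()):
        report["ready" if new_tag in tags else "not_ready"].append(client)
    return report

if __name__ == "__main__":
    print(readiness(LOG))
```

Clients in `not_ready` still trust only the old key and would fail validation once it is retired; resolvers that never send the signal do not appear at all, so absence from the report is not evidence of readiness.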
Diagnostics

Querying Root Servers Directly

Tools and commands for inspecting root server behavior

Query a root server directly

    # Ask A-root what it knows about .guru TLD
    dig guru NS @198.41.0.4

    # List all root nameservers
    dig . NS @198.41.0.4

    # Trace full resolution from root
    dig thedns.guru +trace

Check root DNSSEC

    # Retrieve root zone DNSKEY records
    dig . DNSKEY +dnssec @198.41.0.4

    # Retrieve root zone SOA
    dig . SOA @198.41.0.4

    # Get root zone DS for a TLD
    dig guru DS @198.41.0.4

Identify closest anycast node

    # Ping root server — each hop goes
    # to your nearest anycast node
    ping a.root-servers.net

    # Traceroute to root (Windows)
    tracert a.root-servers.net

    # Traceroute to root (Linux)
    traceroute a.root-servers.net

Root zone statistics

    # Root zone contains ~1500 TLD delegations
    # The zone file is publicly available at:
    # https://www.internic.net/domain/root.zone

    # Measure root server latency
    dig . SOA @a.root-servers.net +stats