Kuro5hin.org: technology and culture, from the trenches

An Immodest DNS Proposal

By Arkady in Culture
Thu Jun 01, 2000 at 10:45:30 PM EST
Tags: Internet (all tags)

We all have issues with what the DNS has become over the last few years or, to be completely accurate, I've never actually spoken to someone who didn't have any issues with it. I would like to lay out what I see as the largest problems, explain how I think they are intrinsic to the current structural arrangement of DNS and propose an immediately available solution.

So, for K5 readers, I probably don't need to go too deeply into descriptions of what's wrong with the current state of the DNS, right? Here, as I see it, are the main problems which I think we should consider and to which I'd like to propose a solution:

  • DNS is centrally controlled by an organization (ICANN) whose primary interest is supporting business, rather than in maintaining and improving the system itself and whose primary claim to legitimacy is through delegation by a single country's government (USA).
  • The system is managed by a single for-profit corporation (NSI), which is bad enough but registrations are managed by many competing for-profit corporations. NSI is also primarily legitimized by delegation from a single government (USA again, naturally).
  • The Intellectual Property laws of a single country (there's the USA again) are being used inappropriately to control the activities of users in non-commercial parts of the Net (corporate control of the .net and .org domain trees through US Trademark law) and in other countries.

I think we can, for the most part, agree that the amount of effort necessary to gain sufficient control of the existing ICANN/NSI system to repair these faults would be too great for that to be a viable option, though I do think it should not be ruled out completely. With the support of the American government and the large corporations, this system is very well defended from outside influence. As the recent post to Slashdot describes, ICANN's voting "membership" is being given far too few seats on the Board to have any real impact on its activities and as a recent K5 post describes, those activities are not necessarily desirable.

So, any viable solution must come from and operate outside the ICANN/NSI system. It cannot attempt to fix the current hierarchies (.net, .org, .us, .fr and so on), since those are all controlled by the current established system, but must be based on either the establishment of a new name resolution protocol or on the raising of new hierarchies using the existing protocol. There is a system being proposed for a new protocol which could be used to replace the ICANN/NSI system but, since I do not personally find much to fault in DNS/BIND (from a technical perspective), I propose that the best solution is to establish new domain hierarchies using the existing protocol.

As AlterNIC attempted to demonstrate a few years ago (and what seems to be another AlterNIC continues to try) this is technically possible, though it has not worked out for them. Many of us, myself included, who would have supported such a project even several years ago refused to support the AlterNIC project largely because they are just another profit-motivated business. Since the major problems in the current DNS system derive from the fact that it is run by corporations whose primary motivation is profit rather than maintaining the system itself, I fail to see how adding another such system would improve the situation.

AlterNIC has demonstrated, however, that there are no large technical issues preventing the establishment of new domain hierarchies. The real impediment is social, rather than technical: in order to succeed, an alternate hierarchy must convince a sufficient number of networks to support their root servers as well as NSI's. Whereas domains registered through the ICANN/NSI system work automatically, since that system is supported by the ISC BIND distribution, alternate hierarchies must convince network administrators to add support themselves. This has been difficult for AlterNIC, as I said above, largely because they are just another for-profit venture.

From this I conclude that any new DNS proposal which depends on establishing new domain hierarchies needs to meet these criteria:

  • It must be non-profit, as its primary motivation has to be the functioning of the system itself, not shareholder profit.
  • Control and functionality need to be distributed Net-wide as a true membership organization since its legitimacy must derive from its users, rather than from the business and government interests of a few countries (or from one country).
  • It must provide domain trees that are explicitly and unconditionally non-commercial, to maintain the freedom of those domains' users from commercial interests, as well as trees which are completely commercial, to guarantee uniqueness within the commercial sphere. It must actually enforce these policies.

If this analysis is correct, the best (and possibly only) way to repair the DNS system is to establish a set of linked non-profit organizations around the world to operate it. This distribution of the social structure would also help distribute the technological structure as well, since each regional or local registrar would also maintain a regional or local root DNS system. These organizations need to be controlled by their users in a manner similar to consumer cooperatives (or whatever is closest in the host country's legal system).

What do you folks think? We, the users of the Net, have the technical expertise. We have the computational and bandwidth resources. We have, if organizations like the Electronic Frontier Foundation can be convinced to support it, the legal expertise. We have the worldwide distributed presence and the example of other global projects to lean on. I think we could do it.



An Immodest DNS Proposal | 66 comments (66 topical, editorial, 0 hidden)
Vive l'resistance! ... (3.50 / 2) (#4)
by Ozymandias on Thu Jun 01, 2000 at 06:32:56 PM EST

Ozymandias voted 1 on this story.

Vive l'resistance!

I'm willing to support it on my DNS servers. You volunteering to head up the effort and get the ball rolling?

- Ozymandias

Re: Vive l'resistance!... (none / 0) (#23)
by Anonymous Hero on Fri Jun 02, 2000 at 02:46:48 PM EST


look on me, ye mighty and despair ......

[ Parent ]

Re: Vive l'resistance!... (none / 0) (#59)
by Ozymandias on Mon Jun 05, 2000 at 07:46:48 PM EST

Sigh. Misquoted again...

I met a traveler from an antique land
Who said: Two vast and trunkless legs of stone
Stand in the desert . . . Near them, on the sand,
Half sunk, a shattered visage lies, whose frown,
And wrinkled lip, and sneer of cold command
Tell that its sculptor well those passions read
Which yet survive, stamped on these lifeless things,
The hand that mocked them, and the heart that fed.

And on the pedestal these words appear:
"My name is Ozymandias, king of kings:
Look on my works, ye Mighty, and despair!"

Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare
The lone and level sands stretch far away.
Percy Bysshe Shelley, 1818
- Ozymandias
[ Parent ]
Re: Vive l'resistance!... (none / 0) (#50)
by Arkady on Sat Jun 03, 2000 at 01:08:55 PM EST

See my later comment posting, eh? ;-)

I've set up a site for an OpenNIC and have DNS running for .opennic and .null, so hop right in!


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
Vive l'transconductance!... (none / 0) (#54)
by Stormbringer on Sun Jun 04, 2000 at 01:27:33 AM EST

Two thoughts:

1. Consider a business model where static TLD listings are free; dynamic DNS and subdomain management, since they require more than just lookup-and-report, cost a small yearly sum (or a waiver based on evident Good Behavior -- open-source contributions, etc., insert your personal bias here, why not, it's your server farm).

2. For a head start on populating your tables, also put in ".ham", and perhaps talk to the folks at qrz.com about some kind of collaboration. (I'll be going from ppp to DSL soon, at that point I'm willing and eager to pay to have a dynamic-and-subdomain listing for wb1hku.ham).

[ Parent ]
Interesting idea. Let's think seri... (3.00 / 1) (#7)
by decomyn on Thu Jun 01, 2000 at 06:33:53 PM EST

decomyn voted 1 on this story.

Interesting idea. Let's think seriously about it. I'd also like to see any alternate name <-> address scheme have support for the newer large-address-space (IP6? don't follow it much) addressing. If it were done carefully, there might be a seamless transition between systems. Timing looks good. Would require some sort of parallel operation and resolution mechanism if the 2 systems returned different addresses, hmm... Perhaps a mechanism that looked up the netDNS servers, then fell back on the NIC servers in case of failure? In case both servers resolved, the netDNS would be there first...
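
The lookup order sketched in this comment, as an added example that is not part of the original thread: it compares "alternate roots first, fall back on failure" with routing each query to one root set by its top-level label, for the case where the two systems return different addresses. The root sets, names, addresses (documentation ranges) and the `ALT_TLDS` list are constructed assumptions.

```python
# Added example, not from the thread. All names and addresses are constructed;
# the addresses come from the RFC 5737 documentation ranges.

def normalize(name):
    """Lower-case a name and drop the trailing root dot."""
    return name.lower().rstrip(".")


class RootSet:
    """In-memory stand-in for one set of root servers and everything under it."""

    def __init__(self, label, records, up=True):
        self.label = label
        self.records = records
        self.up = up  # False simulates an unreachable root set

    def query(self, name):
        if not self.up:
            raise TimeoutError(f"{self.label} roots unreachable")
        return self.records.get(normalize(name))  # None means "no such name"


ICANN = RootSet("icann", {"www.example.com": "192.0.2.10"})
ALT = RootSet("alt", {
    "www.dev.null": "198.51.100.5",
    "mean.street": "198.51.100.6",
    # The alternate root also publishes a name inside an existing TLD.
    "www.example.com": "203.0.113.66",
})
ALT_TLDS = frozenset({"null", "opennic", "street"})  # assumed delegation list


def resolve_alt_first(name, alt=ALT, icann=ICANN):
    """Alternate roots first, the other roots only when that lookup fails."""
    for root in (alt, icann):
        try:
            answer = root.query(name)
        except TimeoutError:
            continue
        if answer is not None:
            return (root.label, answer)
    return (None, None)


def resolve_scoped(name, alt=ALT, icann=ICANN, alt_tlds=ALT_TLDS):
    """Pick exactly one root set from the top-level label; never cross over."""
    tld = normalize(name).rsplit(".", 1)[-1]
    root = alt if tld in alt_tlds else icann
    try:
        answer = root.query(name)
    except TimeoutError:
        answer = None
    return (root.label, answer)


def conflicts(alt=ALT, icann=ICANN):
    """Names both root sets answer for, with different addresses."""
    shared = alt.records.keys() & icann.records.keys()
    return sorted(n for n in shared if alt.records[n] != icann.records[n])


if __name__ == "__main__":
    for qname in ("www.example.com", "www.dev.null"):
        print(qname, resolve_alt_first(qname), resolve_scoped(qname))
    print("conflicting names:", conflicts())
```

With the first order, whichever root set is asked first decides every name it chooses to answer for; with the scoped order, each root set can only speak for its own top-level labels, and an outage on one side leaves the other side's names unaffected.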

Perhaps an "OpenDNS" project needs ... (3.70 / 3) (#8)
by iCEBaLM on Thu Jun 01, 2000 at 08:23:46 PM EST

iCEBaLM voted 1 on this story.

Perhaps an "OpenDNS" project needs to be undertaken to promote an alternative root server set. Clearly ICANN is not working out, and I don't see it working out anytime soon, the only solution I see is if people take it upon themselves to start, push, and use a new and truly open registry.

I've wondered for a long time why t... (none / 0) (#1)
by rusty on Thu Jun 01, 2000 at 08:38:47 PM EST

rusty voted 1 on this story.

I've wondered for a long time why this hasn't happened already. There's *no* technical reason for NSI to hold a monopoly on TLD registrations. As Arkady points out, the only bottleneck is getting admins to add root servers to their DNS setup. So, umm... why hasn't this been done already?

Not the real rusty

DNS system needs to be changed, any... (none / 0) (#2)
by fvw on Thu Jun 01, 2000 at 09:16:46 PM EST

fvw voted 1 on this story.

DNS system needs to be changed, anything on DNS is good atm.

Wonderful writeup and pertinent too... (none / 0) (#6)
by ishbak on Thu Jun 01, 2000 at 09:47:56 PM EST

ishbak voted 1 on this story.

Wonderful writeup and pertinent too!

This is a great idea. Maybe we shou... (none / 0) (#5)
by hooty on Thu Jun 01, 2000 at 10:06:06 PM EST

hooty voted 1 on this story.

This is a great idea. Maybe we should start with the .god domains :)

My primary nit to pick is the autho... (3.70 / 3) (#3)
by eann on Thu Jun 01, 2000 at 10:45:30 PM EST

eann voted 1 on this story.

My primary nit to pick is the author's apparent belief that commercial interest is the cause of all evil. For example:

This has been difficult for AlterNIC, as I said above, largely because they are just another for-profit venture.
When I was a sysadmin at a fairly good-sized regional ISP in the mid-1990s, I had the choice of configuring my name servers to check AlterNIC's for random domains. At the time, the idea was not ripe. Part of it was the traditional vicious circle problem: there was no demand for me to change the nameserver config because no one registered domains with AlterNIC, and no one registered domains with AlterNIC because ISPs wouldn't change their nameservers. The other question I had was reliability: the existing system gave me 8 root servers, spread out across and connected to all the major (and most of the minor) backbones. No matter what was happening on the net, if I could get to my upstream ISP at all, I could look up a domain name. Under AlterNIC's proposal (at the time--I haven't looked since), I'd insert theirs first in my list. But what if it failed? Or the network between what-was-then-here and there? Some domains would work and some wouldn't. And third, just in case this business model somehow worked, how would it be reasonable to decide between alternative NICs? That's not the kind of service we wanted to provide to our customers.

It really had nothing to do with AlterNIC being for-profit.

One final note, as ideas for this are tossed around: it has always bugged me that people think "local" on the net means geographically nearby. It means no such thing. It means topologically nearby, which could be the same thing, or it could be halfway around the planet if that's where your least congested link to the outside world ends up. It's a sticky wicket for dealing with legal systems when trying to deal with something like this, but it's the only way to think about the network correctly and it'll likely be a condition of widespread acceptance.

Our scientific power has outrun our spiritual power. We have guided missiles and misguided men. —MLK

$email =~ s/0/o/; # The K5 cabal is out to get you.

Re: My primary nit to pick is the autho... (none / 0) (#10)
by Arkady on Thu Jun 01, 2000 at 11:31:49 PM EST

Thanks for the comment. I wasn't trying to say that the for-profit aspect was a root of evil, however. We've all got to make a living somehow. ;-)

In my opinion, and those of the other network admins with whom I discussed it at the time, I didn't want to support another DNS system that would just be run for profit. We wanted to support a DNS system that was run for the benefit of its users. I agree that another reason not to support AlterNIC was that they were not likely to be as reliable, but that was secondary to us.

You are also correct about the geography vs. topography issue. In this case, however, I think geography is important, since the structure of the system will be forced to conform with local laws all over the planet. It would therefore be simplest and, I think, most appropriate, to structure the system based on existing political geography. I agree that it's not the best, but I think it's the best we'd be allowed to do.

Thanks for the comments,

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
ahh.. the proto- "UnderNIC"... that was (4.40 / 5) (#9)
by sjanes71 on Thu Jun 01, 2000 at 11:18:14 PM EST

When I was your age [...] uphill-- both ways! I remembered the days before InterNIC/NetSol became the commercial beast... domain registrations took months, and were arbitrated on appropriateness (no (seven-unmentionable-words).(org|com|net)). And then, the bombshell.. .com and .net domains cost money now-- back then it started at $30/yr I believe.

And then .org... it didn't take long. Now you have every permutation imaginable. Someone recommended that they make new TLDs... it never happened-- well, someone said "Let's make them..." but no one ever did it at the Root Servers.

At the time, we were very angry about it-- we planned ("we" meaning the people who hung out on LinuxNET IRC) to make the UnderNIC... UnderNIC root servers would grandfather in the InterNIC namespace and create a bunch of good TLD's for companies to use.

.card, .bank, .corp, .card, .inc .llc, .assoc, .etc, et al. (Today we would consider the addition of .pr0n, back then pr0n didn't exist as an expression of a certain kind of entertainment downloaded from the Internet).

What happened? Do you know how hard it is to get the whole Internet to change their root.cache? :)

Using the Evil of the Internet Against Itself? Sadly, maybe the only way to get the Internet to regain control of the root servers away from the slow bureaucracy that absorbed them is a very antisocial DoS attack on the root servers AFTER the new root hierarchy is built and well publicised. (Could we nominate kibo as our spokesperson?) Someone can buy a copy of the InterNIC's mailing list and SPAM administrators letting them know that The End Of The Net As They Know It[tm] is going to happen at... whatever. If someone wants to be MILLENNIAL about it, they've got 6-months to build it and tell everyone about it before the real Millennium starts. (I would have worked in a Backbone Cabal reference in there but that was slightly before my time.)

The above is mostly in jest-- I think the real answer lies within FreeNET-- FreeNET should consider figuring out how to not only protect content, but also create a mechanism for a distributed DNS system which would not be vulnerable to DoS attacks or legal threats.

[I speak for myself, no part of this comment may be construed as anything my employer would consider as its party line.]

Simon Janes
Money makes the world go around... (3.50 / 2) (#11)
by Zuid on Fri Jun 02, 2000 at 12:01:42 AM EST

This idea is, essentially, exactly what the internet needs. Well, one of the things the internet needs. :)

With the WWW being one of the primary catalysts for the recent and sudden expansion of the internet from a couple of university dialins here and there to being able to order your shopping off the door of your microwave, most of the non-tech-oriented community has come to see the internet as not much more than the transport on which the WWW lies.

Unfortunately, the WWW is (well, was) one of the few examples of how the internet _shouldn't_ work. A single server (or nest of servers) hanging off one or two pipes. This idea wouldn't stand up very well to the "can this survive a nuclear war?" test. :)

This has resulted in a "this is how things are done" mentality amongst those who, really, shouldn't be in a position to dictate how things are done (and, frankly, are making a huge and difficult mess of things). Advertisers, non-tech managers, and worst of all, "e-business solution" providers.

So, while the internet expands to include more and more people who have no idea of all the awful mismanagement going on and also have no idea why they're putting ".com" on the end of every damn website they visit, profit oriented companies are using "This is how things are done", mixed with "what do the consumers know?" to make sysadmins' jobs very difficult, and slowly but surely bog the internet down to a place where we now have court cases over companies squatting on the domains of other companies just to ensure they can't have an easily accessible web presence.

Not only is this quickly bringing about the need for administration bodies which base decisions on rules rather than profits, but it also suggests a need for a restructuring of TLDs and some firm guidelines on the matter.

Re: Money makes the world go around... (none / 0) (#41)
by KindBud on Sat Jun 03, 2000 at 01:05:41 AM EST

You don't seem to be acquainted with Akamai... it's all the rage with people who operate websites - big ones - for a living.

just roll a fatty

[ Parent ]
Re: Money makes the world go around... (none / 0) (#44)
by rusty on Sat Jun 03, 2000 at 01:44:32 AM EST

But guess what happens if all the root DNS boxes go down? akamai.com: Non-existent host/domain. And that *is* a possibility. DNS is semi-distributed, but not really. It's still basically all in the hands of one company. That's just not the way the internet was supposed to work.

Not the real rusty
[ Parent ]
SIMPLE FIX: It's a bug in BIND, fix it like any o (5.00 / 3) (#13)
by torpor on Fri Jun 02, 2000 at 12:37:54 AM EST

(Sorry for the re-post - forgot to hit 'plain text' before I posted)

The problem is one of distribution of additional root.cache entries. Source code releases are a solution to distributions - so include the new root.cache entries in the DNS/BIND tarballs.

Start by modifying the default root.cache file that gets distributed with the standard bind package to include the new root servers. BIND is responsible for the majority of DNS traffic on the 'net, so fix it and let other DNS vendors play catchup accordingly. Alterna-root servers is a *feature* upgrade of BIND/DNS servers, and as such, it should just be treated as a feature upgrade, same as any security patch or optimization patch release of the BIND code.

There's *factually* nothing stopping the BIND maintainers from doing this.

Then, we could make patches available for all major distro's of OS's that will automatically update the root.cache file as needed, and get them everywhere.

RedHat/Mandrake/SuSE/etc. could all very easily just include extra root servers in their default installs of root.cache, as could the various BSD vendors, and maybe eventually Microsoft too - and thus within a few months (given the release frequency of the average distro), a lot more new and upgraded DNS servers will be paying attention to the new root domain servers.

This will cover a fair majority of DNS servers that are being run out there by people who generally don't give a crap - as long as DNS for their local domains works, they're cool with it. I've been running a DNS server since 1991, and I'd be happy to add alterna-root servers to my BIND install if there were a simple way for me to do it and never have to worry about it again - but I'd be happier to have it just happen the next time I upgrade/patch/fix BIND due to some security update release or something.

And the long-term solution for this is to have BIND implementations automatically go out and get new root.cache records from the 'net itself as needed, periodically, preferably from a non-commercial body such as ISO or ECMA or some such non-profit, standards-based organization.

j. -- boink! i have no sig!
Sounds like a great idea (4.00 / 1) (#14)
by Potsy on Fri Jun 02, 2000 at 03:53:11 AM EST

This sounds like a terrific idea. I would be very happy to volunteer time and money towards the creation of an alternate DNS system. The current ICANN/NSI system is, as you pointed out, a sham in which business interests are the only interests that matter. A system in which fairness and equality prevail over money is desperately needed.

That said, the big question is, how could such a system avoid the trap of "no users"? I propose the following features as a solution: Naturally, the most important feature would be the fairness and flexibility of the new system. There has been much discussion about what is wrong with the current system, so I won't go into that here. However, I do think that having a system that fixes the problems of the current one would not quite be enough to get everyone to use it. There have to be some other incentives to use it as well.

  • Make registration free. That's right, free, as in zero cost. Just fill out a form, and you're registered. Any one with a static IP address could have a domain name under this system.
  • Give it a catchy name. This is far more important than it may at first seem. A reason frequently cited for the popularity of Linux is that it has a catchy name. The name should also emphasise the . "FreeDNS", "OpenDNS" might be good choices.

Of course, gimmicks like the catchy name are not the main point. The main point is to free people of the tyranny of the current system. But the gimmicks can help get people's attention.

Re: Sounds like a great idea (none / 0) (#15)
by Potsy on Fri Jun 02, 2000 at 03:58:05 AM EST

Oops. One of my sentences got munched when I was editing.

In the second item of the bulleted list above, replace:

"The name should also emphasise the ."


"The name should also emphasize the free (in both senses of the word) nature of the system."

Sorry 'bout that. (I also misspelled "emphasize", d'oh!)

[ Parent ]

Re: Sounds like a great idea (5.00 / 1) (#16)
by Anonymous Hero on Fri Jun 02, 2000 at 08:10:39 AM EST

How would you deal with domain name squatters, if registration is free?

[ Parent ]
We might just have to learn to live with squatting (none / 0) (#20)
by marlowe on Fri Jun 02, 2000 at 11:16:15 AM EST

If someone is really anal about having a particular domain name, maybe he should stick with ICANN and .com. Not that this is much help. But hey, life is tough. And for those who aren't that picky, there are always plenty of other possible names.

--- I will insist on my right to question ---
-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --
[ Parent ]
Re: Sounds like a great idea (none / 0) (#37)
by Arkady on Fri Jun 02, 2000 at 08:26:46 PM EST

I think that would be handled by the TLD's policies, since what is appropriate depends on the context.

For example, a TLD used exclusively by US not-for-profit corporations would have American law as its standard, since that's what would apply legally anyway. A TLD for American for-profit corps would have a similar structure.

A TLD established for personal home pages could set as its policy that each person could only have a single domain, which strikes me as reasonable in that context.

.null, of course, will solve that problem largely by ignoring it, though it'd be nice if the group of people with .null registrations could vote to revoke a registration if the domain was left idle for a specified period of time.

Thanks for bringing that up,

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
Discouraging domain-name squatters, and encouragin (none / 0) (#60)
by Deven on Wed Jun 07, 2000 at 11:25:48 AM EST

Non-commercial domains shouldn't have any value to domain squatters if non-commercial use is enforced. Maybe the way to handle this is to have "domain czars" a la Usenet 2. (Their website seems to be broken right now; try Google's cache for a recent copy of the homepage and especially the Usenet 2 rules...)

As for commercial domains, one possibility would be to charge for domain names on a different basis. Perhaps a single domain name would be free. Beyond that, charge exponentially higher annual rates to hold more high-level domains. The first (or second) domain could be a nominal fee ($1.00? $10.00? $0.01?) - each subsequent domain could cost double the last one.

As an example, suppose that one commercial domain is free, and the second is $1/year, the third is $2/year, the fourth is $4/year, etc. To hold 5 domains would cost only $15/year, averaging $3/year. To hold 10 domains would cost $511/year, averaging $51.10/year. To hold 15 domains would cost $16,383/year, averaging $1092.20/year. To hold 20 domains would cost $524,287/year, averaging $26,214.35/year. To hold 25 domains would cost $16,777,215/year, averaging $671,088.60/year.

This would discourage companies from the kind of serious abuse of the DNS we currently see, such as registering separate domains for each product, movie, etc. No flat rate could do this; any rate that a small business can afford will be chump change to a huge multinational corporation. If a company was ever insane enough to hold 25 domains under this scheme, for $16,777,215/year, they would have a strong incentive to release one of those 25 domains to save $8,388,608/year. No matter how big the company is, sooner or later it will get expensive enough that they will need to start conserving domain names. (Obviously, registering through shills (e.g. in the names of employees) would have to be strictly prohibited and grounds for loss of the domain name for this to work.)

This scheme makes the most sense for free-for-all domains like .com is currently. If a new commercial domain is created that is truly appropriate to create many domains, and they're not likely to conflict much, the "domain czar" for that domain might choose to use different rules. Also, domain czars could choose different fee structures as appropriate to the domain in question; some might be free, some might be flat-rate, some might be exponential with more aggressive parameters (e.g. starting at $10/year and multiplying by 5 each time) as necessary to ensure responsible domain usage.

For example, if a .movie domain existed, that domain czar might reasonably allow all movie studios to register names on a first-come, first-served basis for movies actually released by that studio, and reasonable variations, for no charge. Warner Bros. could register the-matrix.movie, thematrix.movie and matrix.movie all for free, but Paramount could not register any of them to deny availability of the domain name. Conflicts could be arbitrated by the domain czar in his best (impartial) judgement.

An obvious question is what to do with collected fees. The obvious answer is that they should be applied first to actual infrastructure costs (e.g. root nameservers), and remaining funds should be used for the benefit of all. How the distribution of such funds is decided is open to question, but good candidates for funding would be donations to the FSF, funding for infrastructure software (e.g. BIND 9), maybe even hardware (a non-profit backbone ISP?), subsidizing low-cost solutions to get new people on the Internet who can't normally afford computers or ISP charges, etc. Things that would benefit the Internet and society as a whole, not commercial investments looking for a return. (If played right, this could be as valuable for the Internet as U.S. government funding through NSF was in the 80's, without using tax dollars for the purpose...)


"Simple things should be simple, and complex things should be possible." - Alan Kay
[ Parent ]

Who can be trusted as "domain czars"? (none / 0) (#62)
by Deven on Wed Jun 07, 2000 at 03:06:18 PM EST

While I think that "domain czars" a la Usenet 2 are the best way to ensure responsible use of a replacement for the current DNS system, that unfortunately implies having one person personally in charge of all top-level domains. (A group might be possible, but could have its own problems.)

The hardest problem would be figuring out who could play such a role, given the extreme level of trust it implies. Jon Postel was trusted to that level; if any one person could have been trusted with such a responsibility, it was him. (After all, he was IANA!) It was a great loss to the world when Jon died.

Dave Lawrence (a friend of mine, actually) was trusted nearly as much when it came to the creation or deletion of Usenet newsgroups. Although Dave's no longer working for UUNET, I wonder if he would still be trusted enough for such a role?

Who would be other candidates for this kind of extreme trust?


"Simple things should be simple, and complex things should be possible." - Alan Kay
[ Parent ]

Overcoming the no users problem by increasing visi (4.00 / 1) (#19)
by marlowe on Fri Jun 02, 2000 at 11:11:22 AM EST

A bunch of us could get together and make our own network of alternate DNS servers and point our computers at them, but the point of a domain name is it's supposed to mean the same thing to everybody. Unless we have a way to swap URLs with the outside world, we'll have a hard time winning converts.

One partial solution: gateway systems. A gateway system would have a URL on the official DNS hierarchy, and will act as a proxy so outsiders can get at our alternate address space. Example:

A machine is called blulite.someisp.net from the ICANN-controlled world's point of view. It so happens that blulite is a gateway as described above.

On the alternate DNS network, there is a host called mean.street serving a page called http://mean.street/marlowe/paranoia.html

Only those who tie in to the alternate system can even ping mean.street. But the rest of the world can see the page mentioned above, by going to: http://blulite.someisp.net/mean.street/marlowe/paranoia.html

The more of these gateways there are out there on the reigning DNS, the more paths there are to http://mean.street/marlowe/paranoia.html. Which might confuse web spiders and lead to inadvertent de facto search engine spamming. That's a drawback, I suppose. But at least we won't be invisible.

Now here's the good part:

In all our pages, wherever we can justify doing so, put a link to information about our new DNS network. In fact, each gateway server, in its root index page, would have links to such information. We want to get people curious. Once the user has found a page of ours, we can offer him an easier way to get at it in the future. Make sure we offer a Windows binary version of the software, in a convenient free download.

--- I will insist on my right to question ---
-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --
[ Parent ]
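
The path-to-host mapping in the gateway example above, sketched in Python as an added illustration (not code from the thread). The allow-list of alternate TLDs and the function names are assumptions; limiting the first path segment to that list keeps the gateway from relaying requests to arbitrary hosts, and the canonical Link header addresses the duplicate-path drawback the comment mentions.

```python
"""Request mapping for a gateway into an alternate DNS namespace (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: the alternate TLDs this gateway agrees to serve. "street" is from
# the comment's mean.street example; "null" and "opennic" appear later in the thread.
ALT_TLDS = frozenset({"street", "null", "opennic"})

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class GatewayError(ValueError):
    """Raised when a request must not be forwarded."""


def map_gateway_url(url, gateway_host="blulite.someisp.net"):
    """Translate a public gateway URL into the alternate-namespace URL.

    http://<gateway>/<alt-host>/<path>  ->  http://<alt-host>/<path>
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname != gateway_host:
        raise GatewayError("not a request for this gateway")

    # The first path segment names the host inside the alternate namespace.
    segments = parts.path.lstrip("/").split("/", 1)
    target = segments[0].lower().rstrip(".")
    rest = "/" + (segments[1] if len(segments) > 1 else "")

    labels = target.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        # Rejects ports, user@host forms, percent-encoding and empty segments.
        raise GatewayError("first path segment is not a plain host name")
    if labels[-1] not in ALT_TLDS:
        # Without this check the gateway would fetch any host for anyone,
        # including ICANN names and IP literals on the gateway's own network.
        raise GatewayError("refusing to proxy outside the alternate namespace")

    return urlunsplit(("http", target, rest, parts.query, ""))


def canonical_link_header(url, gateway_host="blulite.someisp.net"):
    """Value for an HTTP Link header naming the one canonical URL.

    Every gateway exposes the same page under a different public URL; sending
    rel="canonical" lets crawlers fold those copies into a single entry.
    """
    return '<%s>; rel="canonical"' % map_gateway_url(url, gateway_host)


if __name__ == "__main__":
    public = "http://blulite.someisp.net/mean.street/marlowe/paranoia.html"
    print(map_gateway_url(public))
    print("Link:", canonical_link_header(public))
```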
Re: Overcoming the no users problem by increasing (3.00 / 1) (#36)
by Arkady on Fri Jun 02, 2000 at 08:21:53 PM EST

That's a good idea. It would definitely be wise to have proxy servers run by each of the new TLD admins to gate in traffic.

Ideally, and more generally useful for web users, would be getting W3 to extend the href tag to take alternate arguments. This way you could link to www.dev.null and specify www.devnull.net as an alternate. This would solve the parallel hierarchy resolution issue and also allow sites without that problem to specify a backup URL in links in case the primary is unreachable.

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
Re: Sounds like a great idea (5.00 / 1) (#35)
by Arkady on Fri Jun 02, 2000 at 08:17:15 PM EST

I think I'll go with OpenDNS and call the administrative group the OpenNIC. The server _is_ running OpenBSD, after all.

I wasn't thinking free. I was thinking something like a $25/year membership fee which would make you a voting member and let you register domains. Individual domains, however, would be free to members so your yearly cost would never change. People who volunteer time, machines or bandwidth would get free membership as a sort of minimal compensation.

Sound OK?

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
There must be a reason why it have never been done (none / 0) (#17)
by Anonymous Hero on Fri Jun 02, 2000 at 09:03:21 AM EST

I mean, I hear this kind of proposal half a dozen times each year and I never see anything being done. Why?

I don't even want to force my ISP to use those alternate servers, I'd be happy to add them in my resolv.conf (Sure, it is bad for perf, but won't be as bad as gnutella :-) )

So can't someone set up a DNS so we can add it to our personal config and start referring to <http://slashdot.weblog> and <http://kuro5hin.weblog> ?

Then ISPs could start adding them to their config when it gets mindshare...

You need added value? (5.00 / 3) (#18)
by paranoidfish on Fri Jun 02, 2000 at 10:19:12 AM EST

I've been mulling over things like this for a long time now, and I'm not surprised that this is being suggested. There are a couple of points that sprang into my mind recently:

  • DNS does not make sense to joe public

    It took me an hour to explain to my mum (who is a db2 consultant, so is not exactly computer illiterate nor afraid of abstraction) why web addresses have http://www at the start and mostly end in .com. Some people refuse to believe my email address is real, just because it ends in .ac.uk and not .com. Hierarchical systems do not make sense unless you think about them, and most people do not want to think. They want to type in "WWF" to their browser and get to the wrestling.

    URLs were never meant to be seen by the public. Things like Realnames have the right idea, in that if nobody except the techies sees the URLs, a company would be happy with the address http://www.companyname.ohio.us.isp.net/, and the controversial part of ICANN's role disappears and netsol runs out of business to deal with quickly.

    A keyword based system would make so much more sense what with the web/net as it is today, at least, from the consumer's perspective. Keywords are already a reality (whatever.com), it's only a matter of time before people stop bothering with the ".com" like they stopped bothering with "http://www"

  • People need a reason to switch to an alternative system

    If it ain't broke, don't fix it, right? Try explaining to some sysadmins, let alone an AOL-newbie, what is wrong with the current system. Any alternative to ICANN, no matter how well run will still be the same thing in their eyes.

    So to get people to switch, you need to give them something new in the way of features. If you say to them "Here is something cool, which you can only get by switching to this new system", they'll demand access to it from their ISP soon enough.

    Look at it as the open source version of "embrace and extend" if you will :-)

Thinking about these two points leads to the final conclusion, which is that maybe instead of trying to reinvent icann, people should look to reinvent DNS?

A well thought out system, learning from the mistakes made in administering the dns system, which is more intuitive to the common user, with more protection from spoofing and other security problems and greater support for cacheability, distributedness, mirrors and round-robin-dns style systems, along with a few killer options and foresight for potential problems in a wireless, mobile world, could be taken up quite quickly by those in the know. Everyone else could follow soon after, especially if it is supported by linuxv2.6 and Windows2002

(Note, I'm not saying there is anything wrong with DNS in itself, just that if you are going to bother trying to reinvent the wheel you might as well invent ball bearings to fix some of the problems you've got with axles while you're at it. Of course, I'm being optimistic in assuming that there are ball bearings to invent, never mind if they are in easy to use cartridges.)

Nobody thinks the net is going to remain the same forever, yet everyone seems to be scared of actually changing anything, especially now that the whole world is watching. How many people still use Gopher?

I guess that was worth about 15cents...

Re: You need added value? (Common Sense Names!) (5.00 / 1) (#21)
by sjanes71 on Fri Jun 02, 2000 at 01:35:51 PM EST

We're working on that with RealNames-- the Common Name Resolution Protocol is being worked on, and we hope that browser-makers quickly adopt it so that people indeed can use "plain language" names instead of URLs--- without needing to download any additional software.

The CNRP protocol is XML-based which implies UNICODE support. Currently the CNRP transport is being defined as layered on top of HTTP, and is likely to have its own port number registered with IANA.

You can read more about CNRP at http://www.ietf.org/html.charters/cnrp-charter.html or use the Netword "CNRP Charter" to get to the same place.

Simon Janes
[ Parent ]
Realnames (none / 0) (#22)
by mattc on Fri Jun 02, 2000 at 02:36:24 PM EST

But if we use a system like Realnames, we run into the "AOL problem," that is, everyone who wants a name has to have a bunch of numbers after it.

Your mention of WWF is a good example of an instance where Realnames does not work. When you said WWF, the first thing that came to my mind was "World Wildlife Fund," not wrestling. Now, if I am using Realnames and I type in WWF and come up with a page about wrestling, I'm going to be a little confused. This problem doesn't exist(1) in our current system though, because the first thing I'd try for World Wildlife Fund is www.wwf.org, not .com (which is the wrestling home page).

Since realnames doesn't have as much flexibility as the current system, it would have to have something like WWF-1 and WWF-2 or else you have to know the entire full name of the organization.. which isn't always something you know (is it World Wildlife Fund or Foundation?)

The diversity of TLDs is a good thing IMO. It allows many different groups to share the same name. Currently I have a domain with .CX that I wouldn't have been able to have under COM/NET/ORG because it was already taken. I'm looking forward to the day when there are more TLDs (like .SHOP, .XXX, and so on..)

As for a reason to switch to new TLDs? I think low prices and a cool sounding name would be reason enough.

1. With the exception of when businesses register .orgs and orgs register .COMs (ugh)

[ Parent ]

Re: Realnames (5.00 / 1) (#48)
by paranoidfish on Sat Jun 03, 2000 at 09:35:03 AM EST

But if we use a system like Realnames, we run into the "AOL problem," that is, everyone who wants a name has to have a bunch of numbers after it.
With the exception of when businesses register .orgs and orgs register .COMs (ugh)

We've got a hierarchical system, and it turned into a keyword based system without anyone stopping it. Current practice for any UK business is to register .co.uk, .com, .net and .org, and if you can't get all three, rebrand. It's crazy, but it happens.

Your mention of WWF is a good example of an instance where Realnames does not work.

It was not accidental :-)

As for a reason to switch to new TLDs? I think low prices and a cool sounding name would be reason enough.

30 pounds (going rate of a .com in the UK) is not a lot of money for a domain name. Yeah, we can get cool names set up, but by doing that you are not solving the problem, and in two years time we have the same discussion again. Learn from our mistakes, yes?

I'm not sure what kind of system would result, but I'm sure some people out there have some ideas (technically and theoretically).

[ Parent ]
Re: You need added value? (5.00 / 1) (#29)
by fluffy grue on Fri Jun 02, 2000 at 05:52:43 PM EST

One thing that's really pissing me off nowadays with probably 99% of the nameservers out there is that they completely BREAK semantics. The purpose to 'www' in the past was to have a server specifically for being an HTTP server. Nowadays it's just fluff, and most of the domains out there have ONLY a webserver (or, more likely, an everything-in-one server which is vhosted by some other ISP). So instead of just using the @.domain A record like they're supposed to (and having www. as a convenient-for-the-idiots CNAME to the @ record), they have NO @ A record at all, which is just plain broken. Of course, this gets back to what you said about people having a hard time understanding hierarchal systems; hell, on Hobbes I had a hell of a time convincing people that a deep hierarchal directory structure was better for a multi-gigabyte thousands-of-files shareware archive than the shallow, huge-directory scheme that everyone loved so much, and had to actually FORCE them to accept the restructuring.
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
[ Parent ]

Changing your Root Cache? (5.00 / 1) (#24)
by Anonymous Hero on Fri Jun 02, 2000 at 02:56:19 PM EST

How about developing a product that is the first to offer DNSSec (an added value service), which contains the standard root cache nameservers, but also a few choice other roots.

I don't understand why the US government should have such control over a global phenomenon developed by academics.

OTOH, I'm making some money out of the current system, so why should I change ... :-)

Re: Changing your Root Cache? (5.00 / 1) (#26)
by gaudior on Fri Jun 02, 2000 at 03:37:10 PM EST

I don't understand why the US government should have such control over a global phenomenon developed by academics.

Because the US taxpayers paid for that development.

The expansion of the Internet we are currently experiencing is a very recent phenomenon. For the first 2 thirds of its life, the Internet, and the DNS were the exclusive property of the US government, and assigned agencies.

[ Parent ]

Corporation though (none / 0) (#25)
by Anonymous Hero on Fri Jun 02, 2000 at 03:02:40 PM EST

The large US corporations control a large chunk of the net.

The large US corporation is who is best served by ICANN...

so how does one convince the large US corporations that they want to make use of the new system?

without them, the whole thing will be a flop...

Re: Corporation though (none / 0) (#27)
by Arkady on Fri Jun 02, 2000 at 03:57:12 PM EST

That's certainly true to some extent. But if we establish it and use it without them, they will be along later wanting to use it as well. I certainly think it's worth a shot.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
It's all about critical mass. (none / 0) (#61)
by Deven on Wed Jun 07, 2000 at 11:48:22 AM EST

Achieving critical mass is a hard thing to do. AlterNIC has failed, and I'm sure a large part of the reason is because they're for-profit; why exchange the devil you know for one you don't? A truly altruistic "OpenNIC" running an "OpenDNS" may have a better chance if they're really in it for the benefit of the entire Internet rather than commercial interests.

Assuming critical mass can be achieved (and I don't know if it can), the greedy commercial interests will fall in line, because they'll have to. When customer demand becomes sufficiently ubiquitous, any company will surrender to it to remain in business. Even the mighty Microsoft capitulated when they finally realized that the Internet was truly a steamroller that could marginalize even them if they didn't embrace it. Even MSN was (and remains) a dismal failure; Microsoft was unable to force their model on the world.

It's not impossible; create a universal demand, and companies will universally comply or be marginalized quickly. Creating the universal demand is the hard part.


"Simple things should be simple, and complex things should be possible." - Alan Kay
[ Parent ]

NSI does not control the root nameservers.. (none / 0) (#28)
by Anonymous Hero on Fri Jun 02, 2000 at 04:09:57 PM EST

The root nameservers take direction from ICANN, not NSI.

OK, so I've prototyped it; it works (5.00 / 3) (#30)
by Arkady on Fri Jun 02, 2000 at 06:18:15 PM EST

Hi all,

Since there were some folks expressing interest, I went ahead and set it up on my servers on devnull.net. I'm building a web page to describe it, but here's what to add to your named.conf file to set yourself up to see it (running BIND8):

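#                               #
#  Compatibility: OpenNIC TLDs  #
#                               #

zone "opennic" in {
   type slave;
   file "tld-opennic";
   masters { /* master server address not preserved in this copy of the post */ };
};

zone "null" in {
   type slave;
   file "tld-null";
   masters { /* master server address not preserved in this copy of the post */ };
};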

I've set the OpenDNS TLD as .opennic and, as an example of another TLD I set up .null (since I've always wanted to have dev.null to go with devnull.net ...;-).

Unlike AlterNIC, this example does not depend on your modifying your .cache file since you cannot rely on my name servers always being available. Instead, each top-tier server will secondary the TLD files for now. By the time that enough domains are registered the resources should be available to do real root name serving. That way we can grow carefully.

Email me at opennic@unrated.net if you'd like to organize a TLD or think you'd like a domain in .null (which will be required to be completely non-commercial). We'll start setting up the organization and policies for the OpenNIC.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

Re: OK, so I've prototyped it; it works (none / 0) (#31)
by rusty on Fri Jun 02, 2000 at 06:43:54 PM EST

Kick ass! I think there should be a TLD for weblogs. ".log"? ".zine"? Something like that. Make sure you let us know when you're up and running, and have some clear policies. The only way to move this forward is publicity. :-)

Not the real rusty
[ Parent ]
Re: OK, so I've prototyped it; it works (none / 0) (#38)
by Arkady on Fri Jun 02, 2000 at 09:49:16 PM EST

OK, I didn't feel like writing more Mac software today, so there's a site up at http://www.opennic/projects/opendns (http://www.unrated.net/projects/opendns) for the OpenDNS/OpenNIC system.

On it you can find some proposals for how a project like this should be structured and some suggestions for the top-level policies. I've basically just adapted our use policy from http://www.devnull.net/use.html to a more generally applicable form.

Where does weblog as a term come from? I think this is the first time I've seen it. Would you prefer .weblog or .zine? And are you willing to organize a team to maintain the TLD (I'm proposing that TLDs be organized as independent administrative units)?

One of my housemates has suggested .parody to be used as a TLD for non-commercial parody which could not, by definition, be mistaken for infringing the trademark of the target. I like that idea.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
Re: OK, so I've prototyped it; it works (none / 0) (#32)
by hattig on Fri Jun 02, 2000 at 07:12:40 PM EST

Grin... can I have star.null? :-)

How about setting up .fish, for the people who love fish around here! Maybe you should set up .bank now and leave ICANN and .co to their wibblings. In the meantime you can, as a service to all of the banks out there, set up all the banks' domains for them, which they would be eternally grateful for (yeah, right) and that would be a great way to get your DNS recognised by a lot of the world... "please set this up so that people can access .bank domains", "erm, okay, what's the harm in that?"...

and while you are at it, .xxx or .sex would be the moneyspinner for you. Just my meaningless tired thoughts at midnight.

[ Parent ]

.fish tld (none / 0) (#47)
by paranoidfish on Sat Jun 03, 2000 at 09:14:57 AM EST

Suits me fine :-)

[ Parent ]
.pr0n (none / 0) (#51)
by dlc on Sat Jun 03, 2000 at 03:57:39 PM EST

    and while you are at it, .xxx or .sex would be the moneyspinner for you.

How about .pr0n instead of .xxx or .sex?


[ Parent ]

Re: OK, so I've prototyped it; it works (none / 0) (#33)
by Anonymous Hero on Fri Jun 02, 2000 at 07:52:22 PM EST

Well, I am interested in the idea, and no doubt if you blasted it about on Slashdot as being the new open source thing of the future some of them would take you up on it (whilst the cynical among them would deride it + you, probably saying it was some sort of publicity stunt).

Now, while I would be interested in supporting this, I run some commercial nameservers that are crucial to my own (small) business. I'm just wondering how secure your set up is? If we put you in as a root DNS server, then your setup has to have total integrity. Presumably, if someone hacked into your machine, and changed your settings for authoritative zones, they could really mess up our settings, with dot coms resolving all over the place to not very nice sites, etc.

If you are going to do it, and do it properly, you will have to get a load of white hats in to check your set up is totally secure, and provide enough bandwidth that it couldn't be subject to a DoS attack (what would be the point if it couldn't, anyway?) The first test of that may be to see how it handles a Slashdotting....

[ Parent ]

Re: OK, so I've prototyped it; it works (none / 0) (#34)
by Arkady on Fri Jun 02, 2000 at 08:13:17 PM EST

Right. Slashdotting. Oh my. I hadn't anticipated that possibility and I'm _really_ not looking forward to that.

Since I'm not recommending that you modify your root settings, all a cracker getting into the system could do to your resolution would be to screw up your ability to resolve in the OpenNIC domains, and the same damage would happen to everybody else using it as well.

Your point is well taken. The machine at the IP number cited above is a Pentium 166 running OpenBSD, pretty much completely default except for the bind8 port install and an install of the NetHack port ;-). Bandwidth would be the issue, since it's connected to the Net through a DSL line. We have two DSL lines, however, and if necessary I can dedicate one just to that box.

The Slashdotting would more likely hit our web server, which is a different machine. So it might make it through.

Thanks for the thoughts,

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
Re: OK, so I've prototyped it; it works (none / 0) (#43)
by Inoshiro on Sat Jun 03, 2000 at 01:35:47 AM EST

It'd be nice if this worked.

Jun 2 23:28:09 xxxxxx named-xfer[25432]: send AXFR query 0 to
Jun 2 23:28:09 xxxxxx named-xfer[25432]: [[XX.XX.XX.XX].3026] transfer refused from [], zone null

Ditto for "OpenNIC" zone.

** xxxxxx can't find devnull.net: Non-existent host/domain

Not heartening.

[ イノシロ ]
[ Parent ]
Same here (none / 0) (#45)
by rusty on Sat Jun 03, 2000 at 01:53:07 AM EST

I got the same "transfer refused" error.

Not the real rusty
[ Parent ]
Re: OK, so I've prototyped it; it works (none / 0) (#46)
by Arkady on Sat Jun 03, 2000 at 02:53:30 AM EST

Heh. As another comment here stated, it's important to keep the security in mind. It seems to have bitten the other way here.

My DNS servers are configured for maximum security by default, so they don't allow transfer connections except from specified hosts. Naturally, when I tested it, all my hosts are in the allowed list already.

My sincerest apologies. I have opened up public transfers on that server.

Whoops. Thanks for posting about it.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
Re: OK, so I've prototyped it; it works (none / 0) (#53)
by Inoshiro on Sat Jun 03, 2000 at 06:23:45 PM EST

Besides that, it'd be nice if devnull.net had an A record for "devnull.net" instead of just www.devnull.net :-)

[ イノシロ ]
[ Parent ]
It may be a bigger problem than you think (5.00 / 2) (#39)
by KindBud on Sat Jun 03, 2000 at 12:37:08 AM EST

ISC gets funding from NSOL, Sun, lots of others. I think you will have a hard time getting alternate roots distributed with the BIND source for this reason. You shouldn't need to anyway, but BIND enforces the current hegemony. You realize the named.cache file is really a "hints" file. In it, you place the names and addresses of the servers your BIND should query to discover the real roots. Try putting some other names and addresses in your hints file sometime, public servers that allow anyone to make queries. Right after startup, your BIND will have cached the "real" roots and will forget about the ones in the hints file.

BIND has another annoying "feature" leftover from the days when cache poisoning was a problem, that also contributes to enforcing compliance with the prevailing authorities. It accepts the non-authoritative glue from the roots in preference to the glue supplied by the authoritative nameservers. You cannot override the TTL of your own NS records and their A records, so you cannot reduce your domains' reliance on the roots by increasing the TTL of your own glue. Client caches will have to recurse to the roots every two days no matter what TTL you set on your glue. I seem to recall that this is an artifact of the now-obsolete "credibility rules" that were added to BIND in the late 4.9.x series. BIND 8 now discards out-of-zone glue, solving the poison problem, so the credibility rules are no longer needed, but they are still there, and it screws with my ability to improve the reliability of my own domains by making my glue persist longer in client caches, thereby reducing the number of trips clients must make to the roots.

I followed a link to this site from the freenet mailing list, and on my first visit, I felt like posting. Site looks great, I am getting worn out by Slashdot. In case you can't tell, I have a few axes to grind with NSOL and BIND. :) See cr.yp.to for one part of the solution. I highly recommend it. And it's perfectly suited for adding alternate top levels to your own network services. There is no hints file. It believes you when you tell it where the roots are, and you can also set it to ignore the roots and query particular servers for particular domains. Very nice, and very robust. Check it out.

just roll a fatty

Re: It may be a bigger problem than you think (5.00 / 1) (#40)
by rusty on Sat Jun 03, 2000 at 12:56:27 AM EST

Hey, welcome. Glad you found something that grabbed your attention. :-)

For the record, we covered Freenet way before anyone else was paying attention. And again a few weeks later when the media vultures started screaming "child porn". So how's the project going? If you'd like to send around a memo on the mailing list, I'd like to see a status update here. Napster, IMO, isn't long for this world, and Gnutella's cool, but Freenet had the most broad-ranging promise. So, what's up?

Not the real rusty
[ Parent ]

Important concepts (5.00 / 2) (#42)
by Anonymous Hero on Sat Jun 03, 2000 at 01:30:10 AM EST

That something like this needs to happen is a truth, but much of the posting here seems to, well, "not get it." To do this right requires working to find the right way to do things, not just jumping out with something nifty. Nifty comes later.

First, we need to get away from the concept of owning names. Where did this even come from? Names are things people use, not buy. Names aren't commodities, no matter what companies who want to sell them try to tell us. The service needs to allow names to just be, and that means a name can never be considered "taken." Some product named "Nova" shouldn't keep people from finding some other product coincidentally sharing the name. So, we need to allow identical names to coexist, even to encourage it.

To many, the biggest issue is the ridiculous proliferation of domains. Soon you'll be able to type anything in and get a web site, but you'll have to do a search to ever find a specific site for a given name. What kind of organization do we have when everything is in a single flat list? Is that even an organization? We need something more unique than the bare name already; the standard solution to that is an essentially fixed qualifying path, which we get naturally from a hierarchy. Domains were supposed to be hierarchical--now we've got to go back to the beginning and make sure the hierarchy matters this time. It needs to be what everyone wants: short, easy, deep, complex, unique. No single hierarchy can do this--we need multiple hierarchies that can intuitively overlap. "Intuitive" implies a non-rigid system.

This brings us to hierarchies of clear categories, where a given address can exist in several places, a given path can lead to multiple distinct addresses, and inferrable sub-paths can be omitted. For example, if I wanted information about Sprite, I could look under /Product/Sprite, /Product/Food/Pepsi, Company/Coca-Cola Company/Pepsi, /Country/USA/Georgia/Coca-Cola Company/Sprite, and quite a few other variations. If I chose a path that gave multiple addresses, I should get prompted to add qualifiers, pick from a list, or the resolution should fail (Or a user could have some resolution preferences that the client applies to automatically narrow searches, like the search domain entries in DNS resolvers).

Next, we need freedom from the US and English. All the name suggestions I saw posted were strictly English--and for the top level domains! Do Basque speakers really have to use .Bank? Shouldn't the name service components be translated into the local language until a resolving name is reached? If the Martian word for "product" is "quux" then Martians should be able to find Twinkie info under .../Quux/Twinkie.

But what is really interesting here is that none of this actually requires DNS at all. Set up mirrored web servers to do the name resolution (basically returning a list of sub categories or addresses), and then change the browsers to provide more intuitive access with the new urls (For old browsers, return a redirect). Don't make people type: the browser should offer name completion transparently and preferably have or connect to something with a bit of smarts in the name search, for users who just want to type a single name. Know when to hide parts of the URL. The browser probably doesn't need to show the name service portion of the url unless the user specifically wants to edit it (and not just type in a new url). With helpful expansion, we can keep many annoying abbreviations and amalgamations from clogging the naming hierarchy.

Well, it's getting harder to convince myself I'm not rambling, so that's probably more than enough from me on this.

Uh... isn't this RealNames? (none / 0) (#49)
by pin0cchio on Sat Jun 03, 2000 at 11:54:19 AM EST

Set up mirrored web servers to do the name resolution (basically returning a list of sub categories or addresses), and then change the browsers to provide more intuitive access with the new urls (For old browsers, return a redirect).

So you're talking about Internet "keywords" with tab completion. Isn't that what RealNames is all about? (The RealNames search engine is here.)

[ Parent ]
Re: Important concepts (none / 0) (#63)
by Deven on Wed Jun 07, 2000 at 03:34:43 PM EST

The point about non-English names is a good one. Should they have multiple equivalents or have the topmost level be a language specifier? (DNS resolver search paths could handle this quite nicely, actually, and integrate with current DNS roots cleanly...)

As for your Sprite/Pepsi/Coca-Cola examples, there's a big problem -- this is very much like X.500 naming, and you will run into similar troubles. First, you need canonical names, especially in today's world where deliberate bogus sites are commonplace. (Like the classic "whitehouse.com" porn site.) Now, X.500 has canonical names, but they are so complex and awkward to use that nobody wants to use them. In short, a name service much as you describe exists, but has largely failed due to its sheer complexity and overgeneralization. (The HTTP-based version of what you're talking about also exists -- it's called Yahoo!)

While Joe Sixpack may find DNS domain names awkward and confusing, canonical X.500 names would send him screaming into the hills. We're probably better off with an ad-hoc hierarchy like DNS, but with controls to prevent the rampant abuse it has suffered. (How is the current .com TLD any better than the HOSTS.TXT of old, really?) The abuse of .com, .net and .org domains demonstrates the disaster of a free-for-all system. As I mentioned in other messages, I'm thinking "domain czars" a la Usenet 2 might be a better solution to the namespace problem...


"Simple things should be simple, and complex things should be possible." - Alan Kay
[ Parent ]

Problems and comments. (5.00 / 1) (#52)
by Anonymous Hero on Sat Jun 03, 2000 at 05:00:37 PM EST

There's at least one problem with this that will be difficult to address: Web caches tend to receive most of their requests as hostnames while web servers sometimes require them. Virtual hosts for eg. Proxies not in on the deal will have to be avoided for this to work, and transparent proxies can't be. The fact that Alternic asked people to trust them more than the root servers was a big problem too. These for me were the killers for Alternic. The way I see it, something better needs to be created _and_ ICANN needs to be taken on. Neither is good enough alone. May I suggest that once the issues others have mentioned have been hammered out, that some sort of voting mechanism is added. TLDs can be created randomly unless they're well established and get to live as long as people keep referring to them perhaps. Plus or minus a few minor details I think that could be made to work.

Re: Problems and comments. (none / 0) (#55)
by Arkady on Sun Jun 04, 2000 at 01:54:46 AM EST


I've been thinking about the proxy concept and I think I've come up with a better way. Here's an example.

I set up .null on the example system (because I wanted to ... ;-). .null will be run from the ICANN/NSI domain devnull.net, which I already administer. I've delegated splinter.null to Rusty, but at the same time I delegated splinter.devnull.net to him as well. This way, if he sets up his DNS properly, www.splinter.null will also be accessible as www.splinter.devnull.net since both records would be set up to point to the same IP number.

If we tie the new TLDs into existing ICANN/NSI domains this way, a user who is connected only to a DNS server which doesn't support this will still be able to resolve the name by replacing the TLD with the alternate domain name.

Since this isn't being set up as root server entries in the cache file, but rather by having a network of DNS servers which secondary the TLD file from the core server, the issue of trust is lessened as well. You don't have to use someone else's root servers yet. You just secondary the TLD zone files and leave your root servers pointed to NSI. By the time those files are large enough to be unwieldy we should have been able to set up truly trustworthy root servers.

What do you think?


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]
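
The fallback arrangement described in the comment above (a name under .null mirrored under devnull.net) only holds while both zones stay in step. As an added example, not part of the original thread or of OpenDNS, this sketch rewrites an alternate-TLD name to its ICANN twin and reports records that have drifted; the function names, zone contents and addresses are constructed for illustration.

```python
# Mapping taken from the comment: the .null TLD is mirrored under devnull.net.
ALT_TLD_FALLBACK = {"null": "devnull.net"}

def fallback_name(name, mapping=ALT_TLD_FALLBACK):
    """Rewrite an alternate-TLD name to its ICANN-resolvable twin, or None."""
    labels = name.rstrip(".").lower().split(".")
    parent = mapping.get(labels[-1])
    if parent is None or len(labels) < 2:
        return None
    return ".".join(labels[:-1] + [parent])

def parse_a_records(zone_text, origin):
    """Collect A records from simple 'owner IN A address' lines (no TTLs or $directives)."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) != 4 or [f.upper() for f in fields[1:3]] != ["IN", "A"]:
            continue
        owner = fields[0].lower()
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        records.setdefault(fqdn, set()).add(fields[3])
    return records

def find_mismatches(alt_records, icann_records):
    """Return alt-TLD names whose twin is missing or points at different addresses."""
    problems = {}
    for name, addrs in sorted(alt_records.items()):
        twin = fallback_name(name)
        twin_addrs = icann_records.get(twin, set())
        if twin_addrs != addrs:
            problems[name] = (twin, sorted(addrs), sorted(twin_addrs))
    return problems

# Constructed sample zones (addresses are from the 192.0.2.0/24 documentation range).
SPLINTER_NULL = """
www   IN A 192.0.2.10
mail  IN A 192.0.2.20
ftp   IN A 192.0.2.30
"""
SPLINTER_DEVNULL_NET = """
www   IN A 192.0.2.10
mail  IN A 192.0.2.99   ; drifted from the .null zone
"""

def demo():
    alt = parse_a_records(SPLINTER_NULL, "splinter.null")
    icann = parse_a_records(SPLINTER_DEVNULL_NET, "splinter.devnull.net")
    return find_mismatches(alt, icann)

if __name__ == "__main__":
    for name, (twin, a, b) in demo().items():
        print(f"{name} -> {a} but {twin} -> {b}")
```
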
OpenNIC web site and email lists (none / 0) (#56)
by Arkady on Sun Jun 04, 2000 at 01:09:17 PM EST

I've set up a site at "http://www.unrated.net/projects/opendns" (which you can get to as "http://www.opennic/projects/opendns" if you're already configured for OpenDNS ... ;-).

I've set up a few mailing lists as well, since no community project seems to be complete without at least a few. They're described on the site. Basically, if you're interested, you can subscribe by sending an email to "majordomo@unrated.net" containing either "subscribe opennic-discuss" or "subscribe opennic-announce", depending on to which list you're subscribing.

Thank you all for your responses and suggestions. I will keep track of all the comments and try to integrate all your suggestions into the project.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

Open or not, namespaces face the same basic proble (5.00 / 1) (#57)
by andyo on Mon Jun 05, 2000 at 01:02:49 PM EST

The proposals for new naming systems are exciting. And in some ways, innovative sites like Napster are branching out into new areas already--you find other people on Napster through the names by which they registered themselves, not through DNS. (There's an interesting article about this little-noted aspect of Napster.)

But I'd like to see more discussion of how to avoid the problems in Realnames and in the current system. Do you stick to first-come-first-served, or have a dispute resolution policy? How do you avoid favoritism in the sites returned from a search? These problems don't go away just because good people will presumably be in charge.

As for keeping DNS and making it a non-profit activity--that's been discussed a lot on mailing lists among DNS activists. Most think that non-profits can have as many agendas of their own as for-profits. What's important is to reduce the importance of the DNS namespace (by providing alternative search mechanisms) or to increase its size to reduce scarcity, as people have discussed on this list.

Re: Open or not, namespaces face the same basic pr (none / 0) (#58)
by Arkady on Mon Jun 05, 2000 at 03:49:34 PM EST

Hi Andy!

I'm glad you're interested; maybe if I can answer your concerns we could get an essay about it posted on cyber-rights? ;-)

I think that, after checking for appropriateness within the TLD, subdomain name registrations should be on a first-come basis. I have a proposal for this principle behind a dispute resolution policy on the OpenDNS policies page (at "http://www.unrated.net/projects/opendns/policies.html"). As I see it, policies about this should be set by the TLD. Some TLDs need to guarantee global, regional or local uniqueness; some need to guarantee compliance with various Trademark laws and some (through careful thematic design) can be built to be exempt from all of these. This should also help solve the scarcity problem ... ;-)

Favoritism in search engines, unfortunately, cannot be solved directly. It could, however, be solved by writing its conditions into the Use Policy for the .search domain, right?

I also agree with you on the issue of non-profits pushing vested interests. Look at ICANN for a nice example. What we're proposing, however, goes a touch beyond simply not-for-profit. What we want to create is akin to a consumer cooperative like AAA, where the DNS organization would be controlled by vote of its users. Traditional non-profit law makes this difficult, but not insurmountable (at least in the US).

No more time to continue. I have to go assemble some servers for a client. We all still have to make a living ... ;-)

Please check out the site for OpenDNS (at "http://www.unrated.net/projects/opendns/"), Andy, and feel free to email me directly (at "arkady@unrated.net"). I've been very impressed with your material on cyber-rights and would value your opinion.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]

Avoiding corruption in namespace management... (none / 0) (#65)
by Deven on Wed Jun 07, 2000 at 04:31:00 PM EST

The current abuses of ".com", ".net" and ".org" prove that unchecked free-for-alls on a first-come, first-served basis are an unmitigated disaster. I don't have a problem with first-come, first-served as the general rule of thumb, but when the system gets abused, someone has to step in and do something about it.

The problem is, who should step in? The DNS is basically a cooperative system that happens to work universally only because of a universal convention whereby everyone on the Internet agrees to honor the DNS system and the existing DNS root.

Does it really make sense for the courts and legislators to step in and try to regulate the Internet when it's nothing more than voluntary communications held together by decades of conventions including TCP/IP and DNS? Let's not forget that it's an international network; is it really reasonable for any country (even the USA) to expect to control the way the entire network works, effectively regulating voluntary interactions between foreign citizens on foreign soil (of sovereign nations), where none of it is even under the USA's jurisdiction?

If we don't leave it up to the legal system (and that's really an unworkable solution heavily weighted toward corporate interests), do we put it up for a vote? Then we open ourselves up to the "tyranny of the majority" instead, and pave the way for corporate interests to get their way by persuasive propaganda to sway voters in their favor.

No, the only model I can really see working is the "benevolent dictator" model. (This is the exact model used for Linux kernel development, which works rather well.) I'm calling these benevolent dictators for a new DNS "domain czars" after Usenet 2's "hierarchy czars" which follow the same model.

Each domain would have a "domain czar" with (almost) absolute authority over that domain and all subdomains, and the ability to create new domain czars by delegating authority for subdomains at his/her sole discretion. Each domain czar would ultimately have to answer only to higher-level domain czars who delegated their authority down the line. Conflicts resolved by escalation to a higher-level domain czar would be structurally similar to appeals in a court system, appealing up one level at a time, who could refuse to "hear the case". Successful appeals should be unusual; if a domain czar keeps having to overturn unreasonable rulings, he/she will presumably seek a more suitable replacement domain czar that will make better judgements.

The obvious question is where the authority comes from for the domain czar in charge of the root namespace. A single person with unquestioned authority over the entire namespace? It's unthinkable. Or is it? Ultimately, this person's authority comes from "the consent of the governed"; if the root czar abuses his/her authority, somebody will stage a coup, much as this system would represent a coup over ICANN. If Linus Torvalds abuses his authority over the Linux kernel, someone else (probably Alan Cox) would have to fork the kernel and everyone would converge on the forked version.

Similarly, abuses in the DNS system could lead to a fork in the DNS system. This is clearly an extremely drastic thing to do, but it's always the ultimate check on the system. We wouldn't even be discussing this now if it weren't for a pervasive feeling that the DNS system has been abused (with NSI's cooperation) and ICANN hasn't fixed it.

When Jon Postel was IANA, he was a benevolent dictator. He wielded incredible power over the entire Internet, but he never abused it; under his supervision, things ran smoothly. Dave Lawrence used to be a benevolent dictator over Usenet when he moderated news.newgroups, and again it worked well. Linus Torvalds is a benevolent dictator over the Linux kernel and it continues to work well. Time and again, nothing seems more immune to corruption than a community with a spirit of cooperation and a trusted benevolent dictator to keep that community from getting out of hand.

The hard part is getting there from here.


"Simple things should be simple, and complex things should be possible." - Alan Kay
[ Parent ]

Re: Avoiding corruption in namespace management... (none / 0) (#66)
by Arkady on Thu Jun 08, 2000 at 05:46:25 PM EST

That's really an interesting perspective. You are correct that the Net has largely worked on that model and, on the whole, it's worked quite well. The only really large failure that I can think of, and I only think it's a failure because I disagree with the dictator in this case, is Vixie's refusal to add support for multiple hierarchies to BIND. Obviously, I'm going to disagree with that one ... ;-)

What we're looking for with OpenDNS is a sort of parliamentary version of what you're talking about. We basically just want to add an ability for a sufficiently large percentage of the users within a domain to overrule the dictator(s).

Fascinating. I had honestly not thought of it that way before. Thanks for the ideas.


Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.

[ Parent ]

Re: Avoiding corruption in namespace management... (none / 0) (#67)
by Deven on Thu Jun 08, 2000 at 07:53:16 PM EST

While I understand the desire to allow for an override, it may open the door for trouble to come back in. "Tyranny of the majority" is a very real danger, and the effects of corporate propaganda cannot be underestimated. The vast majority of Internet users are not sufficiently cognizant of the issues of namespace management to make a decision in the best interest of the Internet as a whole.

After all, a flat namespace is simpler to use and understand than a good hierarchy, but it doesn't scale well. The average Internet user is relatively new to the network and culture, and they see an effectively flat namespace in "www.company.com" -- many express disbelief in addresses that don't end with ".com", thinking them invalid because they don't match most of their limited experience with domain names.

When the DNS was created, most Internet users recognized the scalability problems with HOSTS.TXT from experience. Now, most Internet users know nothing else and would rather not have to contemplate more complexity anyway. Eventually, many of them may come to recognize the problems, but it's an uphill battle. This means that namespace management may not be well-suited to a democratic vote.

Rather than having such voting/override procedures, I'm thinking that a hierarchical appeals process of these benevolent dictators (domain czars) would be more effective and immune to corruption. If the appeal is a strong one, one of the higher-level domain czars would presumably "grant the appeal". If the system got so corrupt that the root domain czar can't be trusted, then you're talking about a revolution, much as OpenDNS is with regard to ICANN. That's the ultimate protection against rampant abuse and corruption...


"Simple things should be simple, and complex things should be possible." - Alan Kay
[ Parent ]

Shamelessly plugging my own proposal (5.00 / 1) (#64)
by Anonymous Hero on Wed Jun 07, 2000 at 04:09:58 PM EST

I wrote up a proposal for a solution to the DNS problem a while back. It's here (http://www.literati.org/seanl/dns.html). Flames welcome.

An Immodest DNS Proposal | 66 comments (66 topical, 0 editorial, 0 hidden)