
Paul Vixie On What DNS Is Not

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"
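The SiteFinder behaviour described in the summary is visible at the wire level: a name that does not exist should come back with RCODE 3 (NXDOMAIN), while a synthesizing wildcard returns RCODE 0 with an A record for a name nobody registered. The following is an added example, not code from Vixie's article or from ISC, that builds a DNS query for a random label under a zone and classifies the answer. The probe name and the two sample responses are constructed for the demonstration; `probe()` does real UDP I/O against a server of your choosing and is not exercised offline.

```python
"""Detect NXDOMAIN rewriting (a SiteFinder-style wildcard) at the DNS wire level."""
import random
import socket
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1


def encode_name(name):
    # Wire format: length-prefixed labels terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    # Header: id, flags (RD set), qdcount=1, ancount/nscount/arcount=0, then one A question.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, 1)


def skip_name(msg, off):
    # Advance past a name, which may end in a 2-byte compression pointer.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (id, rcode, [A-record addresses]) from a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype and qclass
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return qid, rcode, addrs


def classify(msg):
    """'nxdomain' is the honest answer; 'synthesized:<ip>' means the zone invented one."""
    _, rcode, addrs = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode == RCODE_NOERROR and addrs:
        return "synthesized:" + ",".join(addrs)
    return "other:rcode=%d" % rcode


def random_probe_name(zone):
    # 20 random letters under the zone: vanishingly unlikely to be a real delegation.
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(20))
    return "%s.%s" % (label, zone.rstrip("."))


def probe(server, zone, timeout=3.0):
    """Send one probe over UDP to server:53 and classify the reply (network I/O)."""
    qid = random.randrange(0, 0x10000)
    query = build_query(random_probe_name(zone), qid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    if parse_response(data)[0] != qid:
        return "other:id-mismatch"
    return classify(data)


def sample_response(qid, name, rcode, addr=None):
    """Constructed response echoing the question, with an optional single A record."""
    ancount = 1 if addr else 0
    flags = 0x8180 | rcode  # QR, RD, RA bits plus the rcode
    msg = struct.pack(">HHHHHH", qid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack(">HH", TYPE_A, 1)
    if addr:
        # b"\xc0\x0c" is a compression pointer back to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 900, 4) + socket.inet_aton(addr)
    return msg
```

Run `probe("<resolver or authoritative IP>", "com")` a few times; a consistent `synthesized:` result for random names is the wildcard the summary complains about. The same probe, pointed at your ISP's resolver, also shows NXDOMAIN rewriting done at the resolver rather than in the zone.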
  • Re:not only Verisign (Score:4, Informative)

    by ChipMonk ( 711367 ) on Saturday November 07, 2009 @04:00PM (#30016380) Journal
    Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.
  • by QuantumRiff ( 120817 ) on Saturday November 07, 2009 @05:12PM (#30016802)

    He argues that the problem is, the client doesn't usually hit the DNS server; the client's DNS server only does after it expires its own local cache.

    Just because your ISP's DNS servers are sitting in LA, doesn't mean you are. You could be in Seattle, and using those DNS servers, or out in the world, on the work VPN, using their DNS server in downtown Chicago. That's how many people get around regional restrictions now, in fact.

    People have shoehorned DNS into something that it is neither efficient at nor designed to do.

  • by DaveGillam ( 880499 ) on Saturday November 07, 2009 @05:33PM (#30016948)
    SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. Some spammers use SPF and SenderID records to give their spam a higher sense of legitimacy. A spammer cannot forge "paypal.com" because Paypal publishes SPF records. A spammer CAN pretend to be Paypal by using a look-alike domain with its own set of SPF records (i.e. paypall.com, paypal.org). SPF and SenderID simply publish what IPs are authorized to send email claiming to be from a particular domain. DKIM does essentially the same thing, but is arguably better since it uses a cryptographic mechanism to assure the message in question was not appreciably altered in transit.
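The distinction the comment draws (SPF authorizes sending IPs for a domain, nothing more) is easiest to see by running the check. Below is an added example, not the commenter's code and not a full RFC 7208 implementation: it evaluates the ip4, ip6, include and all mechanisms against a constructed table of records standing in for DNS TXT lookups. The domains and addresses are made up for the demonstration; `examp1e.com` plays the look-alike domain with its own valid record.

```python
"""Minimal SPF check (ip4/ip6/include/all only), with constructed records."""
import ipaddress

# Constructed stand-in for TXT lookups: domain -> SPF record. Not real records.
CONSTRUCTED_SPF = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # Look-alike domain operated by the sender of the forgery, with its own clean record.
    "examp1e.com": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=CONSTRUCTED_SPF, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; also guards include loops
        return "permerror"
    record = records.get(domain.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=; not modelled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced record yields pass.
            if check_spf(ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech in ("a", "mx", "ptr", "exists"):
            continue  # would need further DNS lookups; not modelled here
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # ran off the end with no 'all' term
```

Forging `example.com` from an address outside its record fails, while the same address sending as `examp1e.com` passes, which is exactly the point: SPF tells you the mail really came from whoever controls `examp1e.com`, not whether that party is honest.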
  • by Anonymous Coward on Saturday November 07, 2009 @06:27PM (#30017256)

    Nonsense, SPF does absolutely nothing to stop spam. In fact, because spammers have jumped on the SPF bandwagon pronto, the presence of an SPF record is a reasonable indicator that the message in question might be spam.

  • by rekoil ( 168689 ) on Saturday November 07, 2009 @06:59PM (#30017418)

    > I suspect anycast would be a better method, honestly.

    And you'd be completely, utterly wrong. I've seen anycast resulting in some mind-numbingly stupid site selection choices, usually due to a local ISP's BGP policy - and when I say "stupid" I mean "all users of ISP X in New York City getting sent to a mirror in Sydney, Australia instead of the site downtown".

    This might be OK for simple DNS queries, but for actual web sites it is a True Path To Pain.

  • Listen to this man! (Score:2, Informative)

    by TrisexualPuppy ( 976893 ) on Saturday November 07, 2009 @09:10PM (#30018264)
    He is a credible source. For a little background, he wrote one of the most popular cron daemons.

    (Wiki) With the advent of the GNU Project and Linux, new crons appeared. The most prevalent of these is the Vixie cron, originally coded by Paul Vixie in 1987. Version 3 of Vixie cron was released in late 1993. Version 4.1 was renamed to ISC Cron and was released in January 2004. Version 3, with some minor bugfixes, is used in most distributions of Linux and BSDs.

    I met Vixie some number of years ago in Vegas and he blew my mind away with his insight. He's spot on once again in this article.

  • by John Hasler ( 414242 ) on Saturday November 07, 2009 @10:57PM (#30018754) Homepage

    > For example, check out what www.google.com resolves to from different
    > countries or even at different times - depending on where you look it up from
    > and what network links are up, you will get a different set of IPs.

    According to Google I spent the last two weeks of October jumping around between Japan, France, Spain, and Britain.

    I never left Wisconsin. And no, I was not using Tor or a VPN or any such thing.

  • Re:not only Verisign (Score:3, Informative)

    by bruce_the_loon ( 856617 ) on Sunday November 08, 2009 @05:36AM (#30020128) Homepage

    Bind has Windows binaries for XP/2003/2008

    https://www.isc.org/downloadables/11 [isc.org]

  • by TheRaven64 ( 641858 ) on Sunday November 08, 2009 @06:57AM (#30020402) Journal

    I think you're missing his point. It's easy to do, because he does hide it quite well behind a large wall of text. DNS, as Vixie (awesome name) rightly says, should be a cacheable mapping. The result should depend on the query and nothing else. It should not depend on who your ISP is. It should not depend on your geographical location. If you do a DNS lookup from your computer, you should get exactly the same result that I get from my computer at the same time, irrespective of where we both are in the network topology. This is a fundamental aspect of DNS and lots of software has been written on top of the assumption that this is how DNS works. Changing this is going to break things in fun and exciting ways.

    A real-time block list is a perfectly acceptable use of DNS. It maps from a domain name to some information, in this case whether the IP is a known spammer. Putting geolocation information and telephone numbers into DNS are also valid uses. They express facts that don't change depending on who is asking for them. The page is a bit confusing because he uses 'policy' to mean 'information that depends on who is asking'. A better word would be 'propaganda'.

    By the way, he also makes the point that domain names should be written the other way around if you want autocompletion (e.g. org.slashdot.tech). It's worth noting that the Joint Academic Network (JANET) in the UK did write them this way around, which meant things like tab-completion of hostnames could work nicely. It was forced to change because the rest of the world was writing them the wrong way around.
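Both of the "facts, not policy" uses named in the comment above are simple name constructions, shown here as an added example (not the commenter's code, not Vixie's). A DNS-based blocklist query reverses the address label by label (octets for IPv4, nibbles for IPv6, the same way in-addr.arpa and ip6.arpa do) and appends the list's zone; the answer, if any, is a 127.0.0.0/8 address whose meaning is defined by that list. The second function writes a hostname most-significant label first, the JANET ordering the comment mentions, which is what lets sorted names group by domain and prefix completion work. The zone `bl.example` and the answer table are placeholders constructed for the demonstration.

```python
"""DNSBL query names and reversed-label hostnames, with a constructed answer table."""
import ipaddress

# Constructed DNSBL answers standing in for real A-record lookups.
CONSTRUCTED_BL = {
    "7.113.0.203.bl.example": ["127.0.0.2"],
}


def dnsbl_query_name(ip, zone="bl.example"):
    """Name to look up for `ip` in the blocklist zone `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # 32 hex nibbles, least significant first, as in ip6.arpa.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone.rstrip(".")])


def dnsbl_listed(ip, lookup, zone="bl.example"):
    """lookup(name) -> list of A-record strings, or [] on NXDOMAIN.
    Returns the 127.0.0.0/8 codes the list answered with; empty means not listed."""
    answers = lookup(dnsbl_query_name(ip, zone))
    codes = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.ip_address(a) in codes]


def constructed_lookup(name):
    return CONSTRUCTED_BL.get(name, [])


def reverse_labels(name):
    """tech.slashdot.org -> org.slashdot.tech"""
    return ".".join(name.rstrip(".").split(".")[::-1])


def complete(prefix, names):
    """Prefix completion over reversed names; returns matches in normal order."""
    rev = sorted(reverse_labels(n) for n in names)
    return [reverse_labels(r) for r in rev if r.startswith(prefix)]
```

`complete("org.slashdot.", hosts)` returns every slashdot.org host in one contiguous run, which is impossible to do with a plain prefix on the usual little-endian spelling.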
