Paul Vixie On What DNS Is Not
CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"
them dollar (Score:0, Insightful)
not only Verisign (Score:5, Insightful)
Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.
Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."
Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.
Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.
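An added example, not part of the original thread: one way to check whether a resolver suppresses NXDOMAIN as described above is to look up random names that cannot exist and inspect the RCODE and answer section of each raw reply. The `.invalid` probe names, the 192.0.2.10 address and all function names are assumptions made for this sketch, and the replies are constructed inline rather than captured.

```python
import struct

NXDOMAIN = 3  # RCODE meaning "this name does not exist"

def build_response(name, rcode, addrs):
    """Construct a sample DNS reply (fixture for this example, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!2H", 1, 1)            # question: type A, class IN
    for a in addrs:                                    # answer names point back at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, a.split(".")))
    return msg

def skip_name(msg, off):
    """Return the offset just past an encoded (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                # the root label ends the name
            return off

def parse_response(msg):
    """Return (rcode, [IPv4 addresses found in the answer section])."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs

def classify(responses):
    """responses: raw replies to lookups of random names that cannot exist."""
    parsed = [parse_response(r) for r in responses]
    if all(rc == NXDOMAIN and not a for rc, a in parsed):
        return "truthful", set()
    # NOERROR replies carrying addresses for nonexistent names were synthesized
    synthesized = set().union(*(a for rc, a in parsed if rc == 0))
    return ("rewritten" if synthesized else "inconclusive"), synthesized

PROBES = ["k3v9q0a7.invalid", "zt41mmx8.invalid", "p0c6yw2d.invalid"]  # constructed names
```

The returned address set is what an operator would compare across probes: a wildcard or rewriting resolver tends to hand back the same few addresses for every nonexistent name.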
Don't be a baby! (Score:5, Insightful)
So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?
Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.
Basically, AC, people you work with will make decisions you disagree with. It is important that you put up with it, and not be a big baby.
CDNs are good thing (Score:4, Insightful)
While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the client's location or for load balancing purposes is an extremely useful technique for last companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.
Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness by avoiding unnecessary cross-planet network traffic. And even if google gets it wrong, they are no worse off than if they never implemented this in the first place.
Re:what it is becoming (Score:2, Insightful)
Re:not only Verisign (Score:3, Insightful)
When your ISP gives you name(s) for POP3 service (and maybe NNTP also), rather than addresses, and those names are within the ISP's domain...
Then a working DNS, administered by the ISP, is part of the service. Without it, the ISP is unable to offer the services stated to their customers in their paperwork.
Yes, maybe it's contracted out. But that doesn't change the ISP's responsibility to its customers, or its liability when service fails.
Re:what it is becoming (Score:3, Insightful)
Re:The two examples don't seem anything alike ... (Score:5, Insightful)
Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement whatsoever from dynamic DNS.
Akamai could use DNS with traditional cache times and still redirect to the right node via http redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permanent redirection' or 'this is only temporary, next time ask me again'.
I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.
Re:Don't be a baby! (Score:3, Insightful)
There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.
If the company is going to sink with or without your help, you may as well jump ship and rescue someone else instead of going down with them.
If I'm a consultant, I'm aware that my knowledge, and consequently, time, is a valuable resource. I'm not going to take a lot of crap from a company that pays me well just to have the privilege of ignoring me. There are other companies who could put my advice to a lot better use, which are currently going without thanks to my current asshole of a client.
Don't forget about society's opportunity cost.
Re:Don't be a baby! (Score:3, Insightful)
The problem is that a lot of these boards never listen to the advice of experts, they only want the presence of experts in order to confer legitimacy on their decision. These boards and committees have only the interests of industry at heart, not those of the public. They're not interested in the facts, or how things should be done. They're interested in giving money and control to private companies.
By participating in such boards, Paul Vixie and people like him are choosing to be part of the problem.
Re:not only Verisign (Score:2, Insightful)
Re:CDNs are good thing (Score:2, Insightful)
I disagree.
Getting the wrong web page is not helpful. For example, go to Japan and look up some big name website, e.g. google.com and you get it localized into Japanese. I didn't want google.co.jp, I wanted google.com. How does DNS know what language I speak?
Many, many times I tried to look up the website of a big American or European company while in Japan and I could only get the Japanese language version. No matter which page I tried to get, brain dead websites trust DNS absolutely and always redirect to a Japanese language page. Japanese friends have these same problems all the time. One friend wanted to buy something from an American company and get it shipped but he simply couldn't check out the specification because they had closed their local operation and all requests originating from Japan were redirected to the local website apologizing for closing their local store.
These examples are not isolated; users in other countries must suffer similar problems. Stop abusing DNS is the answer.
Re:not only Verisign (Score:2, Insightful)
It's not a problem per se - but everyone running a caching DNS server on their PC, because they can't trust the ISP, while seemingly beneficial now, has problems in theory down the road. The point of an ISP having a caching nameserver is so that queries get cached closer to home, and for a larger segment of the network. If *every* end client had their own full caching nameserver, rather than relying on a hierarchy, we'd have a tragedy of the commons, and the load on the authoritative servers would go way, way up.
If network operators stuck to not interfering with DNS, and used it as intended, people wouldn't see the need to work around (and potentially, eventually, invalidate) the model.