Paul Vixie On What DNS Is Not

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"
  • Re:not only Verisign (Score:4, Interesting)

    by Anonymous Coward on Saturday November 07, 2009 @03:49PM (#30016310)

    If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.

    Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.

    Vixie - you can't have it both ways. If these are your real feelings then I call on you to resign your position on the Advisory Board at Nominum.

  • Re:not only Verisign (Score:5, Interesting)

    by NoYob ( 1630681 ) on Saturday November 07, 2009 @03:55PM (#30016350)
    Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

    Every technological marketing gimmick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.

    And so would most of you, too.

  • what it is becoming (Score:3, Interesting)

    by phantomfive ( 622387 ) on Saturday November 07, 2009 @04:07PM (#30016412)
    Looks like this article is more about, "what DNS is becoming but I don't like." He may not like it, but that's what's happening with DNS.

    Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' Nor was I particularly happy about masquerading becoming a popular routing technique, instead of switching to IPv6. And yet, that's what happened. Sometimes technologies are twisted in ways you don't intend or like.
  • by kimvette ( 919543 ) on Saturday November 07, 2009 @04:15PM (#30016460)

    Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.

  • by Wrath0fb0b ( 302444 ) on Saturday November 07, 2009 @04:40PM (#30016598)

    Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.

    What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached responses closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.

    His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.

    Finally, his "solution" -- that CDNs rely on dumb ("pseudorandom" is his fancy way of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distant from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assigned me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.

    Please don't confuse his (for the foregoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.

  • Re:not only Verisign (Score:1, Interesting)

    by Anonymous Coward on Saturday November 07, 2009 @04:45PM (#30016628)

    Since when is DNS by legal terms part of internet service?

    Are you honestly going to claim that the internet, as the vast majority of people know it, won't work without DNS?

    Are you honestly going to claim that people are expecting to type http://123.456.789.123/ when they go to a website? Or send email to johndoe@[123.456.789.123] ? (yes, that's a legal email address according to the RFCs)

    No, DNS is part of internet service when a company offers internet service to its customers. I'm pretty sure most ISP contracts don't explicitly say, "you may use this service to go to www.yahoo.com", but it is an expected part of the deal.

    And it's not like you can't use other DNS servers or set up your own.

    Actually, many of the ISPs that don't correctly report NXDOMAIN hijack DNS traffic to prevent you from going elsewhere.

    ISPs have usually also had email accounts, news and other services but 2000+ they've started dropping those and you wouldn't have a legal case in those situations either, unless of course, they were specified in your contract.

    There are expected norms that go along with internet service. And I never claimed you should sue for breach of contract. I said you should sue for FALSE ADVERTISING.

    They are advertising internet service, but not delivering.

  • News to me (Score:2, Interesting)

    by Anonymous Coward on Saturday November 07, 2009 @05:04PM (#30016744)

    Browser implementers including Microsoft and Mozilla have begun doing DNS queries while collecting URIs from their graphical front end in order to do fancy "auto-completion." This means that during the typing time of a URI such as http://www.cnn.com/, the browser will have asked questions such as W, WW, WWW, WWW.C, WWW.CN, WWW.CNN, and so on. It's not quite that bad, since the browsers have a precompiled idea of what the top-level domains are. They won't actually ask for WWW.C, for example, but they are now asking for WWW.CN, which is in China, and WWW.CNN.CO, which is in Colombia.

    Which browsers actually do this? Is Mozilla actually participating in that nonsense?

  • facts (Score:3, Interesting)

    by epine ( 68316 ) on Saturday November 07, 2009 @06:24PM (#30017246)

    Interesting echo from FAQ [monotone.ca] which I read the other night. The original contains a lot of italic I'm not going to replicate.

    An important fact about monotone's networking is that it deals in facts rather than operations. Networking simply informs the other party of some facts, and receives some facts from the other party. The netsync protocol determines which facts to send, based on an interactive analysis of "what is missing" on each end. No obligations, transactions, or commitments are made during networking. For all non-networking functions, monotone decides what to do by interpreting the facts it has on hand, rather than having specific conversations with other programs.

    The closer one lives to the foundation, the stronger the argument for a fact-based architecture. DNS is about as foundational as one can get in internet security. Interestingly, the architecture of monotone is highly cryptographic, and somewhat reminiscent of DNSSEC from the 40,000 foot view.

    The people who don't see the problem with mixing fact and policy are likely the same people who don't regard it as a big problem that your credit card number is widely distributed in plain text: to every vendor you do business with, many of their employees, the trash collectors out back, and their governing union.

    Why is it that some guy on the GPS thread complained that the police are free to criminalize driving under the age of 18 (to collect more revenue) and effectively act as their own judge, jury, and executioner (in the corrupt towns where this practice becomes established), but there is generally less complaint about VISA architecting themselves the same powers?

    If the police collected a 2% slice of gasoline revenues and awarded bonus points for trips to Hawaii in any year where you keep your license clear and generally found other clever ways to rebate unpenalized drivers the 2% (with enough hidden strings attached it doesn't ultimately cost them much), would they be as loved as the VISA company? Just asking.

    Dan Ariely asks, Are we in control of our own decisions? [ted.com]

    Turns out it depends on how you frame the question. If the question is: do you want the DNS system to become so badly abused it might as well have been designed by a bank, you might get one answer. If the question is: do you want DNS optimized so your porn streams with ten seconds less delay between clips, you probably get the other answer.

    I vote for facts. That said, I will say one thing in defense of Akamai: one can construe CDN as a fact-based system, if the factoids you are dealing in are that "this IP address can deliver the content you want". Ideally, you already have a secure hash signature of the file you're seeking so it can't play too many games with the notion of "the file you want".

    I don't see why DNS needs the facts to be so low level as "this is the same IP address everyone else gets for the same query". There could be a good reason, but Vixie's excellent article fell short of providing it.

    Ideally, the CDN problem would have been solved with another layer of delegation: the content you are seeking can be obtained from a vast array of different places, here's an authoritative address for a highly overloaded server; if you're in a hurry go talk to xxx.xxx.xxx.xxx to find a location near you. Then the caching proxy can send a request with the header "I represent a client in the Pacific Northwest" rather than sending back to the client the name of the video store where the client's attorney rents his own porn.

  • Re:not only Verisign (Score:3, Interesting)

    by pjt33 ( 739471 ) on Saturday November 07, 2009 @07:41PM (#30017706)

    Using a local installation of dnsmasq for your DNS server does, however, allow you to work around NXDOMAIN hijacking, assuming that your ISP uses a consistent IP address for its hijack.
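The workaround above (dnsmasq's treatment of a known hijack address as NXDOMAIN) and the canary check that tells you whether your resolver is rewriting negative answers, as an added Python example that is not from the comment, dnsmasq or Vixie's article; `HIJACK_IP`, the canary name and the sample replies are constructed placeholders, not any ISP's real address or captured traffic:

```python
import struct
import ipaddress
HIJACK_IP = "192.0.2.53"   # constructed placeholder, not a real provider's address

def skip_name(msg, off):
    """Return the offset just past a DNS name (labels or compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, offset where the question section ends, A-record addresses)."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    qend, addrs = off, []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return flags & 0xF, qend, addrs

def canary_hijacked(msg):
    """A name that cannot exist must yield NXDOMAIN (rcode 3); an A record instead means rewriting."""
    rcode, _, addrs = parse_response(msg)
    return rcode != 3 and bool(addrs)

def to_nxdomain(msg):
    """dnsmasq-style bogus-nxdomain: a reply carrying HIJACK_IP becomes NXDOMAIN, same ID and question."""
    _, qend, addrs = parse_response(msg)
    if HIJACK_IP not in addrs:
        return msg
    txid, flags, qd, _, _, _ = struct.unpack("!6H", msg[:12])
    return struct.pack("!6H", txid, (flags & 0xFFF0) | 3, qd, 0, 0, 0) + msg[12:qend]

def build_response(name, ip=None, rcode=0):
    """Constructed sample reply used as offline input, not captured traffic."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed if ip else b""
    return hdr + qname + struct.pack("!HH", 1, 1) + ans

CANARY = "zz9q3x7-does-not-exist.example"   # constructed name no zone should hold
HIJACKED, HONEST = build_response(CANARY, HIJACK_IP), build_response(CANARY, rcode=3)
```

Run `canary_hijacked` on the reply your resolver gives for a random name like `CANARY`; a rewrite only matches the configured address, so a hijack that rotates addresses still needs the canary test.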

  • Re:not only Verisign (Score:2, Interesting)

    by mibh ( 920980 ) on Saturday November 07, 2009 @11:47PM (#30018986)

    actually i can have it both ways. i was a co-founder and was the first board chairman of nominum, and i still have many friends there. they know exactly how i feel about typosquatting. their product is smarter and tamer than others i can think of, but i still complain to them about it. i'm happy to be able to advise them on other matters.

  • by FrankDerKte ( 1472221 ) on Sunday November 08, 2009 @08:13AM (#30020682)

    It all comes down to trust. If my ISP changes the answers of the root server for non-existent addresses how do I know they don't do it for other addresses, too? And if they use something like deep packet inspection to select my DNS requests and redirect them to their server, it's actually a man in the middle attack. Also known as DNS spoofing and used by many criminals to collect all sorts of information.

    Seriously, we have to stop taking crap from those return of investment and cash flow management idiots, who think they can change the way everything works, because they own the infrastructure.

    As slashdotters seem to like car analogies, would anyone of you use a navigation system which would give you directions for non-existent streets? I would throw it out of my car.

    Probably I should write a script which just asks for a bogus URL every ms. Also it would follow every link on this site. Let's see for how long this practice is being used if every DNS request is answered by a web site and all their advertisement contractors have to pay for "clicks" by a stoopid script ?
