Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Internet Businesses

Paul Vixie On What DNS Is Not 164

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"
This discussion has been archived. No new comments can be posted.

Paul Vixie On What DNS Is Not

Comments Filter:
  • not only Verisign (Score:5, Insightful)

    by Tom ( 822 ) on Saturday November 07, 2009 @02:40PM (#30016274) Homepage Journal

    Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.

    Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST responde truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

    Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

    Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

    • Re:not only Verisign (Score:4, Interesting)

      by Anonymous Coward on Saturday November 07, 2009 @02:49PM (#30016310)

      If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.

      Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.

      Vixie - you can't have it both ways. If these are your real feeling then I call on you to resign your position on the Advisory Board at Nominum.

      • Don't be a baby! (Score:5, Insightful)

        by iYk6 ( 1425255 ) on Saturday November 07, 2009 @03:12PM (#30016442)

        So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?

        Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.

        Basically, AC, people you work with will make decisions you disagree with. It is important that you put of with it, and not be a big baby.

        • Re: (Score:3, Insightful)

          by shentino ( 1139071 )

          There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.

          If the company is going to sink with or without your help, you may as well jump ship and rescue someone else instead of going down with them.

          If I'm a consultant, I'm aware that my knowledge, and consequently, time, is a valuable resource. I'm not going to take a lot of crap from a company that pays me well just to have the privilege of ignoring me. Th

          • There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.

            There's this little thing called capitalism, which optimally distributes resources to those who can best utilize them. In short, if you can get more use out of a resource, you can afford to pay more for that resource.

            If someone is willing to pay Vixie more, I expect he'd take them up on the offer...

        • Re: (Score:3, Insightful)

          So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems.

          The problem is that a lot of these boards never listen to the advice of experts, they only want the presence of experts in order to confer legitimacy on their decision. These boards and committees have only the interests of industry at heart, not those of the public. they're not interesting in the facts, or how things should be done. They're interested in giving money and control to private companies.

      • by epine ( 68316 )

        Vixie - you can't have it both ways. If these are your real feeling then I call on you to resign your position on the Advisory Board at Nominum.

        Is that you, Obelix the gallstone? Fell into a vat of anonymous coward super juice as a young infant? I thought so.

        He's only having it both ways if he privately supports Nominum's stupidity, while publicly declaiming his involvement.

        This post is an excellent example of polarization disorder: the belief that the world will run most smoothly if everyone is neatly al

      • Re: (Score:2, Interesting)

        by mibh ( 920980 )

        actually i can have it both ways. i was a co-founder and was the first board chairman of nominum, and i still have many friends there. they know exactly how i feel about typosquatting. their product is smarter and tamer than others i can think of, but i still complain to them about it. i'm happy to be able to advise them on other matters.

    • by Zerth ( 26112 )

      And that's why a cheap, low-power computer or hackable router is awesome. Just run your own nameserver.

      My ISP isn't horrible, but they hijack DNS with a "friendly" error message when there is more than a little network congestion, which sticks until the cache is flushed. That was enough to get me to stop using their server.

      • Re:not only Verisign (Score:4, Informative)

        by ChipMonk ( 711367 ) on Saturday November 07, 2009 @03:00PM (#30016380) Journal
        Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.
        • Well, I suppose a workaround to that would be to set up an encrypted tunnel to some machine outside their network and running your own DNS server there, depending on your work IT policies you could even use your employer's VPN to run "private" DNS requests while still using your own internet connection for actually accessing the net.

          That said I sure wish ISPs wouldn't do dumb shit like this, it pretty much breaks DNS.

          /Mikael

        • by Zerth ( 26112 )

          If I'm OCD enough to set up my own DNSd, why do you assume I'd not think about that?

          True, most people don't have hardware on another network, but virtual servers are silly cheap if you are only using it for DNS and SSH redirection.

        • Comment removed based on user account deletion
          • by sopssa ( 1498795 ) *

            You dont even need to point it to OpenDNS (which FYI does *exactly* the same kind of advertisement serving on non-existing domains). Just run your own recursive DNS server and you're good to go.

            (unless of course your ISP doesn't let you send DNS requests to any other server than theirs, which some people seem to have here)

            • Re: (Score:3, Interesting)

              Comment removed based on user account deletion
              • I use an old laptop to provide DNS for my home office network. It's running a minimal Debian install; the only post-install commands I issued to get things up and running were "apt-get install unbound" and "nano /etc/unbound/unbound.conf" to allow queries from the LAN (instead of just localhost, which is the default setting). Instant recursive name server, with no more dependence on anything my ISP offers. They're not presently intercepting outbound DNS queries, but should they decide to do so I'll just mov
              • Re: (Score:2, Insightful)

                by mindstrm ( 20013 )

                IT's not a problem per-se - but everyone running a caching DNS server on their PC, because they can't trust the ISP, while seemingly beneficial now, has problems in theory down the road. The point of an ISP having a caching nameserver is so that queries get cached closer to home, and for a larger segment of the network. If *every* end client had their own full caching nameserver, rather than relying on a heirarchy, we'd have a tragedy of the commons, and the load on the authoritative servers would go way

          • OpenDNS Basic

            * Reliable DNS Infrastructure
            * Web Content Filtering
            * Basic Customization
            * Typo Correction
            OpenDNS [opendns.com]

            See that, "Typo Correction" = broken DNS. DNS is not suppose to answer what It thinks you meant, it is supposed to answer what you asked!

        • Re: (Score:3, Interesting)

          by pjt33 ( 739471 )

          Using a local installation of dnsmasq for your DNS server does, however, allow you to work around NXDOMAIN hijacking, assuming that your ISP uses a consistent IP address for its hijack.

    • Re:not only Verisign (Score:5, Interesting)

      by NoYob ( 1630681 ) on Saturday November 07, 2009 @02:55PM (#30016350)
      Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

      Every technological marketing gimick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.

      And so would most of you, too.

    • by sopssa ( 1498795 ) *

      Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST responde truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

      Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

      I doubt it still would go anywhere in court. It's not like it's illegal to break RFC's and protocol standards on services you provide to your customers, who have opted-in and bought them. You might have a case if they blocked using other DNS servers, but they dont. And if they included a part in contract that says you're only allowed to use their DNS server (like they say for email port 25), you don't have a case with that either.

      btw, this thing seems to only be a problem in USA too - they're not doing anyt

      • It's not like it's illegal to break RFC's and protocol standards on services you provide to your customers

        No, but it might be illegal to break RFCs and protocol standards on services that you advertise support for. There are lots of truth in advertising laws around the world that could be used to enforce this.

        My ISP does the DNS redirection thing, but it's only marginally evil. They only do it for domain names starting www and the page that they redirect to has a permanent opt-out button (which doesn't store anything in a cookie; dig works correctly for looking up www.madeup.example.com after setting it). I

        • >> My ISP does the DNS redirection thing, but it's only marginally evil. They only do it for domain names starting www and the page that they redirect to has a permanent opt-out button...

          and... how do you find that optout button?
          and... how does dig operate if you don't press the button?

          • and... how do you find that optout button?

            It's on the page they redirect you to.

            and... how does dig operate if you don't press the button?

            Incorrectly - it returns their address instead of NXDOMAIN for nonexistent domains with the www. prefix.

            You do need to have a machine with a web browser connected to the connection to be able to opt out, but for a consumer grade connection that's not an unreasonable assumption.

            • They're not redirecting you to a web page - they're redirecting you to a different IP address, which has a web server on it. What if you weren't running http? Besides dig, there's also https (are they only serving http?), and ssh, and email (less common on www.x.x, admittedly), but they're still fundamentally breaking it.

              It's not unreasonable to expect that my machine might have a web browser on it - but if that's not the application I used, they need to know not to break it, and they *can't* know that, b

        • Oh, right, they can't tell you're trying to open an https connection instead of an http connection because they're hijacking the DNS query, not the browser query. That's why it's called *broken*.

          And where do they put the opt-out button on ssh connections? Unlike email, where I'm usually not emailing to a www.* address, I fairly often want to ssh to a web server (admittedly, that's usually inside my own network, but not always), and they shouldn't be fraking with it - and they can't tell whether they are o

    • Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly

      And that would be enforced, how?

      • Trademarks? Anyone can make a non-conformant ZeroConf implementation, but it has to pass the conformance test suite to be allowed to use the Bonjour trademark and logo. Anyone can implement a UNIX-like operating system, but it has to be certified as conforming to the Single UNIX Specification before you can call it UNIX.
    • Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST responde truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

      I invite you to write the RFC. It's easy to do, and basically, anybody can write an RFC. There's the infamous evil bit [faqs.org] for example. But here's the thing... RFCs are just that: Requests For Ccomment. They

  • Maybe it's time for someone to set up a DNS system in competition to ICANN. I don't think it's impossible to change your root servers list.
    • by sopssa ( 1498795 ) *

      Good luck getting everyone join your root servers instead.

      • Good luck getting everyone join your root servers instead.

        Isn't that what the 'OpenDNS', which isn't open, about? It looks like viral marketing for a parallel name service.

      • Have it fallback to icann for unknown addresses? Not that I think it is a very useful idea. I think a 2nd net could be valuable but DNS isn't really the most worrisome issue in regards to net freedom.
    • Such things exist. [wikipedia.org] Nobody uses them.

    • by Shark ( 78448 )

      Or, as ICANN members, we could all submit/vote for a proposal to pull IP address blocks from companies who do such things. That'll get some attention. Submit it Vixie and I'll vote.

  • what it is becoming (Score:3, Interesting)

    by phantomfive ( 622387 ) on Saturday November 07, 2009 @03:07PM (#30016412) Journal
    Looks like this article is more about, "what DNS is becoming but I don't like." He may not like it, but that's what's happening with DNS.

    Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' Nor was I particularly happy about masquerading becoming a popular routing technique, instead of switching to IPv6. And yet, that's what happened. Sometimes technologies are twisted in ways you don't intend or like.
    • Re: (Score:2, Insightful)

      by greensoap ( 566467 )
      I would argue tht IP Masquerading became popular because all of the home consumers that had a single ip address access point to their ISP and multiple devices in the home that needed a connection. High speed home access got affordable and prevalent (outside of major cities) right around '99. At the same time, home access network gateways started having an internet port and four internal network ports with NAT built in to provide the private-public IP translation. IPv4 vs. IPv6 was not as much as an issue
      • Re: (Score:3, Insightful)

        by phantomfive ( 622387 )
        In fact, that was a great use for masquerading, to get around silly limits by ISPs. The objection is that masquerading eventually became a crutch to avoid switching to IPv6, which wasn't a great use for masquerading.
    • by Jay L ( 74152 ) *

      Looks like this article is more about, "what DNS is becoming but I don't like."

      What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies.

      Erm.. didn't Paul create MAPS to explicitly provide - and later monetize - the RBL? Wasn't the RBL a "directory service"? Didn't it map IPs to policy-based information?

      I agree with the point he's trying to make; I hate NXDOMAIN hijacks too. I don't get the rant about CDNs, though; seems to m

      • Re: (Score:3, Informative)

        by TheRaven64 ( 641858 )

        I think you're missing his point. It's easy to do, because he does hide it quite well behind a large wall of text. DNS, as Vixie (awesome name) rightly says, should be a cacheable mapping. The result should depend on the query and nothing else. It should not depend on who your ISP is. It should not depend on your geographical location. If you do a DNS lookup from your computer, you should get exactly the same result that I get from my computer at the same time, irrespective of where we both are in the

        • by Jay L ( 74152 ) *

          They express facts that don't change depending on who is asking for them.

          See, you're making Paul's point better than he does! Even in his comment above, he just says that "All DNS responses issued by our DNS servers were absolutely factual in the policy they expressed." - which is in equal parts true, predictable, tautological and irrelevant to his own point.

          Mod Paul's interpreter up.

    • by jgrahn ( 181062 )

      Looks like this article is more about, "what DNS is becoming but I don't like." He may not like it, but that's what's happening with DNS.

      Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' [...] Sometimes technologies are twisted in ways you don't intend or like.

      So you're saying he should shut up and learn to like it?

      Part of his point is, if we let it go this way, we'll lose the opportunity to do other nifty

  • Fuck you Bell! Give me my NXDOMAIN back.
  • by kimvette ( 919543 ) on Saturday November 07, 2009 @03:15PM (#30016460) Homepage Journal

    Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.

    • Re: (Score:3, Informative)

      by DaveGillam ( 880499 )
      SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. Some spammers use SPF and SenderID records to give their spam a higher sense of legitimacy. A spammer cannot forge "paypal.com" because Paypal publishes SPF records. A spammer CAN pretend to be Paypal by using a look-alike domain with its own set of SPF records (ie: paypall.com, paypal.org). SPF and SenderID simply publish what IPs are authorized to send email claiming to be from a particular domain. DKIM d
      • by lennier ( 44736 )

        "SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. "

        Yes, of course. But I don't think you're understanding the point of SPF.

        It's not just the URLS advertised in spam. If we have global SPF to the point where sending from a server not named in the SPF record is a useful indicator, wham, that will cut spam instantly as a side-effect.

        First, because every spam sent from a botnet will be dropped because they're not SPF servers.

        Second, because in a world where you can

    • by dodobh ( 65811 )

      SPF breaks forwarding. Oh, and SPF itself does nothing much to help stop spam.

  • by jcam2 ( 248062 ) on Saturday November 07, 2009 @03:20PM (#30016492) Homepage

    While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the clients location or for load balancing purposes is an extremely useful technique for last companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.

    Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness by avoiding un-necessary cross-planet network traffic. And even if google gets it wrong, they are no worse off than if they never implemented this in the first place.

    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
      • Re: (Score:3, Informative)

        by rekoil ( 168689 )

        I suspect anycast would be a better method, honestly.

        And you'd be completely, utterly wrong. I've seen anycast resulting some mind-numblingly stupid site selection choices, usually due to a local ISP's BGP policy - and when I say "stupid" I mean "all users of ISP X in New York City getting sent to a mirror in Sydney, Australia instead of the site downtown".

        This might be OK for simple DNS queries, but for actual web sites it is a True Path To Pain.

    • Re: (Score:3, Informative)

      by QuantumRiff ( 120817 )

      He argues that the problem is, the client doesn't usually hit the DNS server, the clients DNS server only does after it expires its own local cache.

      Just because your ISP's DNS servers are sitting in LA, doesn't mean you are. You could be on Seattle, and using those DNS servers, or out in the world, on the work VPN, using their DNS server in downtown Chicago. Thats how many people get around regional restrictions now, in fact.

      People have shoehorned DNS into something that it is neither Efficient, or design

      • by sopssa ( 1498795 ) *

        That might be the case in USA, but in other parts of world you're 99% of the time using DNS servers in your own country, which is pretty much the closest area CDN can have their things anyway. Yes you could use a vpn, have changed your dns servers and so on, but you're the minority case there, and even then it works normally, probably just not as efficiently as it could.

        It is a completely different situation when you look it at the whole world view.

    • Re: (Score:3, Informative)

      by John Hasler ( 414242 )

      > For example, check out what www.google.com resolves to from different
      > countries or even at different times - depending on where you look it up from
      > and what network links are up, you will get a different set of IPs.

      According to Google I spent the last two weeks of October jumping around between Japan, France, Spain, and Britain.

      I never left Wisconsin. And no, I was not using Tor or a VPN or any such thing.

    • Re: (Score:2, Insightful)

      by kegon ( 766647 )

      Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness

      I disagree.

      Getting the wrong web page is not helpful. For example, go to Japan and look up some big name website, e.g. google.com and you get it localized into Japanese. I didn't want google.co.jp, I wanted google.com. How does DNS know what language I speak ?

      Many, many times I tried to look up the website of a big American or European

  • by Wrath0fb0b ( 302444 ) on Saturday November 07, 2009 @03:40PM (#30016598)

    Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.

    What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached response closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.

    His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.

    Finally, his "solution" -- that CDNs rely on dumb ("psuedorandom" is his fancy was of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distance from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assign me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.

    Please don't confuse his (for the forgoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.

    • by BitZtream ( 692029 ) on Saturday November 07, 2009 @04:27PM (#30016894)

      Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement what so ever from dynamic DNS.

      Akamai could use DNS with traditional cache times and still redirect to the right node via http redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permeant redirection' or 'this is only temporary, next time ask me again'

      I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.

      • by rmm4pi8 ( 680224 )

        As the senior systems engineer for a website with points of sale all over the world but datacenters only in the U.S., and a heavy Akamai user, I can tell you that the amount of time for a 301 (requires tcp handshake and http headers) vs the time for DNS is nearly an order of magnitude, so it's a no-brainer to use DNS for this sort of thing.

        • It's only a no-brainer if you're ignoring other people's costs that result from your misuse of the DNS protocol.

          • by rmm4pi8 ( 680224 )

            The abuse being....a lower cache hit rate on caching DNS servers? We're talking about Akamai here, not wildcarding. DNS service just isn't that expensive to provide, and when you consider that ISPs actively encourage Akamai to have caching servers inside the cages on their head ends, I think the "more DNS queries" vs "lower upstream bandwidth usage and better latency for our customers" doesn't seem like a tradeoff they're complaining about.

        • A single redirect the first time you click on a site can't be that bad. I agree of course it is slower than fucking with DNS. But fucking with DNS has its own dangers. Along the lines of helping break net neutrality. I realize my ISPs could currently fuck with me using automatic redirection anyways but this way would allow them to be sneakier. And to a non-techy 'making requests faster' seems far less insidious than redirection. On top of that DNS was NOT designed for this. I'm sure there are a plethora of
      • Akamai could use DNS with traditional cache times and still redirect to the right node via http redirects.

        I'd like to see how you'd do that for RTSP, FTP, and any of the dozens of other internet protocols Akamai serves up...

  • News to me (Score:2, Interesting)

    by Anonymous Coward

    Browser implementers including Microsoft and Mozilla have begun doing DNS queries while collecting URIs from their graphical front end in order to do fancy "auto-completion." This means that during the typing time of a URI such as http://www.cnn.com/, the browser will have asked questions such as W, WW, WWW, WWW.C, WWW.CN, WWW.CNN, and so on. It's not quite that bad, since the browsers have a precompiled idea of what the top-level domains are. They won't actually ask for WWW.C, for example, but they are now asking for WWW.CN, which is in China, and WWW.CNN.CO, which is in Colombia.

    Which browsers actually do this? Is Mozilla actually participating in that nonsense?

    • Which browsers actually do this? Is Mozilla actually participating in that nonsense?

      I hope so, otherwise I'm switching back to IE prompto.

    • by BZ ( 40346 )

      > Is Mozilla actually participating in that nonsense?

      No. I have no idea where Mr. Vixie got that misinformation, nor do I know why he's spreading it.

  • facts (Score:3, Interesting)

    by epine ( 68316 ) on Saturday November 07, 2009 @05:24PM (#30017246)

    Interesting echo from FAQ [monotone.ca] which I read the other night. The original contains a lot of italic I'm not going to replicate.

    An important fact about monotone's networking is that it deals in facts rather than operations. Networking simply informs the other party of some facts, and receives some facts from the other party. The netsync protocol determines which facts to send, based on an interactive analysis of "what is missing" on each end. No obligations, transactions, or commitments are made during networking. For all non-networking functions, monotone decides what to do by interpreting the facts it has on hand, rather than having specific conversations with other programs.

    The closer one lives to the foundation, the stronger the argument for a fact-based architecture. DNS is about as foundational as one can get in internet security. Interesting, the architecture of monotone is highly cryptographic, and somewhat reminiscent of DNSSEC from the 40,000 foot view.

    The people who don't see the problem with mixing fact and policy are likely the same people who don't regard it as a big problem that your credit card numbers is widely distributed in plain text: to every vendor you do business with, many of their employees, the trash collectors out back, and their governing union.

    Why is it that some guy on the GPS thread complained that the police are free to criminalize driving under the age of 18 (to collect more revenue) and effectively act as their own judge, jury, and executioner (in the corrupt towns where this practice becomes established), but there is generally less complaint about VISA architecting themselves the same powers?

    If the police collected a 2% slice of gasoline revenues and awarded bonus points for trips to Hawaii in any year where you keep your license clear and generally found other clever ways to rebate unpenalized drivers the 2% (with enough hidden strings attached it doesn't ultimately cost them much), would they be as loved as the VISA company? Just asking.

    Dan Ariely asks, Are we in control of our own decisions? [ted.com]

    Turns out it depends on how you frame the question. If the question is: do you want the DNS system to become so badly abused it might as well have been designed by a bank, you might get one answer. If the question is: do you want DNS optimized so your porn streams with ten seconds less delay between clips, you probably get the other answer.

    I vote for facts. That said, I will say one thing in defense of Akamai: one can construe CDN as a fact based system, if the factoids you are dealing in that "this IP address can deliver the content you want". Ideally, you already have a secure hash signature of the file you're seeking so it can't play too many games with the notion of "the file you want".

    I don't see why DNS needs the facts to be so low level as "this is the same IP address everyone else gets for the same query". There could be a good reason, but Vixie's excellent article fell short of providing it.

    Ideally, the CDN problem would have been solved with another layer of delegation: the content you are seeking can be obtained from a vast array of different places, here's an authoritative address for a highly overloaded server; if you're in a hurry go talk to xxx.xxx.xxx.xxx to find a location near you. Then the caching proxy can send a request with the header "I represent a client in the Pacific Northwest" rather than sending back to the client the name of the video store where client's attorney rents his own porn.

  • Is everyone here forgetting IP over DNS? How else would I get free internet at paid wifi access points??
  • I see too many organizations using DNS as an inventory system (e.g prtsertor01) resulting in host names more difficult to remember than IP addresses.

  • It all comes down to thrust. If my ISP changes the answers of the root server for non existing adresses how do I know they don't do it for other adresses, too ? And if they use something like deep packet inspection to select my DNS requests and redirect them to their server, it's actually a man in the middle attack. Also known as DSN spoofing and used by many criminals to collect all sorts of information.

    Seriously, we have to stop taking crap from those return of investment and cash flow management idiots,

Keep up the good work! But please don't ask me to help.

Working...