answers to the same question based on requester identity and policy, and have the signatures all be perfectly valid. DNSSEC will also complicate life for sys admins and application developers. We (ISC—the BIND people) are doing what we can to improve on that in BIND 9.7, and there are plenty of other service and technology providers in the space as well. The killer app for DNSSEC will be a Web browser and Web server that can authenticate to each other without using X.509 (volunteers are hereby encouraged to get together and try to make that happen).
Directory Services
Browser implementers including Microsoft and Mozilla have begun doing DNS queries while collecting URIs from their graphical front end in order to do fancy “autocompletion.” This means that during the typing time of a URI such as http://www.cnn.com/, the browser will have asked questions such as W, WW, WWW, WWW.C, WWW.CN, WWW.CNN, and so on. It’s not quite that bad, since the browsers have a precompiled idea of what the top-level domains are. They won’t actually ask for WWW.C, for example, but they are now asking for WWW.CN, which is in China, and WWW.CNN.CO, which is in Colombia.
Although one simple-sounding solution is for Microsoft and Firefox to buy some name-server hardware and network links for China and Colombia (and no doubt many other affected top-level domain operators), that won’t stop the information leak or remove this stupid and useless traffic from the rest of the network. Since the truly best solution is, as usual, stop doing this stupid thing—and we all know that isn’t going to happen—perhaps this behavior can be made optional, and then we can just argue about what the default (opt-in vs. opt-out) should be. This is the first time in the history of DNS that someone has used it prospectively, to find out if what has been typed is or isn’t a valid domain name, in order to support something like autocompletion. As in so many other novel uses of DNS, this is not what it was designed for.
Had DNS been designed with this in mind, one of the ways we would be able to tell is that domain names would be written from highest- to lowest-order
term (COM.CNN.WWW). This would allow partial name completion just as happens in graphical file system browsers. Absent a complete redesign, which won’t happen in our lifetime because of the size and usefulness of the installed base, all we can do is ask browser implementers to be smarter and prepare for more DNS traffic on our networks.
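To make the leak concrete, here is an added illustration (not code from the article, and not anything ISC or BIND ships) that models the keystroke-driven lookups described above. The first function enumerates which typing prefixes of a URI host would become DNS queries once the browser's precompiled TLD list filters them, and which of those never resolve to the intended name and so leak the user's typing to another TLD's servers. The second function is the defender's side: a small detector run over constructed resolver log lines that flags a client whose successive queries each extend the previous one within a short window, which is the signature this behavior leaves on a network. The TLD set, client addresses, and log format are all constructed for the example.

```python
"""Model of the browser-autocompletion DNS leak, and a log-side detector.

Added illustration only: not code from the article or from ISC/BIND.
The TLD list, client addresses and log lines below are constructed.
"""

# Constructed subset of a browser's precompiled top-level-domain list.
KNOWN_TLDS = {"com", "net", "org", "cn", "co", "uk"}


def autocomplete_queries(typed, tlds=KNOWN_TLDS):
    """Names a keystroke-querying browser would look up while `typed`
    is entered, keeping only prefixes whose last label is a known TLD
    (the "precompiled idea of what the top-level domains are")."""
    queries = []
    for n in range(1, len(typed) + 1):
        prefix = typed[:n].lower()
        labels = prefix.split(".")
        # A lone label or an empty label (trailing dot) is never queried.
        if len(labels) < 2 or any(not label for label in labels):
            continue
        if labels[-1] in tlds and prefix not in queries:
            queries.append(prefix)
    return queries


def leaked_queries(typed, tlds=KNOWN_TLDS):
    """The subset of queries that are not the final name: each one hands a
    typing prefix to the servers of some unrelated TLD (e.g. .cn, .co)."""
    final = typed.lower()
    return [q for q in autocomplete_queries(typed, tlds) if q != final]


# Constructed resolver log: "<epoch-seconds> <client-ip> <qname>" per line.
SAMPLE_LOG = """\
1000.0 192.0.2.10 www.cn
1000.4 192.0.2.10 www.cnn.co
1000.9 192.0.2.10 www.cnn.com
1001.0 192.0.2.20 mail.example.org
1005.0 192.0.2.20 www.example.org
"""


def detect_autocomplete_chains(log, window=2.0):
    """Find runs of queries from one client, each within `window` seconds
    of the last, where every qname string-extends the previous qname.
    Returns [(client, [qnames...])] for runs of two or more names."""
    chains = []
    current = {}  # client -> (last_ts, names in the run so far)
    for line in log.splitlines():
        ts_s, client, qname = line.split()
        ts, qname = float(ts_s), qname.lower()
        last_ts, names = current.get(client, (None, []))
        extends = (names and ts - last_ts <= window
                   and qname.startswith(names[-1]) and qname != names[-1])
        if extends:
            names.append(qname)
        else:
            if len(names) >= 2:
                chains.append((client, names))
            names = [qname]
        current[client] = (ts, names)
    # Flush runs still open at end of log.
    for client, (_, names) in current.items():
        if len(names) >= 2:
            chains.append((client, names))
    return chains


if __name__ == "__main__":
    print("queried while typing:", autocomplete_queries("www.cnn.com"))
    print("leaked to other TLDs:", leaked_queries("www.cnn.com"))
    for client, names in detect_autocomplete_chains(SAMPLE_LOG):
        print(f"{client}: autocomplete-style chain {names}")
```

Run as a script, it reports that typing www.cnn.com produces the three queries www.cn, www.cnn.co and www.cnn.com, of which the first two go to the .cn and .co operators, and that client 192.0.2.10 in the constructed log shows the prefix-extension pattern while 192.0.2.20 does not. On a real resolver the same chain check over the query log is one cheap way to measure how much of this traffic a network is generating before deciding whether to push an opt-out setting to its browsers.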
Conclusion
What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it’s all too common for entrepreneurs to see it as a greenfield opportunity. Those of us who work to implement, enhance, and deploy DNS and to keep the global system of name servers operating will continue to find ways to keep the thing alive even with all these innovators taking their little bites out of it.
These are unhappy observations and there is no solution within reach because of the extraordinary size of the installed base. The tasks where DNS falls short, but that people nevertheless want it to be able to do, are in most cases fundamental to the current design. What will play out now will be an information war in which innovators who muscle in early enough and gain enough market share will prevent others from doing likewise—DNS lies vs. DNS security is only one example.
Related articles
on queue.acm.org
DNS Complexity
Paul Vixie
http://queue.acm.org/detail.cfm?id=1242499
Improving Performance on the Internet
Tom Leighton
http://queue.acm.org/detail.cfm?id=1466449
Paul Vixie is president of Internet Systems Consortium (ISC), a nonprofit company that operates the DNS F root name server and publishes the BIND software used by 80% of the Internet for DNS publication. He is also chairman of American Registry for Internet Numbers (ARIN), a nonprofit company that allocates Internet number resources in the North American and Caribbean regions. Previously, he was a founder and president of PAIX, the first neutral commercial Internet exchange; SVP/CTO of AboveNet; and founder of the first anti-spam company (MAPS LLC) in 1996.