
Re: Imminent Death of Usenet Predicted



>	One thing that I'm worried about is InterNIC. As I understand it, it
>is a central company that is in the business of receiving domain name
>registrations, including the info on what that domain is connected to, and
>sending it out to various nameservers. The nameservers then use this to route
>some (not all, I do believe) traffic.

Close, but not quite.  The role that the InterNIC serves is to register
domains and to maintain the top-level mappings.  It is from InterNIC that
the root-level nameservers load info regarding which domains are served by
which nameservers.  The way this process works from any particular user's
point of view is as follows:

1) You request that the host name www.foo.bar be resolved to an IP
   address.
2) Your TCP/IP software checks its local cache (if any) to see if it
   already has the requested information and if so it returns it without
   doing a lookup [there are timeouts and other bits involved but this is
   the simple version].
3) If a lookup is necessary your TCP/IP software digs up a pre-defined
   name/number for who it should ask.  This is the info that you enter
   into a resolv.conf file in unix, a MacTCP DNS setting, etc.  It is
   usually the nameserver for your internet service provider or a local
   nameserver for your network.  Once the resolver knows who to ask it
   formats a query and sends it off.
4) This nameserver checks its cache to see if it already has the info and
   if not it forwards the request to another nameserver.  Eventually the
   request hits a root server; the root servers then check the domain name
   against their tables (the ones they loaded up from the NIC) and forward
   the request to the appropriate nameserver.
5) Eventually the request is forwarded to a nameserver which is able to
   give an authoritative answer for this domain and the result is sent
   back to the original requester.

At any point in this chain it is possible for someone to decide who will
give the authoritative answer for this domain.  It is possible for you,
the requester, to decide for yourself who will be asked.  All you need to
do is to add whatever nameserver you trust early into the query chain and
that server will be asked first, and only if it does not answer
authoritatively will the regular nameservers be asked to resolve the
request.

The DNS system represents the oldest digital reputation system I know of.
It is _all_ about trust; if you think that someone is giving out bogus
information or you want your answers to come from someone else it is
trivial to change the way your nameservice is configured so that lookups
happen in the manner that you want.  No one can control how names are
resolved into numbers unless someone else grants them that power.  There
was a minor rebellion among the internet service providers this fall when
the NIC announced that they would begin charging for their services, and
it flares up every now and then when some of the larger independent ISPs
begin to feel that the NIC is favoring the major players like MCI, Sprint,
et al. when it comes to address and routing blocks and other name/IP
number issues.  The point that is frequently raised to keep the NIC in
line is that there is nothing preventing these providers from going out
and doing whatever they want, whether it be establishing new root servers,
allocating whatever numbers they want, or just plain ignoring that the NIC
exists.  And there would be absolutely nothing that InterNIC could do
about it, because that is how DNS works.  The biggest problems that would
occur would be when there was a conflict in the namespaces served (e.g.
your lookup for www.foo.com returns one number when an InterNIC-served
root nameserver responds and another when a different set of root
nameservers respond) and the number that would be returned would depend
entirely on which nameservers your query asked to get the answer.  In
short, it would depend on who you decided to trust...

On a more cypherpunk-related note, it is actually quite trivial for you
to create your own shadow domains which are completely private to
whatever group you want.  If you want to create the foo.cypherpunk domain
you can do it just by downloading the BIND nameserver code and setting up
a nameserver which answers queries for the top-level .cypherpunk domain.
All that is required for someone else to resolve names in this set of
domains is for them to know that a .cypherpunk address needs to be
resolved by the nameserver you created (which involves adding only a
single line in every DNS config system that I know of.)  It is also
difficult for any authority to mandate that certain nameservers be used
because the entire system is already so distributed as to make such a
mandate useless (it would also cause such a performance hit for net
connections that it would be about as effective as the old 55mph federal
speed limits :)

jim
--
Jim McCoy
[email protected]
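The resolution chain Jim walks through in steps 1-5, the "put the server you trust first" override, the conflicting-roots case, and the private .cypherpunk shadow domain can all be seen in one small model. The following is an added example, not code from the original message or from BIND: it is a toy in-memory resolver, not a DNS protocol implementation, and every server name, zone and address in it is constructed (documentation and private address ranges, not real registrations). It generalises slightly beyond the post by letting each server hold both authoritative zones and delegations, so the same class plays root, TLD, ISP resolver and private nameserver.

```python
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """One nameserver: authoritative zone data, delegations to other servers, a cache."""
    name: str
    zones: dict = field(default_factory=dict)        # zone suffix -> {hostname: address}
    delegations: dict = field(default_factory=dict)  # name suffix -> NameServer to forward to
    cache: dict = field(default_factory=dict)        # hostname -> address learned earlier

    def resolve(self, host, trail):
        """Return an address for host, or None if this server cannot answer.
        `trail` records every server consulted, in order (the post's step 4).
        Simplifications: no TTLs, no negative caching, no NXDOMAIN signalling."""
        trail.append(self.name)
        if host in self.cache:                       # cached: no further lookup needed
            return self.cache[host]
        for suffix, records in self.zones.items():   # authoritative data (step 5)
            if host.endswith(suffix):
                return records.get(host)
        # Not ours: forward to the most specific delegation we know of.
        for suffix, server in sorted(self.delegations.items(), key=lambda kv: -len(kv[0])):
            if host.endswith(suffix):
                answer = server.resolve(host, trail)
                if answer is not None:
                    self.cache[host] = answer        # remember it for next time
                return answer
        return None


def lookup(host, servers):
    """Client-side resolution (steps 1-3): ask the configured servers in order
    and stop at the first one that answers. Placing a server you trust first
    in the list is exactly the override the post describes; if it cannot
    answer, the regular chain is consulted."""
    trail = []
    for server in servers:
        answer = server.resolve(host, trail)
        if answer is not None:
            return answer, trail
    return None, trail


def build_scenario():
    """Constructed servers and addresses, assumed for this example only."""
    foo_ns = NameServer("ns.foo.com", zones={".foo.com": {"www.foo.com": "192.0.2.10"}})
    com_tld = NameServer("com-tld", delegations={".foo.com": foo_ns})
    internic_root = NameServer("internic-root", delegations={".com": com_tld})
    isp_ns = NameServer("isp-resolver", delegations={"": internic_root})  # "" forwards everything
    # A rival set of root servers that hands out a different answer for the same name.
    rival_com = NameServer("rival-com", zones={".foo.com": {"www.foo.com": "198.51.100.10"}})
    rival_root = NameServer("rival-root", delegations={".com": rival_com})
    rival_isp = NameServer("rival-resolver", delegations={"": rival_root})
    # A private "shadow" top-level domain served by a single nameserver you run yourself.
    cypherpunk_ns = NameServer("ns.cypherpunk",
                               zones={".cypherpunk": {"foo.cypherpunk": "10.0.0.5"}})
    return {"isp": isp_ns, "rival_isp": rival_isp, "cypherpunk": cypherpunk_ns}


if __name__ == "__main__":
    s = build_scenario()
    print(lookup("www.foo.com", [s["isp"]]))        # full chain: resolver -> root -> tld -> authoritative
    print(lookup("www.foo.com", [s["isp"]]))        # second time: answered from the resolver's cache
    print(lookup("foo.cypherpunk", [s["isp"]]))     # the public root knows nothing of .cypherpunk
    print(lookup("foo.cypherpunk", [s["cypherpunk"], s["isp"]]))  # trusted server asked first
    print(lookup("www.foo.com", [s["rival_isp"]]))  # same name, different roots, different answer
```

The `trail` returned with each answer is the part worth looking at: the first `www.foo.com` query visits four servers, the repeat visits one, and the same name resolved through the rival root comes back with a different address without any server having misbehaved. Which answer a client gets is decided entirely by which resolver it was configured to ask, which is the trust point the post makes.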