Slashdot Mirror
DNSSEC: Good Enough?
Phil Windley writes "DNS Security Extension, or DNSSEC, is a set of extensions to DNS, which provide end-to-end authenticity and integrity. Paul Mockapetris, the inventor of DNS believes DNSSEC is the answer to many of the identity problems on the Internet. He wants the IETF to get off the dime and approve the DNSSEC spec. A recent article in ZDNet TechUpdate interviews Mockapertis on DNSSEC (summary)."
D. J. Bernstein, the author of the supremely reliable and secure qmail mail server, wrote a proposal for a new Internet mail system a couple of years ago. It's called Internet Mail 2000. Check it out at:
...
http://cr.yp.to/im2000.html
The basic premise is this:
"IM2000 is a project to design a new Internet mail infrastructure around the following concept: Mail storage is the sender's responsibility."
It's an interesting concept and worth a read.
Unfortunately it doesn't look like it would do much to stop spamming, which is the major problem with the current internet mail infrastructure. For that, we need some way to make sending bulk email costly to spammers. Actually I'd say that this could be done already with current technologies, it's just that ISPs and large network providers are not being responsible in ensuring that the users of their networks pay the appropriate price for sending out SPAM.
Maybe ISP's should charge users for each outbound SMTP connection they make? I'd happily pay 10 cents per email I sent if it would reduce the amount of SPAM I received. It would only cost me a couple of bucks a month too at the rate that I send email
This sounds like a great idea. Let's present a new protocol. I suggest we name it Slashdot Mail Transfer Protocol. We could use the shortened form SMTP. hmmm well... on second thought maybe the name needs more work.
A lot of research and ideas and papers have been thrown around to replace SMTP with a better protocol but the costs involved are a major discouraging factor and people don't want to install a system when there is no guarantee that all the recipients have it too.
Maybe servers using a new mail protocol should be designed such that they first attempt to use the new protocol and if connect fails, try the good old SMTP
is it possible for the Slashdot collective to come up with another one?
Not a chance. The slashdot collective taken as a whole, is a very stupid group of people. Even the few intelligent people wouldn't be able to get anything useful done because they'd be shouted down by the teaming masses of idiots.
We hate Sony's recording arm, but we'll sell our souls to them for the next cool gadget. We hate MS, but 90% of us use windows on our main home machine. No to mention all the idiots who use words like boxen.
HELO imamailserver.com
250 Hello imamailserver.com [127.0.0.1] nice to meet you!
---
When I grow up, I want to be a kid again.
Do not send the message along with the envelope. Mail servers should only collect message envelopes, which contain information to obtain the real message. Then when someone reads their email their email program contacts the server to obtain the message. Thus you can't send email and vanish, since if you're not there when someone checks their email, they won't get your message.
Obviously ISPs will have to have the ability to store the messages of their users so they can deliver them while the user is offline, but that's no problem. If a user, or someone else, sends spam, once the ISP is notified, they can remove it from their servers, so that no further people who were sent the spam will actually recieve it upon reading their email.
Why I'm writing this I don't know. No one reads below score 3 anyway unless you're lucky and get one of the first 10 replies. Slashdot is useless. I'd shit myself if one person actually read this post. Hell, I can't even find posts after I make them, even after waiting several hours.
The summary: It's unfinished, the BIND company has poor implementations (like most everything else it implements), and won't provide a real increase in security. Interesting stuff.
It's hard take a recommmendation from the inventor to seriously.
The Trust pyramid is the kicker, it seems these things fall into the hands of the untrustworthy. Almost analogous to the handling of domain names.
Whoever is at the top should be non-profit and transparent.
let's get back to bashing microsoft or something
The proper acronym for "DNS Security Extension" should be "DNSSEX"
Nothing is ever good enough for /. readers, well except for Ogg Vorbis.
'Course it's good enough. Why, back in my day we didn't even have DNS; you had to send the domain to the next server via smoke signals, and that didn't always work so we often sent the packet data tied to the legs of birds. Of course, the going got real rough sometimes, usually around dove season...
Haven't we posted long enough about how none of us want anymore info on positively identifying ourselves online, and now this comes along? What is it we want, total invasion on knowledge of our whereabouts, or ability to be anonymous?
Personally, I have always seen identity confirmation problems as a software issue, rather than a protocoll one.
Rather than relying on the protocoll to identify the source of communications, either working off some non-protocoll-related trust basis (ie, dont just MD4 your IP or something) for pre-established communications. Or for first-contact type situations, agreeing on some type of communication security.
I do not see these types of problems as the sort of problems lower level protocolls should be addressing.
paul reinheimer
It seems RIPE have a One Day Introduction Course for "DNSSEC and related tools, and the specific procedures set up by the RIPE NCC to secure the in-addr.arpa zone"
- Sig
Protocol design and implementation are two very different things, as anyone who has ever configured and used BIND knows from personal experience filled with agony over buffer overflows from hell. I hope that DNSSEC code will be written at the level of quality of djdns.
Yes, Dan Bernstein is a very exasperating person and his code is hideously formatted, but it is effective, efficient and among the most secure code ever written. I still hate him though.
I, for one, think that even if we go for it and get our creative juices flowing, so to speak, we will still end up debating about it for another 10+ years.
Of course, no discussion of DNSSEC would be complete without Bernstein's comments. And here are the slides from his talk in pdf.
Not being an expert on the topic, I find DNSSEC a little worrying, as it seems to be a consolidation of the centralized power of Verisign or whatever. Ideally we should be planning how to move away from traditional DNS altogether, as the single-rooted namespace has led to much political abuse. But that is a really hard problem to solve.
Quoth the article:
"The technology behind these confidence
checks uses digital signatures and
public key cryptography..."
First, find a way that I can get a "top level" CA to give me a certificate without charging me $US350 _per year_
Wouldn't working on a improved form of SMTP be a better project?
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
I know you're out there. I can feel you now. I know that you're afraid. You're afraid of us. You're afraid of change. I don't know the future. I didn't come here to tell you how this is going to end. I came here to tell you how it's going to begin. I'm going to make this post and then I'm going to show these people what you don't want them to see. I'm going to show them a world without you, a world without special character filters or repetitious character limits - a world where any form of trolling is possible. Where we go from there is a choice I leave to you.
Top page ... Mockapetris or Mockapertis. But there are some countries where the name can be spelled different ways .... o well, do what you like - he'll just get mad anyway.
Servlet v2.4 container in a single 161KB jar file ? Try Winstone
Time for ICANN to be obsoleted by a nice DARPA funded project from MIT and Berkeley. The guys working on it are pretty bright, and DNS is what distributed hash tables are best for.
You can find it at IRIS
I know RFC 1149 governs "packet data tied to the legs of birds", but I can't seem to find the relevant RFC governing IP over smoke signals, only a draft document. Was this protocol ever finalized? Can you provide a link? I'd hate to see people out there implementing non-RFC compliant IP over smoke signals -- that would cause massive interoperability problems!
"Freedom means freedom for everybody" -- Dick Cheney
Why would you want to authenticate DNS traffic? I'm sure there is a perfectly good reason, it just isn't immediately apparent to me.
Trusted computing means seperating hosts into two piles: trust and non-trusted. What rules apply to gaining "trust"? Is gaining "trust" a monetary decision? How does the little guy make sure that his content is seen without paying for a costly, restrictive license? Would he have to constantly censor what content he has with his host in order to maintain a "trust" certificate? Seems more like censorship than protection to me :\
This is only my opinion, of course.
download games I make at: http://www.shippysite.com
I don't understand the security issues here? I tried reading the FAQ but I'm a mumbling nincompoop. Can someone explain in a bit better detail about why we need security for DNS? Is there any actual recorded instances of people breaking into the DNS database? Is this the website hacking I've heard about?
in girum imus nocte et consumimur igni
DNSSEC provides a secure key distribution mechanism. Right now, the only secure key distribution mechanism on the Internet is the SSL key mechanism, whereby a cartel of ~5 companies with keys that got into the original Netscape release essentially rule the roost, because Joe Average has no idea how to install a new root key in his browser. The cheapest key of this type will cost you ~$150 per year, and you can't use it to make more keys.
DNSSEC does require a top-level root key, but once you have registered your domain securely, you can generate keys whose public halves are *in the DNS* where anybody can get at them. That is, you can use your key to make more keys. Also, if you don't want to do business with one registrar, you can go to another, and as you are no doubt aware, the DNS registration market is quite competitive. So in fact DNSSEC is very democratic compared to its only current alternative.
Unfortunately, this is not a glitzy thing. This is nuts and bolts, wire dragged through conduits. DNSSEC is a really nice platform for building a more secure internet, but it doesn't solve the problem on its own - you have to build on it - e.g., using it to make SMTP more verifiable.
DJB says that BIND doesn't do DNSSEC very well. It's true that BIND 8 doesn't do as well as BIND 9. If you want to spend some money, my employer will sell you something even nicer. But the fact is that there are several free, working implementations of DNSSEC out there right now.
BTW, in the interests of full disclosure, I should say that I work for the same company as Paul Mockapetris (Nominum), and have in the past worked for the company that DJB styles "the BIND company," although I know much more about DHCP than about DNS.
But if we get rid of ICANN we can't vicariously live through their amazingly productive corporate meetings in Sri Lanka and Bermuda!
What I think we will see with the Fritz chip .NET will be a DNS that first asks "where do you want to go today" then tells you need to obtain the key!
OH THE SHAME I fell off the wagon and use sigs again!
I'll notify the one guy who designs all internet protocols and tell him to switch tasks.
Is it Petris or Pertis?
Come, come, we have inconsistent mockery here!
'Course, it'd fit right in on Limbaugh or O'Reilly.....
He wants the IETF to get off the dime
What is this guy, like, 50 years old? Twenty-three skidoo... Tippecanoe and Tyler too, and hubba hubba and don't take any wooden nickels, and the flappers these days! Scandelous!
Fuckin' old people.
Let's say the Slashdot guys create a PGP key, publish the public key on the various keyservers, and start signing their web pages. Once I have a path from my key to theirs, I can be pretty sure that it's really them.
Even if I don't have a path, my future browser could record the key that's used when bookmarking a site. That way if I come back to it later and the key doesn't check out or another key has been used, then I know it's been compromised since then.
This could be used for other purposes. Let's say someone has a personal web page somewhere and is forced to move for some reason. You could be sure that it's the same person at the new URL because the same key would be used to sign the content. The best part is that whoever takes over the old URL can't spoof the old guy since they don't have his private key. All they can do is publish the exact data he already had out there.
Taken to an extreme, you could almost stop caring about URLs. You could look up someone by searching for their PGP key, and then work out from there. It wouldn't matter where they were actually hosted, since it is verifiably them. There would be no point in publishing phony information, since the key wouldn't check out.
DNS let us abstract away IP addresses to some degree. URLs can get us away from worrying about specific hostnames. Can this be the thing to abstract URLs away to some degree?
There are certain aspects of DNSSEC that are infrequently discussed.
.com - I have heard that DNSSEC can make it take a very long time to come up after a change in zone contents. That's sort of having to wait for fsck to complete on a 500gigabyte disk every time you want to change a file in the filesystem.
First is that DNSSEC adds a degree of rigidity and inter-dependency to the net that makes it more brittle in the face of a natural or intentional disaster. When things have fallen apart, the time to recover is greatly increased if the rebuilders have to rebuild the security hierarchy before names can start resolving.
Another aspect is that DNSSEC tends to wire-in a single DNS root and wire-out competing roots.
Now, a lot of people think that competing roots are a horrible thing. And a lot of other people think they are a great thing. (I've been using competing roots for years with zero problems, so you can guess which camp I'm in.) And some communities (AOL) and countries, are not necessarily making noises that they really like the idea of one god-like root for DNS. (They want consistency, their concern is about there being a single authority.) Competing roots are also advocated as a way to escape captured regulatory bodies, such as ICANN.
For some of the big zones -
Any solution that leaves DNS around in its current form is broken. DNS's centralized naming scheme is and endless source of annoying political problems.
Need a Python, C++, Unix, Linux develop
URLs should provide a unique way to identify information, but the process of finding the URL that someone is looking for should be left up to those that specialize in this - namely web search engines.
With Freenet - information is identified by complex URLs which allow the user to guarantee that the information is what the user expects it to be. The problem of finding the URL you want is left to freesites that specialize in this.
It was going to be called DNSSEX, until the developers realized it might be mistaken for something else.
I'm the Devil the Windows users warned you about.
http://saveie6.com/
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Your point is rather interesting, if it is true. A rapid deployment of a system that defeats spam would mask its invasion of privacy leaving the public ignorant and there would be commercial and government spying on posts in forums like these.
That is if, and a big if, it tags everyone. I don't understand it all myself.
Hopefully if it actually tags everyone, there will be a public outcry similar to the RFID complaints when Walmart tried to implement them. Maybe calling up such a privacy group like the one that complained about Walmart would be an excellent thing to do.
This stuff is straight out of the book 1984. That prophetic book of the perils of technology has been in the minds of many lately. Unless people all across the world view invasion of privacy like taking away their civil rights, then nothing will happen. Microsoft and others like this company will strip away every right we have under the umbrella of "beneficial" technology. Businesses and governments will take advantage of such technology and know everything about a person. If a political or commercial figure doesn't like a citizen of his country that person would lose his job, his fame, his wealth, his friends or even his life.
When this happens, we will all be saying "I told you so!" but it may be be too late. Privacy then will be like a civil rights movement. There are many things I can say that might take place then, but I cannot say all of them. All I can say is that governments need to act now or risk losing public confidence. When public confidence erodes, so will the government. It is not wise for a government to have its people live in fear. Those type of governments have a history of being overthrown.
Now I've dragged on awhile about privacy, but if there is no invasion of privacy from this technology then I say "Go for it!"
Someone at 130.160.91.27 evidently is spamming people with my email address as the reply to. While they are working on dnssec, perhaps someone could modify SMTP / POP servers to validate the reply-to domain or disallow the mail.
This is my sig.
SMIME is a fine and lovely and centralizable way to do mail body encryption.
SMTP/TLS is a fine way to do transport encryption/authenication from one hop to another.
Lacking is a way - perhaps a signature header - for an MTA to "know" where a message is from. I'd love to be able to prioritize mail that's perhaps from "known good" domains. I believe IronPort is doing something proprietary along these lines.
Back to DNS:
DNSSEC tries to offer a way to ensure the content of a zone.
It's a good notion.
It's not been implemented well. I don't trust VeriSign, I certainly don't trust JoeBlow registrar. However, I'm willing to trust my domain and that's really what's needed when dealing with subdomains. And most of the meat of my DNS use is in the subdomains - every desktop, every server lives in a subdomain. www, ftp and MX records are in the top level - that's about it.
With BIND 9, I'm delighted that all my zones use notification and IXFR's (tranferring a 40,000 record zone over a DSL is not good without incremental zone transfers - esp in a DHCP heavy environment that can cause regular zone updates).
We can "extend" DNS with DNSSEC (or -alikes) because it's negotiable (like ESMTP is for SMTP). We cannot change how ALL DNS transfers and works by default without GREAT pain (we did that pain ONCE in 1980 going from NCP to TCP).
Paul Wouters from the FreeSWAN project spoke at DefCon 11 on DNSSEC... he has some materials online at: http://www.xtdnet.nl/paul/dnssec/
Nothing to see here; Move along.
Since you're willing to give Bernstein's solution a fair hearing, I suggest you also check out YURLs. There's even a simple proof-of-concept WWW browser that you can use to get a feel for how the WWW without DNS works.
Note that switching to decentralized authentication doesn't mean giving up on human memorable names, just global human memorable names. Users can still use a local namespace. This provides both useability and security benefits. See the YURL Name paper.
TylerTry again. IRIS hasn't proposed a thing that can solve DNS security issues. It might address decentralizing the mostly hierarchical lookup procedure (to address scalability for example), but this would in fact require something like DNSSEC so that DNS records could be verified as legitimate even when provided by untrusted/unauthoritative hosts in a DHT.
Comment removed based on user account deletion
Your issue is easily handled by the bookmark file keywords provided by Mozilla Firebird. After you've bookmarked a page, you can return to it by typing in your personally chosen keyword.
It is interesting how this simple user interface feature provides a function you thought could only be provided by a central bureaucracy like the DNS. Hold off on the hyperbole a bit. There are some good solutions if you look.
I've worked through a lot of these issues with my YURL work.
It's unfortunate that the ICANN Gods want to require everybody in the world who sells domain names to get a True Name and Subpoena Address and ICBM address and Retina Print in Triplicate in return for letting you use the name, but you knew that when you got the name. And if you're using a subdomain Number-6.anonymous-cowards.com, and the people who run anonymous-cowards.com will let anybody get a subdomain name without providing all that personal data, you're still protected - you've got a cert that anybody who wants your IP address can use to verify that it's really yours and not some proxy server at fbi.gov.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Thanks; ihnp4!arpanet!pobox!bill.stewart
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Maybe I'm missing something, but DNSSEC seems to go a bit overboard when trying to fix the major flaw in DNS today, the ability to falsify records.
Now, there are two ways to falsify records that I know of.
The first is a cross-zone caching issue where a DNS response contains records for a zone it doesn't control. This is a rather simple problem to fix and requires no changes to the protocol bitstream itself (though changes are required to how the protocol is handled). It basically involves applying a trust zone model and tossing some previously useful records.
The second is an ID prediction attack where a response to a DNS query is falsified by guessing the ID number of the query made by the DNS server. With a decent ID generator, this becomes difficult and you have to brute force the thing basically making it a one-in-a-billion chance. This is still too high, so modifications to the protocol bitstream are required to enhance the size of the ID field or add a secondary one. It is possible to hack in this with minimal compatibility problems, but it wouldn't be pretty. Alternatively having the DNS server simply query twice or use TCP would accomplish the same thing, though that slows things down a bit.
I fail to see how the leap to a full blown cryptographic PKI was made. Sure, technically it may be better, but it is also complex, intrusive and adds only slightly more security.
Personally, I'm happier with 99.999% security with minimal work vs. 99.99999% security with a complete overhaul of the system.
Maybe I'm missing something.
The world is neither black nor white nor good nor evil, only many shades of CowboyNeal.
The proposal for the secure nameserver is here: http://www.levien.com/fc.ps
And the draft thesis version is here: http://www.levien.com/thesis/compact.pdf
I originally started investigating trust metrics as a way to identify trustworthy, credible sources of name->key binding data. The trust metrics turned out to be interesting and useful on their own, and a lot easier to deploy successfully. I think there's a lot of important research still to be done on the problem, but I'm not especially hopeful that it'll get done any time soon. For one, if your goal is to avoid single points of vulnerability, you have to build the service as a peer-to-peer network, and we're still struggling with the best way to design those, even for relatively simple tasks such as media piracy^Wsharing, much less anything mission-critical.
I do hope that anyone seriously looking into the question of secure name services at least skims my thesis drafts. There are some good ideas in there, and I have a funny feeling that people will be remaking all the same mistakes I did.
LILO boot: linux init=/usr/bin/emacs
This will be a lot of fun for lynx users.
You call yourself a real /. reader? HA! Real /. readers custom code their own audio codecs and triple encrypt them. Only they are able to listen to their audio files! Let's see the RIAA stormtroopers steal my song "moncyb-In Soviet Russia-the Natasha chronicles.mecommieformat"!
If you think DNSSEC is vapourware, your information is outdated. As I presented in various talks this year at BlackHat, DefCon and CCC this year, DNSSEC is ready to be deployed, and IS deployed.
We are currently running over 150 domains in DNSSEC, using bind9 and some perl tools written by RIPE. We are using this to accomplish IPsec Opportunistic Encryption, which means massive deployment of IPsec tunnels by using secured DNS information for key material.
Please see:
DNSSEC is not vapourware. It will happen, and you want it to happen. Think about VOIP using the ENUM dnszone without DNSSEC. Do you WANT your phonecalls to be hijacked?
Conflict of Interest between SSL Key Certs and DNSSEC Key Certs - SSL keys certify something, usually about the "owner" of a given key, and let you have some trust in whoever possesses that key, often trusting a connection to a particular web server.
There is no conflict of interest, because the two serve different purposes.
Firstly, HTTPS (HTTP over SSL) is used for encryption as much as authentication. How many people check to see if the little lock symbol is there? Good. Now how many people check to see if the credentials associated with that lock match the company they're dealing with? Uh-oh. All you're getting, then, is encryption. DNSSEC will not provide the encryption to secure your credit card number, so the market for SSL certs is unaffected.
Secondly, DNSSEC aims at securing a different level. For many transactions that don't require SSL, it would be nice to have some assurance you're dealing with the right site. What if someone poisoned your DNS cache and redirected you to a fake Slashdot to gather your credentials and steal your account? How about sending mail, which is often handled completely under the hood by the MTAs involved without you, the mail client, having any say in checking on the routing?
Mind you, I tend to believe DJB knows what he's talking about when he criticizes DNSSEC, but the problem space is a valid one, and solving it won't conflict with SSL certificates.
They have largely gotten over that shit. It is now permissable to export higher grade encrypton. The new NITS approved encryption, AES, will go up to 256-bit keys and is fine for export, they just want to see what you are exporting first.
h tm l
http://csrc.nist.gov/CryptoToolkit/aes/aesfact.
http://www.bxa.doc.gov/Encryption/
It's still not as simple as it should be (the government should mind their own bussiness) but it isn't illegal like it used to be.
RFC for Smoke Signals already went up in smoke!
But regardless of whether you are talking about URLs, hostnames, or domain names, you are still wrong. All these names were most definitely intended to be as intuitive as possible, because search engines weren't invented until after ICANN's greed and foolishness wrecked the consistency of the namespace. Stop trying to rewrite the past.
Sendmail and Bind. The two programs, with the most fucked config files... completely archaic, bizarre config files. I've been using Unix since 93, and sendmail and bind have the most fucked config files compared to every other program I've configured.
Comment removed based on user account deletion
When I talked about government eroding I meant trust in government. I will stick with mine through thick and thin. If there is an invasion of privacy where I live, I will join the privacy activists. Others across the world like in China might view their governments differently when they announce computer chip ID cards for everyone. That is scary. Imagine the government tracking all your movements and having to display personal information wherever you go. One thing will lead to another and then . . . ,well, guess.
28 Apr '01 - 64 bytes from 10.0.3.1: icmp_seq=0 ttl=255 time=6165731.1 ms
Aegilops
The organization that became ICANN certainly existed before the type of search engine you are talking about. WAIS is not a locator service for sites, it's a text search on steroids. You can fiddle with the definitions of "ICANN" and "search engine" for the purposes of argument, but it's not really germane to this discussion.
Your viewpoint is interesting, but biased to the point of inaccuracy. I was actually around when DNS was designed and implemented, and I remember quite clearly when the host table system was deprecated (because my VAX was using them at the time). I remember when Alta Vista and AOL were created, too; I even used Geo-based AOL on an 8088 XT once or twice.
DNS would work fine if we freed the namespace and allowed it to work as a distributed directory (which is what it would quickly become, if it weren't for the incompetence with which it is currently managed). ICANN's objections are pseudo-technical strawmen that serve only greed.
DNSSEC has some problems, as Dr. Berstein has frequently pointed out, but key distribution through DNS is at least as good an idea as Hesiod.
Is DNS ok now? http://average.matrix.net/Daily/markP.html
As for freeing the namespace, the objections you raise are the same ones ICANN trots out (well, except you didn't mention their favorite "without central control nothing could possibly work!"). I'll trot out the usual responses, although you've probably heard them already. No. To have a top-level domain, you would have to be demonstrably able to reliably run the top-level nameservers for that domain, able to arbitrate disputes within that namespace, and willing to provide namespace at lower levels for a reasonable fee. It should be obvious that most top-level domains (such as, for example,
Think about how the nameservers are currently funded. Terp.umd.edu for example, or the Vixie nameserver. And does Paul Vixie go a single day without a lawsuit being at least threatened?
Not so. Several people have gone so far as to predict that the total number of names would decrease if the namespace was freed. Think about it; the George W. Bush campaign bought over 200 domain names, (including bushblows.com and bushsux.com, incidentally) and the average multinational corporation buys three. In a wide-open namespace, there would be no point in doing this, and companies would buy only one name and spend their money advertising it in meatspace. You might see a decrease in the total size of the DNS namespace along the order of 50% or more!
You would also see unpredictable morphing of the namespace to reflect global human economic and cultural patterns - something like ".blitzork" becoming the most popular domain, or ".lovesjesus" or whatever. That type of emergent behaviour alone would be worth the price of admission. I'm afraid they won't, though. The only LDAP server that would scale to the degree required would be Novell's NDS, and I personally do not consider it stable enough for this purpose (that's just my opinion, though - I think Gary Porter at UKy might disagree).
Oddly enough, I'm at work on Saturn's Day because I am working on LDAP replication problems in a ring of boxes (linux, HP-UX, and Sun) that authenticate using LDAP (the master server runs OpenLDAP). I don't think LDAP is anywhere near as robust as DNS, and in current incarnations it's certainly just as difficult to secure properly.
the same ones ICANN trots out (well, except you didn't mention their favorite "without central control nothing could possibly work!") ...because my arguments are independent from theirs.
.pepsi) would not generate enough income through name sales to support themselves; so simple economics would suffice (in the long run) to weed out non-viable top-level domains.
.pepsi example is a good one. Are you suggesting that ICANN (or whoever their successor is) have a requirement that a TLD owner re-sell? What expenses do you think a TLD owner has at this point that a major corporation doesn't already have funding for?
It should be obvious that most top-level domains (such as, for example,
I'm not sure I understand how you're coming to this conclusion. Your
If Pepsi had the opportunity to register a 'pepsi' top-level domain, even if they were "required" to resell underneath 'pepsi', throwing down a few million dollars or so for hardware and operating expenses for that TLD is nothing compared to what they throw at online expenses.
So hell yah, I'd buy some shiny new servers, drop the 'pepsi' TLD on them, and if required, start up a marketing campaign to give away joe-smith.loves.pepsi hostnames.
What company wouldn't?
What expenses do you think they would have that would make this unattractive or impractical?
Not so. Several people have gone so far as to predict that the total number of names would decrease if the namespace was freed.
You're looking at the gtld-servers, not the root-servers. The root servers today just answer for the top-level domains. These are a static list (today), and those servers can be optimized to just spewing out those results. By "freeing" the top-level namespace, every subsidiary of every company is going to want one, and even if a few are weeded out because they don't have the infrastructure (which I'm not sure will ever be the case, since there's a lot of money to be made from this idea), this will "fatten" DNS at the root level, even if it thins DNS out at the second-level.
Basically, the DNS hierarchy will become top-heavy. You've got to shift resources around to accomodate that shift in load, away from the gtld-servers and towards the root-servers.
But it does seem logical that overall, the number of registered names would decrease. As more TLDs come available, corporations begin to realize that they're not going to be able to buy every name that's going to be remotely similar to their own. The ".com" craze will wither as www.example.com stops being the standard locator mechanism.
Assuming something else has stepped in to be that locator.
The only LDAP server that would scale to the degree
LDAP (like X.500 and DNS) does support delegation, though. You don't need to set up one monolithic LDAP farm here, just one big enough to cover your organization. Get your locality to set up delegation properly and it's just as distributed as DNS.
The big scalability problems you see with DNS revolve around that silly second-level name, where everyone and their mother has to own every conceivable name dot-com. Once that goes away in favor of a more reasonable hierarchy, scalability becomes easier as things become more distributed.
But you still could be right; LDAP or X.500 might not be the appropriate thing here. But DNS (at least in its current form) isn't either.