DNS Complexity
ChelleChelle writes "Paul Vixie of Internet Systems Consortium guides us on a journey into the sublime details of the domain name system. Although it contains just a few simple rules, DNS has grown into a system of enormous complexity. This article explores the supposed and true definitions of DNS, and shows some of the tension between the two definitions through the lens of the philosophy of Internet development protocol."
I'm going to risk sounding like an idiot and say that I think it's inhuman that somebody could write an article explaining how DNS works without having at least one diagram in it. I mean, c'mon, I can wade through piles of opaque text with the best of them, but just throw me a bone here, alright?
Been a while since I've seen one of these.
~ a low user id is no indication I have a clue what I'm talking about.
While technically well written and clear, this is one of the most uninspiring pieces of work imaginable describing the values of DNS. It's so bad that I'd rather gouge my eyes out with a spoon. Highly technical and detailed while still being abstract, it's 100% accurate while still managing to be utterly devoid of any usefulness whatsoever.
Oh yeah, this is DNS we're talking about. Implementing it IS uninspiring and so abstract, it does make you rather gouge your eyes out with a rusty spoon.
But what DNS does is extremely exciting, and forms the foundation of what makes the Internet actually WORK for people. Think about it - when's the last time there was any major DNS failure? Never? Me too. Damned reliable, damned powerful, and damned easy to get you hooked up to the geek blogs, tunes, IRC, and whatever else we all crave.
Read this if:
A) You work with DNS regularly and want to know if you know enough for it to make some sense to you. (That's me)
B) You are thinking about implementing a DNS server.
Otherwise, move along, find something that might interest you, but take just a moment to reflect how difficult Internet life would be if DNS wasn't so well designed and crafted.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Well, it was written by Paul Vixie, better known for writing a whole bunch of RFCs ... they're not known for being exactly graphics-heavy, either.
(Although some of them do have some neat ASCII art.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The Public DNS System has become corrupted. It used to be edu, com, org, net, and country codes.
Then the bribes started, now we have
.info, .tv, and god knows what else.
Internally, I use DNS and I would never replace it. Just secure it. All my Internal Updates for my home DNS System work like this. Using the LDAPDNS system, my reverse lookup zones become distinguished containers, like
relativeDomainName=1+zoneName=0.168.192.in-addr.arpa,dc=0,dc=168,dc=192,dc=in-addr,dc=arpa
(I'm the guy who wrote this.)
http://slashdot.org/comments.pl?sid=235321&cid=19190073
That. My zone updates are then wrapped up in SSL and replicated to my other Domain Controller. I would suggest that DNS return to its roots, restore the old Domain hierarchy and discontinue all these other TLDs, but they won't. There is too much money to be illegitimately made off the corruption of DNS.
You lost me at "distinguished containers."
tv is the country code for Tuvalu.
If more ISPs provided this, would it make traffic unbearable? How many dynamic domain name servers could we tolerate? Could we finally make the registrar problem go away?
What?
I eventually got onto their 'support' crew in Singapore who assured me that their engineers were looking into it. I don't know how much looking you need to do to change a single entry on a DNS table from "nnn.nnn.nnn.42" to "nnn.nnn.nnn.38".
Oh and here's a single page version of TFA.
Mongrel News all the news that fits and froths
Oh... well my point is still valid. DNS Should not be a tool for politicians.
I have a better idea: Let's open the process for making up a new TLD to everyone. A minor cost associated with the administrative overhead of setting up a new TLD, and that's it. True, we cheapen existing TLDs considerably, but then they're artificially overpriced anyway.
It's not like it's a technical issue. The DNS system doesn't care how many TLDs there are, it's irrelevant to the immediate search.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Basically, Vixie's point in the whole article really isn't to rehash how DNS works (although he does basically do that), but to make a rather interesting point about complex systems.
His point is that large systems can become unimaginably complex, even when they begin with a very simple set of rules. Particularly when those rules are vague.
Although he doesn't say it explicitly, I think there are probably some similarities between neural networks and DNS -- both begin with very simple rules, and then the complexity comes out of the sheer number of connections when you scale it up. Likewise, with DNS, you can have a very simple implementation (say, for a home office) that's quite easy to understand and use. Everything makes sense. It's basically understandable. But then, take that same protocol, even some of the same software, and scale it up to a few billion nodes or whatever DNS has these days, and suddenly the whole thing is so complex, nobody can even begin to really understand it in its entirety. You can't even predict, exactly, how it's going to react to any change -- it's very much like a complex organic system at that point. You can perform experiments on it, and make hypotheses, but even though it's an entirely deterministic system (or ought to be), it acts mysteriously.
Who cares? Is something technically not right about the new TLDs? Or are you afraid someone else is making money off of it?
It is technical actually - the TLD server has to respond all of the time, every time, even when millions of people want it... caching reduces the load but doesn't eliminate it by any means.
If a domain goes down it affects one company. If a TLD goes down it affects thousands, perhaps millions (if .com failed for example).
You could argue that one server == one TLD is a bad model and I wouldn't disagree.. there's no reason for one of the TLD companies to start a couple of hundred of the things - but then can you imagine what the likes of Verisign would do to that? Would it get cheaper? Hell no. They'd charge through the nose for it.
Tuvalu's main motivation for selling .tv domains was to get the money together to become a member of the UNO so they can officially get a voice to be heard concerning their country (their islands) basically sinking into the ocean due to global warming and rising sea levels.
So sometimes politics and DNS might be for a good cause.
There are two rules for success:
1. Never tell everything you know.
From the article: "To express multilingual symbol sets usually means Unicode, whose binary representation is not directly compatible with the upper/lowercase "folding" required for DNS labels."
UTF-8 should be perfectly compatible with the case folding. The characters which get folded are in the US-ASCII subset of UTF-8 and therefore have their high bit unset. All multibyte characters in UTF-8 have the high bit set in each byte, so they aren't subject to that case folding. The DNS standard is, as far as I know, completely UTF-8-compatible except in the places where it explicitly says that "only these particular characters are allowed here".
Finally! A year of moderation! Ready for 2019?
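The comparison rule being argued about above is small enough to show in code. The block below is an added example, not code from the thread or from Vixie's article: it implements the DNS name comparison that folds only ASCII letters, shows that two UTF-8 labels differing only in the case of a non-ASCII letter are distinct names under that rule, and then shows how Python's built-in idna codec treats the same pair, running nameprep (which includes Unicode case mapping) before Punycode encoding so that only ASCII reaches the wire. The sample names are constructed.

```python
# Added example: how DNS compares names, and why IDNA folds case before encoding.
# Sample names below are constructed; they are not from the article or the thread.


def fold_label(label: bytes) -> bytes:
    """DNS case folding per RFC 1035/4343: only bytes 0x41..0x5A ('A'..'Z') are lowered.
    Every other byte, including every byte of a UTF-8 multibyte sequence, is left alone."""
    return bytes(b + 0x20 if 0x41 <= b <= 0x5A else b for b in label)


def dns_name_equal(a: bytes, b: bytes) -> bool:
    """Compare two presentation-form names label by label, ignoring a trailing dot."""
    labels_a = [fold_label(lbl) for lbl in a.rstrip(b".").split(b".")]
    labels_b = [fold_label(lbl) for lbl in b.rstrip(b".").split(b".")]
    return labels_a == labels_b


def idna_wire_form(name: str) -> bytes:
    """Convert a Unicode host name to the ASCII (xn--) form that is actually sent in DNS.
    Python's idna codec runs nameprep (which includes Unicode case mapping) on every
    non-ASCII label before Punycode-encoding it, so case differences in non-ASCII
    letters are settled before DNS's ASCII-only folding ever sees the name."""
    return name.encode("idna")


def demo() -> dict:
    """Run the three comparisons and return their results."""
    ascii_pair = (b"Example.COM.", b"example.com")
    utf8_pair = ("Ärger.example".encode("utf-8"), "ärger.example".encode("utf-8"))
    idna_pair = (idna_wire_form("Ärger.Example"), idna_wire_form("ärger.example"))
    return {
        "ascii_case_ignored": dns_name_equal(*ascii_pair),   # True
        "utf8_case_distinct": dns_name_equal(*utf8_pair),    # False: 0xC3 0x84 vs 0xC3 0xA4
        "idna_forms_equal": dns_name_equal(*idna_pair),      # True: folded before encoding
        "idna_form": idna_pair[0],                           # xn--... label plus "Example"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The second comparison is the case the commenter describes: the two UTF-8 byte strings differ only in bytes with the high bit set, so DNS folding leaves them different names. The third shows where the folding actually happens when internationalised names are used in practice.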
I've wondered about this for a while, but like any good slashdotter I haven't actually researched it myself, but figured I'd just post it here and see what sort of replies I get.
Where I work, we host a small number of websites, each usually with two or three domain names (one primary name, and the others redirected to that). These are in a variety of domains; the usual TLD's and a few country codes and special domains.
I've set them up so that each major domain has its own set of name servers; i.e. we have host servers defined under a .com name, which all of our .com domains use. .net has its own set, .com.au has its own, and so forth. These all point to the same IP addresses, they're just defined in different domains (i.e. a.ns.ourdomain.com is the same IP as a.ns.ourdomain.com.au).
My reason for doing this is to try to minimize the number of lookups needed. A lookup for "www.example.com" gets a reply saying "the nameservers are a.ns.ourdomain.com and b.ns.ourdomain.com, and their IP addresses are w.x.y.z and a.b.c.d". The resolver can then go straight to our name servers, rather than doing an extra one for ourdomain.com.
This is assuming the resolver is smart enough to realise it can trust the additional records with the IP addresses of [ab].ns.ourdomain.com, since they're coming from a server which is authoritative for .com, anyway.
While this is fine in theory, I don't know (and haven't tested) whether popular DNS servers actually do manage to make quicker lookups using this strategy. If not, then it's rather pointless -- there's a little bit more administrative overhead involved in maintaining separate NS host records.
Any DNS gurus out there have an answer to this? Anyone care to speculate wildly?
I'd rather say that DNS is damned weak. It's probably the weakest point in the Internet infrastructure as a whole, and that's a lot to say. DNS was chosen by SANS Institute as one of the top 20 Internet vulnerabilities in 2006:
http://www.sans.org/top20/
Last time there was a major DNS failure? The DNS system relies on 13 servers. In 2002 nine of them went down due to a DDoS attack, the whole Internet was very slow or unreachable for an hour. This year in February almost three of the servers crashed due to another DDoS, which moved the Department of Defense to say that next time they will counterattack and even bomb the source of the DDoS, so guess if it was important.
By the way, remember that Paul Vixie's BIND is just one implementation and it's considered to be flawed by some wise people:
http://cr.yp.to/djbdns/blurb/unbind.html
Eliminate the domain squatters and you'll eliminate the push for alternative TLDs. I'm sure more than half the domain names in existence are typo-squatting domain hoarders. There's no legitimate reason we need to allow them to keep those domains. Get a posse together of people with a clue and start going through domains. When you come across one that is obviously a domain squatter, delete it and then put more emphasis on analyzing that guy's other domains and delete those if necessary too until you've cleaned up the system. It's not property, you're just leasing a label from the collective community and we can choose to take it back if you're being an asshat.
DNS Should not be a tool for politicians.
So you're basically saying there shouldn't be country codes?
sigs are hazardous to your health
You... don't really sound like you know what you're talking about. (Sorry to be blunt.)
One TLD != one server; on the contrary, TLDs tend to have many, many servers.
The likes of Verisign, for example, run no less than 13 servers (a.gtld-servers.net through m.gtld-servers.net) for com and net, and, in reality, they almost certainly run many more, since each of those names is probably a cluster of actual machines.
The GTLD is managed similarly, and I'd be surprised if any other TLDs have less than 6 obviously distinct servers.
Even second-level domains are often redundant; many (all?) registrars in com/net/org require 2-3 nameservers per domain.
The problem is that depending on who does these reviews, there will be entirely different results. I don't think that we can legally take the names back, anyway. It sure would be nice though if the /. community got to decide on it. Actually, that would be terrible. We'd spend the whole time fighting amongst ourselves.
When written in an LTR language most hierarchies follow that direction. Numbers have the most significant bit(s) at the left, taxonomies are written species:subspecies:variety, pages are identified as home > category > page.
Domain Names are the exception, with the "top level" domain on the right, while the left (most significant bit) can be stuffed with random chaff (a.k.a. subdomains).
I can't help but imagine that this has some impact on how easily people fall for spoofed websites (yourbank.somesite.com vs. com.somesite.yourbank). Being naturally lazy we only read as far down a list as needed to confirm we have what we're looking for.
Does anyone know of a historical basis for this decision & do you think it makes any difference?
Python coder | PyQt Applications | Writer
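The right-to-left authority in host names that this post describes is exactly what a phishing check has to follow. The block below is an added example, not from the thread: it reads a URL's host from the right, finds the registrable domain (the part the registrant actually controls), and flags a host such as yourbank.somesite.com as a lookalike because the brand name sits in the "chaff" to the left rather than in the controlling domain. The public-suffix set is a constructed stand-in for the real Public Suffix List, and all URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the real Public Suffix List
# (https://publicsuffix.org/); a production check would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable ('parent') domain: the longest public suffix plus one
    label to its left. DNS authority flows from the right, so this is the part of the
    name the registrant controls; everything further left is chosen by them."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a public suffix, not a registered domain")
            return ".".join(labels[i - 1:])
    raise ValueError(f"{host!r}: no known public suffix")


def controlling_domain(url: str) -> str:
    """Which registered domain does a URL really point at? urlsplit().hostname drops
    the userinfo part ('yourbank.com@'), so the answer comes only from the host."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"{url!r} has no host")
    return registrable_domain(host)


def is_lookalike(url: str, brand_domain: str) -> bool:
    """True when the brand's name appears anywhere in the authority part of the URL
    (host or userinfo) but the controlling domain is not the brand's own domain."""
    netloc = urlsplit(url).netloc.lower()
    brand_label = brand_domain.lower().split(".")[0]
    return brand_label in netloc and controlling_domain(url) != brand_domain.lower()


if __name__ == "__main__":
    for u in ("https://www.yourbank.com/login",
              "https://yourbank.somesite.com/login",
              "https://yourbank.com@evil.example/"):
        print(f"{u:45} controlled by {controlling_domain(u):15} lookalike={is_lookalike(u, 'yourbank.com')}")
```

The userinfo case is included because it is the same reading-direction problem in another place: a reader who stops at the first familiar name never reaches the part of the URL that decides where the connection goes.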
I hear that the root DNS servers are monkeys. After all, at the root of all tree based architectures is monkeys. (I also hear that if you go to the edge of the internet, you'll fall off the edge of it!)
It might be more accurate to say that systems can become unimaginably complex BECAUSE they have simple rules. The more rules, the more limitations.
Not just the ones you listed, but also .mil and .gov too. .tv IS a country code (ccTLD) - for Tuvalu (http://en.wikipedia.org/wiki/Tuvalu).
*sigh*
Once again, BIND is associated with DNS and I'm not even past the third paragraph.
Zone transfers are not DNS-related, they are BIND-related! For that matter, the term ZONE is mainly a BIND thing!
Gah!
Anything is possible given time and money.
The original paper is available in Postscript at bell-labs.com or Google has an HTML translation.
Bill Stewart
Take a simple system and iterate it many times to produce a complex result. Sounds fractal to me.
I don't think that we can legally take the names back, anyway.
I'm pretty sure that ICANN. All puns aside, think about what that acronym means. Internet Corporation for Assigned Names and Numbers. They get to assign the names and numbers, and therefore they also have the authority to un-assign those names and numbers. ICANN giveth, ICANN taketh away. Ugh. That one wasn't intended. I'll stop now, but hopefully you get my point.
I often find myself wondering why most internet standards are so complex in the first place. Let's face it: DNS looks up a name in a database and spits out a number. It's like a phone book for the internet (white pages, that is). So then, why the hell is it such a pain to configure with its weird-ass zone files that half the world seems to struggle with, and obscure vulnerabilities like cache poisoning. Why can't it be as simple as "domain = IP" or "I don't know, but server X might" because that's basically what's going on, only it's buried under a pile of nerd filth that all but its originators truly grok.
Here's one big pain in the butt: listing name servers for a domain. Why the hell don't we use IP addresses for those? Instead you have a chicken and egg situation where you would need to contact ns1.something.tld to ask about its own address, so instead we cheat with "hints" in the parent server's records and end up listing the IP anyway, making the nameserver's name redundant. Things like that make me wonder what the designers were smoking that day. In the end, it's all just a big relational database, only the tables are each stored on different hosts but the links work the same way, so why the big headache?
-Billco, Fnarg.com
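The "hints" this post complains about, and the earlier question about whether putting name-server host names under each TLD saves lookups, are two views of the same mechanism: glue records in the parent's referral. The block below is an added example (not code from the thread, from the article, or from any real resolver) that walks an iterative lookup over a constructed set of servers and counts the queries. It shows that a referral whose NS name lies inside the answering server's zone can carry a usable address, while one whose NS name lies outside it forces a separate lookup of the NS name from the root. It also applies the bailiwick rule a cache must enforce: an address record is only accepted from a server that is authoritative for the name it describes, which is why the constructed bogus glue for the out-of-bailiwick name is never used. All host names and addresses are invented (RFC 5737 documentation ranges).

```python
from collections import namedtuple

# Constructed data: every address is from the RFC 5737 documentation ranges and every
# host name is invented for this example. Nothing here is any poster's real setup.

Referral = namedtuple("Referral", "zone ns glue")   # delegation of `zone` to servers `ns`, with glue A records

ROOT_IP = "198.51.100.1"
AUTH_IP = "203.0.113.10"        # the hosting company's own name server (all a.ns.* names point here)

SERVERS = {
    ROOT_IP: {                  # root server; zone "" means it is authoritative for everything
        "zones": [""],
        "delegations": {
            "com": Referral("com", ["a.com-servers.test"], {"a.com-servers.test": "198.51.100.2"}),
            "net": Referral("net", ["a.net-servers.test"], {"a.net-servers.test": "198.51.100.3"}),
        },
        "answers": {},
    },
    "198.51.100.2": {           # .com registry server
        "zones": ["com"],
        "delegations": {
            "ourdomain.com": Referral("ourdomain.com", ["a.ns.ourdomain.com"], {"a.ns.ourdomain.com": AUTH_IP}),
            # NS name is inside .com, so this server may legitimately supply its address (in-bailiwick glue)
            "example.com": Referral("example.com", ["a.ns.ourdomain.com"], {"a.ns.ourdomain.com": AUTH_IP}),
            # NS name is outside .com; any glue here must be ignored, so the constructed bogus
            # address below (standing in for a poisoning attempt) is never contacted
            "example2.com": Referral("example2.com", ["a.ns.ourdomain.net"], {"a.ns.ourdomain.net": "192.0.2.66"}),
        },
        "answers": {},
    },
    "198.51.100.3": {           # .net registry server
        "zones": ["net"],
        "delegations": {
            "ourdomain.net": Referral("ourdomain.net", ["a.ns.ourdomain.net"], {"a.ns.ourdomain.net": AUTH_IP}),
        },
        "answers": {},
    },
    AUTH_IP: {                  # the hosting company's authoritative server
        "zones": ["example.com", "example2.com", "ourdomain.com", "ourdomain.net"],
        "delegations": {},
        "answers": {
            "www.example.com": "203.0.113.80",
            "www.example2.com": "203.0.113.80",
            "a.ns.ourdomain.com": AUTH_IP,
            "a.ns.ourdomain.net": AUTH_IP,
        },
    },
}


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it; the root zone ("") covers all names."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)


def best_referral(server: dict, qname: str):
    """Closest enclosing delegation this server knows for qname, or None."""
    matches = [ref for zone, ref in server["delegations"].items() if in_bailiwick(qname, zone)]
    return max(matches, key=lambda ref: len(ref.zone), default=None)


def resolve(qname: str, trace=None):
    """Iterative resolution from the root with no cache. Returns (ip, trace), where
    trace lists every server contacted, so len(trace) is the number of queries sent."""
    if trace is None:
        trace = []
    qname = qname.lower().rstrip(".")
    server_ip = ROOT_IP
    while True:
        server = SERVERS[server_ip]
        trace.append(server_ip)
        if qname in server["answers"]:
            return server["answers"][qname], trace
        ref = best_referral(server, qname)
        if ref is None:
            raise LookupError(f"{qname}: no answer and no referral from {server_ip}")
        # Bailiwick rule: keep glue only for names the answering server is authoritative for.
        glue = {ns: ip for ns, ip in ref.glue.items()
                if any(in_bailiwick(ns, zone) for zone in server["zones"])}
        ns = ref.ns[0]
        if ns in glue:
            server_ip = glue[ns]                 # referral can be followed directly
        else:
            server_ip, _ = resolve(ns, trace)    # side query: resolve the NS name from the root first


if __name__ == "__main__":
    for name in ("www.example.com", "www.example2.com"):
        ip, trace = resolve(name)
        print(f"{name} -> {ip} after {len(trace)} queries: {' -> '.join(trace)}")
```

With these zones, www.example.com resolves in three queries (root, .com, the hosting company's server) because the .com referral carries in-bailiwick glue, while www.example2.com takes six because the resolver has to go back to the root to find a.ns.ourdomain.net before it can ask it anything. A real resolver caches, so the .net referral would usually already be known and the gap smaller; the bailiwick filter is what stops a parent server from planting addresses for names it does not own.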
> Internally, I use DNS and I would never replace it. Just secure it. All my Internal Updates for my home DNS System work like this. Using the LDAPDNS system, my reverse lookup zones become distinguished containers, like
> relativeDomainName=1+zoneName=0.168.192.in-addr.arpa,dc=0,dc=168,dc=192,dc=in-addr,dc=arpa
You set this up for your freakin' home network!?!?!? Brother, there's this wild and wonderful thing out there called the world and you really, REALLY need to get a taste of it!
Some of the highlights that you'd do well to consider:
First, there's the Woman. Life with a good woman is a life with greater extremes. Good moments are way better, bad moments are way worse.
Another good thing to try while roaming the wild, real world: Beer! This can be a good way to land a woman, if only for a night.
Put the two together under the right circumstances, and you just might be able to experience perhaps the greatest pleasure of them all: SEX! Many would argue that this is the point of having a woman. I'd argue instead that basic physiology has the point belonging to the man, but I digress...
Seriously, implementing an LDAP backend to DNS for a home network is about like using a jet engine for a ceiling fan. I'd love to know all the details of your implementation, since it would likely make a good candidate for submission to another good website.
Lastly, to do "secure" DNS updates is pretty simple. I keep the DNS zone files on my laptop. All my DNS nameservers are configured identically, as master servers. I use a script to SCP the files to the nameservers when I do a DNS update. Stupid simple, excellent security a la SSH.
As has already been pointed out, you can have a single TLD spread across several servers. You can also have multiple TLDs on a single server. More likely, you end up with a combination of these things: Multiple TLDs on a geographically dispersed cluster of systems.
That's a bad idea.
With that, you can't tell where a host name begins and where the URI starts.
And he even thinks that is GOOD:
quote: "This would mean the BCS could have one server for the whole site or have one specific to members and the URL wouldn't have to be different."
Doh.
Say you have a conventional URL of http://blah.example.com/sub/foo
If we do things he proposed in that page how does he expect the browser to find the IP address for the server to go to?
With his suggestion the URL will look like:
http:com/example/blah/sub/foo
Now that's very nice in "dreamland" where the speed of light is infinite and everything is perfect.
But in the real world, what domain name should the browser try in order to get the IP address to connect to?
Should the browser try to connect to "com" and fetch /example/blah/sub/foo
Then if that fails connect to:
example.com and try to fetch /blah/sub/foo
Then if that fails connect to:
blah.example.com and try to fetch /sub/foo
AND WORSE, even if that's the correct URL, say the server was temporarily broken/misconfigured, so now the browser is supposed to keep going?
e.g. connect to:
sub.blah.example.com and fetch /foo
then try
foo.sub.blah.example.com
The browser has to wait for the necessary failure timeouts on each try. Don't forget, the URL I used as an example isn't even a very long one. Imagine one with a greater "directory depth".
Makes you wonder if he "stumbled" on his _original_ scheme by sheer luck. Or he actually thought long and hard on it, and has now unfortunately forgotten the original reasons why things were done that way.
Nowadays I find there are not very many people who understand how lots of different things work, the various limitations, and how certain choices/changes affect things. There's often so much you need to know AND keep in mind.
.org is run by 1 linux machine (a 486/66 at that!) using djbdns and postgresql.
While the DNS definition is in the RFCs, Paul's BIND implementation, as well as various commercially hardened versions he has worked on over the years, is part of the glue we depend on to hold the Internet together. His code runs in more Unix/Linux systems than you can imagine today. I am a Real Vixie fanboi. The DNS paradigm sits on top of the address resolution paradigm and has added the flexibility we have needed to grow the Internet over the last several decades. My hat is off to Paul.
I just read the post you linked to, and that sounds pretty much like home network heaven. Do you have any good links for starting points to setting up DNS, and the authentication the way you have?
Judging from that one article, Paul Vixie is a terrible writer. His thoughts are very unorganized. And, like many people with little understanding of how to write well, he is obviously not aware of the need to have an editor.
James Michener, the famous writer (South Pacific), was very intense about having his writing edited before he would present it to readers. With one of his books he said he and an editor read every word 5 times together.
This is NOT a comment about his achievements and contributions to the internet we all know and love. It is only a comment about his ability to express himself in writing.
The inability to communicate well limits achievements and recognition for achievements.
> Life with a good woman is a life with greater extremes. Good moments are way better, bad moments are way worse. :(
Yeah, the crying fits when she treats me like crap are way worse than my other bad moments, but masturbating is still the same
> Another good thing to try [...]: Beer!
The women I'm around when I'm drinking beer typically just point at me and laugh >:(
> And you just might be able to experience perhaps the greatest pleasure of them all: SEX!
If by whiskey^Wsex, you mean two of the first three images, then I'm not that impressed. I've watched elephants in the zoo, and the woman I alluded to previously has parents who have several cats living in their house. Some of them fornicated when I was sitting next to them. It's not what it's made out to be >>:(
And while I'm posting anonymously, I might as well go whole hog: I guess I should get some relationship advice from the slashcrowd! >>>:(
Writing style is often a habit formed by the understanding, or lack thereof, of the ones you are writing for/to; when questioning a person's style you must ask yourself a lot of quite hard (to answer) questions regarding both yourself, your understanding of the text/style and also the writer.
So, is he really "a terrible writer" limiting himself by his "inability to communicate", or was it just a case of an article written in a style not preferred/suitable for you (and/or the general reader of where the article's been made available)?
perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'