DNS Complexity
ChelleChelle writes "Paul Vixie of Internet Systems Consortium guides us on a journey into the sublime details of the domain name system. Although it contains just a few simple rules, DNS has grown into a system of enormous complexity. This article explores the supposed and true definitions of DNS, and shows some of the tension between the two definitions through the lens of the philosophy of Internet development protocol."
The Public DNS System has become corrupted. It used to be edu, com, org, net, and country codes. Then the bribes started, now we have .info, .tv, and god knows what else.
Internally, I use DNS and I would never replace it. Just secure it. All my Internal Updates for my home DNS System work like this. Using the LDAPDNS system, my reverse lookup zones become distinguished containers, like
relativeDomainName=1+zoneName=0.168.192.in-addr.arpa,dc=0,dc=168,dc=192,dc=in-addr,dc=arpa
(I'm the guy who wrote this.)
http://slashdot.org/comments.pl?sid=235321&cid=19190073
That. My zone updates are then wrapped up in SSL and replicated to my other Domain Controller. I would suggest that DNS return to its roots, restore the old Domain hierarchy and discontinue all these other TLDs, but they won't. There is too much money to be illegitimately made off the corruption of DNS.
If more ISPs provided this, would it make traffic unbearable? How many dynamic domain name servers could we tolerate? Could we finally make the registrar problem go away?
What?
I eventually got onto their 'support' crew in Singapore who assured me that their engineers were looking into it. I don't know how much looking you need to do to change a single entry on a DNS table from "nnn.nnn.nnn.42" to "nnn.nnn.nnn.38".
Oh and here's a single page version of TFA.
Mongrel News all the news that fits and froths
I have a better idea: Let's open the process for making up a new TLD to everyone. A minor cost associated with the administrative overhead of setting up a new TLD, and that's it. True, we cheapen existing TLDs considerably, but then they're artificially overpriced anyway.
It's not like it's a technical issue. The DNS system doesn't care how many TLDs there are, it's irrelevant to the immediate search.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Basically, Vixie's point in the whole article really isn't to rehash how DNS works (although he does basically do that), but to make a rather interesting point about complex systems.
His point is that large systems can become unimaginably complex, even when they begin with a very simple set of rules. Particularly when those rules are vague.
Although he doesn't say it explicitly, I think there are probably some similarities between neural networks and DNS -- both begin with very simple rules, and then the complexity comes out of the sheer number of connections when you scale it up. Likewise, with DNS, you can have a very simple implementation (say, for a home office) that's quite easy to understand and use. Everything makes sense. It's basically understandable. But then, take that same protocol, even some of the same software, and scale it up to a few billion nodes or whatever DNS has these days, and suddenly the whole thing is so complex, nobody can even begin to really understand it in its entirety. You can't even predict, exactly, how it's going to react to any change -- it's very much like a complex organic system at that point. You can perform experiments on it, and make hypotheses, but even though it's an entirely deterministic system (or ought to be), it acts mysteriously.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Who cares? Is something technically not right about the new TLDs? Or are you afraid someone else is making money off of it?
I'd rather say that DNS is damned weak. It's probably the weakest point in the Internet infrastructure as a whole, and that's a lot to say. DNS was chosen by SANS Institute as one of the top 20 Internet vulnerabilities in 2006:
http://www.sans.org/top20/
Last time there was a major DNS failure? The DNS system relies on 13 servers. In 2002 nine of them went down due to a DDoS attack, the whole Internet was very slow or unreachable for an hour. This year in February almost three of the servers crashed due to another DDoS, which moved the Department of Defense to say that next time they will counterattack and even bomb the source of the DDoS, so guess if it was important.
By the way, remember that Paul Vixie's BIND is just one implementation and it's considered to be flawed by some wise people:
http://cr.yp.to/djbdns/blurb/unbind.html
Eliminate the domain squatters and you'll eliminate the push for alternative TLDs. I'm sure more than half the domain names in existence are typo-squatting domain hoarders. There's no legitimate reason we need to allow them to keep those domains. Get a posse together of people with a clue and start going through domains. When you come across one that is obviously a domain squatter, delete it and then put more emphasis on analyzing that guy's other domains and delete those if necessary too until you've cleaned up the system. It's not property, you're just leasing a label from the collective community and we can choose to take it back if you're being an asshat.
When written in a left-to-right language, most hierarchies follow that direction. Numbers have the most significant bit(s) at the left, taxonomies are written species:subspecies:variety, pages are identified as home > category > page.
Domain Names are the exception, with the "top level" domain on the right, while the left (most significant bit) can be stuffed with random chaff (a.k.a. subdomains).
I can't help but imagine that this has some impact on how easily people fall for spoofed websites (yourbank.somesite.com vs. com.somesite.yourbank). Being naturally lazy we only read as far down a list as needed to confirm we have what we're looking for.
Does anyone know of a historical basis for this decision & do you think it makes any difference?
Python coder | PyQt Applications | Writer
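As an added example (not part of the thread, and not anyone's production code), the right-to-left reading the comment above describes, in Python: a hostname is walked from its top-level label down, so the registrant who controls yourbank.somesite.com is whoever registered somesite.com, whatever the leftmost label says. msb_first renders the "com.somesite.yourbank" notation the comment proposes. PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List, and the hostnames are made up.

```python
"""Hostnames read from the right: the top-level label is rightmost, so
the label a user reads first is the one the registrant controls most.
Added example with constructed data; PUBLIC_SUFFIXES stands in for the
real Public Suffix List."""
from typing import List, Optional, Set

# Constructed mini suffix list (the real one has thousands of entries).
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "uk", "co.uk"}


def labels_from_root(name: str) -> List[str]:
    """'yourbank.somesite.com' -> ['com', 'somesite', 'yourbank'], the
    order in which the hierarchy is actually walked."""
    name = name.strip().rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def msb_first(name: str) -> str:
    """Render the name most-significant-label first, the notation the
    comment above proposes (yourbank.somesite.com -> com.somesite.yourbank)."""
    return ".".join(labels_from_root(name))


def registrable_domain(name: str, suffixes: Set[str] = PUBLIC_SUFFIXES) -> Optional[str]:
    """The domain somebody registered: the longest public suffix plus one
    label. Every label to the left of it is chosen by that registrant."""
    labels = labels_from_root(name)
    suffix_len = 0
    for i in range(1, len(labels) + 1):
        if ".".join(reversed(labels[:i])) in suffixes:
            suffix_len = i          # still inside the public suffix
        else:
            break
    if suffix_len == 0 or suffix_len >= len(labels):
        return None                 # unknown TLD, or the name is a bare suffix
    return ".".join(reversed(labels[: suffix_len + 1]))


def same_registrant(a: str, b: str) -> bool:
    """True when both hostnames are controlled by the same registration."""
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb


if __name__ == "__main__":
    for host in ("login.yourbank.com", "yourbank.somesite.com", "www.yourbank.co.uk"):
        print(f"{host:24} {msb_first(host):24} registrant: {registrable_domain(host)}")
```

A link checker that wants to catch the yourbank.somesite.com case compares registrable_domain of the link's host with the expected one, rather than searching the hostname for the bank's name.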
For me, it happens every other month or so, with the .ro registrar screwing things up on a regular basis. Last time, everything newer than 2002ish went AWOL for almost a full day.
I often find myself wondering why most internet standards are so complex in the first place. Let's face it: DNS looks up a name in a database and spits out a number. It's like a phone book for the internet (white pages, that is). So then, why the hell is it such a pain to configure with its weird-ass zone files that half the world seems to struggle with, and obscure vulnerabilities like cache poisoning? Why can't it be as simple as "domain = IP" or "I don't know, but server X might" because that's basically what's going on, only it's buried under a pile of nerd filth that all but its originators truly grok.
Here's one big pain in the butt: listing name servers for a domain. Why the hell don't we use IP addresses for those? Instead you have a chicken and egg situation where you would need to contact ns1.something.tld to ask about its own address, so instead we cheat with "hints" in the parent server's records and end up listing the IP anyway, making the nameserver's name redundant. Things like that make me wonder what the designers were smoking that day. In the end, it's all just a big relational database, only the tables are each stored on different hosts but the links work the same way, so why the big headache?
-Billco, Fnarg.com
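An added example, not from the thread, modelling the chicken-and-egg the comment above describes: a toy iterative resolver in Python over a constructed set of authoritative servers. The addresses come from the 192.0.2.0/24 documentation range and the zone names (tld, something.tld, other.tld) are invented. A delegation whose nameserver is named inside the delegated zone resolves only because the parent hands out a glue address; with glue switched off it fails. A zone whose nameserver lives in a different zone carries no glue and still resolves, because the resolver first looks up the server's name, which is the case where the name is not redundant.

```python
"""Toy iterative resolver showing why delegations carry glue records.
Constructed data only: 192.0.2.0/24 is the documentation range and the
zone names are invented for this example."""
from typing import Dict, List, Tuple

ROOT_HINT = "192.0.2.1"  # the one address a resolver must be told out of band

# Authoritative servers keyed by address; each holds (name, type) -> values.
SERVERS: Dict[str, Dict[Tuple[str, str], List[str]]] = {
    "192.0.2.1": {                                   # root zone
        ("tld", "NS"): ["a.nic.tld"],
        ("a.nic.tld", "A"): ["192.0.2.2"],           # glue for the cut above
    },
    "192.0.2.2": {                                   # zone: tld
        ("something.tld", "NS"): ["ns1.something.tld"],
        ("ns1.something.tld", "A"): ["192.0.2.53"],  # glue: server named inside its own zone
        ("other.tld", "NS"): ["ns2.something.tld"],  # no glue: server lives in another zone
    },
    "192.0.2.53": {                                  # zone: something.tld
        ("ns1.something.tld", "A"): ["192.0.2.53"],
        ("ns2.something.tld", "A"): ["192.0.2.54"],
        ("www.something.tld", "A"): ["192.0.2.80"],
    },
    "192.0.2.54": {                                  # zone: other.tld
        ("www.other.tld", "A"): ["192.0.2.81"],
    },
}


class GlueRequired(Exception):
    """The nameserver for a zone is named inside that zone and no glue
    address was available: the chicken-and-egg case from the comment."""


def query(server_ip: str, name: str, rtype: str):
    """Behave like an authoritative server: refer the client onward for
    anything at or below a zone cut, otherwise answer from own data."""
    recs = SERVERS[server_ip]
    cut = None
    for rname, rt in recs:
        if rt == "NS" and (name == rname or name.endswith("." + rname)):
            if cut is None or len(rname) > len(cut):
                cut = rname  # deepest matching delegation wins
    if cut is not None:
        ns_names = recs[(cut, "NS")]
        glue = {n: recs[(n, "A")] for n in ns_names if (n, "A") in recs}
        return "referral", cut, ns_names, glue
    if (name, rtype) in recs:
        return "answer", None, recs[(name, rtype)], {}
    return "nxdomain", None, [], {}


def resolve(name: str, rtype: str = "A", use_glue: bool = True, _depth: int = 0) -> List[str]:
    """Walk from the root hint, following referrals, until an answer."""
    name = name.lower().rstrip(".")
    if _depth > 8:
        raise RuntimeError("too many indirections resolving " + name)
    server_ip = ROOT_HINT
    while True:
        kind, zone, data, glue = query(server_ip, name, rtype)
        if kind == "answer":
            return data
        if kind == "nxdomain":
            return []
        ns_name = data[0]  # a single NS per cut keeps the toy small
        if use_glue and ns_name in glue:
            server_ip = glue[ns_name][0]  # the parent told us the address
            continue
        # No glue: the server's address has to come from DNS itself, which
        # only works if the server's name is outside the zone it serves.
        if ns_name == zone or ns_name.endswith("." + zone):
            raise GlueRequired(f"{ns_name} serves {zone} and is named inside it; no glue")
        addrs = resolve(ns_name, "A", use_glue, _depth + 1)
        if not addrs:
            return []
        server_ip = addrs[0]


if __name__ == "__main__":
    print(resolve("www.something.tld"))   # glue carries us into something.tld
    print(resolve("www.other.tld"))       # ns2's own name is looked up first
    try:
        resolve("www.something.tld", use_glue=False)
    except GlueRequired as e:
        print("without glue:", e)
```

The parent's glue is only a hint for reaching the child; once there, the child's own A record for the server is the authoritative answer, which is why a mismatch between the two is a classic source of hard-to-diagnose resolution failures.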