Slashdot Mirror


Paul Vixie On What DNS Is Not

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"
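The SiteFinder behaviour in the summary, and the ISP-side variant the comments below complain about, can both be checked from a client: names made of random labels should not exist, so an honest resolver chain answers NXDOMAIN for them, and if they all resolve to one address something is synthesising answers. The following is an added example, not code from the article, from Slashdot or from Paul Vixie; the zones example.test and wild.test, the addresses (RFC 5737 documentation ranges) and the resolver functions are constructed stand-ins for real DNS so it runs offline.

```python
"""Client-side check for NXDOMAIN rewriting: a zone-level wildcard such as
*.COM, or a resolver that answers every nonexistent name with an advertising
address.

Added example; not code from the article, Slashdot or Paul Vixie. The zone
names example.test / wild.test and all addresses (RFC 5737 documentation
ranges) are constructed for the demonstration.
"""
import secrets
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A resolver is any callable taking a name and returning an IPv4 address string,
# or None to signal NXDOMAIN (the answer an honest resolver gives for a name
# that does not exist).
Resolver = Callable[[str], Optional[str]]


@dataclass
class Verdict:
    suspicious: bool                 # at least one bogus name received an address
    sink_address: Optional[str]      # the single address all probes landed on, if any
    probes: List[str] = field(default_factory=list)


def random_label() -> str:
    """A 16-hex-character label: effectively guaranteed not to exist in any zone."""
    return secrets.token_hex(8)


def probe(resolve: Resolver, zone: str, probe_count: int = 3) -> Verdict:
    """Resolve several random names under `zone`; honest answers are all NXDOMAIN."""
    names = [f"{random_label()}.{zone}" for _ in range(probe_count)]
    answers = [resolve(n) for n in names]
    found = {a for a in answers if a is not None}
    sink = next(iter(found)) if len(found) == 1 and None not in answers else None
    return Verdict(suspicious=bool(found), sink_address=sink, probes=names)


def classify(reference: Resolver, suspect: Resolver, zone: str) -> str:
    """Tell a rewriting resolver apart from a zone that carries a wildcard.

    `reference` is assumed to be a resolver you trust not to rewrite answers.
    If it also returns addresses for random names, the synthesis is in the
    authoritative data itself (zone wildcard); if only `suspect` does, the
    rewriting sits in the suspect resolver path.
    """
    if not probe(suspect, zone).suspicious:
        return "clean"
    if probe(reference, zone).suspicious:
        return "zone-wildcard"
    return "resolver-rewrite"


def system_resolver(name: str) -> Optional[str]:
    """Real resolver via the OS stub; not used by the self-contained demo below."""
    try:
        return socket.getaddrinfo(name, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


# ---- Constructed test doubles standing in for the DNS -----------------------
AUTHORITATIVE = {"www.example.test": "192.0.2.10"}   # ordinary zone data
WILDCARD_ZONES = {"wild.test": "203.0.113.5"}         # zone owner installed *.wild.test
SINK = "198.51.100.99"                                # constructed "advertising server"


def authoritative_lookup(name: str) -> Optional[str]:
    """What the authoritative servers would say, wildcard included."""
    if name in AUTHORITATIVE:
        return AUTHORITATIVE[name]
    for zone, addr in WILDCARD_ZONES.items():
        if name.endswith("." + zone):
            return addr
    return None


def honest_resolver(name: str) -> Optional[str]:
    return authoritative_lookup(name)


def rewriting_resolver(name: str) -> Optional[str]:
    """Passes real answers through, but replaces every NXDOMAIN with the sink."""
    addr = authoritative_lookup(name)
    return SINK if addr is None else addr


if __name__ == "__main__":
    print(probe(rewriting_resolver, "example.test"))
    print(classify(honest_resolver, rewriting_resolver, "example.test"))  # resolver-rewrite
    print(classify(honest_resolver, rewriting_resolver, "wild.test"))     # zone-wildcard
    print(classify(honest_resolver, honest_resolver, "example.test"))     # clean
```

To run it against a real resolver, pass `system_resolver` as the suspect and a resolver you trust (or a direct query to the zone's authoritative servers) as the reference. The single-resolver probe alone cannot say who is lying, which is why the comparison step exists: a zone owner's own wildcard and an ISP's rewriting look identical from one vantage point. For a DNSSEC-signed zone a validating resolver rejects forged positive answers outright, which is the protocol-level fix for the resolver-side case.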

6 of 164 comments

  1. not only Verisign by Tom · Score: 5, Insightful

    Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.

    Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

    Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

    Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:not only Verisign by Anonymous Coward · Score: 4, Interesting

      If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.

      Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.

      Vixie - you can't have it both ways. If these are your real feelings then I call on you to resign your position on the Advisory Board at Nominum.

    2. Re:not only Verisign by NoYob · Score: 5, Interesting

      Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

      Every technological marketing gimmick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.

      And so would most of you, too.

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.

  2. Don't be a baby! by iYk6 · Score: 5, Insightful

    So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?

    Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.

    Basically, AC, people you work with will make decisions you disagree with. It is important that you put up with it, and not be a big baby.

  3. The two examples don't seem anything alike ... by Wrath0fb0b · Score: 4, Interesting

    Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.

    What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached response closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.

    His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.

    Finally, his "solution" -- that CDNs rely on dumb ("pseudorandom" is his fancy way of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distant from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assign me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.

    Please don't confuse his (for the foregoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.

    1. Re:The two examples don't seem anything alike ... by BitZtream · Score: 4, Insightful

      Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement whatsoever from dynamic DNS.

      Akamai could use DNS with traditional cache times and still redirect to the right node via HTTP redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permanent redirection' or 'this is only temporary, next time ask me again'.

      I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager